Your obligations
Introduction
Section titled “Introduction”🎯 Learning goals
- Understand how requirements cascade from your role and risk class
- Know the basic obligation that applies to everyone: AI literacy
- Understand what additional requirements apply for high-risk systems
- Know which GPAI requirements apply to providers and deployers
Requirements cascade from an organization’s role (provider or deployer) and the inherent risk class or transparency demands. AI systems that are out of scope have no requirements.
This section takes you through requirements from lightest to heaviest.
AI literacy — applies to everyone
Section titled “AI literacy — applies to everyone”For those that do, the basic requirement of both providers and deployers is AI literacy. Whoever is working on the system from the providers’ side and whoever is using or governing the system from the deployers’ side, has to have a “sufficient level” of AI literacy.
There are no further requirements or specifications, so providers and deployers are free to choose how to meet this requirement, as long as the “sufficient level” accounts for people’s technical knowledge, experience, education and training, the context the AI systems are to be used in, and the people on whom the AI system will be used.
Example of insufficient AI literacy: High school summer interns are given access to an assistant on their first day, and told to watch the training videos before using it. Their manager does not account for their age or explore their existing AI knowledge, or monitor their use of the assistant over the first few days.
Transparency requirements
Section titled “Transparency requirements”If your AI system has transparency requirements (which most GPAIs and systems built on them do), there are obligations for providers and deployers.
For deployers: No specific requirements.
For providers: The requirement here is simply to ensure that the person interacting with a system knows this system is not human. If the person is seeing output, they know this output did not come from a human.
Requirements for high-risk AI systems
If your AI system falls into a high-risk area, additional requirements apply. Requirements differ by role.
Deployers of high-risk systems
Section titled “Deployers of high-risk systems”- Human oversight: Ensure real human oversight by people with the right authority and competence. A human must always have the final say. The provider must make it feasible for the deployer to exercise this oversight.
- Employee notification: If the system is used in the workplace, notify employees and unions.
- Notification to affected persons: If the system is involved in decision-support or decision-making that affects people, notify those people that the system is in use.
- Correct input data: Ensure that only relevant and appropriate data (input) is fed into the assistant.
- Use in accordance with instructions: The assistant must be used exclusively in accordance with the instructions for use provided by the provider.
- Monitoring and logging: Monitor the use of the system and log certain events systematically.
- Registration with authorities: The system must be registered in a public register on the EU or national level.
- Privacy (DPIA): Carry out a Data Protection Impact Assessment (DPIA) if the solution processes personal data.
Providers of high-risk systems
Section titled “Providers of high-risk systems”Most of these requirements won’t apply to Intric’s customers, who will only be deployers. But Intric, and any customers who use widgets to make their assistants available to other organizations, have these requirements. Intric fulfills these requirements for the platform as a whole, while a downstream provider only has to think about the assistant that they are sharing:
- Quality management: Establish and maintain a formal quality management system for the assistant.
- Risk assessments: Carry out and document formal risk assessments before and during sharing.
- Data governance: Establish strict routines for data management and data quality.
- Registration with authorities: Register the assistant as a high-risk system.
- Monitoring and logging: Implement systematic monitoring and logging of how the system performs and is used by the other municipalities.
Requirements for GPAIs
Section titled “Requirements for GPAIs”GPAIs have their own requirements, separate from the high-risk classification.
For providers of GPAIs
Section titled “For providers of GPAIs”The easiest way to meet all requirements is to fill out the voluntary Code of Practice: digital-strategy.ec.europa.eu/en/policies/contents-code-gpai. Requirements relate to documentation (particularly to providers who want to use their GPAI models in their own AI systems), transparency, and existing copyright-related rules.
Models with systemic risks also require evaluation, cybersecurity, monitoring of incidents. These providers are expected to address systemic risks.
For deployers of GPAIs
Section titled “For deployers of GPAIs”No specific requirements for deployers of GPAIs, although there will be a lot of overlap between deploying a GPAI and deploying an AI system with transparency requirements.
Key takeaways
Section titled “Key takeaways”- AI literacy is the baseline requirement for everyone
- Transparency obligations primarily fall on providers: ensure the person interacting knows the system is not human
- High-risk deployers have significant obligations: human oversight, employee notification, notification to affected persons, correct input data, monitoring, logging, and registration
- High-risk providers bear the heaviest burden: quality management, risk assessments, data governance, and registration
- Most Intric customers are deployers, not providers — but customers who share assistants externally become downstream providers with provider-level obligations
Test your knowledge
4 questions · 100% correct to pass · Review your answers when done