The structure of the Regulation establishes a detailed risk classification system (Chapter II), which differentiates AI systems based on their potential danger to individuals and society, with particular implications for privacy protection, transparency, and civil liability. AI systems are divided into four levels: unacceptable risk, high risk, limited risk, and minimal risk. For each level, the Regulation imposes specific regulatory requirements that providers must comply with to ensure a balance between innovation and the protection of fundamental rights. For example, high-risk systems are subject to a rigorous conformity assessment that includes cybersecurity management, human oversight, and thorough technical documentation throughout the system’s lifecycle.
Among the fundamental principles of the Regulation is the need for responsible data governance: the quality, representativeness, and non-discrimination of the data used to train AI models must meet high standards of reliability and confidentiality. Compliance with the principle of proportionality is also crucial, requiring that the use of AI be calibrated so as not to unreasonably compromise individual rights. For instance, AI systems that pose high risks to personal dignity and safety, such as real-time biometric surveillance, are strictly regulated or even prohibited.
The course also examines the specific responsibilities of AI system providers and deployers, identified by the Regulation as the main actors responsible for the compliance of systems placed on the European market. Providers are required to implement an iterative risk management system and adhere to strict rules on transparency and traceability of AI models. Deployers, on the other hand, are responsible for the operational supervision of the system, the management of generated data, and the timely reporting of incidents or malfunctions to the competent authorities.
Further attention is dedicated to the recommendations of the European data protection authorities, in particular the European Data Protection Board (EDPB), which has developed guidelines aimed at harmonizing the requirements of the AI Act with the General Data Protection Regulation (GDPR).
The course also includes the analysis of relevant judgments of the Court of Justice of the European Union (CJEU), which establish legal principles applicable to AI systems as well. These include decisions on the right to be forgotten, profiling, and the transparency of decision-making processes, forming the basis of a jurisprudence aimed at protecting fundamental rights in the use of AI. Through guided discussions, participants will examine cases inspired by these rulings, developing a critical ability to interpret legal principles and their applications.
Finally, the course addresses sanctions and enforcement measures, analyzing the penalty system provided by the AI Act for non-compliance with regulatory provisions. Participants will reflect on the deterrent role of sanctions and understand how compliance is not merely a formal obligation but an essential element for building an AI ecosystem consistent with the ethical and legal principles of the European Union.
Mirjana Pejic Bach
English
through online sessions.
