EU AI Act: Key Terms and Definitions

AI System (Article 3(1)): A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. This definition is intentionally broad. It covers traditional machine learning models, deep learning systems, rule-based systems that adapt over time, and hybrid systems. It does not cover simple automation, lookup tables, or deterministic rule systems that cannot be considered to 'infer' outputs. Provider (Article 3(3)): A natural or legal person, public authority, agency, or other body that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge. Deployer (Article 3(4)): A natural or legal person, public authority, agency, or other body that uses an AI system under its authority except where the AI system is used in the course of a personal non-professional activity.

Unacceptable Risk / Prohibited Practices (Article 5): AI systems whose use is prohibited outright in the EU. These include: AI systems that use subliminal techniques or exploit vulnerabilities to distort behaviour in ways that cause harm; social scoring systems used by public authorities; real-time remote biometric identification systems in public spaces for law enforcement (with narrow exceptions); emotion recognition systems in workplaces and educational institutions; and biometric categorisation systems that infer sensitive attributes. High-Risk AI System (Article 6 and Annex III): AI systems that pose significant risks to health, safety, or fundamental rights. These fall into two categories: AI systems that are safety components of products already regulated by existing EU product safety legislation (Annex II); and AI systems that operate in specific domains listed in Annex III. Limited-Risk AI System: AI systems subject to specific transparency obligations under Article 50, including chatbots, synthetic content generators, and emotion recognition systems. Minimal Risk AI System: All remaining AI systems. No specific obligations under the Act, though the EU AI Act encourages voluntary adoption of codes of conduct.

Conformity Assessment (Article 43): The process by which a provider demonstrates that a high-risk AI system complies with applicable requirements. For most systems, this is a self-assessment. For certain systems (biometric identification, AI in safety-regulated products), third-party notified body assessment is required. CE Marking: The marking placed on a high-risk AI system after successful conformity assessment, indicating EU compliance. The CE marking for AI is affixed under the EU AI Act framework and may also include CE markings from other applicable product legislation. Technical Documentation (Annex IV): The comprehensive technical file that providers must create and maintain for all high-risk AI systems. It must be available to supervisory authorities on request and must be kept for at least 10 years after last market placement. Post-Market Monitoring (Article 72): The proactive process by which providers collect and review data from deployed AI systems to identify emerging risks and compliance issues. It is an ongoing obligation, not a one-time assessment. Systemic Risk (Article 3(65)): For GPAI models, a risk arising due to high-impact capabilities (as indicated by training compute above 10^25 FLOPs or as designated by the EU AI Office) that could significantly impact the internal market or pose threats to public health, safety, public security, or fundamental rights.

Authorised Representative (Article 22): A natural or legal person established in the EU mandated by a non-EU provider to act on their behalf regarding EU AI Act compliance. Non-EU providers placing AI systems on the EU market must designate an authorised representative before market placement. Notified Body (Article 3(21)): A conformity assessment body designated by a member state and notified to the European Commission to carry out third-party conformity assessments. Notified bodies must be accredited and technically competent for the specific AI domains they assess. Market Surveillance Authority (Article 3(26)): The national authority responsible for market surveillance activities — monitoring AI systems placed on the market to ensure compliance. In Ireland, DRAI (Digital, Research and Artificial Intelligence Authority) is the market surveillance authority for general-purpose AI systems. Fundamental Rights Impact Assessment (Article 27): A structured assessment conducted by deployers of high-risk AI systems to evaluate the potential impact on fundamental rights. Mandatory for public authorities and private bodies providing essential services; recommended as best practice for others.