Introduction
As Artificial Intelligence (hereinafter “
AI”) continues to develop at an unprecedented pace and becomes an integral part of daily life, it has evolved into a critical tool that is fundamentally transforming economic, social and institutional activity. With such technological change inevitably comes legal and regulatory uncertainty. It is therefore essential for all sectors, including the legal field, to adapt to the realities shaped by AI. In the absence of an appropriate legal framework, particularly in relation to rapidly emerging technologies, significant risks to public interests and fundamental rights may arise.
In 2024, the European Union (hereinafter “
EU”) adopted Regulation (EU) 2024/1689, the Artificial Intelligence Act (hereinafter “
the Act”), which constitutes the first comprehensive and binding legal framework governing AI systems across the Union.
The Act seeks to ensure the smooth functioning of the internal market, while guaranteeing a uniform and high level of protection for public interests and fundamental rights in the development, placing on the market and use of AI systems. To avoid regulatory fragmentation, reduce legal uncertainty and facilitate cross‑border deployment, it harmonises obligations applicable to operators throughout the Union, thereby providing consistent safeguards for health, safety, democracy, the rule of law and fundamental rights. It establishes EU‑wide rules governing the placing on the market, use and monitoring of AI systems and general‑purpose AI models, including prohibitions of certain harmful practices, requirements for high‑risk systems, transparency obligations, and governance and enforcement mechanisms. At the same time, the Act promotes a human‑centric, transparent, trustworthy, non‑discriminatory and environmentally responsible approach to AI, while fostering innovation and competitiveness—particularly for SMEs and start‑ups—within a European ecosystem aligned with the Union values.
As a Member State of the EU, and in light of its rapidly developing digital economy, the Republic of Cyprus is required to ensure full compliance with the Act and facilitate its effective implementation at national level.
Overview
The Act introduces a comprehensive regulatory framework governing the development, deployment and distribution of AI systems within the EU. The Act creates new compliance duties, contractual risks, and governance expectations, particularly in relation to:
- Prohibited AI practices (Chapter II; Article 5)
- High‑risk AI systems (Chapter III; Articles 6–29)
- Transparency obligations for limited‑risk AI (Chapter IV; Article 50)
- General‑Purpose AI (GPAI) models (Chapter V; Articles 51–55)
Prohibited AI Practices, High-Risk AI Systems and obligations of providers of high-risk AI systems and other parties
Delving deeper into the Act, the Act uses a risk-based framework that categorizes AI systems into four levels with corresponding rules:
(i) Prohibited AI practices
Article 5 of the Act establishes a category of prohibited AI practices, where the use of artificial intelligence is deemed to pose an unacceptable risk to fundamental rights and public interests. These prohibitions target AI systems that manipulate human behaviour through subliminal, deceptive or exploitative techniques, particularly where such practices impair informed decision-making or exploit vulnerabilities linked to age, disability or socio-economic status. The Act also prohibits social scoring systems that lead to unjustified or disproportionate detrimental treatment of individuals, as well as AI systems that predict criminal behaviour based solely on profiling or personality traits.
Further prohibited practices include:
- the creation of facial recognition databases through untargeted scraping,
- the inference of emotions in workplace and educational contexts (save for medical or safety purposes), and
- biometric categorisation systems that deduce sensitive personal attributes such as political opinions, religious beliefs or sexual orientation.
The use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes is in principle prohibited and is permitted only under narrowly defined and strictly necessary exceptions related to serious crimes, imminent threats, or the search for victims or missing persons. Even within these exceptions, such use is subject to stringent safeguards, including prior judicial or independent administrative authorisation, necessity and proportionality assessments, fundamental rights impact assessments, registration obligations, and ongoing national and EU-level oversight and reporting. Collectively, these prohibitions reflect the EU’s commitment to preventing AI practices that undermine human dignity, autonomy, equality and fundamental rights.
(ii) High-Risk AI systems
Article 6 of the Act establishes the criteria for classifying high‑risk AI systems. Under this provision, an AI system is designated as high‑risk if it falls within one of two categories:
First category: an AI system is considered high‑risk where it is linked to regulated products covered by the Union harmonisation legislation listed in Annex I. This applies where both of the following conditions are satisfied:
- the system is intended to be used as a safety component of a product, or constitutes a product in its own right, falling within the scope of the legislation enumerated in Annex I (such as machinery, medical devices, toys or vehicles); and
- the relevant product is subject to a third‑party conformity assessment prior to being placed on the market or put into service.
Second category: an AI system is classified as high‑risk where it is included among the stand‑alone use cases listed in Annex III. These encompass, inter alia:
- biometric identification and categorisation;
- the management and operation of critical infrastructure;
- education and vocational training;
- employment, worker management and access to self‑employment;
- access to essential public and private services;
- law enforcement;
- migration, asylum and border control; and
- the administration of justice and democratic processes.
It should be noted that certain systems listed in Annex III may be exempted from high‑risk classification where the specific conditions set out in Article 6(3) are met (e.g., when the AI system intends to narrow procedural tasks, to improve the result of a previously human activity).
High‑risk AI systems are permissible under the Act, however, they are subject to stringent regulatory obligations, due to their potential impact on individuals’ health, safety and fundamental rights. Therefore, this category includes both AI systems integrated into regulated products and the stand‑alone systems identified in Annex III, such as those used in medical devices, employment and worker management, educational assessment, law enforcement, migration and border control, the administration of justice, and the provision of essential services. In such contexts, the consequences of malfunction, discriminatory outcomes or misuse may be particularly severe, thereby warranting enhanced safeguards.
Consistent with the Act’s risk‑based regulatory architecture, providers and users of high‑risk AI systems must comply with a detailed set of obligations. These include requirements relating to risk management, data governance and data quality, technical documentation, record‑keeping, transparency, human oversight, robustness, accuracy, cybersecurity, and post‑market monitoring. Collectively, these obligations are intended to ensure that high‑risk systems operate in a manner consistent with the EU values and fundamental rights, and that risks are systematically identified, mitigated and monitored throughout the system’s lifecycle. Reflecting the centrality of this category within the overall regulatory framework, a substantial proportion of the Act’s operative provisions is devoted to the governance of high‑risk AI systems.
Moreover, Articles 8-17 of the Act require high-risk AI system providers to implement a comprehensive risk and quality management framework across the system’s lifecycle, including robust data governance to ensure appropriate datasets. The providers must prepare technical documentation demonstrating regulatory compliance, enable automatic record-keeping for risk monitoring and system modifications, and provide clear instructions for downstream deployers. Additionally, systems must support effective human oversight and be designed to meet appropriate standards of accuracy, robustness, and cybersecurity.
(iii) Limited Risk AI systems and applicable transparency obligations
Limited-risk AI systems, although not defined in a standalone article, are treated under the Act as systems that are not high risk but are nonetheless subject to lighter transparency obligations.
Article 50 of the Act, sets out the duties that apply specifically to limited‑risk AI systems, such as:
- informing users when they are interacting with an AI system,
- labelling synthetic or manipulated content (e.g., deepfakes),
- disclosing the use of emotion‑recognition or biometric categorisation systems.
(iv)Minimal / no risk systems
Minimal / no risk systems are unregulated as they pose no significant threats.
General -Purpose AI
The Act introduces a dedicated regulatory framework for General-Purpose AI models (hereinafter
“GPAI models”). Article 2 of the Act defines a GPAI model as
“
an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market.”
This definition clarifies that the concept covers AI models with broad, versatile abilities, instead of ones designed for only one use.
Moreover, article 2 further defines “
systemic risk” as “
a risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights or society as a whole, that can be propagated at scale across the value chain.”
Under this definition, the Act recognizes that some models can create large, rippling harms because of their scale and widespread use.
GPAI models are subject to a dedicated regime under Chapter V (Articles 51–55) of the Act. Lawmakers created these rules because large scale AI systems could end up influencing many different tools, products or sectors at once, which means they can create wide-ranging risks:
- Article 51 establishes the criteria for classifying a GPAI model as posing systemic risk, introducing a presumption of high-impact capability where the cumulative training computation exceeds 10²⁵ floating-point operations, while also empowering the Commission to designate models ex officio or following scientific alerts on the basis of qualitative criteria set out in Annex XIII and to recalibrate thresholds by delegated acts.
- Article 52 sets out the notification, designation, reassessment and publication procedures applicable to systemic-risk GPAI models, including providers’ rights to contest designation and request periodic reassessment, as well as the Commission’s competence to maintain and publish a public register of designated models.
- Articles 53 and 54 establish the baseline obligations applicable to all GPAI providers, including detailed technical documentation, transparency obligations towards downstream providers, copyright-compliance policies, and the public disclosure of training data summaries, as well as the mandatory appointment of authorised representatives for non-EU providers. Limited derogations apply to certain open-source GPAI models pursuant to Article 53(2) and Article 54(6), which do not apply where the model presents systemic risk.
- Article 55 imposes enhanced obligations on providers of systemic-risk GPAI models, including mandatory state-of-the-art model evaluations, adversarial testing, Union-level systemic risk identification and mitigation, serious incident reporting, and cybersecurity safeguards, thereby operationalising the Act’s risk-based regulatory architecture for the most powerful and widely deployable AI models.
Special Provisions for Open-Source AI
As is evident from the above analysis, recognising the innovation-enhancing potential of free and open-source development, the Act establishes a narrowly circumscribed derogation from certain baseline obligations applicable to GPAI models released under genuine free and open-source licences. Pursuant to Articles 53(2) and 54(6), providers of such models are exempted from the documentation and downstream-provider transparency obligations laid down in Article 53(1)(a) and (b), as well as from the requirement to appoint an authorised representative within the Union, provided that the licence allows for access, use, modification and distribution of the model and that the model’s parameters, including its weights, architecture and information on model usage, are made publicly available.
These derogations are expressly inapplicable where a GPAI model is classified as presenting systemic risk. In such cases, the full set of obligations under Articles 53, 54 and 55 applies irrespective of the licensing status of the model. This ensures that open-source release cannot be relied upon to circumvent the enhanced transparency, governance, cybersecurity and systemic-risk-mitigation safeguards imposed on high-impact general-purpose AI models under the Union’s risk-based regulatory framework.
Enforcement and Sanctions
The Act establishes a comprehensive enforcement architecture designed to ensure uniform, effective and deterrent application across the Union. Pursuant to Articles 99–101, the Regulation introduces a graduated system of administrative fines reflecting the severity of the infringement and the economic capacity of the infringing undertaking. Non-compliance with the prohibitions of Article 5, which concern AI practices presenting unacceptable risk, may attract administrative fines of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. Infringements of other substantive obligations under the Act, including those applicable to high-risk AI systems and general-purpose AI models, may result in fines of up to EUR 15 million or 3% of worldwide annual turnover, while the provision of incorrect, incomplete or misleading information to competent authorities may be sanctioned by fines of up to EUR 7.5 million or 1% of worldwide annual turnover. These sanctions constitute some of the most significant fines and remedial mechanisms provided by the Act and are complemented by corrective measures, withdrawal orders and restrictions on market access. Within this harmonised framework, Member States retain limited discretion to specify national enforcement procedures, subject to the principles of effectiveness, proportionality and dissuasiveness.
Transitional Regime under the Act
The Act enters into force through a phased implementation schedule beginning on
2 February 2025 (Article 113(a)), when the general provisions—including definitions, AI literacy requirements and the prohibitions set out in Chapter II—became applicable.
By
2 August 2025 (Article 113(b)), the regulatory framework for GPAI took effect, requiring providers to comply with the obligations in Chapter V, while Member States were required to designate national competent authorities, adopt national penalty regimes and the Union was required to establish its governance architecture, including the AI Board, Scientific Panel and Advisory Forum.
The core operational provisions of the Act will apply from
2 August 2026 (Article 113), at which point the majority of obligations will become enforceable.
Finally, from
2 August 2027, the rules governing high‑risk AI systems embedded in regulated products— notably those subject to existing sectoral product‑safety legislation— will become fully applicable, completing the Act’s staged transition to full regulatory operation.
Competent Authorities in Cyprus
The Council of Ministers, by its decision dated 22 January 2025, proceeded with the designation of the national competent authorities, fulfilling the requirements set out in Article 70 of the Act.
In particular, the following authorities have been designated:
- The Deputy Ministry of Research, Innovation and Digital Policy (DMRID) is responsible for the overall coordination of the implementation of the Act at national level and for representing the Republic of Cyprus at the European Artificial Intelligence Board (AI Board).
- The Commissioner of Electronic Communications has been designated as:
- Notifying Authority
- Market Surveillance Authority (MSA)
- Single Point of Contact for the application of the Regulation in Cyprus
- The Commissioner for Personal Data Protection has been designated as:
- Market Surveillance Authority (MSA) for high-risk AI systems referred to in points 1, 6, 7, and 8 of Annex III of the Act. Additionally responsible for the enforcement of prohibited AI practices under Article 5, insofar as they fall within her domain of competence.
Conclusion
The Act marks a structural shift in the regulation of digital technologies, introducing binding, risk-based obligations that will reshape how AI is developed, deployed and governed across the Union. Businesses must promptly identify and classify their AI systems, assess contractual and supply-chain exposure, implement internal governance frameworks, and establish documentation, transparency and risk-management procedures aligned with the Act’s requirements.
How we can help
Our
Technology, Media and Telecommunication team includes of lawyers who are well positioned to support organisations throughout this transition by providing regulatory gap analyses, draft new and/or review old contracts and representation before supervisory authorities, thereby enabling clients to achieve lawful, secure and commercially sustainable deployment of artificial intelligence.