EU ministers on Tuesday unanimously gave their final approval to the Artificial Intelligence Act, a major new law that regulates the use of the transformative technology in "high-risk" situations, such as law enforcement and employment.
The European Union hopes that by laying down strict AI rules relatively early in the technology's development it will address potential dangers in time and help shape the international agenda for regulating AI.
Systems intended for use in "high-risk" situations, which are listed in the law's annexes, will have to meet various standards spanning transparency, accuracy, cybersecurity and quality of training data, among other things. Some uses - such as Chinese-style social credit scoring - will be banned outright.
High-risk systems will have to obtain certification from approved bodies before they can be put on the EU market. A new "AI Office" will oversee enforcement at EU level.
There are also more basic rules for "general purpose" systems that may be used in various situations - some high-risk, others not. For example, providers of such systems will have to keep certain technical documents for audit.
But providers of especially powerful general purpose AI systems will have to notify the European Commission if their system possesses certain technical capabilities.
Unless the provider can prove that their system poses no serious risk, the commission could designate it as a "general-purpose AI model with systemic risk," after which stricter risk-mitigation rules would apply.
Meanwhile, AI-generated content such as images, sound or text would have to be marked as such to protect against misleading deepfakes.
The maximum fine possible in the AI Act - for using an AI system for a prohibited purpose - is up to €35 million ($38 million) or 7% of a company's annual revenue, depending on the type of offender.
Banned uses include systems designed to evaluate or classify people based on their "social behaviour;" to manipulate people subliminally; or to predict who might commit a crime based solely on their personality or characteristics.
For example, the maximum fine for large companies would be whichever of these two limits is higher, but small and medium-sized businesses would see their fines limited to the lower ceiling.
Offenders that are not revenue-earning businesses would be subject to a €35 million maximum fine.
Similarly, for most of the law's other rules - such as the obligations for providers of systems classified as high risk - violations can lead to fines of up to €15 million or 3% of revenue.
Examples of high-risk uses specified in the law include systems designed to recognize someone's emotions; systems for assessing students or employees; or systems used to screen eligibility for essential public services, especially healthcare.
Supplying incorrect, incomplete or misleading information would incur a fine of up to €7.5 million or 1% of revenue.
The fines would be capped lower for EU bodies that break the rules.
The European Commission proposed the first draft of the AI Act in April 2021, having published a "white paper" outlining its plan for a risk-based approach in February 2020.
The European Parliament pushed for much stricter rules - such as a blanket ban on police use of real-time facial recognition to identify people in live CCTV feeds.
But EU member states were reluctant to impose too many restrictions on law enforcement and border security, and feared too much red tape would harm economic competitiveness.
Negotiators for the parliament and the member states finally reached a compromise in December, after several rounds of gruelling late-night talks.
The final law does impose a general ban on real-time facial recognition in live CCTV, but there are exceptions for law enforcement uses, such as finding missing persons or victims of kidnapping, preventing human trafficking, or finding suspects in serious criminal cases.
Now that the law had been finalized by Tuesday's unanimous vote among ministers, it must be signed by the presidents of the EU legislature and then published in the EU's statute book. It then technically becomes law 20 days later, but its various provisions will come into effect gradually over the following two years.