This is our fourth and final EU AI Act lesson. Today we cover transparency obligations for limited-risk AI, deeper detail on GPAI with systemic risk, and the enforcement framework — including penalties that can reach 7% of global turnover.
AI systems classified as limited risk must meet specific transparency obligations:
AI-generated content:
- Content that is image, audio, or video and constitutes a deepfake must be labeled as artificially generated or manipulated
- AI-generated text published to inform the public on matters of public interest must be labeled as AI-generated
- Exception: AI content that undergoes substantial human review and where a human has editorial responsibility
Chatbots and conversational AI:
- Users must be informed that they are interacting with an AI system
- The notification must occur before the first interaction or at the moment of exposure
Emotion recognition and biometric categorization:
- Individuals must be informed when emotion recognition or biometric categorization systems are used
- Must be informed of the type of personal data processed and the purpose
The EU AI Act establishes a tiered penalty structure:
Prohibited AI practices — Up to 35 million EUR or 7% of global annual turnover (whichever is higher)
High-risk AI non-compliance — Up to 15 million EUR or 3% of global annual turnover
Incorrect information to authorities — Up to 7.5 million EUR or 1.5% of global annual turnover
SME and startup adjustments — Lower of the two amounts (flat vs. percentage) applies to SMEs and startups
Enforcement bodies:
- EU AI Office — Enforces GPAI model obligations at EU level
- National competent authorities — Enforce most provisions at member state level
- Market surveillance authorities — Monitor AI products on the market
- National data protection authorities — May enforce AI Act provisions related to fundamental rights
The AI Office is a new body within the European Commission responsible for:
- Enforcing rules on GPAI models (both standard and systemic risk)
- Coordinating with national authorities
- Developing guidance and codes of practice
- Monitoring AI market developments and emerging risks
- Managing the EU database of high-risk AI systems
- International cooperation on AI governance
The AI Office has the power to request information from GPAI model providers, conduct evaluations, and impose penalties for non-compliance.
For the exam, memorize these numbers:
- 4 risk tiers: Unacceptable, High, Limited, Minimal
- 8 Annex III categories: Biometrics, Infrastructure, Education, Employment, Essential services, Law enforcement, Migration, Justice
- 10^25 FLOPs: Threshold for GPAI systemic risk presumption
- 35M EUR / 7%: Maximum penalty for prohibited practices
- 15M EUR / 3%: Maximum penalty for high-risk AI non-compliance
- 7.5M EUR / 1.5%: Maximum penalty for incorrect information
- Article 5: Prohibited practices
- Articles 9–15: Core provider obligations for high-risk AI
- Article 26: Deployer obligations
- Article 50: Transparency obligations
In early 2024, the EU AI Office opened its first major investigation into transparency compliance when it examined how major GPAI providers — including OpenAI, Google DeepMind, and Meta — handled their obligations around training data disclosure. Under the EU AI Act, all GPAI model providers must publish a "sufficiently detailed summary" of training data content. OpenAI faced particular scrutiny because it had historically declined to disclose detailed information about the datasets used to train GPT-4, citing competitive concerns and security considerations. The AI Office signaled that vague or boilerplate summaries would not satisfy the Act's transparency requirements.
Simultaneously, deepfake transparency obligations were tested in the run-up to the 2024 European Parliament elections. Several member states flagged AI-generated political advertisements and synthetic media that lacked the required labeling under Article 50. In one notable case, an AI-generated video mimicking a prominent EU politician circulated widely on social media platforms before being identified as synthetic. The incident accelerated the development of technical standards for content provenance, including the adoption of C2PA (Coalition for Content Provenance and Authenticity) watermarking as a recommended approach for compliance.
For the AIGP exam, these events illustrate the practical tension between transparency requirements and commercial interests for GPAI providers, and the enforcement challenges of deepfake labeling in fast-moving digital environments. They also demonstrate the EU AI Office's central role in GPAI enforcement — a key distinction from the national-level enforcement of other AI Act provisions.
Want to see these concepts applied to full case studies? Check out AIGP Scenarios — 10 real-world governance simulations mapped to the AIGP exam domains.