A central aspect of the EU AI Act concerns the promotion of AI systems with a free open source license. Corresponding AI systems are not even covered by the EU AI Act. But what are the “exceptions to the exception”? And what exactly must be disclosed and how? Clear information is rare. A search for clues that yields some surprising results.

• Free and open source AI systems are not subject to the EU AI Act, see Art. 2 (12) EU AI Act.
  
• Exceptions: Prohibited AI, high-risk AI and in the case of AI that falls under Article 50 EU AI Act (e.g. chatbots and generative AI for media).
  
• In case of doubt, all components must be disclosed for an AI system to fall under Article 2 (12) EU AI Act.
  
• With regard to the type of documentation, there are hardly any requirements in the EU AI Act.
  
• The most important aspects are summarized in a matrix at the end of the article.

Articles of the EU AI Act mentioned in this post (German)

• Artikel 2 EU AI Act
• Artikel 3 EU AI Act
• Artikel 5 EU AI Act
• Artikel 6 EU AI Act
• Artikel 25 EU AI Act
• Artikel 50 EU AI Act
• Artikel 53 EU AI Act
• Artikel 55 EU AI Act

Please note that the original text of this article is based on the official German translation of the EU AI Act. Its wording may differ in part from the English version of the EU AI Act.

Open source AI systems within the meaning of the EU AI Act

Article 2 (12) EU AI Act states that AI systems within the meaning of Article 3 No. 1 EU AI Act with free and open source licenses are not covered by the EU AI Act.

The following overview by openfuture outlines the general path of different open source variants of the EU AI Act:

• for AI systems
• for GPAI models

The overview shows:

• Only AI systems can be considered as an open source exception to the EU AI Act.
• GPAI models with a general-purpose within the meaning of Article 3 No. 63 EU AI Act always fall under the EU AI Act. However, as open source, they may be subject to simplified rules.

As this article focuses on the exception for AI systems, two different questions arise:

1. Which open source AI system does not fall under the exception of Article 2 (12) EU AI Act in the first place?
2. Which components of an AI system must be disclosed and how in order for the exemption to apply?

In summary, the combination of both aspects results in the following workflow. See also the checklist for open source AI systems.

As will be shown shortly, in practice there is not much left of the open source privilege for AI systems in many cases. It is therefore important to always check first whether an exception exists at all.

1. Exceptions to the open source privilege

First of all, the question of when the exception for open source does not even come into consideration. This is the case with:

1. prohibited AI practices within the meaning of Article 5 EU AI Act,
2. in the case of high-risk AI within the meaning of Article 6 EU AI Act and
3. in the cases of Article 50 EU AI Act.

1.1 Exeptions in detail

Points 1 and 2 are comparatively self-explanatory.

• Prohibited AI systems remain prohibited even as open source variants.
• And a high-risk AI system remains high-risk even with a free and open-source license due to the focus on the risks of the use case.

However, the third “exception to the exception” is more cryptic: The reference to Article 50 EU AI Act:

• According to paragraph 1, this article initially refers to “AI systems intended to interact directly with natural persons”. These are in particular AI chatbots.
• Paragraph 2 concerns “AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content”. This refers to two types of generative AI:
  • GPAI systems within the meaning of Article 3 No. 66 EU AI Act – i.e. those which include a general-purpose AI model within the meaning of Article 3 No. 63 EU AI Act and which are used to generate synthetic media .
  • However, due to the wording “including”, other generative AI systems that are not GPAI models are also affected if they generate synthetic media.
  • Both variants are AI systems that (could) be used for deepfakes or the dissemination of fake news within the meaning of paragraph 4. They are always subject to the EU AI Act.

Note: AI chatbots always fall under the EU AI Act – no matter what type of open source or variant of AI model is integrated. And generative AI (either based on a GPAI model or another generative AI model) also does not fall under the exceptions of Article 2 (12) EU AI Act if it is used or can be used to create synthetic media.
Here the question of whether a GPAI model is integrated with or without systemic risks within the meaning of Article 3 No. 66 EU AI Act is irrelevant at all. The question of whether GPAI models such as Llama 2 are open source or not would also be moot, at least with regard to the exception for open source AI systems examined here (this PDF from iit-Berlin is very informative on this otherwise very important topic).

1.2 Classification of the exceptions for generative AI

While the reference to prohibited AI practices and high-risk AI is clear, the undifferentiated reference to Article 50 EU AI Act is not really successful! This is simply because the arcticle lists several AI variants that are simply lumped together in terms of open source.

As a result, the EU AI Act has been “extended by the back door” to include an almost unmanageable number of AI systems and AI models. The mere wording “including general-purpose AI systems”. By inference, this means that “other generative AI systems”, including their models, are also affected by the EU AI Act, without any recognizable criteria for the quality of synthetic media results,

Legal certainty and promotion of open source looks different …

2. Open vs. Closed Source

Assumes that there is no “exception to the exception” in an AI system: What exactly does this mean? Which components of an AI system must be disclosed and how in order to benefit from the exception?

Despite intensive research, there is hardly any publicly available information on this subject. Neither in the EU AI Act itself, nor in specialist articles. In this respect, this article is primarily based on the interpretation of arcticles, the annexes and the recitals of the EU AI Act as well as their methodical interpretation.

Firstly, the term “open source” (which is only used in the English version). The German version of the EU AI Act refers to “frei und quelloffen” (which means more or less the same).

Both criteria must be present cumulatively, i.e:

1. Free licenses must be granted: Freedoms for the use, distribution and modification of the work. (e.g. Creative Commons licenses).
2. Open source licenses must be granted: These refer, among other things, to the freedom to examine, modify and redistribute the source code.

This article focuses primarily on the second criterion.

However, despite the workflow, it remains unclear which details must be disclosed for an AI system with a free and open source license. The relevant information is difficult to find in the EU AI Act. It is necessary to create an overall picture from a lot of individual information and the protective purpose of the law.

3. Components of AI systems

First, the criteria and components of AI systems. Article 3 No. 1 of the EU AI Act provides initial guidance. Apart from the term “machine”, which is also emphasized in Number 12 of the recitals, there are actually only indirect references with regard to those components that are relevant for open source.

AI systems within the meaning of the EU AI Act can have a variety of different components:

• AI systems can contain (several) AI systems:
  • Both AI systems with a specific intended use
  • as well as GPAI systems with a general-purpose (see Article 3 No. 66 EU AI Act) – however, the exception of Article 2 (12) EU AI Act does not apply to these (see above).
• It can also contain several AI models:
  • Specific AI models (see recommendation of a definition for AI models)
  • Specific AI models can also be based on simple machine learning algorithms, but can also be generative (in case of doubt, the exception does not apply to the generation of media, see above)
  • as well as GPAI models in the sense of (cf. Article 53 EU AI Act) or GPAI models with systemic risks (cf. Article 3 No. 65, Article 55 EU AI Act) – here too, the exception of Article 2 (12) EU AI Act does not apply (see above).
• It can connect additional data sources:
  • Knowlegde Graphs, for example.
  • or your own (local) data via API
• The AI system also contains the interaction interface:
  • as an application interface or as a browser interface (in the case of direct interaction with natural persons, the exception also does not apply, see above)
• as another interaction interface (e.g. as part of a higher-level component)
• The hardware, on the other hand, should not generally have a major impact on the decision-making of an AI system. However, it should not hurt if this information is also disclosed. Exceptions are certainly conceivable here too, e.g. in the case of a pacemaker (which, as a high-risk AI system, falls under the EU AI Act anyway). However, this is probably not the case for an AI chatbot.

3.1 AI model

The AI model must always be disclosed. There is an interesting reference to this in number 87 of the recitals:

“Developers of free and open source tools, services, processes or AI components that are not general-purpose AI models should be encouraged to use widely available documentation methods, such as model maps and datasheets, as a means to accelerate the exchange of information along the AI value chain so that trustworthy AI systems can be promoted in the Union”

This formulation, which is also discussed in this article, is a kind of recommendation to use recognized disclosure procedures. It therefore does not concern the “whether” but the “how” of disclosure – the “whether” is virtually assumed. Conversely, it can therefore be argued that “tools”, “services”, “procedures” and other “AI components” such as a specific AI model must always be disclosed!

It should be noted that the provider of the AI system is also considered a downstream provider within the meaning of Article 3 No. 68 EU AI Act for “specific” AI models. The provider therefore bears full responsibility for ensuring that the AI model is appropriately disclosed.

However, this also means that there are no clear standards in this regard. In case of doubt, the manufacturer of the AI system can therefore decide for itself which instruments are to be used for documentation (e.g. model cards). However, it must be assumed that training data, algorithms and parameters of the model must be disclosed “somehow”. If this is the case, the exception of Article 2 (12) EU AI Act may apply – assuming that all other relevant components are also disclosed. More on this in a moment.

3.2 Additional Connected Data

It is difficult to assess whether and to what extent additional data sources, e.g. connected via API or Knowledge Graphs, must also be disclosed. Since the criterion “free license” is always required in addition to “open source”, this should be assumed: Because the sublicenses for the corresponding components would also have to be at least free and, in case of doubt, also open source.

In this regard, the type and type of integration of knowledge graphs, for example, plays  an important role. These are alo available as Open Source. Here, too, there are many variants, which are not all to be considered in the same way. In case of doubt, it is advisable to make all related data and add-ons public.

3.3 Interaction interface

It is no different with regard to the interaction interface (as long as it is not an AI chatbot). Among other things, it has an influence on the input and the final output of the system. The question of whether and how the AI system trains the AI model via the interface could also be relevant. This aspect plays an important role, at least for high-risk AI, see Article 10 (1), (6) EU AI Act. It should also be relevant with regard to open source in general.

In this respect, all source code must also be disclosed in this respect.

4. Conclusion

The privilege for open source is quite unclearly structured overall. In practice, it will probably be particularly important where AI either does not interact at all or only indirectly with natural persons, e.g. in the area of machine2machine communication or the analysis of data etc.

In order to fall under the exception of Article 2 (12) EU AI Act within the rather limited range of applications, the following components should be free and open source:

1. The AI model used, including how it works.
2. The additional data connected to the AI system.
3. In addition, the input and output components, i.e. the connection to the interface.

At least as long as there are no clear guidelines in this regard.

The whole thing again as a matrix overview:

There are hardly any binding regulations regarding the type of documentation. In addition, the company size of the provider is also used as a benchmark. For example, number 103 of the recitals calls for company size to be taken into account as a factor in the application of the EU AI Act. This means that smaller companies may have to meet less stringent disclosure requirements than larger ones.

Of course, the question arises as to whether and how the use of open source AI could be promoted in view of the ambiguities. In view of the ambiguity, however, the current rather vague wording – with the exception of the integration of GPAI models – can certainly be seen as an opportunity: There are few specifications and there is therefore also a lot of freedom and flexibility!

Links to the articles of the EU AI Act mentioned in this post (German):

• Artikel 2 EU AI Act
• Artikel 3 EU AI Act
• Artikel 5 EU AI Act
• Artikel 6 EU AI Act
• Artikel 25 EU AI Act
• Artikel 50 EU AI Act
• Artikel 53 EU AI Act
• Artikel 55 EU AI Act

Checklists and Workflows:

• CAIR4: Opensource i.S.d. EU AI Acts
• openfuture: Workflow

Further articles on the topic:

• datainnovation.org
• trending topics.eu
• orrick.com
• hackernoon.com

About the Autor:

Oliver M. Merx