Rules for High-Risk AI Systems under the AI Act

How to Allocate Responsibility Along the AI Value Chain

The European Union (EU) AI Act is now in force, but its impact will depend on how it is implemented. Modern artificial intelligence (AI) systems are rarely static: they are updated, repurposed, and incorporate inputs supplied by different companies, including general-purpose models, cloud services, and data.

This creates two central questions for policy makers and firms: when does a change to an AI system create new legal duties, and how should responsibility be shared between the actors that develop, supply, adapt, and deploy AI systems?

Challenges

The AI Act sets different rules for different AI systems based on a risk categorisation. However, a system’s risk profile can change over time. A routine update, a new dataset, or a new use case might move a system into the high-risk category, while a tool initially developed for one purpose might later be adapted for another. These modifications might be undertaken by the AI system’s original provider or by another party.

These questions are particularly complex for general-purpose and agentic AI systems, which do not have a single fixed purpose. Uncertainty about when a substantial modification occurs, or when a change of purpose creates new provider obligations, can create uncertainty and deter investment in high-value areas. This is of particular concern for AI deployment in sectors like healthcare and education, where AI can offer significant social benefits.

Policy Directions

Addressing these issues requires clearer guidance on when changes to AI systems trigger new obligations. The AI Office should provide practical criteria for assessing when such a ‘substantial modification’ might occur and changes of purpose, including indicative examples of what does and does not qualify.

Clearer guidance would give firms more predictable reference points and help ensure that legal obligations follow meaningful changes in risk, rather than minor technical adjustments.

Responsibility also needs to be allocated in a workable way along the AI value chain  – with clear rules about how different parties in the value chain should cooperate and notify each other about modifications. As value chains become more complex, a high-risk provider may not be able to identify, let alone contract with, every upstream supplier.

A pragmatic approach would anchor obligations in existing contractual relationships. Information should flow through direct contractual links, supported by different forms of disclosure: public disclosure, confidential exchange, and disclosure to regulators for the most sensitive material. Voluntary model contract terms from the AI Office could help turn this into common practice.

A Timely Opportunity

The AI Office is now developing the guidelines that will determine how these rules work in practice, while the proposed Digital Omnibus may reshape the high-risk regime further.

Getting this right will be critical. Clearer rules on substantial modification, changes of purpose, and information sharing can reduce legal uncertainty, support innovation, and ensure that responsibility follows the actors best placed to manage risk.