EU Regulations and Compliance Archives - Blakistons

How Europe’s new AI rulebook would (and wouldn’t) touch autonomous combat aircraft—and what the defence carve?outs really mean

admin.richard — Thu, 06 Nov 2025 18:28:20 +0000

By Richard Ryan, barrister and drone lawyer

How Europe’s new AI rulebook would (and wouldn’t) touch autonomous combat aircraft — and what the defence carve-outs really mean.

In Brief…

Purely military AI systems are out of scope of the EU AI Act. If an AI system is developed or used exclusively for military/defence or national-security purposes, the Act does not apply. (EUR-Lex)
Dual-use is different. If the same autonomy stack, sensors or models are marketed or used for civilian purposes in the EU (for example, civil UAS, border or law-enforcement tasks), the Act can apply — with stringent duties for “high-risk” systems. (EUR-Lex)
Real-world testing is regulated. Pre-market R&D is generally excluded, but real-world testing isn’t — it requires specific safeguards and registration. (EUR-Lex)
Foundation models (GPAI) have their own rules from 2 Aug 2025; the defence carve-out in the Act is written for AI systems, not explicitly for models. If a model is placed on the EU market generally, the provider’s GPAI obligations can still bite. (EUR-Lex)

Context: sUAS News reports that GA-ASI is showcasing its autonomous fighter portfolio (for example, YFQ-42A CCA, MQ-20 Avenger) at the International Fighter Conference in Rome, 4–6 Nov 2025. This post overlays that scenario with the EU AI Act’s rules.

1) First principles: When does the EU AI Act apply?

The Act has extraterritorial reach. It covers (i) providers and deployers in the EU, (ii) providers placing on the EU market or putting systems into service in the EU — even if they are not established here — and (iii) providers/deployers in third countries where the AI system’s output is used in the EU. (EUR-Lex)

However, Article 2(3) draws a bright line: the Act does not apply to AI systems used exclusively for military, defence or national security. It also does not apply where a system is not placed on the EU market but its output is used in the EU exclusively for those purposes. Recital 24 reiterates this and clarifies that non-defence use falls back under the Act. (EUR-Lex)

What this means in Rome:

A closed, defence-only showcase for European militaries: out of scope.
A civil-use pitch, civil flight trials, or plans to sell autonomy modules to EU civilian buyers: in scope (see the high-risk section below). (EUR-Lex)

2) The key defence carve-outs (and their limits)

Carve-out #1 — Defence/military:

“This Regulation shall not apply to AI systems … used exclusively for military, defence or national security purposes.” (Article 2(3))

Two important nuances:

Exclusivity matters. The moment an autonomy stack or sensor suite is also marketed or used for civilian or law-enforcement tasks, the defence exclusion no longer shields those non-defence uses. (EUR-Lex)
Models vs systems. The text explicitly excludes AI systems for defence; it does not create an explicit defence exclusion for general-purpose AI models. If a GPAI model is placed on the EU market, Chapter V obligations for model providers can still apply — even if one downstream customer is a defence user. (More on GPAI below.) (EUR-Lex)

Carve-out #2 — Pre-market R&D:
R&D before placing on the market is generally outside scope, but real-world testing is not. Testing in real-world conditions triggers a dedicated regime (for example, registration, time limits, informed consent or special conditions for law enforcement, incident reporting). (EUR-Lex)

Carve-out #3 — Emergency derogations (non-defence):
For exceptional public-security reasons (or imminent threats to life/health), market surveillance authorities can authorise temporary use of a high-risk AI system before full conformity assessment — subject to strict conditions. Law-enforcement or civil-protection bodies can also use in urgent cases, then seek authorisation without undue delay. This is not a defence-specific carve-out, but it explains emergency deployments outside the military context. (EUR-Lex)

3) If the defence exclusion doesn’t apply, would autonomous fighters tech be “high-risk”?

Very likely yes — for civil variants or dual-use spin-outs:

Annex I (product-safety route). AI that is a safety component of products covered by sectoral EU safety laws is high-risk where those products need third-party conformity assessment. That list explicitly includes EU civil aviation law (Reg. 2018/1139) — covering unmanned aircraft and their remotely controllable equipment. In a civil-UAS configuration, an autonomy stack acting as a safety component would be regulated as high-risk. (EUR-Lex)
Annex III (stand-alone uses). Separate “high-risk” buckets also capture, for example, remote biometric identification and other sensitive functions (if and where permitted by Union/national law), critical infrastructure safety components, and more. If a fighter-born sensing suite were repurposed for civil border surveillance or public-space identification, you quickly hit these Annex III categories. (EUR-Lex)

What “high-risk” demands in practice
Providers must implement a risk-management system, data governance, technical documentation, logging, transparency/instructions, human oversight, and accuracy/robustness/cybersecurity — then pass conformity assessment, issue an EU Declaration of Conformity, and affix CE marking. Deployers also carry duties (for example, monitoring, data relevance, user notification in some cases). (EUR-Lex)

4) Sensors on show: what about face recognition and other “red lines”?

The EU bans several AI practices outright (from 2 Feb 2025), including:

Untargeted scraping of facial images to build recognition databases.
Biometric categorisation inferring sensitive traits (for example, race, political opinions, religion).
Emotion recognition in workplaces or schools (with narrow safety/medical exceptions).
Predictive “risk assessments” of criminality based solely on personality traits/profiling.
Real-time remote biometric identification (RBI) in public spaces for law enforcement — unless strictly authorised and necessary for narrowly defined objectives (for example, locating a specific suspect in serious crimes, preventing a specific imminent threat, finding missing persons), with prior judicial/independent approval and registration. (EUR-Lex)

Implication for a trade-show demo: training a camera on attendees to test real-time RBI in a public venue would likely be unlawful unless those strict law-enforcement exceptions and procedural safeguards apply — which they typically will not at a commercial defence conference. (EUR-Lex)

5) Real-world testing in the EU (civil or dual-use variants)

If a provider runs real-world flight tests in the EU (outside the defence exclusion), the Act requires — among other things — registration, an EU-established entity or EU legal representative, limits on duration (normally up to six months, extendable once), rules on informed consent (with special handling for law-enforcement tests), qualified oversight, and the ability to reverse/ignore the system’s outputs. Serious incidents must be reported promptly. (EUR-Lex)

6) Foundation models (GPAI): obligations can still attach

From 2 Aug 2025, Chapter V sets baseline transparency and copyright-policy duties for providers of general-purpose AI models (with extra obligations if the model presents systemic risks). The defence exclusion in Article 2(3) is framed for AI systems, not models. So, if a foundation model is placed on the EU market, the model provider can have obligations even if a downstream customer is a defence prime. (Open-source specifics and systemic-risk thresholds also apply.) (EUR-Lex)

7) Timelines you need in Rome (as of 6 Nov 2025)

Entry into force: 1 Aug 2024 (20 days after OJ publication).
Prohibited practices + core chapters (I–II): apply from 2 Feb 2025.
GPAI rules (Chapter V), plus other chapters (III §4, VII, XII, and Article 78): apply from 2 Aug 2025.
General application: 2 Aug 2026 (high-risk regime starts to bite broadly).
Article 6(1) Annex III classification trigger & related obligations: 2 Aug 2027. (EUR-Lex)

8) Enforcement and penalties

Violating prohibited practices (Article 5) can draw fines up to €35m or 7% of worldwide annual turnover, whichever is higher.
Other operator obligations can reach €15m or 3%; supplying misleading information can reach €7.5m or 1% (SMEs benefit from caps). Separate fine scales apply to EU institutions. (EUR-Lex)

9) Practical playbook for IFC attendees

If you are a defence OEM showing autonomy stacks:

Map uses: Defence-only (excluded) vs any civil or law-enforcement pathways (potentially in scope). Document the exclusivity of defence deployments if you rely on the carve-out. (EUR-Lex)
GPAI suppliers: If you place a foundation model on the EU market, expect Chapter V duties regardless of defence customers. (EUR-Lex)
No RBI demos on the show floor. Those prohibitions already apply in 2025. (EUR-Lex)
Planning EU flight tests for civil variants? Prepare for real-world testing conditions (registration, oversight, incident reporting). (EUR-Lex)
For civil UAS commercialisation, treat your autonomy as high-risk (EASA product-safety route), budget time for conformity assessment and CE marking. (EUR-Lex)

If you are a European ministry or agency:

Distinguish military operations (out of scope) from law-enforcement or border uses (in scope; watch RBI limits and high-risk duties). Consider Article 46 emergency derogations only in exceptional and documented cases. (EUR-Lex)

If you are a civil UAS integrator:

Expect the full high-risk package (risk management, data governance, human oversight, cybersecurity, logs, conformity assessment, CE). Build compliance into your system architecture, ML pipelines, safety cases, and ops manuals from day one. (EUR-Lex)

10) Quick decision pathway

Is the use exclusively defence or national security?
Yes: AI system is out of scope.
No: continue. (EUR-Lex)
Is it a civil product or law-enforcement/border use?
Civil product with safety function (for example, civil UAS): High-risk via Annex I ? conformity assessment + CE. (EUR-Lex)
Stand-alone sensitive use (for example, RBI, critical infrastructure): Annex III high-risk or Article 5 prohibition applies. (EUR-Lex)
Is there a GPAI model being placed on the EU market?
Yes: Chapter V duties for model providers from 2 Aug 2025, separate from the defence carve-out for systems. (EUR-Lex)
Is this pre-market testing?
Real-world testing rules apply (registration, oversight, incident reporting). (EUR-Lex)

Bottom line for “Autonomous Fighters in Rome”

A military-only display of GA-ASI’s autonomous fighters is outside the AI Act.
Any civil spin-off (cargo drones, civil surveillance, airport ops) or law-enforcement application in the EU will trigger the Act — often at the high-risk level — together with tight prohibitions around biometric uses in public spaces. Plan your compliance architecture accordingly. (EUR-Lex)

This article is informational and not legal advice. Citations are to the Official Journal text of the Artificial Intelligence Act (Regulation (EU) 2024/1689) for scope (Art. 2), prohibitions (Art. 5), high-risk regime (Ch. III), real-world testing (Arts. 57–61), GPAI (Ch. V incl. Art. 53), timelines (Art. 113), and penalties (Art. 99–101).

About the author — Richard Ryan

Richard Ryan is a UK barrister (Direct Access), mediator and Chartered Arbitrator (FCIArb), and a Bencher of Gray’s Inn. He practises across defence, aerospace, construction, engineering and commodities, with a leading specialism in drone and counter-drone law, unmanned aviation regulation, and AI-enabled safety and compliance. Richard advises government, primes and operators on EU/UK UAS frameworks, BVLOS, U-space/UTM and the EU AI Act. He leads Blakiston’s Chambers and contributes regularly to industry guidance and policy consultations.

The post How Europe’s new AI rulebook would (and wouldn’t) touch autonomous combat aircraft—and what the defence carve?outs really mean appeared first on Blakistons.

What the UK Drone Industry Can Learn from EASA’s Adoption of SORA 2.5

admin.richard — Tue, 30 Sep 2025 10:57:46 +0000

By Richard Ryan, Barrister & Drone Lawyer •
30th September 2025

Introduction

On 29 September 2025, the European Union Aviation Safety Agency (EASA) published ED Decision 2025/018/R, updating the Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Implementing Regulation (EU) 2019/947. This update introduces the European version of the Specific Operations Risk Assessment (SORA) 2.5, developed by the Joint Authorities for Rulemaking on Unmanned Systems (JARUS).

Although the UK has left the EU regulatory framework, these developments are highly relevant. UK operators, manufacturers, and regulators can learn much from how EASA is simplifying compliance, clarifying roles, and promoting harmonisation across Member States.

What Changed under SORA 2.5?

Simplification of procedures: Ambiguities from earlier SORA versions have been removed, making it easier for operators and authorities to understand their obligations.
Clarity of roles: Responsibilities are now more clearly divided between operators, designers, and manufacturers. For example, design verification reports (DVRs) from EASA are required at SAIL IV, and type certification is required at SAIL V and VI.
Terminology alignment: EU-specific terms replace JARUS wording. For instance, “EVLOS” has been dropped in favour of “BVLOS with airspace observer”.
Containment requirements: Refined criteria for ground risk buffers and adjacent ground areas, particularly relevant for BVLOS and urban operations.
Flexibility for competent authorities: NAAs can use direct assessment, recognised entities, or qualified entities to review compliance.
Removal of weak cybersecurity rules: EASA stripped out JARUS’s cybersecurity provisions, deeming them disproportionate, but stressed that vulnerability assessments remain best practice.

Lessons for the UK CAA

Consistency and clarity – EASA has responded to industry feedback by clarifying operator versus manufacturer responsibilities. The UK’s guidance could benefit from similar precision, particularly in BVLOS authorisations.
Streamlining approvals – The two-phase SORA process (Phase 1 for risk identification, Phase 2 for compliance evidence) allows operators to obtain early regulatory feedback. This approach could make the UK’s OSC process faster and more predictable.
Population density mapping – EASA now recommends more accurate, dynamic maps to avoid over- or under-estimating risk in commercial and recreational areas. The UK could adopt a similar model, especially for urban drone delivery corridors.
Terminology alignment – Dropping “EVLOS” in favour of “BVLOS with AO” reflects operational reality and removes confusion. The UK should consider whether maintaining unique terminology helps or hinders international harmonisation.
Cybersecurity gap – By removing JARUS’s rules but encouraging vulnerability assessments, EASA has left space for proportionate, risk-based security. The CAA could similarly mandate cybersecurity risk assessments in line with wider aviation resilience standards.

Best Practice for UK Drone Pilots and Operators

Adopt SORA 2.5 methodology voluntarily – Even though the UK hasn’t formally adopted it, operators preparing risk assessments will benefit from aligning with European standards, especially if seeking approvals abroad.
Keep clear records – Maintain compliance matrices and comprehensive safety portfolios (CSPs) as outlined in SORA 2.5. This not only supports OSC applications but also protects operators in audits and insurance claims.
Use accurate population data – Don’t rely solely on outdated maps; supplement with local knowledge, real-time data, or site surveys to avoid underestimating risk.
Plan robust contingency procedures – Ensure abnormal and emergency procedures are well defined, tested, and rehearsed with crew. The new focus on containment means that “fly-away” risks must be demonstrably controlled.
Stay ahead on cybersecurity – Even though not mandated, conduct vulnerability assessments for command-and-control links and data storage. Cyber weaknesses could undermine insurance and liability cover.

Conclusion

EASA’s adoption of SORA 2.5 is a significant step towards regulatory clarity and harmonisation across Europe. The UK CAA should take note: simplifying authorisations, clarifying roles, and embracing proportionate risk-based approaches would strengthen the UK’s position as a leader in drone regulation.

For operators and pilots, the message is clear: best practice means anticipating international standards, not just meeting the minimum domestic requirement.

At Blakiston’s Chambers we advise drone operators, manufacturers, and service providers on all aspects of UK drone law, including airspace rights, regulatory compliance, and litigation risk. If your business is concerned about trespass or overflight liability, our team can help.

The post What the UK Drone Industry Can Learn from EASA’s Adoption of SORA 2.5 appeared first on Blakistons.

The Impact of the EU AI Act on Drones: A Comprehensive Overview

admin.richard — Tue, 12 Nov 2024 08:09:16 +0000

The Impact of the EU AI Act on Drones: A Comprehensive Overview

By Richard Ryan, Drone Lawyer

Introduction

The integration of Artificial Intelligence (AI) into drones has revolutionised various industries, from agriculture and logistics to surveillance and defence. AI-powered drones offer advanced capabilities like autonomous navigation, obstacle avoidance, and sophisticated data analysis. However, the rapid advancement of AI technologies brings forth legal and ethical challenges that necessitate robust regulatory frameworks.

The European Union’s proposed Artificial Intelligence Act (AI Act) represents a pioneering effort to regulate AI technologies comprehensively. As a drone lawyer based in the UK, I aim to explore the potential impact of the AI Act on the drone industry and review the current state of its implementation across various EU countries.

The EU AI Act and Its Relevance to Drones

The AI Act is designed to mitigate risks associated with AI systems by categorizing them based on their potential impact on safety and fundamental rights. High-risk AI systems—those used in critical infrastructure, law enforcement, or that have significant implications for health and safety—are subject to stringent regulatory requirements.

Key Implications for the Drone Industry:

1. Classification as High-Risk AI Systems: Drones equipped with AI functionalities for surveillance, data collection, or autonomous operations may be classified as high-risk. This classification subjects them to rigorous compliance obligations.

2. Compliance Requirements: Manufacturers and operators must implement risk management systems, ensure high-quality data sets, maintain transparency, and provide detailed technical documentation.

3. Conformity Assessments: Before entering the EU market, AI-powered drones may need to undergo conformity assessments to verify compliance with the AI Act’s provisions.

4. Transparency and Human Oversight: The Act emphasises the need for human oversight over AI systems. Drone operators may be required to ensure that AI decisions can be audited and overridden by humans when necessary.

5. Data Governance: Strict rules on data quality and governance affect how drones collect, process, and store data, especially personal or sensitive information.

Current Implementation Status in EU Countries

While the AI Act is still under negotiation and has not been enacted as of October 2023, several EU Member States are proactively preparing for its implementation.

Spain

Spain has established the Spanish Artificial Intelligence Supervisory Agency (AESIA), demonstrating a proactive stance toward AI regulation. AESIA is set to act as the market surveillance authority under the Department of Digital Transformation, indicating Spain’s commitment to enforcing the AI Act’s provisions once they become law.

Finland

Finland proposes a decentralized model by appointing multiple existing authorities as market surveillance entities, including the Energy Authority and the Medicines Agency. This approach leverages existing regulatory bodies to oversee AI compliance across different sectors.

Italy

Italy is considering assigning its national digital and cybersecurity agencies to enforce the AI Act. Preparations include building internal capacities and fostering research partnerships, emphasizing the development of competencies and continuous dialogue with scientific communities.

Ireland

Ireland has published a list of nine national public authorities responsible for protecting fundamental rights under the AI Act. These authorities will gain additional powers to address high-risk AI systems, including access to mandatory documentation from developers and deployers.

Germany and France

Both countries are actively engaged in discussions and preparatory measures to align with the AI Act. Germany’s Federal Ministry for Economic Affairs and Climate Action and France’s Directorate General of Enterprises are leading these efforts, though detailed implementation plans are still forthcoming.

Implications for the UK Drone Industry

Although the UK has left the EU, the AI Act could significantly impact UK-based drone companies:

– Market Access: To operate within the EU, UK companies must ensure their AI-enabled drones comply with the AI Act’s requirements.
– Regulatory Alignment: The UK may consider aligning its AI regulations with the EU to facilitate trade and maintain high standards of AI governance.
– Competitive Edge: Understanding and adapting to the AI Act can provide UK companies with a competitive advantage in the European market.

Recommendations for Drone Stakeholders

1. Stay Informed: Keep abreast of developments regarding the AI Act and its implementation across EU Member States.

2. Assess AI Systems: Evaluate existing AI functionalities within drones to determine if they fall under the high-risk category.

3. Prepare for Compliance: Develop strategies to meet compliance obligations, including documentation, risk assessments, and implementing human oversight mechanisms.

4. Engage with Regulators: Participate in consultations and dialogues with regulatory bodies to influence policy and gain clarity on compliance requirements.

Conclusion

The EU AI Act represents a significant step toward comprehensive AI regulation, with profound implications for the drone industry. Companies involved in the development and operation of AI-powered drones must proactively address potential compliance challenges. By understanding the regulatory landscape and preparing accordingly, drone manufacturers and operators can ensure continued innovation while adhering to legal and ethical standards.

—

About the Author

Richard Ryan is a drone lawyer based in the UK, specialising in aviation law, AI regulation, and data protection. With extensive experience advising drone manufacturers, operators, and users, Richard Ryan has presented to leading defence companies on the impact of AI regulation on drone technology. Committed to guiding clients through the complex legal landscape of emerging technologies, Richard Ryan offers insights and expertise to navigate the evolving world of AI and drones. Richard Ryan is a PhD student at Cranfield University researching the regulatory framework of UTM system for unmanned aviation.

The post The Impact of the EU AI Act on Drones: A Comprehensive Overview appeared first on Blakistons.