Federated Learning and AI Regulation in the European Union: Who is Responsible? -- An Interdisciplinary Analysis
Herbert Woisetschläger, Simon Mertel, Christoph Krönke, Ruben Mayer, Hans-Arno Jacobsen
TL;DR
Federated Learning enables training across data silos by sharing only model updates, aligning with the EU AI Act's emphasis on data governance and privacy. The paper argues that responsibility in FL is shared between the server operator and clients, but proposes shifting the provider role to the server through auditability, verifiability, integrity, and privacy safeguards to meet regulatory requirements. It analyzes regulatory mappings between the AI Act and GDPR, and distinguishes cross-device versus cross-silo FL architectures to identify where responsibility can be allocated. The work highlights open technical and legal challenges—such as data provenance, auditing, and governance in networked FL—to establish practical, compliant deployment of FL under EU regulation and to drive broader adoption.
Abstract
The European Union Artificial Intelligence Act mandates clear stakeholder responsibilities in developing and deploying machine learning applications to avoid substantial fines, prioritizing private and secure data processing with data remaining at its origin. Federated Learning (FL) enables the training of generative AI models across data silos, sharing only model parameters while improving data security. Since FL is a cooperative learning paradigm, clients and servers naturally share legal responsibility in the FL pipeline. Our work contributes to clarifying the roles of both parties, explains strategies for shifting responsibilities to the server operator, and points out open technical challenges that we must solve to improve FL's practical applicability under the EU AI Act.
