Por: Carlos A. FERREYROS SOTO
Doctor en Derecho
Universidad de Montpellier I Francia.
cferreyros@ferreyros-ferreyros.com
RESUMEN
La Comisión Europea ha lanzado una herramienta digital aparentemente
segura y confidencial para denunciar posibles infracciones de la Ley de
Inteligencia Artificial de la UE directamente ante la Oficina de IA Europea; de forma anónima, en cualquier idioma oficial
de la UE y con soporte de documentación.
La “AI Act Whistleblower Tool” es un canal en línea que
permite a personas vinculadas profesionalmente con proveedores de modelos de IA
o sistemas de IA informar sobre prácticas internas que puedan vulnerar
obligaciones del Reglamento de IA, especialmente en modelos de uso general y
sistemas de alto riesgo. El objetivo es detectar tempranamente incumplimientos
que puedan poner en riesgo derechos fundamentales, salud, seguridad o la
confianza pública, contribuyendo a un desarrollo seguro y transparente de la IA
en Europa.
Los informes se envían a una plataforma cifrada
certificada, con un “buzón seguro” que permite comunicación bidireccional. La
Oficina de IA limita el acceso a los informes a un número muy reducido de
personas formadas en confidencialidad y seguridad; a partir del 2 de agosto de
2026, salvo en algunos ámbitos ya cubiertos (seguridad de productos, consumo,
datos personales, seguridad de la información).
Se admiten informaciones sobre prácticas internas que
incumplan obligaciones del AI Act, como documentación, políticas de copyright, resúmenes de datos de
entrenamiento, evaluación de riesgos y medidas de mitigación para modelos
avanzados. Pueden adjuntarse documentos (memos internos, informes, métricas,
correos, etc.), eliminando siempre cualquier dato que identifique al
denunciante u otras personas.
El proceso comienza pulsando “Submit a report”,
respondiendo preguntas y describiendo los hechos, con posibilidad de subir
hasta cinco archivos y mantener el anonimato marcando la casilla
correspondiente. Al enviar se crea un buzón seguro protegido por una contraseña
y un “Case ID” aleatorio, que permiten consultar el estado, aportar nueva
información y responder a preguntas de la Oficina de IA sin perder el
anonimato. La Oficina de IA registra el informe en una base de datos segura,
acusa recibo en un máximo de siete días laborables y, en catorce días, indica
si es la autoridad competente o facilita otro punto de contacto. A lo largo del
proceso se puede solicitar aclaraciones, compartir información con personal
experto previa aprobación del denunciante y, en un plazo general de hasta tres
meses (seis en casos excepcionales), informar del resultado o de la decisión
sobre el seguimiento del caso, pudiendo remitirlo a otras autoridades
competentes manteniendo la confidencialidad.
A fin de acceder a normas
similares y estándares europeos, las empresas, organizaciones públicas y
privadas interesadas en asesorías, consultorías, capacitaciones, estudios,
evaluaciones, auditorías sobre el tema, sírvanse comunicar al correo
electrónico:cferreyros@ferreyros-ferreyros.com
_________________________________________________
La Comisión lanza una herramienta de denuncia de
irregularidades para la Ley de IA
La Comisión Europea lanzó una herramienta de denuncia
para la Ley de Inteligencia Artificial (IA).
Imágenes de Getty © Aree Sarak
La herramienta proporcionará un canal seguro y confidencial para que las
personas informen sobre presuntas infracciones de la Ley de IA directamente
a la Oficina de IA de la UE, el centro de experiencia en IA de la Comisión.
Los denunciantes pueden proporcionar
información relevante en cualquiera de los idiomas oficiales de la UE y en
cualquier formato pertinente. La herramienta ofrece una forma segura de
denunciar posibles infracciones de la ley que podrían poner en peligro los
derechos fundamentales, la salud o la confianza pública. Se garantiza el máximo
nivel de confidencialidad y protección de datos mediante mecanismos de cifrado
certificados. Este sistema permite un seguimiento seguro, permitiendo a los
denunciantes recibir actualizaciones sobre el progreso de su denuncia y la
posibilidad de responder a preguntas adicionales de la Oficina de Inteligencia
Artificial, sin comprometer su anonimato.
La Ley de IA de la UE tiene como
objetivo promover la innovación y la adopción de la IA en la UE, a la vez que
aborda los posibles riesgos para la salud, la seguridad y los derechos
fundamentales de las personas, y salvaguarda la democracia y el Estado de
derecho. Al informar sobre infracciones, los denunciantes pueden ayudar a la
Oficina de IA a detectarlas de forma temprana, contribuyendo así al desarrollo
seguro y transparente de las tecnologías de IA.
Acceda a la herramienta de denuncia de
irregularidades de la Ley AI y lea más información sobre la
herramienta y las preguntas frecuentes .
__________________________________________________
Herrramienta de
Denuncia de Irregularidades de la Ley de IA
AI Act Whistleblower Tool
The AI Act Whistleblower Tool is a secure channel set up by the European AI Office for individuals who wish to anonymously report potential breaches of the AI Act, thereby contributing to the safe and transparent development of AI technologies.
The European AI Office, established within the European Commission, is the centre of AI expertise and forms the foundation for a single European AI governance system. Reporting directly to the AI Office helps us to strengthen our ability to detect and address violations early on.
Reports are submitted anonymously in any EU language and can be supported by relevant documents both upon initial submission and during the course of bi-directional communication with the AI Office via a secure inbox. The highest level of confidentiality is guaranteed.
A key feature of the tool is its secure inbox, which allows for continued communication between the whistleblower and the AI Office without compromising anonymity. Through this inbox, the AI Office can acknowledge receipt, request clarification, and provide feedback on the handling of the report.
We highly value the trust in bringing matters to our attention and are committed to handling every report with the utmost care, diligence, and integrity.
For more information on
whistleblower protection, confidentiality, information processing, and the
functioning of the tool, please consult our FAQs.
Información sobre la
herramienta
AI Act Whistleblower Tool
Whistleblowers play a vital role in
identifying potential violations of the law that could endanger fundamental
rights, health, or public trust, and which might otherwise go undetected. By
reporting potential violations, whistleblowers can support the AI Office in detecting them early on, thereby contributing to the safe and
transparent development of AI technologies.
The AI Act Whistleblower
Tool, launched by the AI Office, allows
individuals who are professionally connected to an AI model provider to report
harmful practices by providers of general-purpose AI models and certain AI
systems. You can submit your report anonymously in any EU language together
with supporting documents using the secure inbox in the tool. The inbox also
enables whistleblowers to stay up to date on the progress of their report,
answer follow-up questions while remaining anonymous.
Alongside with the secure tool, the AI
Office commits itself to a high standard of confidentiality and has documented
internal procedures to maximise the protection whistleblowers' identities.
While these robust safeguards ensure confidentiality, it is important to note
that legal protection against retaliation under the Whistleblower
Directive will only extend to reports
concerning infringements of the AI Act from 2 August 2026 onwards. Until then, confidentiality remains
the primary means of protection for whistleblowers. Meanwhile, some AI-related
activities — particularly those linked to product safety, consumer protection,
privacy and personal data, or information security — may already fall within
the Directive’s scope and thus benefit from its protection.
FAQs
Why should I submit a report?
Compliance with the EU AI Act helps to ensure that AI is being developed in a way that upholds fundamental rights, protects health and safety, and fosters public trust in AI technologies.
If you are professionally connected to an AI model provider — whether as a current or former employee, a self-employed collaborator, a shareholder, or a member of the company’s administrative, management, or supervisory body — you may be among the first to notice potential breaches of the law. Your unique position enables you to detect irregularities that could otherwise go unnoticed.
The European
AI Office supports the development
and use of trustworthy AI, while protecting against AI risks. Established
within the European Commission, the AI Office is the centre of AI expertise and
forms the foundation for a single European AI governance system. By reporting
directly to us, you help strengthen our ability to detect violations early on.
More information about the AI Act can be accessed here: AI Act | Shaping Europe’s digital future
How am I protected?
The European AI Office protects your status as a whistleblower by maintaining confidentiality and safeguarding your anonymity. Please refer to our Confidentiality Policy for details on how we fulfil this commitment. This helps to prevent retaliation against you by your employer.
Apart from this, currently, there is no legal protection against retaliation by your employer for breaching non-disclosure agreements or similar contractual terms by your reporting of potential breaches of the AI Act. From 2 August 2026 onwards, however, such reports will fall within the scope of the Whistleblower Directive, which provides legal protection against retaliation.
Until then, only some AI-related activities may fall within the scope of the Directive, particularly concerning product safety, consumer protection, privacy and personal data, and information security. To benefit from the protection granted by the Directive, your professional relationship must be governed by EU law (e.g., you work in the EU or you are employed under an EU contract). Protection under the EU Whistleblower Directive does not depend on whether an investigation subsequently confirms a violation of the law. Rather, whistleblowers are protected if they had reasonable cause to believe that the information was true at the time of reporting, and that it constituted a violation of the law covered by the Directive. You may also submit your report to your national whistleblowing authority, where you will receive the safeguards established under the EU Whistleblower Directive — alternatively, and only with your express consent, we will forward your report to the relevant national authority as part of our follow-up.
How is confidentiality ensured throughout the process?
The overarching principle behind the AI Act Whistleblower Tool is to provide a secure and confidential reporting channel through which individuals can report suspected breaches of the AI Act directly to the European AI Office. This applies regardless of whether the AI Office is the competent authority for the incoming report.
Your report will be kept secure through encryption and other security functions that are certified by an independent body. As you submit your report anonymously, we ask you to not provide any personal data about you or about any other persons that could directly or indirectly reveal their identity (e.g., name of your work colleagues, email addresses, phone number).
Please do not use any technical device provided by your employer, such as a PC, smartphone, or Wi-Fi, to submit your report. We recommend that when submitting a report you formulate the description of the violation in such a way that, when any follow-up measures are taken, third parties have no possibility of drawing conclusions about your identity from the manner in which the facts are presented in the report. Use caution when documenting evidence, e.g., downloading information from work machines.
The AI Office ensures that
your report is not disclosed to anyone without your explicit consent beyond the
limited staff members at the AI Office designated to receive or follow up on
reports (see the question on how the AI Office processes your report). These
staff members receive specific training for the purposes of handling reports.
The set up of a secure inbox is required, as a bidirectional channel with the AI Office, to provide you with feedback on what is happening with your information or ask questions if further details are needed — you will also remain anonymous during this exchange.
For more information, please consult our Confidentiality Policy.
What sort of reports will help the AI Office?
Information about any internal practices of AI model providers that may violate the obligations set out in the AI Act, or on any other activities that could endanger fundamental rights, health, or public trust, is welcome. These obligations include documentation requirements, a copyright policy, and a training data summary (Article 53), as well as risk assessment and mitigation measures for the most advanced models (Article 55).
Reports can be submitted in any EU language and be supported by relevant documents in any form, including internal memos, presentations, reports, data metrics, email exchanges, analyses, research, or similar documents. However, to protect your anonymity, please examine any file you choose to include carefully to ensure that it does not disclose your or other party’s identity and redact it where applicable.
Even if the report does not fall within the remit of the AI Office, we will still follow up with you within fourteen working days through your secure inbox and if possible, provide you with the relevant point of contact so that you can submit your report to the most suitable agency as soon as possible.
What is the process for submitting information? How do I set up a secure
inbox?
To submit information, start by clicking the ‘Submit a report’ button located on the homepage.
On the next page, you can answer questions and provide a description of the relevant facts. Please ensure your answers are accurate, detailed, honest, and thorough. You can also submit up to five supporting files, each with a maximum size of 100 MBs. If you wish to submit files at a later moment or you wish to provide additional files, you can send them via the secure inbox (see below).
You will then be asked to remain anonymous via the ‘Stay anonymous’ checkbox. As you are required to stay anonymous, please ensure that any information or files you provide do not disclose your identity or any third-party's identity (e.g., your work colleagues).
When you submit a report, you will be asked to set up a secure inbox. This will allow us to establish a bi-directional channel with you without compromising your anonymity. This will enable you to anonymously send us follow-up information and receive feedback and updates on the progress of your report. It also allows the AI Office to ask follow-up questions and gather your consent for relevant next steps.
To set up the secure inbox,
when you submit your report, you will be asked to create a password. Upon
submission you will also receive a randomly generated Case ID alongside
your confirmation. Please save them somewhere safe, as you will need both your
Case ID and password to access your secure inbox.
If you already have a secure inbox, you can access it directly via the ‘Secure Inbox’ button.
How does the AI Office process my report?
Upon receiving a report, it is
promptly and securely entered into our database, in full compliance with strict
confidentiality and information security standards. We are committed to
maintaining open and transparent communication throughout the process via your
secure inbox.
1. Your report
will be received via a secure platform to which only three members of the AI
Office staff have access to. The authorised staff was educated on their
responsibility to maintain whistleblower confidentiality.
2. You will
receive a formal acknowledgement of receipt within seven working days,
confirming that your submission has been successfully recorded.
3. Upon your
approval, the content of your report will be shared with authorised staff from
the AI Office, which comprises multidisciplinary expertise in areas such as
machine learning, model evaluation, cybersecurity, risk assessment, and
copyright. Access to your report will be strictly limited to those with the
relevant expertise to diligently assess the matter, only following your
approval and upon having received specific training for the purposes of
handling reports.
4. We will
respond within fourteen working days to confirm whether we are the correct
authority to handle your report. If we are not the most suitable authority, if
possible, we will provide you with the relevant point of contact to redirect
your report.
5. We may
maintain contact with you throughout the process, to share updates, answer your
questions, collect additional information, or obtaining your approval to share
the content of the report with third parties when required. We therefore
recommend you to check your secure inbox regularly.
6. We will
provide you with feedback within three months, or within six months if
exceptional circumstances arise. If we conclude that a report does not require further
follow-up (e.g., because the breach is minor or already known) we
will notify you of the decision and the reasons
thereof.
7. We will communicate to you the final outcome triggered by the report.
Along this
timeline, the whistleblower may also be asked by the AI Office to provide
supplementary information or clarifications. However, there is no obligation to
provide information in this respect.
As further
follow-up measures, the AI Office may, at its dutiful discretion:
- refer the whistleblower to other competent authorities and communicate with those authorities to support the protection of the whistleblower, provided that the whistleblower has given their prior approval; and/or
- transfer the proceedings to a competent authority for further investigation, while safeguarding the confidentiality of the whistleblower.
We highly
value your trust in bringing matters to our attention, and we are dedicated to
handling every report with care, diligence, and integrity.
No hay comentarios:
Publicar un comentario