Understanding the EU AI Act and Implementing Key Measures

The forthcoming EU AI legislation will have a massive impact on firms operating or deploying artificial intelligence (AI) in the EU. With the EU AI Act (AI Act) nearing its final stages of the legislative process, it is imperative for all companies using AI to grasp the extent of compliance required to avoid regulatory enforcement and the potential for damages claims. This article provides a clear and structured overview of the basics of the AI Act, translating its requirements into actionable items for your business.

The AI Act at a Glance

·?????? Impact: The AI Act is a groundbreaking piece of legislation designed to regulate AI within the EU. The scope of the new regulation is much broader than one might think at first glance. It largely affects any use of AI that has an impact in the EU. In particular, the new rules apply to functionalities or applications that rely directly or indirectly on AI.

·?????? Mechanism: Many of the mechanisms and requirements of the AI Act are modeled after the EU Data Protection Regulation (GDPR). For instance, transparency, risk analysis and accountability rules as well as the AI Act sanctions systems closely resemble respective GDPR rules. The new rules categorize AI systems based on the risk they pose, from unacceptable risk to high, limited, and minimal risk. The Act sets out a framework for legal compliance, focusing on high-risk AI systems due to their significant potential impact on rights and safety.

·?????? Global Scope: The new rules not only apply within the EU, but will also have extraterritorial effect. For instance, they apply to providers placing on the market or putting into service AI systems in the EU as well as to providers or placing on the market general-purpose AI models in the EU – irrespective of whether those providers are established or located within the EU or in a third country. In other scenarios, a mere impact of AI systems taking place in the EU can result in the applicability of the AI Act.

·?????? Timing: The AI Act comes into force on the twentieth day following that of its upcoming publication in the EU Official Journal.

Most Relevant AI Act Compliance Requirements

·?????? Risk Assessment: Companies must conduct thorough risk assessments for AI systems to determine their risk category within the categories defined by the AI Act. This risk analysis dictates the level of regulatory scrutiny and compliance measures required.

·?????? Data Governance: High-risk AI systems must use high-quality datasets, ensuring they are free from biases and inaccuracies. Firms must implement robust data governance policies to meet this requirement.

·?????? Transparency and Information: AI systems should be transparent, providing users with information about their capabilities and limitations.

·?????? Human Oversight: Ensure that high-risk AI systems include adequate human oversight mechanisms to prevent or minimize risks.

·?????? Record-Keeping: Maintain comprehensive records of AI system development and deployment processes to demonstrate compliance with the AI Act.

·?????? Conformity Assessment: Conduct conformity assessments for high-risk AI systems before market entry.

·?????? Registration: Register high-risk AI systems in the EU database.

·?????? Interaction: Analyze interaction and ensure compliance with other EU Acts, in particular with the GDPR.

Sanctions for Non-Compliance

EU and member state regulators have far-reaching enforcement powers. The sanctions system is modeled after the GDPR fine mechanism. For instance, the AI Act imposes significant sanctions for non-compliance, which can include fines of up to 7?% of global annual turnover per violation for the most serious infringements - or up to 35 million euros, whichever amount is higher.

Concrete AI Action Items

To avoid the sanctions and other enforcement measures, firms must in particular take the following actions items:

·?????? Establish an internal AI Act compliance team.

·?????? Regularly train staff on AI Act requirements.

·?????? Conduct periodic internal audits of AI systems.

·?????? Analyze interaction with GDPR requirements on processing personal data.

·?????? Engage with EU and member state regulatory authorities proactively.

Regulatory Authorities and Their Interplay:

The AI Act designates the European Commission’s Artificial Intelligence Board (EAIB) as the key body overseeing the Act's implementation, supported by national supervisory authorities. The EAIB's role includes ensuring consistent application of the AI Act across member states and advising the European Commission. Moreover, EU member state GDPR supervisory authorities are going to closely scrutinize any use of personal data in AI systems. These authorities and the Court of Justice of the EU have established a very wide interpretation of the definition of personal data – and hence, the applicability of the GDPR. As a practical consequence, GDPR supervisory authorities are going to play a substantial role in AI governance, too.

Conclusion

The EU AI Act represents a significant step towards the ethical and safe deployment of AI technologies. For global IT, tech and other firms deploying AI, early and comprehensive preparation is crucial to ensure compliance and avoid the severe penalties associated with non-compliance. By following the outlined action items and engaging with the regulatory framework, companies can position themselves as leaders in responsible AI use and maintain their competitive edge in the digital market.