What proper compliance with the EU AI act will entail for your company

The much-anticipated AI Act was adopted by the European Parliament in March 2024. Given the increasing role of AI systems, the need for stricter regulation is growing.[1] It is important for companies to know what obligations they have to comply with in (short) term.

The need for regulation

Artificial intelligence systems work on the basis of input, which can be provided by humans or machines, to perform specific tasks. To compute the output, AI processes the input through models and algorithms.[2] As you are probably well aware, the use of AI in business can increase efficiency. For example, businesses use AI to automate tasks, improve data analysis, identify problems and create more efficient production systems.[3] However, the use of AI also carries risks.

The AI Act is the first extensive and comprehensive piece of regulation to address the risks regarding artificial intelligence and the act will lay the foundation for the regulation of AI in the EU.[4] The purpose is to ensure that AI systems in the European Union are safe, transparent, traceable, non-discriminatory and environmentally friendly. It aims to allow innovation and economic developments to take place while public values are protected.

Identifying risks and obligations

In addressing these risks, obligations are imposed on providers and users of AI systems.[5] In this short overview article only the obligations for providers will be addressed. These obligations are based on the risk the AI system will pose. This risk-based approach classifies four different categories of risks: unacceptable risk, high-risk, limited risk and minimal risk.

AI systems with an unacceptable risk are prohibited. This category concerns inter alia social scoring systems and AI systems that deploy manipulative or deceptive techniques to distort behavior or exploit vulnerabilities related to age or disability.[6] High-risk AI systems are for instance systems that process personal data to assess various aspects of a person’s life or fall under Annex III of the AI Act. The majority of the obligations fall on the providers of these AI systems. These providers must establish a risk management system, conduct data governance and provide instructions for use, among other things.[7] The AI Act also regulates limited risk AI systems, which are referred to as General Purpose AI Systems (GPAIS). These systems, such as chatbots and deepfakes, must ensure that the end-user is aware that they are interacting with AI. The providers of GPAI systems must therefore draw up technical documentation and information and documentation to supply downstream providers. The category of minimal risk is not regulated in the AI Act.

Complying as a company

To ensure your compliance with the AI Act, it is necessary to assess the AI systems currently running in your business and to maintain a list of them. The use of AI must then be categorized based on the potential harm it is capable of causing. Is the risk unacceptable, high, limited or low? If the AI system poses a high or limited risk, obligations under the AI Act will apply. The higher the risk, the more obligations the system will have to comply with. Regardless of the risk, it is important to keep date record of use of the system and provide ongoing training in ethical practices and decision making. It is also important for companies to assess the extent to which you are able to explain decisions taken by your algorithms and develop a compliance and audit-readiness roadmap.

Furthermore, when published, companies should rely on the Codes of Practice of the AI Act as a central tool for the proper compliance with the obligations for GPAIs. Providers can rely on Codes of Practice to demonstrate compliance with the obligations. The AI Office, established in February 2024, should encourage the drawing up of this Code of Practices and will – in cooperation with the Member States – monitor the effective implementation and compliance of the AI Act.[8]

Entry of AI Act and their obligations

Before the AI Act enters into force, the act will first have to be formally adopted by the Council of the European Union.[9] Once the Council has also adopted the act and published it in the Official Journal, the regulation enters into force 20 days later.[10] Although the regulation will fully apply 24 months after entry into force, GPAIS have 12 months to comply and compliance with the Codes of Practice must be met 9 months after entry into force. Some high-risk AI systems will however get more time to ensure their compliance with the AI Act, since their obligations will apply 36 months after entry into force.

We will keep you informed of further updates on the AI Act and Codes of Practices.