The full and final text of the EU AI Act, the European Union’s landmark regulation for artificial intelligence (AI), has been published in the Official Journal, marking the beginning of its implementation timeline. Starting August 1, 2024, the Act will gradually impose various obligations on AI developers and users through mid-2026 and beyond.
This groundbreaking regulation represents a significant step toward ensuring AI systems in the EU are safe, ethical and transparent. However, it may pose challenges in compliance and implementation. In this blog post, we outline the top ways the AI Act impacts business operations.
Compliance Timeline and Phased Implementation
Organizations need to be aware of the AI Act’s phased implementation approach:
- Prohibited AI Systems: Compliance required by early 2025.
- High-Risk AI Systems: Compliance required by mid-2026 for most, with some extended deadlines up to 2027.
- General-Purpose AI (GPAI): Transparency requirements start in August 2025.
Takeaway
By understanding these timelines, businesses can plan and allocate resources effectively to ensure timely compliance.
Risk-Based Classification and Obligations
The AI Act classifies AI systems into three categories based on risk:
- Prohibited AI Systems: Includes AI for social scoring and real-time biometric surveillance in public spaces, with exceptions. AI that manipulates behavior or exploits vulnerabilities is also prohibited.
- High-Risk AI Systems: Covers AI in critical sectors like healthcare, employment, law enforcement and education. Obligations include risk management, transparency, high-quality data and human oversight.
- Limited/Minimal Risk AI Systems: Subject to lighter transparency requirements, such as disclosure when interacting with AI (e.g., chatbots).
Takeaway
Businesses must assess their AI systems to determine their risk category and comply with relevant obligations.
Transparency and Documentation
All AI systems, especially high-risk and GPAI models, must adhere to stringent transparency and documentation requirements:
- GPAI Models: Must maintain up-to-date technical documentation, uphold transparency and respect EU copyright laws. Systemic-risk GPAIs must conduct risk assessments and notify the European Commission.
- High-Risk AI Systems: Providers must ensure comprehensive documentation, maintain event logs and provide clear user instructions. Deployers must also keep data logs and conduct impact assessments.
Takeaway
Promoting transparency helps build trust and accountability, essential for both regulatory compliance and customer confidence. Businesses must adjust operations to adhere to the AI Act.
Governance and Human Oversight
The AI Act underscores the need for robust governance and human oversight:
- Providers and Deployers: Must assign human oversight to monitor AI performance and intervene when necessary.
- AI Office and AI Board: These bodies will oversee implementation, monitor for consistent application across the EU and provide guidelines for compliance.
Takeaway
Effective governance frameworks and human oversight mechanisms are necessary for minimizing risks and advancing ethical AI use.
Impact on Importers, Distributors and Manufacturers
The AI Act extends special obligations to importers, distributors and product manufacturers:
- Importers and Distributors: Must ensure AI systems from outside the EU comply with the Act before putting them on the market.
- Manufacturers: Must integrate compliant AI systems into products and make sure they adhere to sector-specific EU laws.
Takeaway
Importers, distributors and manufacturers must implement rigorous compliance checks to avoid disruptions in market access and operations.
Data Privacy and Security
Complementing the General Data Protection Regulation (GDPR), the AI Act reinforces data privacy and security:
- Data Quality and Governance: High-risk AI systems must use high-quality, non-biased data. Data logs must be securely maintained.
- Synthetic Content: AI-generated content must be marked as artificial. Systems for emotion recognition or biometric categorization must disclose their intended use, except for crime detection.
Takeaway
Businesses must modify their data protection and usage policies to align with the AI Act’s stringent requirements.
Penalties for Non-Compliance
Non-compliance with the AI Act can result in substantial penalties as follows:
- Prohibited AI Practices: Fines up to €35 million or 7% of global turnover.
- High-Risk System Violations: Fines up to €20 million or 4% of global turnover.
- Misleading Information: Fines up to €7.5 million or 1.5% of global turnover.
Takeaway
The severe financial repercussions underscore the importance of prioritizing compliance. Failure to comply can compromise an organization’s financial stability and market reputation.
Action Steps for Organizations
To navigate the complexities of the AI Act, organizations should consider taking the following steps:
- Conduct Comprehensive Audits: Review all AI systems to ensure compliance with the new regulations.
- Implement Training Programs: Educate employees about the AI Act and its implications for daily operations.
- Engage Legal and Compliance Experts: Consult with experts to understand and implement necessary changes to AI practices.
- Strengthen Data Governance: Enhance data management frameworks to align with the AI Act and GDPR.
- Develop Transparent Practices: Ensure transparency in AI use, particularly in high-risk applications like hiring and employee management.
Looking Ahead: More Regulations
As the EU AI Act evolves, organizations must stay informed and adapt to new developments. For multinational companies (MNCs), it is expected that similar frameworks will be passed in other jurisdictions to regulate AI implementation.
By proactively addressing compliance, organizations can not only avoid penalties but also position themselves as leaders in ethical and responsible AI use.
Stay tuned for further updates and insights into the AI Act and other regulations shaping the future of AI in business.