ARTICLE
16 December 2024

Key Things You Need To Know About the EU AI Act

LegalVision

Contributor

LegalVision, a commercial law firm founded in 2012, combines legal expertise, technology, and operational skills to revolutionize legal services in Australia, New Zealand, and the UK. Beginning as an online legal documents business, LegalVision transitioned to an incorporated legal practice in 2014, and in 2019 introduced a membership model offering unlimited access to lawyers. Expanding internationally in 2021 and 2022, LegalVision aims to provide cost-effective, quality legal services to businesses globally.

In Short

  • The EU AI Act categorises AI systems by risk levels (unacceptable, high, limited, minimal) and imposes compliance requirements based on risk.
  • The Act applies to EU and non-EU businesses whose AI affects EU individuals, with potential fines up to €35 million or 7% of global turnover.
  • Early compliance preparation is essential to avoid penalties.

Tips for Businesses

Evaluate all AI systems your business uses or supplies to check their compliance with the EU AI Act. Categorise them by risk and adapt practices accordingly. Legal advice can be valuable to navigate the Act's complexity and ensure your business meets requirements.

Artificial intelligence (AI) tools are increasingly prevalent and used across various industries worldwide. However, the rapid growth of AI technologies has also raised some serious concerns about matters such as AI safety, ethics, and transparency. In response to such concerns, the European Union introduced the EU AI Act, the first comprehensive legislation regulating AI systems. This landmark law, which recently came into effect, is designed to ensure that AI is developed and used safely and transparently. This article will explore critical things your business should know about the EU AI Act and its business implications.

What is the EU AI Act?

The EU AI Act is a law that categorises AI systems based on their potential risk to human rights and safety. The law classifies these systems into four risk categories: unacceptable, high, limited, and minimal or no risk. Unacceptable risk systems, such as real-time biometric surveillance and social scoring, are banned entirely. High-risk systems (which include AI in law enforcement, healthcare, and critical infrastructure) are subject to stringent requirements, including risk management, transparency, and human oversight. Systems classified as limited or minimal risk must comply with transparency rules, although they face fewer regulatory requirements.

How Will the EU AI Act Impact Business?

If your business is part of the AI value chain (e.g., as a provider, deployer, distributor, or importer), you will need to assess whether your AI systems fall within the scope of the EU AI Act. High-risk systems will be the most affected.

Businesses (depending on their activities and use of AI) may need to take various compliance-related steps, including implementing risk management systems, ensuring transparency, complying with codes of practice, and enabling human oversight throughout the AI system's lifecycle. Businesses must also keep records of the AI's performance and take immediate corrective action if issues arise.

For limited-risk systems (such as chatbots), businesses must ensure transparency by informing users that they are interacting with AI. Even if your systems pose minimal risk, complying with best practices and voluntary guidelines can help businesses improve trust and minimise any regulatory risks in the future.

Your business needs to remember that while this is EU law, it does not just apply to European companies. The EU AI Act also applies to businesses outside the EU if their AI systems affect individuals within the EU.

For instance, as a UK business, you must comply with the EU AI Act if you supply AI systems to the EU market or if your AI systems are used within the EU. This extraterritorial reach mirrors the GDPR's reach, meaning your company could face fines for non-compliance, even if you operate outside the EU. If your UK business falls within the law's scope, you must ensure that your AI practices align with the EU AI Act's requirements to avoid these consequences.



What are the Penalties for Non-Compliance?

Non-compliance with the EU AI Act can result in severe financial penalties similar to those imposed by the GDPR. If you use prohibited AI systems, your business could face fines of up to €35 million or 7% of global annual turnover. Less severe breaches could still give rise to significant penalties of up to €15 million or 3% of global turnover. It is, therefore, crucial to understand any obligations applicable to your business and prepare for compliance to avoid potentially severe financial consequences.

What Should Your Business Do to Comply with These Rules?

The EU AI Act was recently introduced, and most provisions will apply in stages, with specific prohibitions already in effect. Your business should begin by identifying all AI systems you use or supply and whether they fall within the EU AI Act's scope and requirements. You will then need to determine which risk categories your AI systems fall into and understand and implement your obligations accordingly.

Depending on your specific activities and their risk, you may need to implement various actions, from staff training and allocating responsibilities for compliance to updating your AI policies and procedures and reviewing your contracts.

Given the significant length and complexity of the requirements under this new law, businesses should consider seeking legal advice early to clarify their obligations and ensure compliance before engaging with the EU market.

Key Takeaways

The EU AI Act introduced a landmark regulatory framework with strict requirements for AI systems. Non-compliance can lead to significant penalties, including fines of up to €35 million or 7% of global annual turnover. Your business should evaluate its AI systems and determine whether its activities fall within the scope of the law. It should also implement the necessary procedures to comply with the law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
