Is Your Business Ready for the EU AI Act? (Part 1)
What is the EU AI Act?
The EU AI Act is a new law designed to regulate the development and use of artificial intelligence (AI) within the European Union. This law has a broad reach, applying to anyone who:
Provides AI systems within the EU.
Deploys AI systems within the EU.
Imports AI systems into the EU.
Makes the output of their AI system available in the EU (regardless of where they are based).
In essence, if your AI system or its output touches the EU in any way, you need to understand these regulations and integrate compliance into your business operations. Enforcement will be rolled out in phases, with the earliest provisions taking effect in February 2025.
By the Numbers
The EU AI Act is a substantial piece of legislation, comprising:
180 recitals
113 articles
13 annexes
144 pages
...and a partridge in a pear tree?
To add to the complexity, different rules apply depending on the risk level of the AI system and your business's role in its lifecycle. Unlike GDPR enforcement, penalties under the AI Act consider the size of the business, its role, and the nature of the infraction.
AI Systems vs. GPAI Models
The AI Act governs both AI systems and general-purpose AI models (GPAI).
An AI system is a machine-based system that:
Operates with some degree of autonomy and may even adapt after deployment.
Infers how to generate outputs (predictions, content, recommendations, decisions) from its inputs.
Can influence physical or virtual environments.
A GPAI model is an AI model that:
Is trained on a massive dataset with self-supervision.
Can perform a wide range of tasks and has broad applicability.
Can be integrated into various downstream systems or applications.
While the AI Act applies to both, different obligations apply to each based on their potential risk. GPAI models, in particular, may pose a systemic risk. Non-compliance can lead to hefty fines, regulatory scrutiny, and damage to reputation and goodwill.
Key Players in the AI Act
Understanding the different roles defined in the AI Act is crucial for compliance.
Provider: Develops the AI system or GPAI model (or has it developed on their behalf) and places it on the market under their name or trademark (e.g., OpenAI, Google, Anthropic). This also includes companies that use third-party language learning models (LLMs) with tailored prompts to create specific outputs.
Deployer: Uses a provider's AI system for a specific purpose (e.g., using an AI chatbot for customer service).
Importer: A person or organization within the EU that imports an AI system from outside the EU.
Distributor: Makes an AI system available in the EU without being a provider or importer.
Product Manufacturer: Incorporates an AI system into their product. If the AI system is high-risk (e.g., a safety component in a car), the manufacturer takes on the role of a provider.
It's important to remember that businesses can hold multiple roles under the AI Act and must fulfill the obligations associated with each role. Just like under the GDPR, an entity's role is determined by its actions in practice, not just contractual definitions.
The Journey Ahead
This introduction to the AI Act provides a foundational understanding. There's much more to explore, such as the role of supervisory bodies and how the AI Act applies to public entities, research, and non-public models. As enforcement phases approach, we can expect further commentary and guidance.
How the AI Act applies to you will depend on your specific circumstances. We're here to help you navigate these complexities and ensure your AI initiatives are compliant and responsible.
If you'd like to learn more about how the AI Act relates to your business, schedule a complimentary consultation today.
