EU AI Act

What is the EU AI Act?

The EU Artificial Intelligence Act (AIA) is a new legislative cross-sector framework for regulating AI systems in the European Union (EU). It sets harmonised rules for the use of AI technologies, including generative and general-purpose AI. The act uses a risk-based approach, categorising AI systems by their potential risks to health, safety, and fundamental rights, and imposing specific obligations accordingly.

Why is the EU AI Act relevant to UK Firms?

The AIA’s scope is extra-territorial, meaning UK businesses that develop or deploy AI systems for the EU market fall under its regulation. UK entities are within the scope as providers when releasing AI systems through EU subsidiaries and also within scope if their models are not deployed in the EU, but their outputs are intended be used in the EU.

While other regions are developing their own AI regulations, the EU AI Act is a global reference point. The UK government acknowledges that the challenges posed by AI technologies will ultimately require legislative action in every country. However, it currently relies on existing laws and frameworks, estimating that more time is needed to better understand the risks, opportunities, and appropriate regulatory responses. There is broad agreement on AI risks and principles across jurisdictions, but regulatory divergence remains a potential challenge for firms.

When will the Act be enforced?

Timelines for compliance have been established for different risk classifications. Organisations must proactively classify and assess the risks of their AI systems in the coming months to avoid penalties and reputational damage.

For example, a firm deploying an AI system that is deemed to be prohibited, such as one that infers emotions in the workplace, six months after the Act takes effect could face fines of up to 35,000,000 EUR or 7% of its total worldwide annual turnover from the previous financial year, whichever is higher. Such a system would have to be removed from the European market, or redesigned such that it no longer meets the prohibited criteria as defined by the EU AI Act.

Our view for UK firms

UK firms must act now to comply with the EU AI Act’s requirements. While the majority of the obligations, including for most high-risk systems, will apply in 24 months, some provisions will apply before and after that milestone. For example, prohibitions on certain AI systems will be enforced by the end of 2024, and requirements for general-purpose AI will apply by mid-2025.

Actions for firms:

• Assess the impact on compliance: evaluate the impact of the AIA on existing compliance frameworks, particularly for cross-border functions.
• Classify AI systems and develop an inventory of AI assets: categorise AI systems according to the risk classifications and keep a dynamic inventory based on the EU taxonomy.
• Identify prohibited AI systems and take action immediately: determine and address AI systems that will be prohibited by the end of 2024.
• Review AI governance model: update governance frameworks to align with the AIA.
• Risk management framework: develop and implement comprehensive risk management, testing, and validation procedures.
• Data governance: ensure robust data management practices.
• Ensure adequate controls: confirm that proper controls are in place, especially for advanced AI systems.
• Map interdependencies: understand internal and external dependencies related to AI systems. Build trust with cloud and third-party platform providers to ensure shared visions, roles, and responsibilities to implement adequate controls and safeguards.

The AIA will likely present new compliance challenges but also offers an opportunity to align AI development and deployment with strategic priorities. Proactively addressing these challenges can enhance innovation capabilities, ensure ethical AI practices globally, and strengthen competitive advantage.

Question & Answer