The EU AI Regulation
A guide for effective implementation
The rapid development of artificial intelligence (AI) opens up a wide range of application possibilities for companies, but also entails considerable risks. To ensure the responsible use of AI systems, the European Union has AI Regulation (AI-VO) introduced – the world’s first comprehensive set of rules for artificial intelligence.
This article provides a structured overview of the AI Regulation, explains its key content and shows how companies can effectively implement the regulation.
Background and legislative process
The AI Regulation was developed to regulate the development and use of AI within the EU internal market while ensuring a high level of protection for health, safety, and fundamental rights. The legislative process began with the adoption of the text by the European Parliament on March 13, 2024, followed by editorial adjustments on April 19, 2024. The Council of the EU approved the regulation on May 21, 2024. The regulation entered into force on July 13, 2024, and will apply from August 2, 2024, in a phased procedure.
Risk-based approach of the AI Regulation
The AI Regulation pursues a risk-based approach, which classifies various AI systems according to their potential risk to society. The higher the risk, the stricter the regulations. The regulation distinguishes a total of five risk categories:
- Prohibited AI systems: Systems that pose unreasonable risks, such as manipulative techniques for influencing behavior or biometric remote identification in publicly accessible spaces.
- High-risk AI systemsThese systems require extensive security and transparency measures. Examples include AI applications in biometrics, critical infrastructure, human resources management, and law enforcement.
- AI systems with limited risk: These systems are subject to specific transparency obligations, such as the labeling of deep fakes or the disclosure of the use of emotion recognition systems.
- AI systems with minimal risk: Systems that neither have a significant impact on society nor require specific regulations, such as spam filters or AI components in video games.
- General-purpose AI models: Large language models such as ChatGPT, which serve as the basis for special applications, are subject to special documentation and transparency requirements.
Scope of the AI Regulation
Geographical and material scope of application
The AI Regulation applies to all providers and operators of AI systems placed on the market or operated in the EU, regardless of whether they are based inside or outside the EU. Exceptions exist for national security applications, military purposes, and AI systems developed exclusively for scientific research.
Roles of the actors
The main addressees of the AI Regulation are:
- Provider (“Provider”)
- Operator (“Deployer”)
- Importer
- Distributor
Depending on how their AI systems are used, companies can assume one or more of these roles, which entails different obligations.
Obligations of providers and operators
High-risk AI systems
Providers and operators of high-risk AI systems must:
- Risk management systems to implement
- Technical documentation create and maintain
- Transparency obligations and provide system-related information
- Human supervision guarantee
- logging of events throughout the entire life cycle of the AI system
Limited risk
For AI systems with limited risk, transparency measures are particularly necessary. These include, for example, labeling content generated or manipulated by AI to prevent deception.
Minimal risk
These systems do not require specific measures under the AI Regulation, but may voluntarily follow codes of conduct to create additional trust among users.
Sanctions and enforcement
Violations of the AI Regulation can result in significant fines of up to EUR 35 million or 7% of the group's worldwide turnover from the previous year. In addition, claims for damages may be asserted under other legal areas. Enforcement is carried out by national supervisory authorities and specialized EU institutions such as the AI Office.
Recommendations for business
To successfully implement the AI Regulation, companies should take the following steps:
- Development of an AI compliance framework
• Determine clear responsibility for AI compliance, for example by appointing an AI officer
• Develop internal guidelines that link to other existing compliance and data protection regulations. These should define where AI systems may be used, what risk assessments are performed, and how violations are to be handled.
• Keep an eye on legal changes and technological developments and regularly adapt your AI compliance framework to new requirements. - Mapping all AI systems
• Gain an overview of all AI systems running in your company—including those of suppliers and third parties. AI functions often enter operations "through the back door" in the form of automatic updates.
• Evaluate each identified AI system based on the AI Regulation's categories (prohibited, high-risk, limited, minimal). The more precisely you document the criteria for classification, the more secure you will be in your discussions with regulators.
• Maintain a central directory of all AI systems with all relevant information such as purpose, functionality, data types, and responsibilities. Update this directory regularly to stay up-to-date. - Implementation of first measures
• Train your employees on the opportunities and risks of AI systems.
• Ensure that interactions with AI systems make it clear that they are using AI. Label AI-generated content (e.g., deepfakes) in accordance with the AI Regulation and make transparent the data basis on which a system operates.
• Regularly record how your AI system was designed and trained, what data is used, and what testing has taken place. - Expansion of monitoring and continuous optimization
• Integrate a monitoring concept that allows you to continuously check the performance and compliance of AI systems. Respond quickly to any error messages or security vulnerabilities.
• Schedule internal or external audits to review the effectiveness of your AI compliance framework. This allows you to identify deficiencies early and initiate optimization measures.
• Involve users and those affected so that feedback on unexpected results or incorrect behavior of the AI system can be exchanged promptly and incorporated into improvement processes. - Involvement of external expertise
If you have any questions or problems with the implementation, the law firm Gabler & Hendel here. - Addressing risks along the supply chain
Review which AI systems enter your company through suppliers, service providers, and partners. Make it clear in contracts that these systems must also meet AI Regulation requirements. - Establish communication and crisis management
• Ensure that all relevant departments – from IT to HR – are up to date on updates and obligations regarding AI compliance.
• Establish adequate processes in advance to ensure that you can respond quickly and provide appropriate information in the event of suspected or actual violations of the rules.
Conclusion
The EU AI Regulation represents an important step toward creating a safe and trustworthy environment for the use of artificial intelligence. Companies are required to address the new regulations early on and implement appropriate compliance measures. Raising employee awareness and establishing robust AI management are particularly crucial for successful compliance with the regulation. Through proactive measures, companies can not only minimize legal risks but also strengthen the trust of their customers and partners.
Your comment
Participate in discussion?Leave us your comment!