Why should I read this?
On 13 March 2024, the European Parliament formally adopted the EU AI Act. The legislative process for the world's first binding horizontal AI regulation is nearing completion!
The EU AI Act will impact operators across the whole AI value chain by setting rules and requirements for AI systems and models. It will have an extra-territorial reach, meaning that it will apply to in-scope AI systems that produce an effect in the EU, regardless of where the operator is located.
AI systems are to be classified into four different risk categories: (i) unacceptable-risk; (ii) high-risk; (iii) limited-risk; and (iv) minimal/no-risk. The higher the risk of an AI system, the stricter the rules that apply to it. In addition, the regulation takes a tiered approach to General Purpose AI (GPAI) models. While all GPAI models are subject to transparency obligations, those with ‘high impact capabilities’ that could pose a systemic risk face further requirements, including on their design and governance.
Final steps include the endorsement of the EU AI Act by the Council and its publication in the EU’s Official Journal. Once published, it will enter into force 20 days later. Countries have 12 months to nominate relevant national competent authorities, after which they must notify the Commission.
What should I do?
Internal implementation processes can take up to 24 months. Note that the Regulation will apply from 24 months after its entry into force, although some elements will apply sooner. The general-purpose AI rules will apply one year after entry into force, in May 2025, and the prohibitions of AI practices after just six months. It is therefore advisable to start implementing an AI strategy as soon as possible.
Now that the final version has been made available and organisations have legal certainty, they need to assess their operations and strategies and start taking action to achieve compliance with the EU AI Act:
- Understand and map AI systems used in your organisation
- Conduct a gap analysis to determine compliance and mitigate risks
- Establish a governance framework and organisational structures
- Update and implement policies, procedures and AI systems against the requirements of the EU AI Act
- Ensure compliance and an appropriate interplay with other applicable regulations
- Maintain awareness and training programs to empower your organisation
- Manage contracts and third-party engagement
Please reach out to your Eversheds Sutherland team to discuss any queries around the EU AI Act or its implementation.
What else do I need to know about the regulation of AI?
Now that the EU has taken the first step in regulating AI, attention turns to other jurisdictions and their approach to AI. The UK government has stated that it will “not rush” into legislating AI before fully understanding the risks and opportunities it presents, while recognising that legislative action will eventually be required. It appears that the UK is not intending to follow hot on the heels of the EU – although note that the extra-territorial reach of the EU AI Act means many UK organisations may already be caught.
At this stage, the UK is pushing forward with asking existing regulators to outline their approach to AI by 30 April 2024. This follows the government’s response to the consultation on the AI framework on 6 February 2024. Ahead of the April deadline, regulators will need to think about AI-related risks present in their sector and their mitigation approach. This may be welcome news for many businesses who feel in the dark about how their regulators will grapple with the regulation of AI in their industry.
Across the pond in the US, there is no sign yet of a comprehensive federal bill on AI regulation. There are a lot of proposals at the state level, and further activity is expected in this space in 2024, at state level if not at federal level.
We expect legislative change to move at pace globally, reflecting how fast-moving the technology itself is.
Thanks to Domagoj Pavic for co-authoring this update.