Navigating the EU AI Act: A Guide for US-Based CxOs

Artificial intelligenceEuropean unionEU AI ActRegulatory environment
Written By Alexa Ellis

The European Union's AI Act, which came into force on August 1, 2024, establishes a pioneering regulatory framework for artificial intelligence, employing a risk-based approach. It imposes the strictest measures on "high-risk" systems, such as those used in employment or law enforcement, while entirely prohibiting AI systems deemed "unacceptable," like social scoring or police profiling. For "minimal-risk" AI, such as spam filters, no additional requirements are imposed, and for "limited-risk" systems like chatbots, companies are required to inform users that they are interacting with AI. As a US-based Chief Executive Officer (CxO), Chief Technology Officer (CTO), or Chief Compliance Officer (CCO) operating in or with the EU, it is imperative to understand the Act’s requirements and ensure compliance to avoid substantial penalties. This article outlines key actions, strategies, and tools to help you stay compliant with the EU AI Act

Key provisions of the Act include:

  1. General Purpose AI (GPAI) Models: Providers must maintain up-to-date technical documentation, cooperate with the Commission and national authorities, and ensure cybersecurity protection. GPAI models with systemic risks have additional obligations, such as standardized evaluations and incident reporting.

  2. Deep Fakes: The Act mandates clear disclosure of AI-generated or manipulated content unless used for authorized law enforcement purposes or clearly artistic work.

  3. Penalties: Compliance is mandatory. Non-compliance with the Act can lead to fines of up to 7% of a company's annual global turnover. Specific provisions for GPAI models include fines of up to 3% of annual turnover or EUR 15 million.

  4. Implementation Timeline: February 2, 2025: Prohibited AI practices must be withdrawn. August 2, 2025: GPAI models must comply. August 2, 2026: All rules of the Act become applicable.

This Act positions the EU as a global leader in AI governance, aiming to balance innovation with the protection of citizens' rights. Companies providing services within the EU must now navigate these regulations and establish compliance roadmaps to meet the new standards (Home | White & Case LLP) (TNW | The heart of tech) (Home).

Understanding the EU AI Act

The EU AI Act introduces a risk-based approach to AI regulation:

  • High-risk AI systems: Includes AI used in employment, law enforcement, and other critical areas.

  • Unacceptable risk AI systems: Prohibited entirely, including social scoring and police profiling.

  • Minimal-risk AI systems: Like spam filters, face no additional requirements.

  • Limited-risk AI systems: Such as chatbots, must inform users that they are interacting with AI.

Steps to Ensure Compliance

1. Conduct a Comprehensive Audit

Begin with a thorough audit of your AI systems to identify and classify them according to the risk categories defined by the EU AI Act. This involves:

  • Mapping all AI projects and use cases.

  • Evaluating each system's risk level based on its application and potential impact.

Tools:

  • AI Governance Platforms: Tools like FICO's Fair Isaac AI and IBM's OpenPages can help assess and manage the risk associated with your AI systems.

2. Develop a Compliance Roadmap

Based on the audit, create a detailed compliance roadmap:

  • Immediate actions: Withdraw prohibited AI practices by February 2025.

  • Short-term actions: Ensure general-purpose AI (GPAI) models comply by August 2025.

  • Long-term actions: Full compliance with all rules by August 2026.

Tools:

  • Project Management Software: Tools like Asana, Trello, and Microsoft Project can help manage and track compliance tasks.

3. Implement Documentation and Reporting Mechanisms

Maintain up-to-date technical documentation for your AI systems, including training and testing processes. Establish robust reporting mechanisms to track and report incidents.

Tools:

  • Documentation Tools: Confluence and Notion are effective for maintaining comprehensive documentation.

  • Incident Management Systems: Jira Service Management can help track and report AI-related incidents.

4. Establish Cybersecurity Protocols

Ensure your AI systems are protected against cybersecurity threats, especially for GPAI models. Implement regular security assessments and updates.

Tools:

  • Cybersecurity Platforms: Palo Alto Networks, CrowdStrike, and Fortinet offer robust security solutions tailored to AI systems.

5. Train Your Team

Educate your team about the EU AI Act requirements and their roles in ensuring compliance. Regular training sessions can help keep everyone informed and proactive.

Tools:

  • Training Platforms: Coursera for Business, LinkedIn Learning, and Udemy for Business provide courses on AI governance and compliance.

6. Monitor and Adapt

Stay updated with any changes or updates to the EU AI Act. Regularly review and adapt your compliance strategies as necessary.

Tools:

  • Regulatory Monitoring Services: LexisNexis Regulatory Compliance and Thomson Reuters Regulatory Intelligence can help track changes in regulations.

The EU AI Act sets a global standard for AI governance, and compliance is crucial for any US-based company operating in the EU. By conducting thorough audits, developing detailed compliance roadmaps, implementing robust documentation and reporting mechanisms, ensuring cybersecurity, training your team, and staying updated with regulatory changes, you can navigate the complexities of this Act effectively.

Implementing these strategies and leveraging the appropriate tools will not only help you stay compliant but also position your company as a leader in responsible AI innovation.

Alexa Ellis

https://www.linkedin.com/in/alexaellis/
Previous

With the start of Hurricane Season on the East Coast. What is your Disaster Recovery and Business Continuity Plan
Next

The Expiration of the Tax Cuts and Jobs Act: Impacts and Protective Measures for Employers and Employees