AI Act: Two experts explain the impact of the EU's new artificial intelligence regulation

The European Council has given the final green light to the first worldwide rules on Artificial Intelligence (AI). The AI Act follows a ‘risk-based’ approach, which means the higher the risk to cause harm to society, the stricter the rules. It is the first of its kind in the world and it is dubbed to set a global standard for AI regulation.

Here's what two experts - Christiana Aristidou, Founder, Partner, Director of The Hybrid LawTech Firm and Monica Odysseos, Senior Manager, Head of AI and Data Lab, Grant Thornton (Cyprus) - told CBN, when asked about the new legislation's impact:

Christiana Aristidou

In practical terms, which companies would be most affected by the regulation? And how would it impact US-based companies, like OpenAI and Anthropic, operating in the EU? Considering the extraterritorial impact of the regulation, are there any parallels to the EU’s General Data Protection Regulation that took effect in 2018?

The EU's AI Act, is likely to have a significant impact on companies that develop or use AI technologies in various sectors. Some of the companies that would be most affected by the regulation include, Tech Giants (like Google, Facebook, Amazon, and Microsoft) which would be among the most affected, AI Startups, Healthcare and Finance.

In terms of US-based companies like OpenAI and Anthropic operating in the EU, they would need to ensure compliance with the EU's AI regulation if they offer AI products or services in the EU market, i.e. market placement or putting into service AI systems, embedded or standalone, in the course of commercial activity. This would involve adapting their AI systems to meet the regulatory requirements, such as ensuring transparency, accountability, and human oversight in their AI applications.

The extraterritorial impact of the regulation means that companies outside the EU, like those based in the US, would still need to comply with the regulation at all times, if they offer AI products or services to EU customers or operate within the EU market. And I was asked, how this is similar to the GDPR, which came into effect in 2018. Although not quite the same, it could be argued that the similarity here is with the extraterritorial effect that applies; in other words, the extraterritorial reach which requires companies worldwide to comply with its data protection standards when handling EU citizens' data. As said, although not quite the same, similar to the GDPR, the EU AI regulation's extraterritorial impact means that companies outside the EU must ensure compliance if they offer AI products or services in the EU. Just a reminder that all products with digital elements being market placed or put into service, need to comply to the relevant health., safety and Cybersecurity regulations (more than 30 horizontal and vertical for security only). So the extraterritorial scope does not mean that the AI act applies in the US jurisdiction per se or can be enforced. Any action (penalty, product exclusion etc.,) is only related to a manufacturer's activity in the EU jurisdiction and only affects the products placed in the EU market. In cases where the manufacturer has no legal presence (which most often needs an analysis) or the AI system was embedded before the final product has reached the EU market, the Regulation can apply equally to the deployers within the EU.

For US companies operating in the EU, the implications of the EU's AI regulation could be significantly huge in terms of compliance costs, operational changes, competitive disadvantage, data localisation, legal risks, and even reputational risks and Trust.

I am concluding this point by saying that, US companies operating in the EU will need to navigate the regulatory landscape introduced by the EU's AI regulation to ensure compliance and maintain their competitiveness in the market. By proactively addressing the implications of the regulation and adapting their operations accordingly, these companies can mitigate risks and seize opportunities presented by the evolving regulatory environment for AI technologies in the EU.

But since I am a lawyer, let me focus on the legal risks and say that operating in the EU under the EU Artificial Intelligence Act (AI Act) regime can pose various legal, regulatory, and compliance risks for US companies such as those I am highlighting below:

1. Non-Compliance Penalties: One of the most immediate risks for US companies operating in the EU under the AI Act is the potential for non-compliance penalties. The AI Act imposes fines of up to 6% of a company's total annual worldwide turnover for serious violations, which can be substantial for large organisations.
2. Liability for AI Systems: The AI Act introduces a concept of "provider's liability" for AI systems, holding companies accountable for any harm caused by their AI applications. US companies will need to ensure that their AI systems comply with the Act's requirements to mitigate the risk of liability claims.
3. Transparency and Accountability Requirements: The AI Act mandates transparency and accountability for AI systems, requiring companies to provide explanations for AI-generated decisions and ensure human oversight. Failure to meet these requirements could lead to regulatory scrutiny and potential penalties.
4. Data Protection and Privacy: US companies operating in the EU must also consider the intersection of the AI Act with existing data protection regulations, such as the General Data Protection Regulation (GDPR). Ensuring compliance with both frameworks is essential to avoid data privacy violations and associated penalties.
5. Risk Assessment and Management: The AI Act requires companies to conduct risk assessments for high-risk AI applications and implement risk management measures to address identified risks. US companies must carefully assess and manage risks associated with their AI systems to comply with these obligations.
6. Ethical and Social Implications: The AI Act emphasises the ethical and societal implications of AI technologies, requiring companies to consider the broader impact of their AI systems on individuals and society. Non-compliance with ethical guidelines could lead to reputational damage and regulatory repercussions.
7. Regulatory Oversight and Enforcement: US companies operating in the EU may face increased regulatory oversight and enforcement actions under the AI Act. Regulatory authorities have the power to conduct audits, and investigations, and impose sanctions on companies that violate the Act's provisions.
8. Cross-Border Data Transfers: The AI Act may introduce restrictions on the cross-border transfer of AI-generated data, requiring companies to implement appropriate safeguards for international data transfers. US companies must navigate these requirements to ensure compliance with data protection regulations.

And I have to close it here, by stressing that, US companies operating in the EU under the EU AI Act regime face a range of legal, regulatory, and compliance risks that require careful attention and proactive measures to mitigate. So, I guess, that, by understanding and addressing these risks, companies can navigate the evolving regulatory landscape for AI technologies in the EU and maintain compliance with the requirements of the AI Act.

Monica Odysseos

The EU's AI Act has been received with mixed feelings as some argue it would set the bloc back in the global competitive landscape. What are your views on the matter? Will the regulation impede the bloc's efforts to become a leader in AI?

I believe the regulation is a positive step forward for several reasons. Firstly, it emphasises the protection of human rights and intellectual property, which are crucial in ensuring that AI technologies are developed and utilised responsibly. The Act mandates transparency, particularly with provisions requiring AI-generated content, such as deepfakes, to be clearly labelled. This measure is vital in protecting consumers from misleading or fake content.

While there are concerns about the balance between innovation and regulation, I view the Act as a necessary framework to safeguard individuals and society at large. It ensures that AI systems are developed with ethical considerations and public safety in mind. By laying down harmonised rules, the regulation aims to foster the uptake of human-centric and trustworthy AI while preventing market fragmentation within the EU.

In terms of innovation versus regulation, it is worth noting that regulation can actually drive innovation. By setting high standards for compliance, the Act encourages the development of new, innovative methods for creating AI technologies that adhere to these regulations. This can lead to advancements in AI that are both ethical and cutting-edge.

Moreover, the Act’s requirement for providers (developers) of AI systems, irrespective of their location, to comply with EU standards if their products are used within the EU, extends its impact globally. This approach helps level the playing field and ensures that EU countries are not disadvantaged in the global AI landscape. It promotes a high level of protection for fundamental rights, including non-discrimination, data protection, and the right to a fair trial, while supporting innovation and economic growth.

Additionally, to assist organisations in preparing for compliance with the EU AI Act, we (Grant Thornton) have developed a custom training programme. This training is designed to help organisations understand the regulatory requirements and implement necessary measures to ensure their compliance with the Act. By providing this support, we aim to facilitate a smooth transition and promote adherence to the regulation, ultimately contributing to the responsible development and use of AI technologies.

Overall, the EU Artificial Intelligence Act sets a strong precedent for the responsible development and deployment of AI technologies, fostering trust and promoting a competitive yet ethical AI industry.

Read more about the AI Act here