The EU AI Act: What it Means for Your Business

Authors

• 

  Richard Wingfield

  Director, Technology Sectors, BSR

  

  ---

  

  Richard Wingfield

  Director, Technology Sectors, BSR

  

  London

  ---

  Richard works with tech companies—particularly those based in or with operations in Europe, the Middle East, and Africa—to build human rights considerations and practices into their products, services, and policies. He brings a strong understanding of international human rights law and standards and how to translate the corporate responsibility to respect human rights into practice for companies of different sizes and sectors. ​

  ​Prior to joining BSR, Richard led the legal and policy team at Global Partners Digital, an international human rights organization focused on the impacts of digital technologies on human rights. He is also a trustee of the Kaleidoscope Trust, a UK-based charity that campaigns for the human rights of LGBTIQ+ people in countries where they are discriminated.

  Richard holds a LLB in Law and European Law from the University of Nottingham and is a qualified lawyer in England and Wales.

  Close
• 

  Asako Nagai

  Managing Director, Technology Sectors, BSR

  

  ---

  

  Asako Nagai

  Managing Director, Technology Sectors, BSR

  

  Tokyo

  ---

  With more than 20 years of sustainability experience, Asako advises global technology companies as well as BSR members and partners in Japan to better integrate sustainability into core business strategies.

  Prior to joining BSR, Asako was Head of the CSR Management Section at Sony Corporation, and she has more than 10 years of experience leading global sustainability strategies. She has experience in sustainability reporting, stakeholder engagement, supply chain management, and responsible mineral sourcing and human rights. She also played a key role in shaping the industry framework for the Electronic Industry Citizenship Coalition.

  Asako holds dual master’s degrees in Business Administration and Science from the Ross School of Business and School of Natural Resources and Environment at the University of Michigan.

  Close
• 

  Hannah Darnton

  Director, Technology and Human Rights, BSR

  

  ---

  

  Hannah Darnton

  Director, Technology and Human Rights, BSR

  

  San Francisco

  ---

  Hannah works with multinational companies to align business and human rights strategies and facilitate incorporation of sustainable practices into business operations across sectors.

  She focuses on the intersection of human rights and new, disruptive technology and leads the Tech Against Trafficking collaborative initiative.

  Prior to joining BSR, Hannah worked with the Skoll Foundation, where she co-led the portfolio and investments team’s efforts to identify social entrepreneurs with the potential to drive large-scale social change. Her work led to over US$20 million in grants and investments between 2015 and 2018. Before Skoll, Hannah spent six years working in anti-human trafficking in West Africa, Southeast Asia, and the Bay Area. She is fluent in French.

  Hannah holds a Master’s in NGOs and Development from the London School of Economics and a B.A. in Political Science and French from the University of Michigan. She currently serves on the advisory boards of Oxfam’s Women in Small Enterprise initiative and Convening17.

  Close
• 

  J.Y. Hoh

  Manager, Technology Sectors, BSR

  

  ---

  

  J.Y. Hoh

  Manager, Technology Sectors, BSR

  

  Singapore

  ---

  J.Y. works with technology companies to incorporate effective human rights practices.

  Before joining BSR, J.Y. worked as an international human rights lawyer at NGOs. He was previously a Legal Officer at the Centre for Law and Democracy, an international human rights NGO promoting freedom of expression and the right to information globally. Before that, he was a Staff Lawyer at the Canadian Civil Liberties Association, Canada’s national human rights organization, where he was a recipient of the Law Foundation of Ontario’s Public Interest Articling Fellowship. He also acted as an international trade negotiator for the government of Singapore and was part of the negotiating team that closed the EU-Singapore Free Trade Agreement.

  J.Y. holds a BA in Law from the University of Oxford, Somerville College and a LLM (International Law) from the School of Law at the University of California, Berkeley.

  Close

Key Points

• With the EU’s Artificial Intelligence Act soon to come into force, leaders around the world are considering the implications for business.
• The Act will have impacts well beyond the borders of the EU, and will apply to any companies developing, deploying or using AI—meaning it does not apply uniquely to technology companies.
• BSR’s Technology and Human Rights teams discuss the key features of the Act, and who will be affected.

The Artificial Intelligence Act (or “AI Act”) is a new piece of legislation that will regulate the development, deployment, and use of AI within the EU, but will impact businesses well beyond its borders. Its overall objectives are to ensure a well-functioning internal market for AI systems within the EU, as well as to a high level of protection of health, safety, human rights, and environmental protection.  

The AI Act is ambitious, not only in the sense that it is the world’s first major piece of AI-related regulation, but also in its scope. The definition of “AI system” (in Article 3) is “a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.  

Defining a Risk-based Approach 

Within that broad scope, however, the approach taken is a risk-based one, with different rules and requirements depending on the level and nature of the risk with the AI Act categorizing five types: 

1. Prohibited AI practices: The AI Act designates and prohibits a number of AI practices deemed to be particularly harmful, such as deceptive techniques that influence behavior resulting in harm, or which exploit people’s vulnerabilities. These prohibitions will come into force in six months. 
2. High-risk AI systems: The AI Act designates other types of AI systems as “high-risk”. Examples include biometrics and the use of AI in a critical infrastructure, education and vocational training, employment, essential private and public services, law enforcement, and the administration of justice. For these, the Act sets out a number of requirements relating to their development, include establishing risk management systems, maintaining technical documentation, and ensuring accuracy and robustness, as well as human oversight. The Act also includes rules relating to placing these systems onto the EU market, putting them into service, and using them, such as establishing quality management systems, documentation-keeping, cooperating with national authorities, and complying with conformity assessments. These requirements will come into force in three years. 
3. General purpose AI models (including large language models): The AI Act creates a number of requirements specific to general purpose AI models, such as maintaining technical documentation, providing instructions on safe use, and ensuring that copyright law is respected. These requirements will come into force in twelve months. 
4. AI systems requiring transparency: The AI Act’s focus on AI systems that are intended to interact directly with natural persons, and will require providers to ensure that people are aware that they are interacting with AI. In addition, deployers of AI systems that create “deep fakes” or that generate or manipulate text for general information purposes must disclose that the content is artificially generated or manipulated. These requirements will come into force in two years. 
5. Low risk AI systems: While the AI Act does not impose any requirements on AI systems that don’t fall into the above categories, it does require the drawing up of voluntary codes of conduct for these lower-risk systems. 

The AI Act also contains measures intended to support AI innovation, start-ups, and SMEs, including through AI regulatory sandboxes. It will be implemented and enforced both at an EU-wide level (including through the AI Office, a new body being developed within the European Commission, empowered to develop codes of practice, guidance, and take infringement action) and designated national authorities in each EU member state. A range of potential fines and sanctions will be available (under Article 99), with the most serious breaches (non-compliance with the prohibited AI practices) punishable by fines of up to 35 million or seven percent of a company’s total worldwide annual turnover for the preceding financial year. 

Who will the AI Act affect? 

The legislation sets out different requirements for different types of companies in the AI lifecycle: 

• Companies placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the EU (“providers”); 
• Companies that deploy AI systems and have their place of establishment or are located within the EU (“deployers”); 
• Companies, whether providers or deployers of AI systems, where the output produced by an AI system is used in the EU; 
• Importers and distributors of AI systems; and 
• Product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark. 

As such, the requirements are not limited to companies developing AI technology, but any company using AI systems or their outputs in the EU, meaning that the AI Act will be important for a wide range of companies of all sectors using AI (whether that use is specific to a particular sector, such as AI-based creditworthiness assessments for financial service companies, or general uses such as using AI for recruitment decisions).  

Finally, it does not matter whether providers or deployers are established or located in the EU or outside, meaning that the requirements will be relevant for companies across the world where the AI system or general purpose AI model is placed into the EU market, or where its outputs are used in the EU. 

With the AI Act now coming into force, understanding its requirements will be important for any company developing or using AI. The legal framework is novel and complex, but broad both in scope and in the range of companies to whom it will apply, both inside and outside of the EU. By understanding the Act's classifications of risk levels, and your company’s role within the AI lifecycle (provider, deployer, etc.), you can ensure compliance. Our next blog post will delve into how to take a human rights-based approach to address some of the risks posed by AI which the AI Act seeks to mitigate. For more information on the AI Act or to discuss its implications for your business, feel free to contact our Tech and Human Rights team.