EU AI Act: The final phase and what this means for business
You would be forgiven for thinking that 2023 has been the year of the chatbot. OpenAI, Amazon, Google and DeepMind are among the world’s largest tech companies racing to improve their chatbot products by making them more efficient, secure, and user-friendly. We now see chatbots being utilised more and more by SMEs, as providers vie for a share of the market. While the potential practical applications of generative AI are exciting, with opportunity come regulatory challenges. Following the European Parliament’s approval of the draft text for the EU AI Act (the Act) on 14 June 2023, we discuss the next legislative stage, when we can expect the Act to come into force, who is likely to be affected, and what companies can already do today.
What are the legislative next steps?
By way of a brief recap, in April 2021 the European Commission first proposed the Act. The objective was (and still is) to put in place the world’s first comprehensive legal framework on AI, to regulate developers and users alike. Fast forward to June 2023, the Commission, the Council of the EU, and the European Parliament will now start negotiations (known as the ‘trilogues’) to agree on the final text of the Act. If adopted, the EU AI Act would be directly applicable across the EU without the need for further implementation into Member State law (Art. 288 para. 2 sentence 2 TFEU). It is not yet clear how long these final negotiations will last. At the earliest, we could see an agreement reached later this year.
When will the Act come into force?
Once the trilogue procedure concludes and the Act becomes binding, the Act provides for a transitional period before coming into force. The current draft provides for a transitional period of 24 months (Art. 85 para. 2 AI Act). However, it remains to be seen whether this is shortened or extended. There is no concrete deadline. Given the above activity in the industry and depending on developments with generative AI generally, it is possible that EU lawmakers will cut the grace period in order to provide regulatory stability. Some commentators have speculated that this could be as soon as mid-2024. On the other hand, as seen with other types of EU legislative frameworks, it could be as long as 36 months, so late 2026. Going by the current draft wording, at the earliest, the Act would come into force in 2025.
Who is affected by the Act?
The Act will have a wide territorial reach and will apply horizontally (ie, across all sectors). It is a significant piece of legislation that will apply to providers, users, importers, and distributors of AI systems. It also imposes significant financial penalties for non-compliance. As an example, if you are a supplier of AI chatbot systems based solely in South Korea but deploy your products to customers in the EU, you will be caught by the Act. The key point is that if you are deploying AI tech on the EU market or using AI to generate outputs that will be used in the EU, you must prepare for the possibility that you will be regulated under the EU AI Act.
What should businesses be doing now?
Companies, investors, and developers should prepare for the legal implications of the Act and start to think about the potential impact on their businesses. As we saw with the advent of GDPR in 2018, non-compliance can generate additional costs for businesses as they seek to fulfil the requirements of the Act, especially as the enforcement date nears.
In particular, businesses should proceed with caution if they have AI systems being used in essential business operations or are considering sizeable investments in introducing AI systems. For instance, if a business already implements an AI system and it later transpires that the AI system is categorised as a high-risk or even a prohibited AI system, then its use might be significantly limited or completely prohibited from the date the Act comes into force.
In terms of preliminary compliance steps, these might include:
- critically assessing data governance policies and frameworks for training of AI products in light of the Act’s (draft) requirements;
- considering what processes need to be put in place for reporting incidents related to AI systems; and
- ensuring that your GDPR practices are fit for purpose. The AI Act will work in tandem with the GDPR. At the very least, compliance with the Act will likely build on the established GDPR practices, and GDPR rules will also be relevant if personal data is fed into an AI system.
In addition, existing cybersecurity rules and systems should be reviewed when developing or deploying AI systems.
Overall, there is still some time for businesses to prepare for the impact the AI Act will have on them. If you have any queries or seek more information on the EU AI Act and how it may impact your business, please contact a member of our Tech and Innovation sector team.