The EU AI Act, whose impact will be greater than the one of GDPR, has just been published in the Official Journal. When does it enter into force and what companies are impacted?

Simina Mut
Simina Mut

The EU regulation that establishes a uniform legal framework for the development, market placement, service provision, and use of artificial intelligence (AI) systems, called the EU AI Act, has just been published in the Official Journal. The act is directly applicable in Romania, without further transposition measures and will enter into force within 20 days as of its publication date.

Briefly, what companies need to know about this piece of legislation is that it regulates the usage of AI, not of the technology itself. This regulation is part of the EU digital package aimed to make the EU fit for the digital age. It was designed to support innovation and the uptake of human-centric and trustworthy AI, to protect health, safety, fundamental rights, democracy, the rule of law, and the environment from the potential harmful effects of AI systems. It also aims to improve the functioning of the European single market, offering legal certainty and regulatory sandboxes to promote further AI development, particularly by start-ups and SMEs.

What companies are impacted?

EU AI Act’s impact on companies will be major – even greater than the famous GDPR, according to Deloitte’s analysis, as it is an extremely comprehensive regulation, which includes a set of requirements for the usage of artificial intelligence systems. The requirements apply to all parties across the AI value chain and lifecycle, from developers to users.

While it applies to any companies, active in any field, the most affected sectors are financial services (especially banks), technology, life science and healthcare, as well as utilities. This is due to the fact that these sectors are likely to have the highest concentration of what the AI act classifies as “high risk systems”, meaning AI systems used for biometric categorization, emotion recognition, credit scoring, but also for recruitment and critical infrastructure.

Compliance with the AI Act becomes a condition for placing such systems on the market as well as for putting them into service or use.

How much time do companies have to become compliant?

The EU AI Act allows a transition period for the companies to comply with its requirements. The prohibition of the systems that are classified by the Act as “unacceptable” is effective within 6 months. This applies to systems which are seen as particularly harmful and abusive as they contradict European Union’s values, such as manipulating human behaviour, opinions and decisions, exploitation of vulnerabilities, social scoring.

For the other types of uses of AI systems, compliance with most of the requirements of the Act will be required within 24 months.

Failure of compliance can lead to sanctions of up to 7% of the global turnover for prohibited uses or 3% for other non-compliance.

So the first things that companies should focus on in order to ensure compliance and avoid negative effects are to review their existing or planned systems to determine if they qualify as AI under AI Act, to map the products and the roles, to carry out a risk and impact assessment and to determine the requirements that apply to them.

Simina Mut, Partner at Reff & Associates | Deloitte Legal, Leader of Deloitte Legal Central Europe