EU AI Act: European AI regulation and its implementation

Your expert for questions

Hendrik Reese
Partner Responsible AI at PwC Germany
Email

The EU AI Act will have far-reaching effects

The EU AI Act is a regulation proposed by the European Commission to establish harmonized rules for AI systems. As part of the so-called trilogue, the Commission, Parliament and the Council of the European Union agreed on a joint version of the regulation in December 2023 after lengthy negotiations. The publication can be expected in 2024. The regulation is expected to provide for a transitional period of 24 months during which organizations must implement the requirements, whereby non-compliance can lead to significant fines and liability risks. However, bans are to take effect already after just 6 months and requirements for general purpose AI (GPAI) after just 12 months.

AI systems are generally regulated on the basis of the risks they pose. Some systems are completely prohibited and others must meet requirements in order to be used. All other systems can initially be operated without further restrictions, although the Commission reserves the right to extend the list of regulated systems if they are associated with considerable risks.

The central subject of the regulation are high-risk AI systems, which must meet comprehensive documentation, monitoring and quality requirements. The providers of high-risk AI systems bear the main burden of the requirements.

Furthermore, General Purpose AI (GPAI) systems and Foundation Models are subject to stricter regulation. They would have to meet special transparency requirements. If they additionally pose systemic risks, stricter rules apply with regard to their quality and risk management as well as reporting to government agencies.

All AI systems that interact with natural persons will be obliged to inform these about their use.

In addition to the general regulation of AI through the EU AI Act, there are other regulations that are relevant for AI use cases: Horizontal ones, such as the GDPR or the proposed EU Data Act, and vertical or sectoral ones, such as the EU Medical Devices Regulation (MDR) or the German Regulation on the Approval and Operation of Motor Vehicles with Autonomous Driving Functions in Specified Operating Areas (AFGBV).

The key to sustainable value creation with AI lies in successfully linking quality, regulation and scaling. To achieve this, recognised standards, best practices and appropriate tools are needed for the safe and efficient development and operationalisation of AI systems. In particular, flexible data, risk and lifecycle management systems are indispensable to enable organizations to rapidly and safely transition their AI systems from pilot to production at scale.

PwC has developed an AI Governance Introduction Framework that outlines an organization-specific AI governance and combines the concepts and principles of compliance management systems with the requirements of the EU AI Act. The first step is to prepare for setting up the necessary compliance and governance components and to develop a clear picture of the necessary measures for an organization's use cases.

As the EU AI Act is expected to enter into force in 2024, planning for its implementation should start now. Early preparation of a holistic AI governance can give companies a competitive advantage in terms of time-to-market and quality of their (high-risk) AI systems. The requirements of the regulation are complex and organizations should in any case leverage existing compliance structures and best practices in machine learning.

In the long run, the ability to combine quality, compliance and scaling of AI systems will be crucial for the success of companies using AI in the European market – especially vis-à-vis competitors in Asia and the US. Interdisciplinary competencies are necessary to create structures and processes for an AI governance that is technically, legally and organisationally fit for the future.