Artificial Intelligence Act

Regulation (EU) 2024/1689 regulates AI across the value chain. It introduces a risk-based framework with bans for unacceptable practices, compliance duties for high-risk systems, and rules for general-purpose AI models placed on the EU market.

Status

EU

Applies from 2 August 2026. Note: Will be amended through the Digital Omnibus on AI.

EEA

Pending.

Norway

Legislative proposal on public consultation 30 June 2025.



Hot topics

Who is affected

The AI Act applies to both public and private actors. It places the most stringent obligations on those who develop or place AI systems on the EU market, but it also applies to importers, distributors, product manufacturers, and users operating AI systems under their authority (deployers).

The regulation also applies to businesses that are located or established outside the EU if they put into service or place AI systems on the EU market, or if the output produced by the system is used in the EU. In addition, the regulation covers affected persons located in the EU.

Why act now?

Non-compliance can have significant consequences. The AI Act allows regulators to impose fines of up to €35 million or 7% of global turnover (depending on severity and type of breach). Sanctions may also be imposed on deployers of AI systems, in particular for high-risk systems such as those used in recruitment, as safety components in critical infrastructure (such as power supply) and regulated products (toys, medical devices etc.).

To comply, you need to be able to map where AI is used or procured across the business and classify the systems by risk category. Any use or provision of high-risk AI systems requires establishing a governance framework, which includes risk assessments, documented measures and human oversight. Supplier and customer contracts should be reviewed to allocate responsibility for compliance, transparency obligations and incident reporting.

Key obligations

The Act classifies AI applications into risk categories and sets out specific requirements and standards for each category.

  • AI systems with unacceptable risk are prohibited. This includes, for example, subliminal or manipulative systems that distort behavior or decisions and real-time remote biometric identification in publicly accessible spaces.
  • Providers of high-risk AI systems are obliged to implement a risk management system, ensure quality of training data, provide information to deployers etc. The system must also achieve an appropriate level of accuracy, robustness and cybersecurity.
  • Deployers of high-risk AI systems must, among other things, ensure and monitor that the systems are used in compliance with instructions from the provider, ensure human oversight, ensure that input data is relevant and representative, and, depending on the intended use, provide information to affected users etc.
  • General Purpose AI Systems are subject to transparency duties: providers must maintain technical documentation, publish summaries of training data content etc. High-impact general-purpose AI will face additional obligations, including risk assessment and incident reporting.
  • Identify your business’ role within the AI value chain
  • If you are established or located outside the EU/EEA, assess whether the AI Act still applies to you
  • Build an AI inventory and classify your systems within the relevant regulatory categories
  • Implement compliance routines based on classification, for example governance, documentation, oversight, monitoring, and incident processes
  • Check whether registration in the EU database is required (art. 49)

How can we assist?

  • Assessing whether your AI system falls within the scope of the regulation, and classifying the risk level
  • Conducting a compliance gap assessment by reviewing your governance, internal routines, and product or deployment processes against the AI Act
  • Helping you set up a practical governance framework, including policies and procedures where these are not already in place, and supporting risk assessments where needed
  • Supporting impact assessments and coordination with GDPR and other privacy rules

Contact us

Marie Dahl
Associate

m.dahl@haavind.no
+47 417 65 082

Stian Hultin Oddbjørnsen
Partner

s.oddbjornsen@haavind.no
+47 957 89 414