The EU Artificial Intelligence Act – Regulation (EU) 2024/1689 – (hereinafter referred to as the "AI Act") has been in force since 1 August 2024.
Since then, many companies have been seeking clarity on whether they are affected by it. Given the potential for significant financial penalties in the event of violations, this is an essential question. The technical complexity and comprehensive legal framework of the AI Act present significant challenges for many. This article provides an overview of key questions companies should ask to determine whether the AI Act applies to them.
Am I Using an AI System, and Is It Covered by the AI Act?
The AI Act is based on the premise of an AI system. The definition of an AI system is intentionally comprehensive to encompass software that presents the typical risks associated with AI. The ability of the system to adapt and to infer, that is to say to engage in learning, reasoning and modelling processes, are key criteria.
An AI system may comprise one or more AI models, a user interface, or other components such as content filters or information processing systems. It is therefore possible that software which initially appears unremarkable may also fall under the scope of the AI Act if it forms part of an application or product. For example, the question of whether a customer chatbot on a company's website qualifies as an AI system under the AI Act requires an individual and comprehensive examination of various factors, possibly involving the assistance of experts.
The broad interpretation of AI systems has resulted in numerous software solutions that are now indispensable to the day-to-day operations of companies being subject to the AI Act. This has significant implications for industries and sectors such as quality control, logistics, financial services, and security, where AI is becoming an increasingly crucial technology. Examples of AI in action include machines that perform quality inspections as part of the production chain, algorithms for monitoring warehouse capacity, programs that process large amounts of data for personalised investment recommendations, and chatbots. Additionally, AI is present in many of the software applications we use daily, including search engines, streaming services with recommendation algorithms, voice assistants, facial recognition software, navigation systems, autonomous driving assistance systems, as well as in word processing and translation programs.
What Is My Role in Using the AI System?
The AI Act targets a broad range of entities and differentiates between providers, importers, distributors, and operators. While the majority of companies are unlikely to be importers or distributors, it would be prudent to examine the criteria for being a provider or operator in closer detail.
A provider is defined as the individual or entity responsible for developing or having developed an AI system or model and subsequently placing it on the market or putting it into operation under their own name. It should be noted that other individuals may subsequently be classified as providers. This may occur if they attach their name or brand to an AI system that has already been placed on the market or put into operation, make a significant change to such an AI system, or change the purpose of such an AI system so that it is classified as high-risk. In practice, this means that making changes to the purpose or retraining an AI system can be sufficient to make someone a provider.
An operator can be any natural or legal person, including authorities, institutions, or other entities that use an AI system under their own responsibility.
Is the Nature of My Use Covered by the AI Act?
It should be noted that not every use of an AI system falls within the scope of the AI Act. It is therefore important to ascertain whether your use may be exempt from the scope of the legislation.
In certain circumstances, an exemption may apply if services, procedures or components covered by the AI Act are provided free of charge and with disclosed parameters. There are also specific exemptions for scientific research and development, provided that testing does not occur under real-world conditions. Another exemption applies to operators if the use is exclusively for personal, non-professional purposes. Furthermore, certain exemptions apply to law enforcement authorities.
Outlook
The reality is that many companies are already utilising AI systems in their IT architecture or digitised production without being fully aware of it. While the AI Act will be implemented gradually, it is crucial for companies to conduct a comprehensive review now to ascertain whether and to what extent their activities fall under the AI Act. It is advisable to consider this aspect when acquiring new IT solutions that increasingly rely on AI or new digital production technology. The measures to be taken will depend on the risk assessment of the AI used and the role of the company. These may include the establishment of a quality management system, comprehensive documentation, reporting and registration obligations, and compliance verification.
In the event that the AI Act applies, it would be prudent to swiftly consider these measures in light of the potentially significant financial penalties.
The Intellectual Property and Information Technology team at Binder Grösswang is available to assist you with the practical implementation of the AI Act.
Please Note: The information provided is for general guidance only and does not constitute legal advice from Binder Grösswang Rechtsanwälte GmbH. It is not a substitute for seeking individual legal advice. Binder Grösswang Rechtsanwälte GmbH accepts no liability of any kind for the content and accuracy of the blog.
Author:
Ivo Rungg