AI Act compliance - the keys to understanding and applying the law

While the Artificial Intelligence Regulation was voted on by the Member States on 2 February 2024, it is now highly likely that the AI Act will come into force by June 2024 after a final vote in the European Parliament.

France Digitale has teamed up with Wavestone and Gide to publish a practical guide in which they decipher the text voted on 2 February 2024, to enable businesses – startups, SMEs and large groups – to quickly understand what is at stake with this new AI regulation and anticipate the next steps in bringing their AI systems into compliance.

 

What are the direct consequences of the AI Act for businesses?

According to Marianne Tordeux Bitker, Director of Public Affairs at France Digitale: « This decision has a bitter-sweet taste. While the AI Act responds to a major challenge in terms of transparency and ethics, it nonetheless creates significant obligations for all companies that use or develop artificial intelligence, despite a few adjustments planned for start-ups and SMEs, notably through regulatory sandboxes. We fear that the text will simply create additional regulatory barriers that will benefit American and Chinese competition and reduce our opportunities to develop European champions in AI« .

In practice, the AI Act creates product regulations, ranging from a marketing ban to CE marking, applicable to artificial intelligence systems that are marketed. It applies to all companies that develop, supply or deploy artificial intelligence systems. The AI Act also contains special provisions for companies developing generative AI models.

Companies that develop, supply or deploy AI systems in the European Union will have to adapt their compliance to the level of risk posed by AI.

In practical terms, companies will have to map AI systems and their level of risk, in order to adapt their compliance obligations:

• AI systems presenting an unacceptable risk will be banned from the market,
• AI systems presenting a high risk will have to obtain CE marking,
• and low- or minimal-risk AI systems will have to incorporate user information obligations or follow a voluntary code of conduct.

According to Chadi Hantouche, Partner at Wavestone: « To achieve compliance, companies will have to carry out tests, provide the required documentation, interact with the planned governance and follow the compliance process over time.
3 pieces of advice to help you get there with peace of mind: follow the step-by-step method we suggest in the guide, set up a dedicated team and anticipate the budgetary impact for your company. »

 

Generative AI models – such as those developed by Mistral, ChatGPT or Bard – will also have to comply, whether or not they are open source.

In practical terms, the level of regulation will differ depending on whether the model is basic or systemically risky. To date, only the criterion of computing power (greater or less than 1025 FLOPS) has been used to determine ‘systemic’ risk, but the AI Office may supplement this definition at a later date to take account of additional criteria, such as the number of business users.

 

Businesses need to plan ahead to ensure compliance

Although the AI Act will be applied in stages, the first obligations will come into force within 6 months of its publication in the Official Journal of the European Union.

According to Julien Guinot-Deléry, Partner, and Matthieu Lucchesi, Counsel at Gide: « The application of the AI Act is going to happen very quickly. The opportunities but also the challenges posed by this new regulation are significant and affect a very wide range of players and industries. It is essential that companies prepare now and anticipate the compliance of their AI systems, taking into account other regulations, including those on copyright. »