
Understanding the European Union AI Act: A Guide for Businesses in the U.S.

Following over two years of lobbying and maneuvering, and after final negotiations that lasted 36 hours and concluded on December 8, 2023, European lawmakers reached an agreement on the world’s first comprehensive law regulating artificial intelligence (AI) technologies. The EU AI Act is expected to enter into force in 2026 following a two-year grace period, similar to the grace period preceding the EU’s comprehensive data privacy law, the General Data Protection Regulation (GDPR). The EU AI Act, much like GDPR, is also expected to have cross-border implications for businesses in the United States, including and especially those businesses whose operations intersect with the European market. This article reviews the basics of the EU AI Act and the potential ramifications for US businesses.

What is the EU AI Act?

The EU AI Act is a comprehensive regulatory framework that fits different AI systems into several different categories based on perceived levels of risk:

  1. Unacceptable Risk: AI systems that are considered to pose a clear threat to the safety, livelihoods, and rights of people are banned from being deployed in the EU. This includes AI that manipulates human behavior to circumvent users’ free will.
  2. High-Risk AI Systems: These systems can be used to support critical infrastructures and provide essential private and public services, including law enforcement, population migration and border security, and the processing of asylum or employment applications, among other things. High-risk systems are subject to strict compliance criteria including data quality, transparency and human oversight requirements.
  3. Limited and Minimal Risk: AI applications with limited risk, such as chatbots, must adhere to limited requirements such as the obligation to ensure transparency by, for example, informing users that they are interacting with an AI. Applications with minimal risk, such as spam filters, will not be subject to the Act.

The EU AI Act generally aims to ensure that AI systems are safe, that they respect EU laws and values, and that they are used ethically. The Act covers any AI system deployed within the EU, regardless of where the provider is based, making it a crucial consideration for US businesses operating in the European market. Providers of essential services such as insurance and banking will be required to conduct impact assessments regarding how their use of AI systems affects users’ rights.

Extraterritorial Reach

  1. Global Reach and Compliance: Even if your business is based in the US, if your AI systems are used in the EU, your business will be subject to the Act and compliance will be mandatory.
  2. Categorization of AI Systems: An understanding of what risk category the Act assigns to the AI systems that your business uses in the EU will be essential for understanding which requirements will apply.
  3. Data Governance and Ethical Considerations: The Act emphasizes the ethical use of AI, including data protection and privacy. Aligning your AI-based business strategies with these standards will be important for legal compliance in the EU and for maintaining consumer trust in European markets.

Navigating Compliance: Checklist for US Businesses

  1. Understand the Risk Categories: Assess your AI systems to understand which risk category they fall into. The requirements for compliance vary significantly based on this categorization.
  2. Align AI Systems with EU Standards: Systems categorized as posing unacceptable risks are banned from deployment in the EU. If your systems are categorized as high-risk, they must meet strict compliance requirements, including transparency, data quality, and human oversight benchmarks.
  3. Educate and Train Your Team: Ensure that your team is aware of the EU AI Act and its implications. Consider training sessions focused on ethical AI development and compliance strategies.
  4. Consult with Legal Experts: Navigating international regulations can be complex. Consult with legal experts experienced with international AI regulations to minimize compliance risks.
  5. Regularly Review and Update AI Practices: AI technologies and systems are continually evolving, and the same should be expected from the AI regulatory landscape. The EU AI Act is subject to a recurring review requirement every two (2) years, so it will likely remain relevant even as AI systems become increasingly sophisticated. Business owners will therefore need to regularly review their AI systems and practices to ensure ongoing compliance.

Enforcement—Europe as the World’s AI Police

Enforcement is the responsibility of the new European AI Office, and the consequences for noncompliance are serious. The AI Office will have the power to impose fines ranging from 1.5–7% of a company’s global sales turnover, depending on the company’s size and the seriousness of the violation. Persons located in the EU will also have statutory rights to not only launch complaints about AI systems, but also to demand explanations regarding how AI systems reached decisions impacting them.

Conclusion

Business owners shouldn’t regard the EU AI Act merely as a regulatory challenge but rather as an opportunity to be at the forefront of the ethical implementation and use of AI systems and related technologies. Now that compliance with the EU AI Act is a prerequisite for access to European markets, proactive engagement with this new regulatory landscape is not only a legal necessity but also a step towards fostering trust and responsible innovation in the era of AI.

Maximilian A. Julian, Esq., Partner at Gertsburg Licata, is a pragmatic, results-oriented litigator specializing in commercial litigation. His practice spans a diverse range of areas including bad faith, breach of contract, breach of fiduciary duty, business torts, class actions, construction disputes, debtor/creditor issues, employment and labor matters, fraud and misrepresentation cases, insurance coverage disputes, LLC member disputes, online defamation, partnership disputes, privacy, cyber security and data breach, restrictive covenants, shareholder disputes, trade secrets, and unfair competition. With extensive experience representing businesses in contested matters, Max provides strategic advice on information security and data privacy compliance, chairing the firm’s Compliance and Ethics Committee. For legal inquiries, Attorney Julian can be reached at [email protected] or (216) 573-6000 x7541.

This article is for informational purposes only. Nothing herein constitutes legal advice. This article does not, and nothing herein is intended to create, an attorney-client relationship. This article is merely intended to provide a very general overview of a specific statute. Do not rely on any information contained in this article without first consulting an attorney licensed to practice in your jurisdiction. Every person’s situation is unique; if you have questions about compliance with European laws, rules or regulations, or if you have specific questions about any other legal matter, contact an attorney licensed to practice in your jurisdiction.
