7% global turnover at stake: Why compliance with the EU’s AI Act matters

As AI continues to integrate into business operations, organisations unprepared for forthcoming regulations risk penalties of up to seven per cent of their global turnover, underscoring the urgent need for compliance.

With the European Council’s approval of the Artificial Intelligence Act on 21st May 2024, businesses operating in or engaging with the European Union must navigate a transformative regulatory landscape.

The Act, which employs a risk-based approach, will be implemented over the next three years. Its provisions will impact companies of all sizes, including AI providers, users, distributors, and manufacturers.

Overview of the EU AI Act
The EU AI Act aims to safeguard fundamental rights while promoting technological innovation. AI systems are classified into four risk levels: unacceptable, high, limited, and minimal. This classification determines the degree of regulatory obligations, with the strictest requirements applied to high-risk systems in critical sectors such as healthcare, finance, and law enforcement.

Penalties vary depending on the severity of violations, ranging from fines of €750,000 to €35 million, or from 1 per cent to 7 per cent of the company’s global annual turnover. Providing false information may lead to fines of up to €7.5 million or 1.5 per cent of global turnover.

Non-compliance risks are particularly significant for businesses deploying high-risk AI systems, emphasising the need for effective compliance strategies.

Obligations for High-Risk AI Systems
High-risk AI systems, such as those used for biometric identification and employment decision-making, must meet stringent requirements under the EU AI Act:

• Risk management: Companies must continuously assess and mitigate foreseeable risks throughout the lifecycle of an AI system.
• Data governance: Robust data practices are required to ensure accuracy and mitigate biases, especially in sectors such as financial services, where biased outcomes can have profound implications.
• Technical documentation and event logging: Firms must maintain detailed documentation, including system descriptions, testing methods, and cybersecurity protocols. Automatic event logging facilitates the tracking of system usage and the identification of potential risks.
• Human oversight: To reduce automation bias, human intervention must be feasible, enabling operators to adjust or override AI outputs where necessary.

Impact on General-Purpose AI Systems
General-purpose AI (GPAI) models, such as those used for text generation, are subject to specific obligations due to their broad applicability. While most companies utilise third-party GPAI solutions, they are still required to conduct thorough due diligence and understand potential risks related to data handling and misuse.

Firms developing their own GPAI systems must invest in robust cybersecurity, copyright compliance, and ongoing monitoring protocols.

Strategies for Compliance
To align with the EU AI Act, businesses are advised to adopt proactive compliance strategies:

• Classify current AI models: By evaluating their AI systems against the Act’s framework, firms can proactively align with regulatory requirements.
• Integrate compliance by design: Organisations should incorporate governance measures that meet regulatory standards from the inception of product development.
• Train employees: Effective AI deployment requires a skilled workforce capable of mitigating risks associated with the misuse or misinterpretation of AI outputs.

The EU AI Act marks a significant shift in AI regulation. By promoting responsible innovation, it establishes clear rules while positioning businesses to succeed in an era where ethical AI use is paramount.

Adhering to the EU AI Act will ultimately serve as a competitive advantage, fostering trust and protecting corporate reputations.