Questions About the EU AI Act - Cybersecurity Law Articles

Brenda Leong
May 13, 2024

Matt Fleischer-Black reported on the EU AI Act for Cybersecurity Law Report in a 3-part series available here (paywall access required). This detailed review summarizes the overview and procedural history of the EU AI Act, and then dives into some of the important specifics that companies need to know. Our partner, Brenda Leong, weighs in on some of the key points.

Part 1 concludes that:

  • This act clearly puts the burden on “big tech” (the developers of AI systems) to set the standards around performance testing, disclosure and monitoring of these systems in high-risk use cases such as employment or healthcare, and requires them to do so before a system goes to market, so that consumers bear less of the responsibility for assessing harm.
  • It not only imposes responsibility on those developers but also requires companies integrating or using these systems (“deployers”) to do their part in implementing sufficient controls and guidance, reporting bad outcomes, and keeping the systems up to date based on developer inputs.
  • Companies are watching this closely to understand where their models fall in the risk rankings, and what requirements they will need to fulfill - many of which are not yet fully fleshed out. What type of testing will be required or sufficient, what level of detail must be included in disclosures of performance specs, and other open questions remain to be seen.

As the first-of-its-kind AI legislation - that is, comprehensive law at a national or multi-national level applicable to all AI systems that impact its citizens - this Act will certainly continue to receive attention, attract criticism, and very likely influence many other national or state laws as legislators consider how to approach the potential harms and risks created by AI systems.

Compliance with this act while also continuing to observe the requirements of the General Data Protection Regulation (GDPR) and other data-related legislation will not be an easy or obvious process, and organizations at all levels are gearing up for the challenges involved.

Part 2 of the series considers the implications of the risk tiers established by the Act, and the associated assessment that will be required. This includes identifying those systems which pose such an “unacceptable risk” that they are banned as a “prohibited use” in all but narrowly excepted cases.

Part 3 offers practical steps for those companies preparing to comply when the Act goes into effect.