Category: AI

On August 1, 2024, the EU AI Act officially came into force, establishing the world’s first comprehensive legal framework for regulating AI technology. In this exclusive interview, we speak with Gabriele Mazzini, the architect and lead author of the Act, to gain an insider’s perspective on its development. Mazzini offers a behind-the-scenes look at the complex policy-writing process, discussing how various stakeholders were consulted, and how consensus was reached on the Act’s risk-based approach. He also provides crucial advice for business leaders navigating compliance, shares important updates since the law took effect, and discusses the global implications of the Act. Most importantly, Mazzini reassures companies that now is not the time to panic, but to prepare for the future of AI regulation.

 

What motivated you to take on the role of the lead author of the EU AI Act? How did your background in law influence your policy-writing process?

I realized from the get-go that AI policy was fascinating. I have been passionate since the beginning, notably in trying to understand the intersection between AI as a technology and law as a tool to govern technology. I drafted a quite comprehensive paper about the intersection between AI and EU law in 2018, way before the Commission started working on the AI Act. At the time, I was working in a department in the Commission, which was not the department that ultimately led the work on the Act but was mostly focused on the liability implications of AI. We were reflecting on whether the liability regime in the EU needed to be changed to enable AI. My background in law and the study put in understanding the complexity of the intersection between AI and EU law was essential for the work I did afterwards on the AI Act. When working in policymaking as a regulator it is essential to think holistically, especially in a field like AI where implications are manifold and broad and where regulatory action takes the form of a horizontal legal framework, like the AI Act, which applies across all sectors. 

 

How did you engage with various stakeholders during the development process? What role did their input play in shaping the Act?

It’s a privilege to interact with many stakeholders as a policymaker and listen to many different views. You also start seeing how society sees your work, and whether they see opportunities or risks. At the same time, it’s also a major responsibility because you have to make sure that whatever choices you make as a policymaker are grounded on facts and evidence and you have as much as possible an up-to-date understanding and knowledge about the matter you regulate.  

It’s both a privilege and a responsibility. I’ve always interpreted that role with much respect and not as a tick-the-box exercise where the job is done after meeting X number of stakeholders. Consulting with and engaging with stakeholders is much more than that. On an individual basis, I’ve always had an open-door policy from the beginning and was willing to meet with whoever was interested in talking to me. The institution as a whole has of course also engaged with stakeholders in a structured way.  

This goes back to a time when the Act was not even in the conception phase. The Commission started engaging with stakeholders already in 2018 and 2019 when it set up an expert group on artificial intelligence. This expert group was composed of around 52 individuals from different backgrounds, namely industry, academia, NGOs, and civil society. That group already gave a broad perspective on the emergence of AI and the policy implications of AI. They also developed ethical guidelines for trustworthy AI which were not a deliverable of the European Commission but of this separate expert group. That work already initiated a structured dialog between the European Commission and the stakeholders.  

That work was also complemented by the establishment of an online platform (the AI Alliance) where citizens and any interested party could provide feedback and suggestions. Another important set of consultation processes took place after the adoption of the White paper. Before the Commission came up with the actual legal framework, which happened in 2021, it adopted a White paper on AI in February 2020, and this was essentially how the institution tried to identify a number of potential ideas for what could be the ultimate draft legal framework and aimed to catalyze feedback on those ideas. That was also another interesting way we consulted widely with stakeholders.  

 

Can you share any particularly challenging moments during the writing process? How did you balance competing interests and priorities to reach a consensus?

No process is perfect. It’s challenging to deal with a legal framework that is so complex and large and ensure everyone fully understands what you’re trying to do. This is because any stakeholder typically tends to have a peculiar perspective when looking at and considering the policy work that is unfolding, which is linked to the needs and interests they represent. When trying to build something horizontal, sometimes the input you receive from several stakeholders does not necessarily fit the overall picture. So, the skill of the policymaker is to try to merge the narrow focus or perspective into the ultimate goal, which is in this case, a broader framework. 

 

What led to the risk-based framework of the EU AI Act?

It was pretty clear to me since the beginning that regulating any AI application or AI technology as such did not make sense. At the same time, also for those applications that may have deserved to be regulated, it did not seem warranted to establish the same type of rules. Hence the idea of a ‘pyramid’-like approach tailored to the actual use case.  

This idea was quite fascinating because we realized that we did not want to regulate AI as a technology.  

We didn’t want to regulate any AI application as if AI always creates risks. To create a balanced legal framework that does not hinder development and intervenes only when necessary, you need to focus on the application level and the use case. Therefore, the risk-based approach was exactly that solution, because depending on the type of risk that the application would generate, the rules would be different. We identified three risk levels where binding legal frameworks apply, plus a fourth level for which no binding rules are foreseen, but certain forms of voluntary compliance are possible. Of course, this choice was not ‘carved in stone’. There is no ontological value in the risk levels either that could have been articulated differently. But I think it was an interesting and groundbreaking idea. 

 

The EU AI Act officially came into force on August 1st. What significant updates or events have unfolded since then that business leaders should take note of?

The fact that the Act entered into force doesn’t mean it’s immediately applicable. The Act is law, so it is binding, but it does not apply in its entirety until after three years.  

There is a so-called transition period. The first applicable rules that companies need to comply with will be the rules on the prohibitions. The top of the risk pyramid, if you want. The second set of rules is around the general-purpose AI models and will be applicable one year after 1 August 2024. Two years after that, on 1 August 2026, all the other rules of the AI Act are applicable except for certain provisions regarding high risk.  

Business leaders need to understand the timeline in which the rules become applicable.  

What has happened since the publication of the Act is that the administrations, both in the Commission and in the Member States, have started to set up internal processes and structures to ensure enforcement. Business leaders, notably those that may be concerned by the rules applicable to the general-purpose AI models, should pay attention to the work that has already started in developing the Code of Practice at the EU level, i.e. facilitated by the Commission. These Codes of practice should be finalized before the entry into application of the relevant chapter of the AI Act, which means before 1 August 2025. 

Another important fact business leaders should keep in mind is that the Act is not 100% clear on all its provisions. In fact, the European Commission will have to develop several executive actions called implementing acts and delegated acts as well as guidelines and templates for about 70 items. There are still many areas where clarification is needed, which is not ideal.  

Therefore, there is an opportunity for business leaders and companies to shape the process of finetuning and clarifying the AI Act in order to determine the actual extent to which certain rules may apply to them. In other words, it is time to make their voices heard. They should be active in the implementation phase now that the legislative phase is finalized, but  so much is still to be clarified.   

 

With penalties for non-compliance potentially reaching up to 35 million euros or 7% of annual turnover, what immediate steps should businesses take to ensure they are not at risk?

They should not consider themselves to be at the receiving end of a process they cannot influence. Instead, now is a time to engage critically with the provisions, especially when those rules provide a certain margin of appreciation. Companies need to proactively engage with the regulators and suggest interpretations, positions, and ideas to make sure that those rules are applied reasonably and sensibly. This is one of the challenges of regulating technology, where there is a knowledge gap between the regulators and the companies that develop those technologies.  

Of course, it goes without saying that regulators should not be dependent only on the company’s views. Although it was not obvious in our case, especially at the beginning of the process, regulators should invest heavily in having internal deepseated expertise on the matters that it intends to regulate. You need to know what you want to regulate in order to do that well. Only if you have your own technical expertise you can properly engage with external stakeholders constructively, while at the same time retaining the independence of judgment that is necessary to take broader societal considerations into account. On the other hand, those who developed the technology and the products must have a say in suggesting the best ways to comply. This exchange needs to happen. I understand sometimes companies, especially the smaller ones, don’t have the resources to engage extensively with the regulators, but I think at this time when so much still needs to be clarified it’s an exercise that is worth doing. It doesn’t have to be individual companies; it could be industry associations.  

 

Many companies are facing a shortage of AI talent. How do you think this skills gap will impact the successful adoption of the EU AI Act?

Because those skills are rare, companies need to increase their strength in certain AI-related skills. The concern is that, as I mentioned before, companies at this stage may have to invest more in compliance than AI skills. That may impact the company’s ability to compete in the AI space.  

If you spend more money on compliance, as opposed to research and development or AI engineers which are also scarce, there is a risk of imbalance. The same may happen with authorities because they must ensure compliance with all these rules and need to equip themselves with several technical skills.  

I hope this set of rules will be somewhat clarified as soon as possible so that companies can hopefully shift more of their budget to AI skills rather than AI compliance. In my view, the successful adoption of AI in Europe depends on the ability to get this legal framework, and the tools needed to implement this framework, working effectively and sensibly as fast as possible. So there is still important work to do. 

 

Who holds the primary responsibility for implementing and enforcing the EU AI Act within organizations?

It should be a team effort. The Act does not foresee a figure like a data protection officer (DPO) in the privacy legislation. This is not an obligation, so the Act does not require, for instance, a Chief AI Officer in companies. The obligations that the Act establishes are on the economic actor, which is the provider, the deployer, so the company itself. This means that the companies can organize themselves as they wish. The Act gives total freedom to organizations to organize themselves depending on their size. I don’t think there is necessarily only one model. Ultimately, the legal responsibility is on the company. If there is a lack of compliance, the company will have to pay the fine.

 

How do you see the EU AI Act influencing AI regulation in other parts of the world?

There is a huge interest around the world. Since I left the Commission, I’ve traveled from South America to Asia, and I have witnessed a growing interest in understanding this piece of legislation. It’s quite normal in this phase because AI governance and regulation is something that is of interest globally. Governments are wondering how to deal with the ‘AI wave’.  

This interest is also reflected by the collective efforts at an international level. For instance, UN agencies are investing heavily in reflecting on AI governance frameworks. As the EU is the first regional actor to come up with such a comprehensive legal framework on AI, it’s normal that countries around the world are looking with interest at that framework and are asking themselves whether they should get inspiration.  

It’s too early to say whether the Act will turn into a regulatory model for other regions around the world. There is a need to understand whether those choices fit the socioeconomic or legal context in those countries. The capacity to implement a framework like the AI Act also differs from country to country. A legal framework is not just a piece of paper. It requires human resources, skills, funding, and structures to turn it into an effective tool that can achieve the objectives it was designed for. It needs to be managed and brought to life. Not all countries are in the same position, and they would be well-advised to consider questions of implementation and enforcement from the get-go, not after the law has been agreed. 

 

Are there any specific areas where you believe the Act could have a significant global impact?

I hope the risk-based approach can be considered as one of the foundational elements. The idea is to consider AI as a tool that has both benefits and risks and is not necessarily dangerous by its nature. It’s a technology with different risk levels depending on how it’s used. I’d like to see this risk-based approach adopted widely. 

The extent to which certain areas of the AI Act may have an impact beyond EU borders could also depend on certain company choices, especially for companies that sell their products and services in the EU. They may adjust their compliance system to the EU legal framework simply because they want to sell in the EU.  

Those companies may therefore decide to adopt the same or similar compliance structure when selling their products outside the EU. It’s up to the companies whether to have two systems, one for the EU market and one for the non-EU market. It’s not for me to say what is economically convenient for companies. But these considerations may be relevant in determining whether we may see a larger or a narrower adoption of certain areas of the Act. 

 

What are the key trends or developments shaping the AI landscape in the coming years? How might the Act need to evolve to address these future challenges?

It will be interesting to see whether the trend in generative AI will continue along the lines we have seen so far. This trend towards developing larger models that require more data, and more computing power, is based on certain underlying architectural choices. Perhaps intelligence will come from other foundational choices that do not necessarily rely on growing data sets or computing power. This will ultimately shape the investments around creating a technology stack to support this.  

From a regulatory and policy point of view, it’s a challenge to keep regulation up to date, but it’s not impossible. When I think about the AI Act, making sure it’s future-proof was one of my main concerns since the beginning. However, certain choices made after the adoption of the Commission proposal, such as regulating foundation models or deleting the possibility of updating the AI definition, do not necessarily go in that direction from my point of view. We will see whether the Act will be able to stand the test of future developments. 

Currently, I’m more concerned about ensuring the Act works now to enable trustworthy innovation in Europe. This is where the Act will prove its value. It should be applied in a way that is accessible, easy to understand, and provides legal certainty to companies so that they can rely on a stable legal framework and focus on building the products.  

 

*The interview answers have been edited for length and clarity.

The EU AI Act was finally passed on 9 December 2023, after a grueling 38-hour negotiation. In this exclusive interview with AI expert Walter Pasquarelli, learn about the groundbreaking developments following the EU AI Act’s announcement and key implications for European businesses. Pasquarelli also shares practical insights on how to get started with complying with the EU AI Act and how the Act will impact the progress of AI innovation in organizations.  

 

How does the EU AI Act adapt to the fast-paced changes in AI technology, and how does it categorize different AI applications based on risk levels?

When we started the conversation about an EU AI Act, it was before the launch of generative AI tools like ChatGPT, so we focused on a very different understanding of artificial intelligence. Some have argued that this used to be more of an approach towards products, but the launch of generative AI tools has transformed our understanding of the possibilities of AI. That meant the EU AI Act needed updating. I remember that in the final 38 hours, the amount of information from the trial log was incredible. I’m glad that we made it to where we are right now. 

It’s the world’s first comprehensive legislation that regulates how AI can be used in European markets and the European bloc. 

At its heart, the EU AI Act has four pillars, creating four risk buckets where different AI applications can fall – low risk that will face almost no regulatory action, medium risk, high risk, and prohibited risks at the top. The EU AI Act looks at the AI ecosystem in Europe and categorizes it into these four buckets. Based on that, companies developing tools will face various regulatory actions. Think about the four risk categories and the resulting regulations on products. 

One AI year passes in seconds. For example, the developments that have happened within the AI ecosystem and the technical possibilities that are out there. In two years, the whole environment has changed. We can now produce video generators that look hyper-realistic, and tools that can create entire marketing copy in hours. This will advance faster and faster. This creates a need for regulations that won’t be outdated in a year or two. Can the EU AI Act achieve this? Its broad approach positions it well, but it will certainly need more updates as technological breakthroughs happen. 

 

Will the EU AI Act’s broad approach addresss risks like bias?

The reason why it’s so broad is, on the one hand, the EU AI Act doesn’t seek to regulate AI products per se; it seeks to regulate the risk. It acknowledges that developing European legislation takes ages. The only way to tackle this is by producing something relatively broad. It’s different compared to China, which is very fast in creating regulations using a horizontal approach. They can do it because they have a different kind of legislative process. 

Now, when we look at specific provisions, how do we categorize these risks? The EU AI Act does provide a list of applications that are high-risk. For example, using AI tools for determining the creditworthiness of an individual and AI tools used by the police, which typically have shown elements of bias. If we look at issues such as money laundering, I think the EU will provide descriptions of what these applications are. Much of it will be judged by case law in the upcoming years, and keep in mind that there’s going to be an adaptation period where organizations can consult with the EU on that. 

 

Were AI experts consulted for the EU AI Act?

That’s the million-dollar question: how to involve experts in developing these legislations instead of policymakers. I think, particularly in the AI field, it’s even harder because AI skills are scarce in the government sector. When it comes to involving experts, what regulators and legislators did was conduct so-called stakeholder consultations, gathering opinions and feedback on the EU AI Act. However, only large organizations were able to provide feedback, as they have the necessary bandwidth and resources to formulate their policy positions and understand them. There has been criticism that there are insufficient experts from startups and small companies in drafting appropriate policies. 

 

Is the EU a frontrunner when it comes to AI legislation?

Yes, because it’s the main comprehensive regulation that is out there. China is very fast in regulating these tools, predominantly for their internal domestic reasons, such as a political agenda and economic prerogatives, but also simply because they want to compete internationally at the geopolitical stage, and AI is such an important element of their strategy. Europe has produced the most overarching legislation; it’s a fact of life, and it’s not going to change. It’s going to influence companies in the EU but also companies outside of the EU, which is known as the Brussels effect. The U.S. came up with its own Executive Order on AI, claiming to be the most sweeping act of legislation or policy there is. However, it’s just an executive order, an instruction by the President to various agencies to develop standards and regulations. There’s nothing concrete yet. 

 

How will the EU AI Act affect funding for AI initiatives?

The tech sector is a point of strategic advantage worldwide. In the U.S., legislation is laxer because it allows for wider experimentation by technology firms without worrying about visits from regulators. There are advantages, such as higher risk potential and risk appetite. But at the same time, many things can go wrong, especially for consumers. 

On the other hand, the EU wants to put consumer protection front and center. There is an advantage in having these regulations to produce predictability and legal certainty. If I want to invest in a company, I know what to expect in terms of regulatory risks. Another thing to consider is whether there is a direct link between regulation and venture capital. European investors are more reluctant to invest similar amounts of funds as their American counterparts, and it’s too early to say whether the EU AI Act will have a positive or negative effect on that. Legislation can support or harm it, but other elements might have an impact on VC funding. 

There are also arguments that legislation will slow down innovation because there’s less room for experimentation. Next, we’re trying to regulate a technology that hasn’t fully matured yet. That’s the challenge of regulating AI because it needs an evolutionary regulatory framework. After all, the technology is still developing and changing. It’s not like regulating nuclear energy, which is still high risk but won’t be much different in 10 years. It’s different for AI, especially in other regions with fully fragmented policy environments, different data governance regimes, and legislations between countries. 

The EU AI Act, although more stringent, has the potential to harmonize legislation across countries. 

 

How have lobbying groups affected the EU AI Act?

At the final stages of the EU AI Act development, a few countries, notably Germany, Italy, and France, said that this kind of legislation is not right for their markets. From what I know, this was a direct result of lobbying from companies saying, ‘No, don’t do this.’ But at the end of the day, they are still stuck with it. So, you could argue about how successful that has been. 

Among some of the larger technology firms, there is not a lot of positive thinking around the EU AI Act. That would imply to me that the lobbying efforts, which have been enormous with millions going into them, haven’t been particularly successful. There might have been certain provisions, minor ones that have been influenced. Surprisingly, most of the European Commission’s efforts to fend off lobbyists have been relatively waterproof. Public relations and public policy between the tech sector and the EU Commission are important because there are many provisions and interactions that need to happen to ensure the legislation matches the requirements of different sectors. 

So, lobbying is a dirty word, but it still needs to happen so that a harmonization process occurs. 

 

Who is responsible in enforcing the EU AI Act?

That is the Achilles’ heel of the EU AI Act. With their Data Protection Officers (DPO), particularly under the GDPR, this used to be a national effort whereby DPOs would enforce Pan-European legislation on a national level. The problem there is, and as I alluded to earlier, the scarcity of AI skills. You might have this big regulation with a huge overarching framework, but implementation will be difficult due to the skills shortage. That is going to be the make or break for the EU AI Act. My understanding from my sources is that even those responsible for developing the EU AI Act have an AI skills shortage. If we have a centralized European AI office, that’s possibly the better approach to combat the skills shortage.  

 

How can multinational companies handle legislation is different countries?

It depends on the strategy that you would prioritize.  

To ensure you’re not infringing any regulations, stick with the EU AI Act as a general regulatory yardstick, and you will be safe in most countries.  

This is because the Act has the strictest interpretation of AI products. It’s more difficult if you come from the U.S., where there is a different understanding of how data should be used and what is ethical or not. Some of my U.S. clients don’t want to deal with the GDPR. It’s easier if you go from Europe to the U.S., or Europe to other regions such as the Middle East. It’s harder if you go from the U.S. to the EU because that means you must adapt.  

 

What business leaders can do to stay ahead of the EU AI Act?

I would advise every company to join the AI Pact. It’s a voluntary association that helps you have a forum for exchange and a direct source of information. Embrace the idea; it’s there, and you have to accept it. 

Another thing to consider is to scan existing AI tools and products for issues. For example, what kinds of data do you use? Who’s your target audience? How have the models been trained? This assessment helps categorize your company’s AI products and determine where they fall into the four risk categories. However, extra considerations are needed for sensitive sectors such as healthcare and insurance, where data needs to be handled carefully. 

After the assessment, plan the right types of regulations and provisions to put in place. It’s not going to happen overnight; the EU AI Act won’t be enforced immediately. I also advise organizations of all sizes to read the EU AI Act; surprisingly, it’s accessible to read. Be aware of the risks of your own products. You want to understand the issues based on the EU AI Act that your products will face. 

Read the piece of legislation, reflect on your products, and I guarantee compliance with the EU AI Act will be achievable. 

 

*The interview answers have been edited for length and clarity 

The AI landscape is innovating at full speed. From the recent release of Google’s Bard and OpenAI’s ChatGPT Enterprise to growing implementation of AI tools for business processes, the struggle to regulate AI continues.

In Europe, policymakers are scrambling to agree on rules to govern AI – the first regional bloc to attempt a significant step towards regulating this technology. However, the challenge is enormous considering the wide range of systems that artificial intelligence encapsulates and its rapidly evolving nature.

While regulators attempt to ensure that the development of this technology improves lives without threatening rights or safety, businesses are scrambling to maintain competitiveness and compliance in the same breadth.

We recently spoke to two experts on AI governance, Gregor Strojin and Aleksandr Tiulkanov, about the latest developments in AI regulation, Europe’s role in leading this charge, and how business leaders can manage AI compliance and risks within their organizations.

   

Europe Trailblazing AI Governance

 

Why does AI need to be regulated?

Aleksandr: Artificial intelligence is a technology that we see almost everywhere nowadays. It is comparable to electricity in the past, but more influential. Crucially, it’s not always neutral in how it affects society. There are instances where technologies based on artificial intelligence affects decisions which, in turn, affect people’s lives. In some cases where there is a high risk of impact, we should take care and ensure that no significant harm arises.

Gregor: Regulations are part of how we manage societies in general. When it comes to technology that is as transformative as AI, we are already faced with consequences both positive and negative. When there is a negative impact, there is a responsibility either by designers, producers, or by the state to mitigate and minimize those negative effects on society or individuals. We’ve seen the same being done with other technologies in the past.

 

Former President Barack Obama said that the AI revolution goes further and has more impact than social media has. Do you agree?

Gregor: Definitely. Even social media has employed certain AI tools and algorithms that grab our attention and direct our behavior as consumers, votes, schoolmates – that has completely changed the psychology of individuals and the masses. AI is an umbrella term that encompasses over a thousand other types of users.

AI will change not only our psychology but also logistics and how we approach problem solving in different domains.

Aleksandr: The change is gradual. As Gregor said, we already see it in social media – for example, in content moderation. Those are largely based on language and machine learning models. AI is driving what we see on the platform as well as what we can write and even share. To some extent, it means that some private actors are influencing freedom of speech.

 

Let’s talk about the role of Europe in AI compliance regulations. Can you explain why Europe is a trailblazer here?

Gregor: Europe has a special position geopolitically due to its history. It’s not one country. It’s a combination of countries that are joined by different international organizations or multi-supranational organizations such as the European Union and the Council of Europe to which individuals’ countries have given parts of their sovereignty. This is a huge difference compared to the United States or China which are completely sovereign in their dealing.

When it comes to the European Union in particular, many types of behaviors are regulated by harmonizing instruments of the EU to have a uniform single market and provide some level of quality in terms of safety and security to all citizens – so we don’t have different rules in Slovenia, Germany, France of Spain. Instead, this is one market of over 500 million people.

 

Gregor, can you give us a brief overview of the latest developments in AI regulation and compliance in the EU?

Gregor: There are two binding legal instruments that are in the final phases of development. The most crucial one is from the European Union, the AI Act. It is directed at the market itself and is concerned with how AI is designed, developed, and applied by developers and users. The AI Act addresses a large part of the ecosystem, but it does not address the people who are affected by AI. Here is where the second instrument comes in, the Convention on AI that is being developed by the Council of Europe.

Another thing to mention is that the EU’s AI Act only applies to EU members and is being negotiated by the 27 member states. The Council of Europe’s instrument is being negotiated by 47 member states as well as observer states and non-member states such as the United States, Canada, Japan, Mexico, and Israel. The latter has a more global scope.

In this way, I see the EU’s AI Act as a possible mode of implementation of the rules set by the conventions of the Council of Europe. This is still partially theoretical, but it’s likely we’ll see both instruments finalized in the first half of next year. Of course, there will be a transitory period before they come into effect. This is already a good indication of how businesses must orient themselves to ensure compliance in due time.

 

Should what the EU is doing be a blueprint for the rest of the world?

Gregor: Yes, if they choose to. I think many in Europe will acknowledge that we have different ways of approaching problems and freedom of will, but if you want to do business in Europe, you have to play by Europe’s rules. This is an element in the proposed AI Act as well as the General Data Protection Regulation (GDPR) legislation from the past decade which employs the Brussels effect – meaning that the rules applied by Europe for Europe also apply to companies outside of Europe that do business here even if they do not have a physical presence here. So, if producers of AI from China or the United States wish to sell their technology in Europe, they have to comply with European standards.

 

What are the business implications of the European approach?

Aleksandr: The European approach harmonizes the rules for a single market. It’s beneficial for businesses as they won’t have to adapt to each country’s local market. I say it’s a win-win for businesses who are approaching the European continent. We’ve already seen this happening with the GDPR. As long as they have a European presence, they adopt the European policy globally. This could happen with AI regulations as well.

If you look at the regulatory landscape, we can see some regulatory ideas coming up in North America and other continents. In China, there are some regulatory propositions. But I would say that the European approach is the most comprehensive. Chances are it will be taken as a basis by many companies.

 

Balancing Innovation and Compliance

 

What do you say to concerns that this is just another set of regulations to comply with in a landscape that is constantly innovating at speed?

Gregor: I’ve been working with technology for more than 20 years. I also have experience with analog technology that is regulated, like construction building.

What we’re dealing with here is not just regulation for regulation’s sake, but it benefits corporations in the long run because it disperses risk and consequences of their liabilities. It creates a more predictable environment.

There are many elements of regulation that have been proposed for AI that have been agreed to by different stakeholders in the process. We must consider that the industry was involved in preparing both these regulatory instruments I’ve mentioned.

Some issues like data governance are already regulated. There are, of course, disagreements on elements like transparency because there may be businesses advantages that are affected by regulation. On the other hand, technology does not allow for everything. There are still open questions on what needs to be done to ensure a higher quality in the processes development to mitigate risk.

 

So there needs to be a balance between regulation, competitiveness, and the speed of innovation. How can we be assured that AI regulation does not harm competitiveness in business?

Gregor: The regulation proposed by the European Commission is just one element in the basket of proposals of the so-called Digital Agenda. There are, of course, some other proposals on content moderation that came into existence just recently that are binding. But there are also several instruments which address the promotion and development of AI systems, both in terms of subsidies for companies and individuals to develop digital skills and to create a comprehensive and stable environment for IT technology in Europe. There are billions being thrown into subsidies for companies and innovators. There is a big carrot, and the stick is in preparation, but it is not here yet.

Aleksandr: I must also underline that there are things in place that facilitate the upcoming EU regulation, such as the Regulatory Sandboxes. You may have seen an example of this in Spain. Businesses will be able to test out their hypothesis on how they want to operate these AI systems that could potentially be harmful.

It’s important to understand that the scope of the regulation is not over extensive. I would say it only covers really high-risk systems to a large extent, and some lower risk systems but only where it’s important. For example, there are transparency obligations when it comes to defects for lower risk systems. Then there are meaningful rules for high-risk systems which affect people’s lives – like government aid or the use of AI in law enforcement or hiring.

It’s important to have proper data governance and risk management in place for systems that affect people on a massive scale.

Also, if you look at mature organizations with this technology already in the market, they are making sure that the data used to train their AI systems is good enough. They are doing it themselves as they don’t want to get in trouble with their clients. Regulations are not so unusual.

 

In that case, will innovation be faster than the regulations can keep up with?

Gregor: That’s a pertinent question when it comes to technology. It is imprudent, from the position of a policymaker, to try to regulate future developments as that would impede innovation.

I don’t think there’s any impediment of innovation happening at this moment. Perhaps you could categorize getting subsidies for being compliant with ethical recommendations as that, but it’s not really an impediment.

In the future, there will be limitations to innovation of AI in the same degree as biotechnology, for example, where there are clear limits on what is allowed and under what conditions to prevent harm. That is narrowly defined. The general purpose, of course, is to increase the quality of these products, and create a safe environment and as predictable a playing field for customers in the market.

 

Business Focus: AI-Risk Management

 

What’s coming up next on AI governance that business leaders should consider?

Gregor: At this point, what’s coming up next for policy development is the fight back from those who do not want such legislation. It’s something we’ve already seen this year. Many think we had an AI revolution only this year. No. It’s a technology that’s been around for a few years and there have been calls for regulation of AI on the basis of existential threats.

If we take those calls seriously, we must completely backtrack and change the direction of what is already being developed.

But I do think if we follow through with what has been proposed to ensure the safety and security of this technology, we will also solve the problem of a so-called super intelligence taking over humanity. First, we need to ensure correct application of existing rules to human players.

 

With all this in mind, what advice do you have for business leaders when it comes with regulations and compliance in the field of AI? What can they start with tomorrow?

Aleksandr: Technical standards will be the main thing. I would advise all those developing this technology to take part in technical committees in their national standard setting bodies which can then translate into work on the European level of standards.

Take into account your practical concerns and considerations so that these technical standards can address business concerns in terms of product development. It is important to follow and participate in this work on regulation development for the AI ecosystem.

Another thing is to consider risk management frameworks to address AI-specific risks. The NIST or ForHumanity Risk Management Frameworks are a practical tool for organizations to control how they operate and deploy AI systems in a safe and efficient manner. Business leaders can also begin to appoint people who would be responsible for setting up processes.

There will be a transitional period, as there was with the GDPR. If companies can demonstrate that they are compliant with European standards that are still under development, they will automatically be considered compliant with the EU AI Act. But this is ongoing work.

Start considering broader risk management frameworks as a first step to get the ball rolling in organizations.

Gregor: Technical development skills alone are not sufficient to build a competitive and scalable organization, especially as not only Europe but other regions are preparing to introduce regulatory measures. My advice is similar to Aleksandr’s; build on your capacities for risk and compliance management. I think it will pay back quite soon.