18 September 2024
The European Union's AI Act has now come into force as of August 1st, 2024, marking a significant milestone in the regulation of artificial intelligence. With a definitive roadmap towards implementation, this legislation represents a critical juncture for companies, governments, and stakeholders across the continent.
As we transition from summer into the autumn and winter months, we here at KPMG Law, working closely with our colleagues at KPMG, think it’s timely to recap the developments of the past few months and look forward to the key areas that will shape the regulatory landscape for AI in the coming months.
At the heart of the AI Act is the recognition of AI as a product with potential risks to safety, health, and fundamental rights, as enshrined in the European Charter of Fundamental Rights. Unlike traditional products, where risks are often associated with physical harm or financial loss, AI presents unique challenges that require a nuanced approach. The EU has adopted a risk-based and life-cycle approach to AI regulation, aiming to ensure trust across the entire AI value chain.
This approach is a core component of the EU's New Legislative Framework (NLF). The NLF, originally designed with machinery, medical devices, and toy safety in mind, now serves as the foundation for AI regulation. KPMG Law recognises that the key difference in the context of AI is how risk is defined - not simply as the probability of harm but as a combination of the likelihood of harm occurring and the severity of that harm. This definition aligns with the AI Act's focus on mitigating risks while fostering responsible innovation.
Articles 5 and 6 of the AI Act, along with the corresponding Annexes II and III, outline the specific obligations and requirements for AI systems, depending on their level of risk. For example, high-risk AI systems are subject to stringent conformity assessments, while other AI systems may require less rigorous oversight. There is a balance to be struck so that the regulatory burden is proportionate to the potential impact of the AI system in question.
A primary concern of AI chatbots is data privacy and security. For one, AI systems can become significant targets for cybercriminals. A recent report from the Dutch Data Protection Authority highlighted that personal data breaches occur when employees share personal data with chatbots, offering unauthorised access and opportunities for misuse.
Another significant risk is the possibility of providing inaccurate information. AI chatbots are only as good as the data and algorithms that power them. If not properly trained or updated, they can deliver incorrect or misleading information, potentially harming customer trust, leading to legal liabilities, or resulting in poor business decisions.
The summer of 2024 was a pivotal period for AI regulation in the EU. With the AI Act officially in force from August 1st, all obligations and milestones outlined in the legislation are now coming into view. It is now up to national governments to establish regulatory authorities to govern the AI Act, with each country likely adopting different approaches. Some may opt for unitary authorities that oversee all sectors, while others might establish sector-specific regulators, leading to significant national engagement across the continent.
France, for instance, has taken a proactive stance in the AI space, with its champion company, Mistral, continuing to lead the charge in AI innovation. This highlights the varying degrees of national involvement and the importance of localised strategies in implementing the AI Act.
As we move into the autumn and winter months, further EU consultations are on the horizon. One of the most significant is the General-Purpose AI Consultation, which is set to close on September 18th. This consultation is crucial for refining the regulatory framework for general-purpose AI systems. Additionally, a sector-specific consultation on AI in financial services will close on September 13th, underscoring the importance of industry-specific considerations in the broader regulatory context.
National consultations, such as those in Ireland, are also underway, further contributing to the evolving regulatory landscape. Companies across the EU must now begin planning for compliance with the new regulations. This includes developing IT AI development policies and AI-specific cyber and data breach policies, which will be crucial under the upcoming NIS 2 directive, expected to be confirmed in October 2024. Moreover, there will be an increasing focus on AI literacy and awareness obligations, with new requirements anticipated by February 2025.
These consultations and regulatory developments will extend into the next year, emphasising the need for continuous engagement and adaptation by all stakeholders.
As the regulatory environment around AI becomes more complex, organisations will need to navigate significant interactions between their legal, compliance, IT, and product delivery functions. This is where KPMG Ireland’s services can play a pivotal role. At KPMG Ireland, our unique selling point lies in our ability to offer comprehensive advice that integrates both legal and operational perspectives, ensuring that your organisation not only understands the law but can also effectively implement the required changes.
Our cross-functional expertise may be particularly valuable in the financial services sector, where the stakes are high, and the regulatory landscape is rapidly evolving. Our professionals are well-versed in the definitional issues, relevant certification processes, and technical requirements that are critical for compliance.
KPMG and KPMG Law LLP are uniquely positioned to provide a fully integrated response that addresses both legal and technical points. We stand out because of our ability to bridge the gap between regulation and implementation, ensuring that your organisation is prepared for the challenges ahead. As we approach February 2025, when the ban on prohibited AI practices comes into effect, KPMG’s services can help you navigate this critical period with confidence.
In conclusion, as the AI Act takes hold and the regulatory landscape continues to evolve, KPMG Ireland is here to support your journey, ensuring that your organisation remains compliant and competitive in this new era of AI regulation.
If you have any queries related to implementing AI in your business, please do not hesitate to contact our team below. We would be delighted to hear from you.
Director & Head of Technology & Digital Law, KPMG Law LLP
Director, KPMG in Ireland