When the General Data Protection Regulation (GDPR) was introduced, virtually every organisation was affected. Many leaders are therefore asking whether the AI Act will have similar consequences. The answer is more nuanced.
The AI Act is built around a risk-based approach, where the requirements depend on how artificial intelligence is used and what consequences it may have for individuals and society. Two organisations can therefore use AI every day whilst facing entirely different regulatory requirements.
For most organisations, it is not the industry alone that determines how significantly they are affected by the AI Act. What matters is which AI systems are in use, which data they process, and whether they feed into decisions that affect individuals.
The AI Act does not regulate all uses of artificial intelligence equally
The AI Act distinguishes between different risk levels. Whilst certain types of AI are prohibited, the most stringent requirements will apply to what are known as high-risk systems.
This means that many organisations will be able to use generative AI tools without extensive new obligations, whilst others must establish documented processes for risk assessment, control and follow-up.
It is therefore misleading to ask whether an organisation is “covered by the AI Act”. Every organisation that uses AI will be affected to a greater or lesser degree. The key question is how significant the regulation will be for each individual organisation.
Organisations with limited impact
For many organisations, AI is used primarily as a tool that supports employees in their day-to-day work.
Examples include:
- Generating text drafts and content
- Summarising meetings and documents
- Coding assistance for developers
- Language support and translation
- Analysis of large volumes of information
In such cases, it is humans who make the decisions, whilst AI functions as a productivity tool.
Although these organisations should still maintain an overview of which AI solutions are in use, they will not normally face the most extensive requirements under the AI Act.
Organisations with moderate impact
A different picture emerges when AI becomes an integrated part of operational processes.
In industry, energy, transport and offshore, artificial intelligence is increasingly used for analysis, optimisation and predictive maintenance. AI can help identify anomalies, predict failures or recommend actions based on large volumes of data.
In such cases, the primary challenge is not necessarily human rights or discrimination. What becomes more pressing is control over data quality, traceability, and an understanding of how AI models influence the basis for decisions.
Many organisations in these sectors will therefore find that the AI Act creates a need for better documentation and governance, even if the solutions are not necessarily classified as high-risk systems.
Organisations that may be subject to stricter requirements
The most extensive requirements under the AI Act are linked to AI systems that can affect individuals’ rights, opportunities or access to essential services. This applies, amongst others, to solutions used in the following areas.
Recruitment and HR
AI used to rank candidates, filter applications or make recommendations in recruitment processes may fall within the high-risk categories of the regulation.
Education
AI solutions that affect the assessment of students or decisions about educational pathways may trigger stricter requirements.
Healthcare and social care
AI used for diagnostics or clinical decision support is among the areas subject to significant regulation.
Public sector
Municipalities, directorates and other public bodies must be particularly attentive if AI is involved in case processing or decisions that affect citizens.
In such cases, the AI Act sets requirements for, amongst other things, risk management, documentation, human oversight and ongoing follow-up.
AI Act readiness is about the organisation’s AI portfolio
For leaders, it is therefore more relevant to map the organisation’s AI portfolio than to attempt to determine whether the organisation “is covered by the AI Act”.
Two organisations in the same industry can have very different risk profiles.
A university using AI for administrative tasks faces different requirements from one using AI to assess students. In the same way, a municipality using generative AI for content production will have a different risk profile from one using AI in case processing or decision-making.
The first step towards AI Act readiness is therefore to establish an overview of which AI systems are in use within the organisation, which processes they form part of, and what the consequences could be if they produce incorrect results.
From AI use to AI governance
For many organisations, the AI Act will not entail extensive new requirements in the near term. Nevertheless, the regulation helps to make visible a need that already exists: the need for control over how artificial intelligence is used within the organisation.
Organisations that establish an early overview of their AI portfolio will be better placed to handle both regulatory requirements and the rapid development of artificial intelligence.
