The EU AI Act: A New Regulation Governing Artificial Intelligence
Check out Responsible Cyber website : Cybersecurity and Risk Management.
Recently, the European Parliament passed a groundbreaking regulation that governs the use of artificial intelligence (AI) technology and its applications worldwide. Known as the “Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts,” this regulation has attracted significant attention since its proposal in 2021. Now, three years later, it has been approved in the European Parliament. The act is set to enter into force at the end of the legislative session in May 2024 and will become fully applicable 24 months after its publication in the official journal.
The Impact on Third-Party Risk Management Programs
This new regulation is expected to have a transformative impact on third-party risk management (TPRM) programs, particularly for companies based outside of Europe that wish to conduct business within the European Union. To understand the implications for your TPRM program, let’s delve deeper into the EU AI Act and provide some context.
Understanding the EU AI Act
The EU AI Act aims to establish a governance and compliance framework for AI within the European Union. Its primary objective is to set boundaries on the use of AI technology and outline the responsibilities of companies operating in Europe that seek to develop AI tools or apply AI to their existing technology.
By implementing this act, the European Union aims to ensure that AI is developed and used in a manner that aligns with its values and principles. It seeks to strike a balance between fostering innovation and safeguarding individuals’ rights and societal well-being.
Key Provisions of the EU AI Act
The EU AI Act encompasses several key provisions that companies need to be aware of when it comes to their TPRM programs:
1. High-Risk AI Systems
The act categorizes certain AI systems as high-risk and imposes stricter requirements on their development and deployment. High-risk AI systems include those used in critical infrastructure, transportation, healthcare, and law enforcement. Companies developing or using such AI systems will need to comply with specific obligations, such as conducting risk assessments, ensuring transparency, and implementing human oversight.
2. Transparency and Accountability
The EU AI Act emphasizes the importance of transparency and accountability in AI systems. Companies must provide clear information to users regarding the use of AI and any potential risks involved. They must also ensure that their AI systems are auditable, allowing for accountability and the identification of potential biases or discriminatory practices.
3. Data Governance and Privacy
The act places great emphasis on data governance and privacy. Companies must adhere to strict data protection regulations when collecting, processing, and using data for AI purposes. They must also ensure that individuals’ privacy rights are respected and that appropriate safeguards are in place to prevent unauthorized access or misuse of personal data.
Implications for Your TPRM Program
The EU AI Act introduces a new set of considerations for companies operating in Europe or seeking to enter the European market:
1. Compliance Requirements
Companies must familiarize themselves with the requirements outlined in the EU AI Act and ensure that their TPRM programs align with these regulations. This may involve conducting thorough risk assessments, implementing robust oversight mechanisms, and establishing clear accountability structures.
2. Vendor Due Diligence
When engaging with third-party vendors, companies must assess whether the AI systems or technologies they provide fall under the high-risk category. If so, additional due diligence measures should be undertaken to ensure compliance with the EU AI Act. This may include reviewing vendors’ risk assessment processes, data governance practices, and transparency measures.
3. Data Protection and Privacy
Given the focus on data governance and privacy, companies must prioritize the protection of personal data when engaging in AI-related activities. This involves implementing robust data protection measures, obtaining appropriate consent for data usage, and ensuring compliance with relevant data protection regulations, such as the General Data Protection Regulation (GDPR).
Conclusion
The EU AI Act represents a significant milestone in the regulation of AI technology. By establishing a comprehensive governance and compliance framework, it aims to harness the benefits of AI while safeguarding individuals’ rights and societal well-being. For companies operating in Europe or looking to do business within the European Union, understanding the implications of this act on their TPRM programs is crucial. By staying informed and adapting their practices accordingly, companies can navigate the evolving landscape of AI regulation and ensure compliance with the EU AI Act.