The EU AI Act (AIA) is the EU’s new flagship artificial intelligence law. It is designed to heavily regulate the use of AI by companies that operate inside the European Union and that use AI to conduct a variety of activities affecting EU citizens. These activities are organized into categories and range from those that are relatively widespread (a company using AI to generate content for marketing purposes) to those that are now outright prohibited (a government using AI to rank residents via “social scores” as a means of manipulating behavior). It is important to understand how your company’s use of AI will affect its compliance obligations, so that it can avoid the law’s stiff fines and penalties (up to €35 million or 7% of global revenue).
Which companies must comply with the AIA?
Simply put, if your company is using AI tools that affect people living in the EU—directly or indirectly—you must comply with the new law. The AIA places risk and technology-based obligations on all companies that develop, use, distribute or import AI systems into the EU.
Let’s take a look at what that means in more depth. For starters, a company operating inside the EU is bound by the new law. The same applies to companies based outside of the EU (including those in the US) that are operating in the EU or that use AI in ways that affect EU residents. For example, a US company that offers an AI-driven app to EU residents falls under the AIA. If, however, a US company only operates in the US (no EU customers and no interactions with EU users or markets), then the AIA wouldn’t apply.
How does the AIA work?
The application of the AIA depends on a variety of factors, including the specifics of the AI technology involved, how the AI is used, and the role of the individual using it. The law also prohibits the use of certain types of AI systems that present an unacceptable risk to EU citizens. The law categorizes AI systems into tiers, each based on that system’s potential risk to EU citizens: prohibited, high-risk, limited risk, minimal risk, and general purpose.
1. Prohibited AI systems under the AIA include:
- Certain AI systems for biometric categorization and identification
- AI systems that deploy subliminal techniques, exploit vulnerabilities or manipulate human behavior
- AI systems for emotion recognition in law enforcement, border management, the workplace and education
- AI systems for the social scoring evaluation or classification of natural persons over a period of time based on their social behavior
2. High-Risk AI systems (HRAIS):
Because the EU considers these systems to pose a high risk to the health, safety, or fundamental rights of EU citizens, they carry the most robust obligations.
Examples of high-risk AI systems include:
- AI systems used to determine prospective students’ access to institutions of higher learning, or in assessing students (for example, screening prospective students or using AI to grade exams)
- AI systems used in the insurance and banking sectors
- AI systems that are used by HR teams for the recruiting and hiring of employees (for example, placing job ads, scoring candidates, screening or reviewing job applications, and using AI for decisions related to employee performance, promotions or terminations)
Compliance requirements for high-risk AI systems:
The requirements for companies or individuals using HRAIS are robust. For example, a company using HRAIS may be required to provide accompanying instructions for the use of that AI. These instructions may need to cover topics such as record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity (the requirement for resilience to cyber-attacks). Other obligations may include carrying out fundamental rights impact assessments.
3. Limited risk AI systems:
This category covers risks associated with the lack of transparency about AI usage. It requires companies to be explicit and transparent in their use of AI.
Examples of limited-risk AI systems include:
- AI-driven chatbots that interact with customers
- Automated decision-making tools to aid HR professionals in screening resumes
- AI-powered content generation tools used to create marketing materials
Compliance requirements for limited-risk AI systems:
Requirements focus on ensuring that EU citizens are aware of AI’s role as they interact with or are affected by these systems. Requirements could include:
- Clearly informing users when they are interacting with AI (rather than a human).
- Providing documentation that explains how AI-driven decisions are made and allowing users to contest AI-driven decisions with a human being.
- Indicating that content was generated with the use of AI.
4. Minimal-risk AI systems:
The minimal-risk category comprises AI systems that perform relatively simple tasks for convenience or efficiency and that involve no interaction with EU citizens.
Examples of minimal-risk AI systems include:
- AI spelling and grammar checkers
- AI-powered recommendations (algorithms) for suggesting content, like movies or articles
- AI chat assistants that simply provide general information (no decision-making ability)
Compliance requirements for minimal-risk AI systems:
While the minimal-risk category does not have any compliance requirements, the law does offer recommendations for responsible use (for example, ensuring that the content or algorithm doesn’t spread misinformation, providing user transparency, and maintaining privacy and security when processing personal data, to name a few).
5. General purpose AI systems (GPAI):
Apart from the prohibited or high-risk categories, general purpose AI models (GPAI) are the category with the most rigorous requirements. These requirements chiefly focus on documentation and transparency. For larger systems, however, there are also requirements for risk mitigation.
This category covers General Purpose AI Systems (GPAI), which are AI models designed for broad applications across multiple sectors. These systems (including foundation models from which other systems can be built) and generative AI can be integrated into various industries, from healthcare to finance and machine learning. Examples of these AI systems include:
- Large language models (LLMs) that generate text or images, or provide translations. Examples include Gemini and ChatGPT, as well as Google Translate and DeepL.
- AI image or video generators
- Speech recognition models used for voice assistants or automated transcription services
Compliance requirements for general purpose AI systems (GPAI):
These requirements generally center around providing technical documentation to show how the model functions and providing training data (for transparency). There are many other requirements, ranging from adhering to copyright laws to rigorous testing, reporting, and risk mitigation for more powerful models.
Which area of the AIA is most likely to affect your company?
No matter the industry, most companies are likely to be affected by the high-risk AI category under the AIA. This is because the law explicitly classifies common HR activities as high-risk, meaning they will be subject to strict compliance requirements.
For example, AI systems used in recruitment and hiring—common HR responsibilities—would be classified as high-risk. Tasks such as placing targeted job ads and filtering and screening applications from potential employees all use AI to assist in evaluating candidates in some form—thus falling into the high-risk category. Similarly, AI tools that influence decisions on promotions, task assignments, terminations, or performance monitoring based on personal traits or behaviors are also considered high-risk by the AIA.
There’s a good chance that your company is already using (or will use) AI in some of these ways. If your company’s AI systems affect or interact with EU citizens, you’ll now need to ensure that you meet the AIA’s strict obligations for transparency, reporting, and accountability. Fines for non-compliance range from €7.5 million or 1.5% of global annual turnover (whichever is higher) for lower-tier infractions to €35 million or 7% of global annual turnover (whichever is higher) for higher-tier infractions.
Who should have responsibility for AI compliance within your organization?
As you’ve probably seen, AI governance, and the question of who is responsible for it, is still in its nascent stages. Although this is a relatively new field of compliance, there are considerable similarities and overlap between data privacy compliance and AI governance.
Thus, if your company already has a Data Protection Officer (or even an external third party fulfilling this role), consider having this person oversee AI compliance as well. If that’s not a possibility, assign the role to someone with the necessary technical skills, appropriate seniority, and the ability to understand how the AI systems in your business operate.
3 Steps you can take now to stay compliant with the AIA
If you are currently using AI to interact with EU citizens (or are considering doing so), here are three steps that you can take immediately to avoid the AIA’s strict penalties:
- Become familiar with the law immediately and review your systems closely to identify any that may fall within the AIA’s risk categories.
- Make sure that you have assigned an expert individual or third party to oversee AI compliance and make the necessary changes to meet the requirements based on your current usage of AI systems.
- Leverage proven legal expertise to help you understand the impact of the law on your company’s current and future use of AI systems. HSP’s team of legal and global expansion experts can quickly help you assess your exposure to these new AI regulations in the EU.
HSP is an end-to-end global expansion solutions provider focused on helping companies scale their operations overseas effectively and efficiently. We are the only global expansion expert to offer growing companies a full suite of end-to-end solutions designed to help them scale to any size and country.
Contact us to discover how our full suite of technical consulting services can help your company successfully expand overseas in any environment. Critical to maintaining your business’s integrity, our compliance consulting services cover everything from the EU AI Act, data privacy and GDPR assessments to broader regulatory compliance across all aspects of your operations. We provide the insights and frameworks needed to ensure that your business adheres to all necessary legal standards, minimizing risk and enhancing operational transparency.