How to Prepare for the EU AI Act - A Guide for Business Leaders

Landmark, seismic, pivotal – whichever adjective you prefer to use, there’s no doubt the AI Act is a game-changer. It is the first proposed set of rules to take a comprehensive approach to AI regulation in one of the world's biggest markets, the European Union.

The Act has been commended for its joined-up thinking, its risk-based approach to AI regulation, and its emphasis on safety and transparency. However, when the legislation takes effect, businesses will be operating in an entirely new paradigm when it comes to developing and deploying AI systems.

Here, we’ll explore the EU AI Act and explain how businesses can comprehensively prepare for the EU AI Act. With penalties for non-compliance  of up to €40 million or 7% turnover, organisations can scarcely afford to be slow to react.

What is the timeline for the EU AI Act?

The bill has been subject to bureaucratic to-and-fro since it was first proposed in April 2021, but recent developments signify that the legislative process is now entering its end game. On 14 June 2023, the European Parliament voted to move forward with the EU AI Act, with the bill garnering overwhelming support.

The next stage, the last final hurdle in the legislative process, will see the Act progress to the Trilogues stage, where the European Commission, European Parliament, and Council of the EU will informally convene to arrive at the final version of the legislation.

Published in the Official Journal of the EU on July 12, 2024, the EU AI Act became effective on August 1, 2024, with a phased enforcement schedule. Businesses have approximately two-and-a-half years to prepare, as full enforcement is expected by 2026. This preparatory period is critical for enterprises, especially those operating in or with the EU, to ensure compliance and avoid risks.

EU AI Act proposal

The first step to preparing for the Act is establishing a thorough understanding of the proposal.

The text of the Act itself is long – 394 pages to be precise – and most enterprises will not have time to forensically examine the legislation, but there are some core points that are essential to consider.

Significantly, the Act grades AI systems according to four levels of risk – minimal, limited, high, and unacceptable. A system’s obligations under the terms of the Act correspond with its risk classification. For example, a spam email filter deemed to have a low level of risk has no associated obligations, while systems with limited risk have transparency obligations where users must be made aware that they are interacting with an AI system.

At the top end of the spectrum, high-risk applications such as systems deployed in critical aspects of the healthcare or welfare sectors, have the most stringent obligations. Systems classified as having an unacceptable level of risk meanwhile are banned altogether. These include real-time biometric identification systems, as well as those that use subliminal techniques.

For a detailed analysis of the risk-based systems and the obligations across the various classifications, read our paper.

Who needs to prepare for the EU AI Act?

The following entities are covered within the EU AI Act and must prepare for the legislation:

• Providers of AI systems established in the EU.
• Providers located in third countries that place AI systems on the market in the EU.
• Providers located in the EU that use AI systems.
• Deployers based in third countries if the output of their AI systems is used within the EU.

There are some exemptions, such as pre-market AI research and testing, international public authorities, military AI systems, and most free/open-source AI components.‍

Preparing for the EU AI Act in 2025

The EU AI Act, hailed as a "game-changer," mandates a transformative approach for businesses in the development and deployment of AI systems. With enforcement starting in 2026, enterprises have a short runway to adapt and ensure compliance while maintaining competitiveness. This section provides actionable steps tailored to C-suite executives and business leaders to address key challenges and implement solutions effectively.

1. Audit Your AI Ecosystem

• Action: Create an exhaustive inventory of all AI systems used or developed in your organization.
• Details to Include:
  • Purpose of the system
  • Risk classification (minimal, limited, high, or unacceptable risk)
  • Data sources and governance standards
• Goal: Build a central database to identify which systems fall under the Act’s purview​​.

2. Risk-Based Categorization

• Action: Categorize AI systems based on the Act's four risk levels.
  • Minimal Risk: No obligations but ensure compliance with other regulations.
  • Limited Risk: Implement transparency mechanisms (e.g., notifying users they are interacting with AI).
  • High Risk: Meet stringent obligations (e.g., pre-market conformity, data governance, and human oversight).
  • Unacceptable Risk: Ban these systems (e.g., social scoring, subliminal manipulation)​​.
• Outcome: Gain clarity on compliance priorities and focus resources on high-risk systems.

3. Build Governance and Oversight Mechanisms

• Governance Policies:
  • Set clear AI ethics guidelines emphasizing transparency and fairness.
  • Develop protocols to handle complaints and risks related to AI systems.
• Human Oversight:
  • Assign dedicated personnel to oversee high-risk systems.
  • Establish decision-making checkpoints for human intervention in critical systems​​.
• Tools to Use: Compliance platforms like Holistic AI for monitoring and reporting​.

4. Invest in Infrastructure and Technology

• Deploy systems for:
  • Data lifecycle management (to maintain compliance with quality requirements).
  • Continuous risk monitoring (detecting biases, robustness issues).
  • Automated reporting for audits​​.
• Example Tools:
  • AI system tracking tools
  • Compliance dashboards for real-time insights

5. Train Teams and Foster Culture

• Develop in-depth training programs on:
  • Risk categorization of AI systems
  • Transparency requirements
  • Governance practices
• Make compliance part of organizational culture by including it in performance metrics​​.

6. Establish a Compliance Task Force

• Create cross-functional teams comprising:
  • Legal experts (to interpret compliance clauses)
  • Technical experts (to ensure systems meet technical standards)
  • Business executives (to align compliance with strategic goals)​.
• Role: Ensure readiness for audits and timely adherence to updates in legislation.
  

Ensure compliance with Holistic AI

The EU AI Act enforcement date may appear distant, but implementing the necessary systems and processes to achieve compliance can take time. With the Act on the horizon, it is never too early to begin preparing.

Holistic AI offers a comprehensive solution for AI risk management, covering the entire lifecycle of AI systems to minimise risks from design to deployment. With a strong commitment to helping organisations achieve EU AI Act compliance, our platform provides benefits such as:

• ‍AI Governance: Register, assess, and track AI use cases confidently. Evaluate risk levels and identify areas for compliance improvement.‍
• AI Compliance: Stay updated with AI policies and regulations, including the EU AI Act. Ensure alignment with compliance requirements.‍
• Integration and Workflow Enhancement: Seamlessly integrate with AI systems and tools, simplifying governance and incorporating responsible AI practices.‍
• Transparency: Enhance trust by communicating AI system details through customisable report templates.

Schedule a call to learn how Holistic AI can assist your organisation prepare for EU AI Act compliance.