Regulations on AI you should know

Introduction

With the EU enacting regulations on AI, many businesses have expressed concerns about how it will affect them. Big tech giants have paused or restricted certain AI-powered features in response to the new rules. Recently, a petition was raised seeking regulatory certainty on artificial intelligence. Furthermore, tech giants are planning to push back on AI regulation.

Legislation

There are three main laws governing AI regulation:

1. Digital Markets Act
2. EU AI Act
3. GDPR

Digital Markets Act

The Digital Markets Act (DMA) entered into force on 1 November 2022 and became applicable on 2 May 2023. This law aims to prevent so-called gatekeepers from restricting access to digital markets for other companies. Currently, five major tech companies are classified as gatekeepers.

EU AI Act

The EU AI Act came into effect on 1 August 2024 and provides a general framework for regulating AI applications. As the world’s first regulation on AI, it has received significant scrutiny, particularly from industry leaders. The Act categorizes AI models into four distinct risk levels:

• Unacceptable Risk: AI systems that pose an unacceptable risk, such as social scoring or manipulative AI, are prohibited.
• High Risk: AI systems that handle personal data or operate in safety-critical areas are strictly regulated.
• Limited Risk: These systems face fewer regulations and transparency requirements.
• Minimal Risk: These systems are largely unregulated.

GDPR

The General Data Protection Regulation (GDPR) is a comprehensive regulation in EU law governing data protection and privacy across the European Union and European Economic Area. It also addresses the transfer of personal data outside these regions.

How might this affect AI strategies?

The EU AI Act makes it clear that some use cases are prohibited, but since these are relatively uncommon, we will focus on those use cases that remain viable. Implementing transparency mechanisms and ensuring proper record-keeping can help meet compliance requirements.

Conclusion

The current legislation, particularly the EU AI Act, requires businesses to make their AI systems transparent and subject to human oversight. GDPR adds additional requirements for data minimization, anonymization, and the right to be forgotten, impacting how AI training pipelines must be designed.