EU AI Act

The EU AI Act is a European Union regulation governing the use of artificial intelligence systems. Its backbone is a risk-based approach: systems are sorted into categories according to how great a threat they pose to health, safety and fundamental rights, and the scope of obligations grows with the level of risk. Some uses have been deemed unacceptable and banned, while systems classed as high-risk are subject to detailed requirements covering, among other things, data quality, documentation and human oversight.

The Act differs from internal AI governance in that it is binding law, not a voluntary set of principles. An organization may have its own governance policy, but it is this regulation that sets the minimum requirements to be met for systems within its scope. It also partly overlaps with data protection: wherever a system processes personal data, the obligations under the Act and the principles of data privacy must be satisfied in parallel.

For a company deploying AI in the European Union, the first thing that matters in practice is establishing which risk category a given system falls into, because the specific obligations follow from that. Meeting the requirements is documented and verified, which makes an AI audit a natural tool for demonstrating compliance. The detailed provisions, thresholds and application dates are laid down in the text of the regulation itself and in the guidance of EU authorities, so the specific requirements should always be checked at the source.