The EU AI Act: 6 Steps to Take in 2024

5 minute read | September.13.2024

This update is part of our EU AI Act Series. Learn more about the EU AI Act here.

The EU AI Act has been formally adopted and the countdown to the start of enforcement has begun.

Here are six steps you can take to jump start your compliance efforts:

Identify the team responsible for AI governance and compliance.
Develop an AI governance framework.
Foster AI knowledge and literacy across the organization.
Inventory the organization’s AI.
Assess EU AI Act applicability and classification.
Start developing compliance measures that require a longer lead time.

1. Identify the team responsible for AI governance and compliance.

Addressing the AI Act’s obligations requires a combination of legal, technical and operational expertise.

Organizations that are most successful in addressing AI obligations and risks typically designate a diverse, cross-discipline group responsible for the company’s AI governance and compliance. Team members are often pulled from legal, compliance, information technology, engineering and product departments. This core team is then supported by AI champions within departments across the organization who act as the first point of contact for new policies, processes and tools.

2. Develop an AI governance framework.

To successfully navigate the evolving AI legal environment, organizations should develop and implement internal policies and procedures to align their use and development of AI with their mission, risk profile, legal obligations and ethical priorities.

While the AI Act may dictate some of the components of this AI governance framework, the most successful companies will build a foundational program upon which specific compliance obligations can attach. This approach allows for greater flexibility in adapting to new laws and technologies and helps to integrate AI governance into related compliance and operational frameworks, such as those related to data protection and cybersecurity.

Most organizations start by developing an AI Responsible Use Policy to guide their initial AI-related compliance efforts.

3. Foster AI knowledge and literacy across the organization.

Starting February 2, 2025, the AI Act will require covered organizations to train their employees and other AI-related workers to have a sufficient level of AI knowledge and competence to ensure appropriate development and use of AI and compliance with applicable law.

Organizations should consider implementing a standard, organization-wide training that provides all employees and relevant workers a baseline knowledge of the technology and related compliance requirements, as well as more specific role-based training where an individual has a greater involvement with AI development or use.

4. Inventory the organization’s AI.

The EU AI Act only regulates certain covered AI-related technologies.

As a first step in assessing the Act’s applicability and corresponding obligations, organizations should inventory AI they are developing, using, distributing, or selling and document:

Whether the AI is internally developed or provided by a third party.
Where applicable, the party providing the AI or developing the AI on behalf of the organization (along with any applicable contractual terms).
What the AI is designed to do, and in which settings and jurisdictions the AI will be used.
What type of content the AI uses as input to run, and what the AI produces as output when it finishes running.

Organizations should consider adopting a department-by-department approach to the inventory process, as this will often help identify less visible AI use cases.

5. Assess AI Act applicability and AI classification.

After the organization’s AI inventory is completed, it can be used to help determine whether the organization’s AI qualifies as an in-scope technology and, if it does:

Whether the company is acting as a provider, importer, distributor or deployer of the AI; and
Whether the AI qualifies as Prohibited AI, High-Risk AI, General-Purpose AI, or otherwise involves direct interaction with individuals or exposes individuals to AI-generated content (Individual-User-Facing AI).

Given the Prohibited AI prohibitions take effect on February 2, 2025, we recommend companies prioritize determining whether any of these prohibitions may apply. The other obligations and restrictions under the AI Act have a later effective date (see here for more details).

6. Start developing compliance measures that require a longer lead time.

As shown in our compliance timeline, the effective dates for the AI Act’s obligations are spread out over several years. Nonetheless, the AI Act is already influencing legislation in other countries (see our U.S. AI Law Tracker), with some laws jumping ahead of the AI Act in terms of implementation. In addition, compliance measures for many of the Act’s obligations and restrictions can require meaningful lead time prior to implementation.

As a result, organizations should consider:

Promptly establishing the AI team and governance framework outlined in Point #1 and Point #2 above.
Developing and implementing the AI knowledge and literacy measures outlined in Point #3 above.
Completing the inventory and assessment process outlined in Point #4 and Point #5 above in Q4.
Developing a general AI risk assessment framework designed to help keep the organization’s AI inventory up to date, assess whether the AI is subject to the Act or other legislation and provide a foundation for identifying and minimizing AI-related risk.
Update existing vendor management and contracting procedures to ensure diligence processes identify and document AI-related risks and obligations, and contractual provisions appropriately allocate compliance obligations and liability between the parties.
For Prohibited AI: Identifying any AI that may qualify as prohibited AI and either discontinuing its use in the EU or altering its use to qualify for an exception or fall outside of the Prohibited AI designation.
For High-Risk AI:

Developing a risk management framework for identifying, assessing and addressing risks presented by these higher risk systems; and
Determining when the system should be placed on the market or put into service in the EU (as the AI Act’s High-Risk AI System obligations trigger on different dates depending on these events).

For General-Purpose AI Models:

Preparing technical documentation that can be leveraged for the Act’s documentation requirements;
Understanding how choices today may impact the information included in such documentation (including data used to train the model and risk assessments performed in connection with the model); and
Determining when the model should be placed on the market in the EU (as the AI Act’s GPAIM obligations trigger on different dates depending on when the model is placed on the market).

For AI systems interacting directly with individuals or exposing individuals to AI-generated content (Individual-User-Facing AI), preparing product design elements to address applicable transparency obligations.

Check back in January for next steps to implement in 2025.

Want to know more? Reach out to a member of our team.

The EU AI Act Series: Key Takeaways for Companies Using and Developing AI

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Sarah Schaedler Partner, Technology & Innovation, Technology Transactions

San Francisco

See my bio

D:+1 415 773 5474
E: [email protected]

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
Intellectual Property
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sarah Schaedler Partner

San Francisco

Sarah’s practice focuses on structuring and negotiating the intellectual property aspects of complex corporate transactions, including mergers and acquisitions, business divestitures and commercial transactions where software and technology are the principal assets. Sarah also advises on intellectual property and technology contracts related questions in the context of Artificial Intelligence (AI).

Sarah routinely advises on carve-outs and business separation transactions and helps clients with structuring and implementing their intellectual property and technology separation roadmap.

Sarah has counseled several companies in their preparation for a divestiture and understands the issues a buyer is focused on in the context of intellectual property matters. She regularly helps companies implement remediation steps around their intellectual property assets to help them to a successful closing.

She has significant experience advising private equity funds on investments involving companies that are driven by technology & innovation, as well as intellectual property reliant consumer product companies and companies that are stepping into digitalization.

Sarah is also a member of Orrick’s AI leadership group and involved in thought leadership projects related to AI matters on corporate transactions.

Educated and trained in Germany, France and the United States, Sarah’s international experience provides her with additional knowledge on cross-border transactions and international matters.

Related Areas

Artificial Intelligence (AI)