Background
The European Union has been at the forefront of regulating emerging technologies, and the introduction of the EU Artificial Intelligence (AI) Act (AI Act) is a testament to its commitment to ensuring the ethical and responsible use of AI. Taking effect in 2024, the Act aims to create a comprehensive regulatory framework for AI applications within the EU. This legislation has far-reaching implications for various sectors, including the supply chain. In this article, we will explore how the AI Act impacts the supply chain, focusing on compliance requirements, operational changes and the broader implications for businesses.
What is an AI System?
The core concept of the AI Act is the “AI System.” Organizations developing or using AI Systems must comply with the AI Act. The AI System is defined in Art. 3 para. 1 of the AI Act as “a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” The word around which interpretation will revolve is “infers.” It expresses the autonomy of AI and excludes, for example, current spreadsheet software from the definition of AI.
European institutions are currently working on guidelines for organizations to clarify the determination of an AI System.
Risk categorization of AI Systems
The AI Act takes a risk-based approach to classifying the danger level of each AI application. Obligations under the AI Act are then linked to this classification, ranging from the recommendation to comply with codes of conduct (low risk) to a complete ban (prohibited AI). Additional special rules apply to generative AI and to AI systems that are intended for interaction with natural persons (for example, AI systems that create images or other content for users).
Depending on the AI System’s categorization, organizations in the supply chain have certain obligations. Most important for the supply chain are the documentation and information obligations that the developer and the importer of the AI system owe to the next link in the chain (for example, the deployer or user of the AI system).
The compliance obligations under the AI Act are in addition to “neighbouring” obligations (for example, the EU Data Protection Regulation, the EU NIS2-Directive or the EU Cyber Resilience Act). The boundaries between the AI Act and these other laws are not always clear-cut, and the laws often overlap.
- AI systems in supply chains must meet rigorous requirements, including risk management, data governance, transparency and human oversight
- The EU AI Act will affect not only EU organizations but also all organizations whose supply chain leads to the EU
- Organizations must conduct regular AI audits, train employees on regulations, update agreements with AI vendors and evaluate AI vendors for compliance