Read time: 5 minutes
Background
The European Union has been at the forefront of regulating emerging technologies, and the introduction of the EU Artificial Intelligence (AI) Act (AI Act) is a testament to its commitment to ensuring the ethical and responsible use of AI. Taking effect in 2024, the Act aims to create a comprehensive regulatory framework for AI applications within the EU. This legislation has far-reaching implications for various sectors, including the supply chain. In this article, we will explore how the AI Act impacts the supply chain, focusing on compliance requirements, operational changes and the broader implications for businesses.
Regulatory and compliance challenges
What is an AI System?
The core concept of the AI Act is the “AI System.” Organizations developing or using AI Systems must comply with the AI Act. The AI System is defined in Art. 3 para. 1 of the AI Act as “a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” The central word around which the interpretation will revolve is the word “infers.” This expresses the autonomy of AI and excludes, for example, current spreadsheet software from the definition of AI.
European institutions are currently working on guidelines for organizations to clarify the determination of an AI System.
Risk categorization of AI Systems
The AI Act takes a risk-based approach to classifying the danger level of each AI application. Obligations under the AI Act are then linked to this classification, ranging from the recommendation to comply with codes of conduct (low risk) to a complete ban (prohibited AI) and additional special rules for generative AI and AI systems that are intended for interaction with natural persons (for example, AI systems that create images or other content for users).
Depending on the AI System’s categorization, organizations in the supply chain have certain obligations. Most important for the supply chain are the documentation and information obligations by the developer and the importer of the AI system toward the next link in the chain (for example, the deployer or user of the AI system).
The compliance obligations under the AI Act are in addition to “neighbouring” obligations (for example, the EU Data Protection Regulation, the EU NIS2-Directive or the EU Cyber Resilience Act). The intersections between the AI Act and these other laws are not always clear cut and often overlap.
Consequences
The AI Act may apply either directly to one or more organizations along the supply chain, indirectly through contractual rules to other members, or both.
Compliance requirements
Compliance requirements stemming from the AI Act fall into five important categories.
- Risk and quality management. Robust risk and quality management systems must be implemented and documented to identify, assess and mitigate risks associated with weaknesses in AI systems.
- Monitoring. Operation of the AI System must be monitored and security incidents reported.
- Data governance. Ensuring the quality and integrity of data used by AI Systems is crucial. Accurate and up-to-date data must be maintained and measures implemented to prevent data bias.
- Transparency and ‘explainability.’ AI systems must be transparent, and their decision-making processes should be explainable. Developers must maintain and make available tailored documentation to their customers in the supply chain.
- Human oversight. High-risk AI systems must include mechanisms for human oversight to ensure that AI-driven decisions can be reviewed and, if necessary, overridden by human operators.
Operational changes
The implementation of the AI Act will necessitate several operational changes within supply chain management.
- AI System audits. Regular audits of AI systems will be required to ensure compliance with the Act. These audits will assess the performance, accuracy and fairness of AI applications.
- Training and education. Employees involved in supply chain operations will need training on the new regulatory requirements and the ethical use of AI. This will help ensure that they can oversee and manage AI systems effectively.
- Vendor management. Companies will need to carefully evaluate their AI vendors and partners to ensure that their AI solutions comply with the AI Act. This may involve renegotiating or entering into agreements and implementing new compliance checks.
- Supply chain agreements. Organizations must check not only their own duties under the AI Act but also whether they need information or other input from their suppliers. Agreements with suppliers must be adjusted accordingly.
- Global impact. The AI Act is likely to influence AI regulations globally. Non-EU organizations will have to meet AI Act requirements via contractual obligations even if the AI Act does not apply to them.
Conclusion
The AI Act represents a significant step toward regulating AI technologies and ensuring their ethical use. For the supply chain sector, this legislation brings both challenges and opportunities. Companies will need to invest in compliance, training and risk management to meet the Act's requirements. The impact of the AI Act on innovation remains to be seen. However, those who successfully adapt to the new regulatory environment can leverage AI to enhance their supply chain operations and gain a competitive edge. As the AI landscape continues to evolve, staying informed and proactive will be key to navigating the complexities of the AI Act and its impact on the supply chain.