The EU AI Act has ushered in a new era for AI governance. After three years of deliberations on how to regulate AI to safeguard citizens, businesses, and government agencies from potential risks, the Act is about to officially become law – setting a new standard for AI policy globally.
IBM welcomed the Act and its risk-based approach to regulating AI. It aligns with our work on AI ethics, which shows that openness, transparency, and accountability are the hallmarks of best-practice AI deployment.
While the Act will soon be published in the Official Journal of the European Union and become law 20 days later, it will take up to three years for all aspects of the legislation to come into full effect. During this time, policymakers and businesses have a collective responsibility to make the implementation of the Act a success. That starts with ensuring compliance, encouraging AI adoption, and ultimately spurring innovation across Europe.
The main goal of the Act is to make AI development and use safer and more transparent. By providing guidelines and guardrails for AI developers and deployers, the Act intends to bring more trust and certainty to the use of AI technologies in Europe. This clarity will facilitate compliance and help organizations make more informed decisions about their AI investments and strategies. While the Act includes a phased transition and implementation period, IBM advises all clients to take AI governance seriously and prepare for compliance today.
Understanding the Act’s risk-based approach is key. The Act categorizes AI systems into four tiers based on the level of risk their use poses: “unacceptable,” “high,” “limited,” and “minimal” risk applications. AI practices that pose an unacceptable risk to society – such as using deceptive or manipulative techniques and social scoring – are outright banned. High-risk use cases require more regulation to mitigate issues like security and bias across all sectors of the economy, from critical infrastructure management to employment. Notably, generative AI is not classified as high risk, although certain usage requirements must be met.
To achieve compliance, organizations must undertake three critical steps:
This is not the end of the road for the EU AI Act. Companies, governments, and other organizations whose activities are in the scope of Europe’s AI rulebook will need to pay close attention to upcoming developments in the months ahead. For instance, the EU is expected to publish codes of conduct on transparency obligations and on general purpose AI models, provide templates for fundamental rights risk assessments, publish information on training data for foundation models, offer more guidance on the definition of high-risk AI, and establish governance bodies. Companies that keep up with the Act as it evolves will be well-positioned to ensure compliance and future-proof their companies for further innovation and regulation.
We’ve known for years that AI will touch all aspects of our lives. The EU AI Act is a significant step toward balancing those impacts with responsible AI governance. By prioritizing compliance and corporate accountability, organizations can capitalize on regulatory clarity, build trust and confidence in AI systems, and foster a culture of open, responsible innovation.
-Christina Montgomery, Chief Privacy and Trust Officer, IBM
-Jean-Marc Leclerc, Director of EU Affairs, IBM Government and Regulatory Affairs