Obligations for Companies under the EU AI Regulation incl. Checklist

Obligations for companies under the AI Regulation plus checklist

Introduction

The European Union’s AI Regulation (AI Act) represents a landmark step towards establishing a comprehensive legal framework for artificial intelligence. Designed to ensure that AI technologies are safe, trustworthy, and respectful of fundamental rights, the AI Regulation places significant obligations on companies that develop, deploy, or use AI systems. As organizations worldwide look to the EU as a global standard-setter, understanding these obligations is critical for compliance, competitiveness, and innovation.

Risk-Based Classification of AI Systems

At the heart of the AI Regulation lies a risk-based approach. Companies must first classify their AI systems into one of several categories:

• Unacceptable Risk: AI systems that pose a clear threat to safety, livelihoods, or fundamental rights are outright prohibited. Examples include social scoring by governments and manipulative AI practices.
• High Risk: AI applications in areas like critical infrastructure, education, employment, healthcare, and law enforcement are subject to strict requirements.
• Limited Risk: Systems with limited risks must comply with specific transparency obligations, such as informing users they are interacting with AI.
• Minimal Risk: Systems like spam filters or AI-driven video games are largely exempt from regulatory burdens but are encouraged to follow voluntary codes of conduct.

Obligation: Companies must correctly identify and categorize their AI systems to determine applicable legal requirements.

Core Obligations for High-Risk AI Systems

For high-risk AI systems, companies must fulfill a comprehensive set of obligations:

1. Risk Management System

Organizations must implement and maintain a proactive risk management system throughout the AI system’s lifecycle. This includes:

• Regular assessment and mitigation of risks.
• Monitoring for unexpected outcomes or performance degradation.

2. Data Governance and Data Quality

Training, validation, and testing data must be:

• Relevant, representative, and free of bias.
• Thoroughly documented regarding source, characteristics, and potential limitations.

This ensures fairness, safety, and prevents discriminatory outcomes.

3. Technical Documentation

Companies must prepare detailed technical documentation that demonstrates compliance with the AI Regulation. Documentation must be:

• Clear and comprehensive.
• Continuously updated to reflect system modifications or updates.

4. Transparency and Information Provision

Users must be provided with easily understandable information, including:

• The intended purpose of the AI system.
• Limitations and performance metrics.
• Instructions for safe use and foreseeable misuse scenarios.

5. Human Oversight

High-risk AI systems must be designed to allow effective human oversight to prevent or minimize risks. Companies must ensure that:

• Operators are properly trained.
• Systems offer override or shutdown mechanisms if necessary.

Registration Requirements

Certain high-risk AI systems must be registered in a public database managed by the European Commission. This transparency measure allows regulators and citizens to monitor and evaluate AI system usage more easily.

Obligation: Companies must ensure accurate registration, including submission of required data and system descriptions.

Obligations for Other Economic Operators

The AI Regulation doesn’t only affect developers. Importers, distributors, and users also have specific responsibilities:

• Importers must verify that AI systems imported into the EU comply with requirements.
• Distributors must ensure that systems they place on the market bear the required conformity markings and documentation.
• Users must operate AI systems in accordance with provided instructions and monitor their performance.

Enforcement and Penalties

Non-compliance with the AI Regulation can lead to significant financial penalties:

• Up to €30 million or 6% of the global annual turnover, whichever is higher.
• Fines depend on the severity and nature of the breach (e.g., use of banned AI systems results in the highest penalties).

Companies must also cooperate with authorities during audits and provide requested documentation promptly.

Opportunities and Challenges

The AI Regulation, while imposing strict compliance demands, offers several strategic advantages:

• Increased Trust: Certified compliance boosts consumer and business trust.
• Market Access: Easier access to the European market for compliant products.
• Innovation Drive: Focus on ethical, safe AI development can spark new technological advances.

However, challenges include:

• High compliance costs, especially for SMEs.
• Complexity in continuously evolving technical standards.
• Potential competitive disadvantage if global counterparts have lighter regulations.

Conclusion

The EU’s AI Regulation establishes a bold framework that reshapes how companies must approach AI development and deployment. By categorizing risks, mandating transparency, ensuring human oversight, and requiring accountability across the value chain, the Regulation aims to foster a safe and trustworthy AI ecosystem.

For companies, early preparation is key. Building robust compliance frameworks, investing in data quality, and fostering an internal culture of ethical AI development will not only help meet regulatory requirements but also strengthen brand reputation and market positioning in the age of regulated AI.

✅ Compliance Checklist: AI Regulation (AI Act)

1. Classification and Risk Assessment

• Identify all AI systems used, developed, or sold by your organization.
• Classify each AI system into risk categories: Unacceptable, High-Risk, Limited Risk, Minimal Risk.
• Ensure prohibited (unacceptable risk) AI systems are not in use.

2. Compliance for High-Risk AI Systems

• Establish and maintain a risk management system for each high-risk AI system.
• Ensure training, validation, and testing datasets are high-quality, relevant, representative, and bias-mitigated.
• Develop detailed technical documentation for all high-risk AI systems.
• Prepare and deliver clear user information and transparency notices (purpose, limitations, instructions).
• Implement robust human oversight mechanisms to intervene if needed.

3. Registration and Documentation

• Register all applicable high-risk AI systems in the EU’s official public database.
• Keep technical documentation, risk assessments, and records up to date.

4. Obligations for Importers, Distributors, and Users

• Verify conformity of AI systems before importing or distributing.
• Ensure proper CE marking and availability of required documents.
• Operate AI systems according to provided instructions.
• Monitor AI system performance and report significant incidents.

5. Audit and Monitoring Readiness

• Set up internal procedures for compliance audits and inspections.
• Train relevant employees on how to maintain and present documentation.

6. Legal and Organizational Measures

• Review and update contracts with suppliers, customers, and partners regarding AI compliance obligations.
• Appoint responsible persons or teams for AI compliance management.
• Monitor updates to harmonized standards and EU guidelines for AI.

7. Penalties Awareness and Incident Reporting

• Educate leadership on the financial risks of non-compliance (up to €30 million / 6% of global turnover).
• Establish procedures for incident detection, escalation, and reporting to authorities.

Note:

A proactive, systematic approach saves a lot of time and effort later on with audits and certifications and significantly reduces the risk of fines.