The impact of the EU AI Act on business operations and governance

After several years in development, the newly crafted AI Act has entered into force following its publication in the Official Journal of the European Union. Designed to regulate artificial intelligence (AI), it aims to create better conditions for its innovation and application. The act is part of the EU Digital Regulation package, which includes other significant regulations such as the General Data Protection Regulation (GDPR) and the Digital Services Act (DSA).

Like its counterparts, the AI Act intends to safeguard the rights and freedoms of EU citizens, protect civil liberties and ensure societal safety. It has a broad extraterritorial scope, meaning that, like the GDPR, it applies to any organisation worldwide that impacts EU citizens. But what implications does this have for Irish businesses?

The AI Act adopts a risk-based approach and applies to various players in the AI value chain. Providers of high-risk systems bear the most significant obligations, followed by those who deploy these systems. An organisation could be a provider, a deployer, or both. The Act’s requirements include:

  • Risk management system.
  • Quality management system.
  • AI literacy for users.
  • Technical documentation.
  • Transparency.
  • Data governance framework.
  • Robust record keeping.
  • Human oversight.
  • Fundamental rights impact assessments.

A central theme of these requirements is the responsibility organisations must take for the AI systems they use, ensuring proper governance, decision-making and accountability.

Ensuring compliance

Compliance with the AI Act is closely tied to existing EU legislation such as the GDPR, the Digital Operations Resilience Act, the Digital Markets and Digital Services Acts, the Data Act and the Data Governance Act, among others. Data protection regulators, already familiar to those who must comply with the GDPR, have indicated that they will continue to regulate any AI system that uses personal data but may also be competent regulators under the AI Act.

Given the regulatory landscape, the most efficient course of action is to leverage existing risk and compliance governance frameworks within the organisation and adapt them to the technological change brought about by Artificial Intelligence. Existing tools that can assist include:

  • Guidance from data protection regulators.
  • Risk management frameworks such as those from NIST and ISO.
  • Data protection impact assessments.
  • Vendor management practices.
  • Internal risk management practices.
  • Change control processes.

Compliance deadlines

The Act is being rolled out in phases, with the most imminent being the banning of unacceptable risk systems from 2 February 2025. However, the obligations for the vast majority of organisations will be enforced from 2 August 2026, giving organisations time to prepare. We have created a timeline with more detailed information, available here.

Addressing the real challenge

For senior executives keen on leveraging AI, the most pressing challenge is ensuring that it delivers a sustainable return on investment. This means recognising that compliance with the AI Act and other relevant legislation is only part of the governance puzzle. Key considerations when embarking on the AI journey include:

  • Understanding the objectives; change for the sake of change is not always successful.
  • Developing principles for the use of AI, focusing on being human centric.
  • Appointing a senior executive responsible for AI to ensure adequate support.
  • Assessing the organisation’s current capabilities and determining if a change of technology infrastructure is required.
  • Being accountable to all stakeholders, including employees.

The AI Act is here and will come fully into force for most organisations in two years. In the world of AI, this timescale feels like several generations, but in the world of business, it’s not enough time. Organisations should start their AI journey now, not with compliance as an end goal, but with good governance, which all organisations should strive for to enable the best use of AI.

To learn more about the AI Act, responsible AI and AI governance, reach out to our team.
