[Gartner]: EU AI Act Compliance: Strategies for General Counsel and Legal Leaders - 发现报告

EU AI Act Compliance: Strategies for General Counsel and Legal Leaders

2025-04-14 Gartner Yàng
Report cover

Gartner for Legal, Risk & Compliance

An EU AI Act Readiness Checklist for Legal, Compliance, Risk and Audit

The EU AI Act will place new transparency, consent and disclosure obligations on organizations, while restricting high-risk uses of AI. With enforcement of some provisions looming, assurance leaders must start preparing for compliance now.

Overview

Key Findings

• The European Union AI Act (the Act) places new compliance obligations on deployers and developers of AI that operate in the EU.
• EU AI Act compliance requires changes to AI governance and oversight, risk assessment, monitoring and auditing, and policies, procedures and training.
• Assurance leaders must partner with the board and senior leaders to achieve compliance by removing or preventing prohibited uses of AI and mitigating the impact of high-risk AI use cases.

Recommendations

Assurance leaders should begin EU AI Act compliance efforts by:

• Communicating regulatory changes to senior leadership stakeholders now to minimize potential pushback for upcoming EU AI Act-required business process, projects and AI-systems assessments.
• Shortening the time to compliance by leveraging existing privacy and security risk management processes, policies and other resources that can or must be adapted to meet new EU AI Act requirements.
• Defining clear roles and responsibilities between legal, compliance, enterprise risk management and audit to establish ownership in the execution of AI governance and risk management processes.

New Risk-Based Requirements for AI Use

On 9 December 2023, the European Union Council presidency and the European Parliament reached a provisional agreement on a bill for the European Union AI Act (the Act).[1] The Act provides a comprehensive “risk-based” approach to AI regulation. It imposes different levels of restrictions on use cases based on the level of risk they pose, and also prohibits certain use cases altogether (see Figure 1).

Additionally, the Act expands upon existing legal obligations like the General Data Protection Regulation (GDPR) and places new transparency obligations on enterprises using or developing Generative AI and General Purpose AI systems (GPAI). Once finalized, the Act will apply to public and private sector organizations based in the EU as well as organizations operating in — but not based in — the EU. While formal adoption by the EU Parliament and Council is still pending, enforcement of some provisions will begin as soon as six months after the law’s passage. Most of the remaining provisions will go into force two years after passage.[2]

Noncompliant Organizations Will Have to Pay Sizable Penalties

The Act entails a progressive sanctioning scale, which determines fines bound to the severity of the violations. The financial penalties will be expressed as a specific amount or a significant percentage of global annual turnover (up to 7% of the total worldwide annual revenue of the preceding financial year for the most egregious of violations).[3] Small-to-midsize businesses (SMBs) and startups will likely be fined in a way that is proportional to their size compared to larger technology firms. Since the Act builds upon the GDPR and similar privacy obligations, it is possible that transgressors could be fined for both a violation of the Act and the GDPR contemporaneously.

Assurance Leaders Must Begin Acting Now to Achieve Compliance

With enforcement and potential financial penalties on the horizon, assurance leaders — legal, compliance, privacy, risk and audit roles — must start taking action now to build a path toward compliance and assurance. However, the wide scope of new obligations posed by the EU AI Act and the cross-functional nature of AI strategy and implementation leave assurance leaders unsure of the role their functions should play in responding.

Based on a review of the EU AI Act, Gartner has identified several key activities organizations impacted by the Act should take, as well as common owners of, and partners involved in, those actions. Our recommendations cover both direct requirements of the Act as well as activities designed to strengthen the organization’s overall governance of AI risk. This checklist can be used as a starting point for achieving compliance and providing ongoing risk management for AI. To eliminate gaps, minimize overlap in risk management, and facilitate clear understanding of roles, responsibilities and decision rights, assurance leaders should use an assurance map to account for new responsibilities across various functions. Organizations can either build an assurance map specifically for AI governance and risk management or update existing assurance maps to cover this new risk area.

The activities required for compliance fall into four buckets:

• Governance and oversight
• Risk assessment
• Ongoing risk mitigation, monitoring, and auditing
• Policies, procedures and training

Governance and Oversight

The EU AI Act establishes a category of banned AI uses and outlines several high-risk uses. As a result, boar