AI Legal Framework: Compliance Steps and Action Plan

Initial steps and stages of AI compliance

Below we provide some advice on the initial steps of artificial intelligence compliance.

The first step towards compliance with the AI Regulation: assessment and AI inventory

The first step towards compliance with the AI Regulation is to assess whether the given company uses artificial intelligence at all, i.e. whether it operates an artificial-intelligence-driven system, and if not, to consider whether the company plans to introduce one. If such a system is already in use, the next step is to define and map the purpose and function of the system, as well as the workflow and activity performed with it. This provides the so-called AI inventory, which is necessary in order to determine whether the given AI system falls within the scope of the AI Regulation and which also provides the basis for carrying out the legal risk assessment under the AI Regulation.

Transparency and information

In the case of the use of any artificial intelligence system, in order to ensure transparency it is necessary to inform employees, clients, contractual partners, and any person who may be affected by the operation of the given system, briefly and in an understandable manner about its use, operation and purpose.

Legal risk assessment and risk classification

The legal risk assessment is important because the AI Regulation defines, by risk level, the obligations that the developers, distributors, deployers, and users of systems of a given risk level must fulfil. On the basis of the obligations defined by the AI Regulation, AI systems can be classified into four risk levels: prohibited (unacceptable), high, limited, and low risk.

Within the framework of the risk assessment, it is first necessary to examine whether the AI system in question implements a prohibited AI practice. If the AI system implements a prohibited AI practice, it must be terminated without delay.

If, during the legal risk assessment, it is established that the AI system does not implement a prohibited AI practice, the next question to be examined is which of the high, limited or low risk classifications the given system can be assigned to. It is also necessary to determine what role the given company has with regard to the AI system, i.e. whether it develops, uses, distributes or imports the AI system, since the risk classification and the role together determine what actions the company must take under the AI Regulation in order to fulfil the requirements of the AI Regulation.

Following the identification of the obligations imposed on the given company by the AI Regulation and other legislation, it is advisable for the company to develop its plan as to how it will implement compliance with the legal requirements, by what deadlines, and which person is responsible for the implementation of each step.

Carrying out the risk assessment is in all cases individual, as it is based on the data and systems provided by the given company. Given that artificial intelligence and some of the obligations defined by the AI Regulation are of a technical nature, it is necessary to become familiar with the IT and technical background and capabilities of the given system; therefore cooperation is required between the decision-makers of the given company, employees dealing with the introduction of artificial intelligence, and the IT, technical and legal teams in order to carry out the most accurate risk assessment possible.

When is a system classified as high-risk?

Whether a system falls into the high-risk category may be established in two ways. On the one hand, the AI Regulation sets out a list that enumerates, item by item, what types of systems, with what purposes and functions, qualify as high-risk. On the other hand, a system is also high-risk if the artificial intelligence system constitutes a safety component of a product falling under the scope of certain legislation, or if the artificial intelligence system itself qualifies as such a product, and a product conformity assessment is required, i.e. it must be assessed whether the product complies with the requirements set out in that legislation. Such products may include, for example, toys, medical devices, motor vehicles and their components that use artificial intelligence.

High-risk systems include, for example, AI systems used in education and vocational training that are intended to determine admission to educational institutions or to assess learning outcomes. Similarly, in the field of employment, high-risk systems include AI systems used, among other things, to make decisions relating to the recruitment and selection of job applicants, promotion or termination of the employment relationship, or to monitor and assess employee behaviour and performance.

Exemption from high-risk obligations and documentation

If classification into the high-risk level is based on the list in Annex III of the AI Regulation, the affected company may be exempted from fulfilling the obligations prescribed for the high-risk classification if:

  • the activity of the AI system serves to improve the result of a human activity, or
  • the purpose of the system is to detect and prepare decision-making patterns, but it does not replace human decision-making, or
  • the system performs a well-defined procedural task, or
  • it does not pose a significant risk of causing harm to the health, safety or fundamental rights of natural persons, or, within the areas of use defined in Annex III of the AI Regulation, it performs a task preparatory to an assessment.

If any of the cases of exemption applies, the assessment of the risk classification, its result, and the reason for the exemption must be documented before the AI system is placed on the market or put into service, and the system must be registered in the EU database for artificial intelligence systems.

The obligations related to high-risk systems are the broadest, while fewer requirements apply in the other risk categories. At the same time, it is also important to emphasise here that artificial intelligence is not a standalone area; because of its relationship with other areas of law, tasks in data protection, copyright, labour law and similar fields may also be significant.

Ensuring AI awareness and AI literacy

Irrespective of the risk classification, any organisation that deals with artificial intelligence and uses it is obliged to ensure appropriate AI awareness, i.e. to build and develop so-called AI literacy. Within this obligation, companies must, to the greatest extent possible, ensure that their staff, and any other person who on their behalf deals with the development, operation or use of AI systems, has appropriate knowledge in the field of artificial intelligence, taking into account their existing knowledge and qualifications. AI literacy, of course, is not limited to knowledge of the legal framework, but also includes the development of technical knowledge. Within the framework of developing AI awareness, it must be ensured that all relevant stakeholders have the knowledge necessary for compliance with and proper application of the AI Regulation. This obligation can best be met if the affected stakeholder pays attention to which obligations arising from the legal regulation apply to it and what steps it must take in order to fulfil them, and if it trains, at defined intervals, the persons working within its organisation and cooperating with it, through training sessions, e-learning, internal newsletters or other educational materials, on the legal and other aspects of AI.

Establishing a Code of Conduct

Another recommended compliance step for all organisations using artificial intelligence, regardless of the given risk classification, is the creation of a Code of Conduct regulating the internal framework for the use of artificial intelligence within the organisation. This is an internal policy that can serve as guidance for all persons working and operating within the organisation regarding the use of artificial intelligence. This policy may regulate, in particular but not exclusively, for what purposes within the organisation the use of artificial intelligence is not permitted and in which cases it is permitted and accepted, what the requirements are for human review of content generated by AI or created with it, which prohibited AI practices exist, who has what responsibilities in relation to artificial intelligence, at what intervals participation in training is required, what the rules are for investigating infringements related to artificial intelligence, etc. Naturally, the content and requirements of the internal policy must in all cases be tailored to the internal relations and operation of the given company and the AI system used by it; therefore, in addition to the main points listed above, it may also be necessary to regulate other issues.

Preparation and deadlines

It is advisable to start preparation as soon as possible, and for the company to create and implement its action plan for the introduction of artificial intelligence or for compliance with the AI Regulation and other relevant legislation, since, with the exception of the provisions applicable to high-risk AI systems placed on the market as products (which are applicable from 2 August 2027), the obligations applicable to all artificial intelligence systems apply from 2 August 2026.

This article series highlights the initial stages of compliance with the AI Regulation and other legislation and a few basic obligations. Beyond the above, however, many other tasks and issues may arise depending on the given company’s activity and the artificial intelligence system it develops or uses; therefore, in all cases we recommend developing a specific compliance plan tailored to the given company with the involvement of experts.

The author of the article is Dr. Putnoki Poppea, cooperating attorney of CLM Bitai & Partners Law Firm.

The article was first published on the website of Grant Thornton Hungary: https://grantthornton.hu/en/audit-tax-valuation-accounting-digitax