AI compliance: what is it and why should SMEs care?

AI compliance refers to the adherence to all relevant legal, ethical and regulatory requirements in connection with the development, deployment and use of artificial intelligence (AI) in companies. Similar to general compliance, which ensures compliance throughout the company, AI compliance focuses specifically on the aspects associated with AI technologies. 

‍

This includes compliance with national and international laws such as the General Data Protection Regulation (GDPR) and specific EU regulations for AI such as the EU AI Act. In addition, AI compliance includes ethical guidelines for the responsible use of AI to minimize risks such as discrimination, data breaches or algorithmic bias. 

‍

AI compliance is particularly important for SMEs, as violations can not only lead to legal sanctions and loss of reputation, but also jeopardize the company's long-term competitiveness and innovative strength. Effective AI compliance management helps to identify and proactively manage these risks in order to build trust with customers and partners and ensure long-term business success.

‍

Various national and European regulations are important for German SMEs when it comes to the use of artificial intelligence (AI). These regulations ensure that companies use AI technologies responsibly and in accordance with the rules. The three most important regulations are:

1. European AI Regulation (EU AI Act)

The EU is working on a comprehensive legal framework for AI, the so-called AI Act. This legal framework classifies AI applications according to risk levels and sets out specific requirements, particularly for high-risk AI systems. Companies must ensure that their AI applications meet transparency, security and ethical standards to ensure compliance.

‍

2. General Data Protection Regulation (GDPR)

The GDPR plays a central role in the use of AI, as many AI applications require extensive data processing. In particular, the processing of personal data must comply with the strict requirements of the GDPR, including obtaining consent, ensuring data minimization and guaranteeing the rights of data subjects.

‍

3. German Corporate Governance Code (GCGC)

Even if the GCGC is not specifically aimed at AI, it contains fundamental principles of corporate governance and compliance that are also relevant to the use of AI. Companies should ensure that their AI strategies comply with the standards for transparency and accountability set out in the GCGC.

‍

German SMEs must deal comprehensively with the various national and European regulations in order to make the use of AI legally compliant and ethically responsible. In this article, we focus on compliance with the EU AI Act, in particular the requirements for high-risk AI systems and low-risk AI systems. If you would like to read more about how the classification is arrived at, you can find a summary here.

‍

It is important that we focus on the “operator perspective” in this example, i.e. we concentrate on the use of AI in a business context and the associated compliance issues and not on the provider perspective (= creating models yourself).

High-risk AI systems (e.g. social scoring & facial recognition) are subject to strict requirements in accordance with the EU AI Regulation (AI Regulation). These apply to both providers and operators. For German SMEs, this means in particular compliance with the requirements of Articles 16 to 27 of the AI Regulation.

‍

Obligations for operators of high-risk AI systems (Art. 26 AI Act):

• Technical and organizational measures: Operators must ensure that high-risk AI systems are used in accordance with the operating instructions, including protection against cyberattacks.
• Human supervision: Competent human supervision must be ensured in order to be able to intervene in the event of problems.
• Monitoring and reporting: Operators must continuously monitor the functioning of the AI and inform the provider and the authorities in the event of risks or malfunctions.
• Logging: Automatically generated logs must be kept for at least six months.
• Transparency: Data subjects must be informed about the use of AI systems, e.g. for emotion recognition (Art. 50 AI Act).

Further requirements:

• Risk management (Art. 9 AI Act): Operators must set up a risk management system to identify and minimize risks at an early stage.
• Data quality (Art. 10 AI Act): The quality of the data used must be ensured by appropriate management procedures.‍
• Fundamental rights impact assessment (Art. 27 AI Act): Public operators must assess the impact on fundamental rights before the system goes live.

For operators of low-risk AI systems (e.g. recruiting or lending systems), the requirements for ensuring sufficient AI competence and transparency must be observed in particular in accordance with the EU AI Act. These obligations are set out in Articles 4 and 50 of the AI Regulation. 

Establishing and ensuring AI competence (Art. 4 AI Act):

Operators must ensure that their personnel and all persons entrusted with the use of AI systems have sufficient knowledge and skills in dealing with AI. This includes (applies to all companies):

• Technical knowledge: Understanding of how the AI systems used work, including the underlying algorithms and data processing methods.
• Education and training: Regular training programs covering both technical aspects and ethical issues to keep staff up to date with the latest AI developments.
• Contextual knowledge: Knowledge about the specific area of application of AI in the company and the associated risks and responsibilities.

These measures ensure that employees are able to use AI systems effectively and responsibly, recognize potential risks at an early stage and act accordingly. Triebwerk.ai offers various training courses that provide the necessary knowledge and tools to develop your own AI innovations and make your company fit for the future. 

‍

Transparency obligations (Art. 50 AI Act):

Even for low-risk AI systems, operators should inform users that they are interacting with an AI system. The most important requirements are:

• Clear labeling: Users must be made aware that the system is an AI system when they first interact with it. This can be done through clear indications such as labels, banners or pop-up messages.
• Accessible information: Information must be understandable and easily accessible to ensure that all user groups meet the transparency requirements.

Avoidance of misleading information: Operators must not rely on users themselves to recognize that they are interacting with an AI. Clear labeling is therefore essential.