March 2024

EU AI Act approved by the European Parliament

The European Parliament has approved the EU AI Act, but it still needs approval from the Council of the European Union. The Act must undergo further scrutiny before becoming law and will be published in the Official Journal of the EU before becoming enforceable. The application of the Act's provisions will be phased, with some provisions likely to apply before the end of this year. Businesses should start preparing for the Act's enforcement.

How to Identify High-Risk AI Systems According to the EU AI Act

The EU AI Act is the first comprehensive legal framework governing AI use across different applications, with a risk-based approach for different AI systems. It covers entities based in the EU and organizations that employ AI in interactions with EU residents. AI systems are classified as prohibited, high-risk, or minimal risk, with general-purpose AI (GPAI) models subject to further assessment and different obligations. There are design-related requirements for high-risk AI systems, and transparency obligations for limited-risk AI systems. Non-compliance with the Act carries significant penalties. It is crucial for organizations to determine their system's classification and establish a risk management framework to prepare for the Act.

February 2024

Penalties of the EU AI Act: The High Cost of Non-Compliance

The EU has proposed the Harmonised Rules on Artificial Intelligence (EU AI Act) to lead the world in AI regulation and build trust in AI systems. The Act sets out a risk-based approach for AI systems, defines three levels of risk, and subjects certain AI systems to transparency obligations. The Act also introduces a three-tiered model of penalties for violators, with the heftiest fines imposed on those who violate the prohibition of specific AI systems. The EU AI Act has gone through an extended consultation process and has been subject to amendments throughout. Penalties can be issued to providers, deployers, importers, distributors, and notified bodies. The EU AI Act emphasizes proportionality and offers lower penalties for SMEs and startups. There is no union-wide central authority for imposing fines on AI operators, so penalties depend on the national legal system of Member States. The fines for providers of GPAI models and Union bodies are imposed by the Commission and the European Data Protection Supervisor, respectively.

Approaching the tape: The EU’s final strides in the AI legislation marathon

A provisional agreement on the EU AI Act was reached on 9 December 2023, and the text was unanimously endorsed by Coreper I on 2 February 2024, making it likely to become official once voted on by the European Parliament in April 2024. After adoption, there will be a two-year grace period for implementation and enforcement, during which the Commission will conduct the AI Pact to encourage early commitment to the Act's rules and principles. Companies should begin preparing for compliance with the Act to maximize alignment. Holistic AI offers governance, risk, and compliance platforms and innovative solutions to help companies navigate the Act's rules and requirements.

EU Data Act: Empowering Users Through Informed Data Governance

The EU has set the gold standard for data protection regulation with the GDPR and is on its way to doing the same in the AI space with the AI Act. The Data Act, which is part of the European Data Strategy, governs how connected products and related services, including IoT devices, handle data, and requires full disclosure from companies on how they collect, store and share users' data. Data holders are bound to provide free, secure, and fair data access while safeguarding trade secrets and user confidentiality, which affects the deployment and functionality of AI systems. The Data Act does not have specific provisions for AI systems, but it affects AI systems deployed in connection with connected products or related services. Compliance with either the Data Act or the EU AI Act does not automatically provide compliance with the other, but the requirements may affect each other. A holistic approach, using technical as well as regulatory tools concurrently, is needed to comply with both regulations.