Artificial Intelligence & Compliance with AI ACT: Business and Legal Realities

The complexity of the nature and functioning of AI and its systems has led to the creation of numerous definitions by various organizations, yet to date, none of them can be considered complete. Regulation 2024/1689 (AI Act), perhaps the most fundamental legislative text to date defining the operation of AI in the EU, identifies autonomy and adaptability as the key elements for classifying a system as AI. AI, therefore, is not an algorithm or a system of algorithms that is fed data by humans, thereby producing a result or solution for the intended purpose. Instead, AI systems have the ability to receive data, evolve without human intervention, and produce results tailored to their specific user and their needs.

How does Artificial Intelligence manifest itself in everyday business life?

The rapid development of AI is also evident in everyday life, as its systems are now being applied in various sectors. From internet search engines to various areas of government infrastructure, these systems now play a vital role. AI systems have begun to be applied in sectors such as Public and Private Healthcare, Education, the Military, as well as across a range of private-sector services, such as commerce, industry, and tourism. As analyzed above, the complexity of AI systems, combined with their rapid development, poses significant risks both for the end users of these systems and for the entities that provide them. The legislative and knowledge frameworks are still in their early stages, while the need to protect all parties involved is imperative, so that only the benefits are enjoyed and the risks are minimized as much as possible.

What is the legal framework for AI, and what is the AI Act?

In the recent past, the international community, as well as European and national legislators, have taken steps to establish a clear framework for the use of AI, with provisions covering all entities that are part of it. The most significant piece of legislation that is directly applicable in our country is Regulation 2024/1689 (AI Act).

The AI Act is the first comprehensive European legislation to establish clear rules for regulating the use of AI. The aim of the regulation is to establish a single legal framework for the development, placing on the market, putting into service, and use of AI systems within the EU, while ensuring a high level of protection of health, safety, and fundamental rights from the harmful effects of these systems.

The practical significance of the AI Act for businesses is particularly important, as it introduces specific compliance obligations for all stakeholders, regardless of size or sector. The immediate application of the regulation in EU member states and the phased entry into force of its individual provisions make it necessary for businesses to adapt to the new regulatory framework in a timely manner.

Who does the AI Act apply to?

The AI Act does not apply exclusively to companies that develop AI systems, but to a much broader range of businesses as well. Specifically, it applies not only to providers but also to businesses that use AI systems in the course of their activities, as well as to importers and distributors of such systems.

In practice, this means that even companies that do not develop AI themselves may fall within the scope of the AI Act. The use of tools such as automated decision-making systems, data analysis applications, employee evaluation tools, or personalized advertising may trigger specific legal obligations.

At the same time, the AI Act has extraterritorial application, covering companies outside the EU in cases where they develop, offer, or use AI systems that affect individuals within the EU.

Consequently, the majority of modern businesses are required to assess whether and to what extent they fall under this new regulatory framework, a fact that necessitates an initial legal assessment of the development, distribution, or use of AI within the scope of their activities.

Finally, private users of AI systems must be aware of their rights as set forth in the provisions of the AI Act, as the liability of end-users of AI systems may not yet have been established; however, the nature of these systems necessitates both precautionary measures during their use and monitoring for potential violations of fundamental rights.

Risk Categories: How are AI systems classified?

A central pillar of the AI Act is the categorization of AI systems based on the risk they pose. This categorization is not merely theoretical; rather, it directly determines whether and to what extent a company is subject to specific legal obligations.

Specifically, AI systems are classified as:

  • Prohibited AI practices / Unacceptable-risk AI systems: Fully prohibited.

  • High-risk AI systems: Strict compliance framework.

  • Limited-risk systems: Fewer regulatory requirements.

  • Minimal or zero-risk systems: Not subject to specific regulatory requirements.

The categorization of AI systems and applications as described above is critical for businesses, as it determines the nature and scope of the compliance obligations they are required to meet. Correctly identifying the category to which an AI system belongs is not always obvious, especially in cases of complex or multiple uses, making a specialized legal assessment necessary.

What key compliance obligations does the AI Act impose on businesses?

The obligations introduced by the AI Act vary depending on the risk level of the specific AI system, with the strictest requirements applying to high-risk AI systems. In general, businesses are required to assess and manage the risks arising from the use of AI, ensure the proper use of data, and adopt measures that enhance transparency and accountability.

At the same time, the regulatory framework introduces requirements related to oversight, documentation, and the development of internal compliance procedures, the scope and intensity of which depend on the nature and use of the specific AI system in question.

These obligations do not operate in isolation but form a comprehensive regulatory compliance framework that requires continuous monitoring and adaptation, taking into account both technological developments and the phased implementation of the provisions of the AI Act.

What are the risks of non-compliance?

Failure to comply with the regulatory framework of the AI Act may result in significant legal and business consequences. In particular, the Act provides for the imposition of strict administrative sanctions and substantial fines, which may amount to particularly significant sums depending on the severity of the violation. Beyond regulatory penalties, non-compliance may also expose the company to civil liability toward third parties in cases where damage is caused by the use of AI.

The relevant risks, however, are not limited to the legal sphere but also extend to the company’s operations and reputation, as potential violations may affect its credibility with customers, partners, and supervisory authorities.

At the same time, given the interaction between the AI Act and other regulatory frameworks, such as data protection legislation, companies may face a combination of obligations and penalties.

Conclusion

The development of AI is an inevitable reality to which all social and economic actors must adapt and educate themselves in order to safely and effectively leverage the opportunities it offers. In this new environment, understanding and properly applying the regulatory framework, and in particular the AI Act, is crucial for the lawful and sustainable operation of businesses.

Our firm provides comprehensive legal support and advice both to AI system operators and providers to help them develop their systems in compliance with the law, and to system users to ensure they are fully informed and protected when using them.
