Protection of rights and responsible use of artificial intelligence (AI)
From February 2, 2025, the general provisions and prohibitions of the AI Act, which came into force on August 2, 2024, will apply in the European Union.
The regulation is intended to ensure the safe use of artificial intelligence (AI). The AI Act is an important step towards protecting the rights of citizens in the EU while promoting innovation in the AI sector. By combining conformity assessments, user competence requirements and the development of stand-alone AI systems, the EU is taking a unique approach to balance innovation and responsibility.
Prohibitions and risk assessment
A central component of the new regulation is the ban on AI systems that pose an unacceptable risk. This includes, in particular, applications that carry out social behavioral assessments in which people are divided into certain categories or rewarded/punished. Another target of the ban is facial recognition systems in public spaces, which are only permitted with a few exceptions, such as the prosecution of criminal offenses by the police or other security authorities.
Commitment to AI competence
The regulation also focuses on the competence of users of high-risk AI systems. From February 2, 2025, employees may only use AI in the workplace if they have sufficient knowledge, experience and training. This relates to technical knowledge, understanding of the application context as well as experience and training in dealing with AI.
The obligation for AI competence applies to all providers and operators, regardless of their size or orientation.
Future requirements for general purpose AI
A guideline for General Purpose AI (GPAI) is expected in the coming months, which will describe the legally compliant use of these systems. In this context, requirements will also be placed on technical documentation, the disclosure of training data and legal issues relating to copyrights.
Europe's initiative for AI development
The EU is also planning to develop its own AI models in order to reduce its dependence on US providers. The aim is to create open, multilingual language models that are accessible to all citizens, companies and authorities. This should also ensure that languages that are less widely used are not neglected.
You can find the entire AI regulation here.
What does the AI Regulation mean for the security of information technology (IT) and operational technology (OT)?
The AI Regulation classifies AI systems into four risk levels: unacceptable risk, high risk, limited risk and minimal risk. For companies that use AI in IT and OT environments, this results in clear requirements and new challenges:
- Risk assessment of AI systems: Existing IT/OT security processes must be adapted to identify and minimize AI-specific risks. This includes analyzing malfunctions, potential manipulation and unintended consequences of AI-supported decisions.
- Documentation requirements: Companies must provide comprehensive proof of the security and integrity of their AI applications. This also applies to the OT security landscape, in which AI is increasingly being used for automation and optimization processes. The transparency requirements include the disclosure of algorithms, training data and decision-making processes.
- Synergies with existing standards: The AI Act is closely linked to existing IT security standards such as ISO 27001, NIS-2 and industry-specific guidelines such as TRBS 1115-1. Companies can use these synergies to optimize their security concepts and efficiently integrate new compliance requirements.
What are the practical steps for companies?
- Carrying out a quick health check (QHC): An initial inventory of the existing IT/OT security architecture helps to identify potential weaknesses in dealing with AI. This straightforward approach provides valuable insights and forms the basis for further measures.
- Extended risk assessments (GBU): AI-specific risks must be integrated into existing risk assessments. These include threats such as bias in training data, faulty decision-making processes or the manipulation of AI systems in OT environments.
- Training and awareness-raising: Managers and OT staff should be specifically prepared for the new regulatory requirements. In addition to technical know-how, an understanding of the legal and ethical aspects of AI use is crucial.
- Integration of AI governance structures: Companies should develop internal guidelines and control mechanisms to ensure the safe and responsible use of AI systems. This includes the appointment of AI officers and the establishment of compliance teams.
What opportunities does the AI regulation offer companies?
The AI regulation is not only a regulatory challenge, but also an opportunity to safely exploit innovation potential. Companies that respond to the new requirements at an early stage can position themselves as pioneers in the safe and responsible use of AI. This not only strengthens the trust of customers and partners, but also increases competitiveness on the international market.
Particularly in the area of industrial control systems (OT), the AI regulation offers the opportunity to implement AI-supported optimizations safely and transparently. As a result, companies can not only increase their efficiency, but also develop new business models.
Conclusion
The AI Regulation sets new standards for dealing with artificial intelligence and challenges companies to adapt their IT/OT security strategies. With a proactive approach, companies can not only meet the legal requirements, but also strengthen their innovative power and competitiveness. The combination of regulatory clarity and technological progress provides the basis for the responsible and future-proof use of AI in Europe.
Find out how we can support you in implementing cybersecurity within the framework of the AI Regulation.
Cihangir Günbay
weyer gruppe | horst weyer und partner
Tel.: +49 (0) 2421 – 69 09 11 56
E-Mail: c.guenbay@weyer-gruppe.com
Sources:
ZDF heute | Handelsblatt | heise | https://ai-act-law.eu/de/