This report does not constitute a rating action.
The EU AI Act establishes a regulatory framework for restricting and limiting AI use that will likely influence companies and regulators across the globe. The legislation, which is the first major framework of its kind, employs a human-centric and risk-based approach to manage AI systems' safety, and includes measures designed to ensure systems are transparent, traceable, non-discriminatory, environmentally friendly, and aligned with fundamental rights.
What's Happening
On March 13, 2024, the EU parliament overwhelmingly approved the EU AI Act. Companies have about two years to comply with the regulation, which includes stricter obligations for providers and users of AI systems that pose greater risks, and a lighter review (to encourage innovation) for AI systems deemed low risk. The act requires providers, distributors, and users of AI to deploy robust governance and processes that mitigate AI-related financial, operational and reputational risks. While there is some time for official compliance, many organizations will need to act swiftly to ensure adequate governance and implementation of infrastructure, systems, and staff training.
Why It Matters
The act is likely to set the tone for global AI regulation. Because it is the first framework of its kind, because it applies to all sectors and all parties involved in an AI value chain (including providers, importers, users, and distributors), and because global economies are now so closely integrated, S&P Global Ratings believes the framework's influence will stretch across the globe. The far-reaching impact of the EU General Data Protection Regulation (GDPR) provides an example of how that could look.
Entities operating in, or with operations in, the EU will have to familiarize themselves with the regulations, including:
- Its risk-based approach that defines four levels of risk, from unacceptable to minimal, and applies different levels of scrutiny to each (including outright bans on some AI applications).
- Its requirements for (and definitions of) best practice in AI model design, including those dictating robustness, safety, transparency, and fairness.
The financial and reputational risk resulting from infringements could be material to creditworthiness. Fines could be as much as 7% of a company's global annual turnover. Beyond the financial impact, the regulation could also expose underlying risks relating to failures in operational resiliency and the quality of AI governance frameworks, which could have credit quality implications.
What Comes Next
The next three years are key. Once the act enters into force, likely by the second quarter of 2024, EU-based companies will, for the most part, have 24 months to be compliant. However, in line with the act's risk-based approach, AI systems that pose an unacceptable risk will be banned in six months, while general-purpose AI rules will apply in 12 months. On the other hand, obligations relating to high-risk systems will be applicable in 36 months. More immediately, many organizations will need to act swiftly in areas of process assessment, design and deployment, monitoring, and governance to support compliance.
Related Research
- Can Generative AI Create A Productivity Boom, Jan. 10, 2024
- The AI Governance Challenge, Nov. 29, 2023
Primary Credit Analyst: Miriam Fernandez, CFA, Madrid +34 917887232; Miriam.Fernandez@spglobal.com
Secondary Contact: Bruno Bastit, Madrid +34 914233215; bruno.bastit@spglobal.com