EU AI Act: Kai Zenner’s inside view

AI regulation will soon come into force: how should it be assessed? And what does it mean for European competitiveness?

06 August 2024

Kai Zenner, Digital Policy Adviser to MEP Axel Voss, on what makes the EU AI Act unique and what it can do for Europe’s digital competitiveness.

Kai Zenner is about as close to shaping European AI policy as you can get. Bringing an insider’s perspective to some of the thinking behind the forthcoming EU AI Act, he says: “It is no regulatory monster coming from Brussels without evidence or prep work to back it up.” On the contrary, the EU AI Act is founded on substantial and cooperative preparatory work at an expert national, European and international level.

What makes the EU AI Act unique?

Two-into-one compliance: The EU AI Act adopts the New Legislative Framework (NLF), commonly used to certify products and services, like toys, radio equipment and medical devices. And it reinforces it with protections for “fundamental rights”, defined in the EU Charter. “This hybrid approach, not previously tested, requires two compliance worlds to cooperate and interact,” explains Kai.

Risk-based pyramid: The Act’s risk-based approach supports innovation while putting the burden of regulation onto systems that present the highest risks.

Value-chain approach: For faster information-sharing and cooperation along the value chain, the EU AI Act seeks to level up regulatory obligations. At the market-facing end, small AI system developers and deployers were expected to bear the brunt of the regulatory burden. Instead, the Act also catches larger market players further down the value chain — providers of data sets, models and other AI components — which would otherwise fall out of scope.

Is the EU digitally competitive?

Short answer: not yet.

The US leads. It hosts most top AI firms. It promotes private-sector innovation and attracts the best AI talent. It is big on AI venture capital investment and R&D spend. And it is quick to commercialise university research. It has a robust digital infrastructure and a coherent digital market.

China is getting up to speed. It considers AI key to the global tech race and could overtake the US to become the dominant national player.

The EU lags behind. It aims to replicate the global success of GDPR in the EU AI Act, presenting an ethical, trustworthy, risk-based framework, which is transparent on product safety and liability, and aligns with international organisations. It would create huge competitive advantage for the EU. But as Kai puts it: “We are far from it. The AI gap is widening.”

Kai considers that:

  • EU companies lack confidence to invest in and develop AI systems because legal uncertainties hinder planning. Most deploy US AI tech.
  • AI systems are too dynamic for the NLF framework. Modifications, new risk categories and more than one intended purpose require companies to repeatedly test their compliance.
  • Companies spend on third-party conformity assessments and certifications they do not need because of inherent vagueness and uncertainties in the Act.

The EU AI Act is, in Kai’s view: “A principles-based, future-proofed and cooperative law. But vagueness and uncertainties make it ‘mission-impossible’ for companies that want to be fully compliant. It will take legal minds to make sense of everything that is out there.”

And by “everything”, Kai means 116 laws that are either enacted, under discussion or planned for the digital sector in the EU. As well as a further 65 governance mechanisms.

What next for the EU AI Act and how to influence the debate

All is not lost. The EU AI Act will be phased in over three years, so there is time to fix many of the challenges that stand in the way of the EU’s ambition. And time for stakeholders to adapt to the new requirements.

By the end of December 2024, banned AI systems must be withdrawn from the market. In August 2025, provisions for most general-purpose AI models will apply. In summer 2026, the majority of rules for high-risk AI systems come into effect, followed, in summer 2027, by rules for high-risk systems used in safety components.

Until then, Kai advises would-be AI developers and deployers to:

  • Develop an internal AI strategy that considers existing AI technologies and anticipates future regulatory obligations.
  • Engage with standardisation bodies. Help shape horizontal as well as vertical technical standards that may be incorporated into secondary legislation.
  • Share use cases and best practices with the Commission and national competent authorities.
  • Join regulatory sandboxes to build trusted relationships with enforcement bodies, improve dialogue and support joint learning.
  • Identify and motivate AI talent to participate outside large tech companies.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.