Our thinking

AI Watch: Global regulatory tracker

What's inside

Keeping track of AI regulatory developments around the world.

The global dash to regulate AI

Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.

Explore Trendscape

Our take on the interconnected global trends that are shaping the business climate for our clients.

Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).

Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world. 

Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:

  1. "AI" means different things in different jurisdictions: One of the foundational challenges that any international business faces when designing an AI regulatory compliance strategy is figuring out what constitutes "AI." Unfortunately, the definition of AI varies from one jurisdiction to the next. For example, the EU AI Act adopts a definition of "AI systems" that is based on (but is not identical to) the OECD's definition, and which leaves room for substantial doubt due to its uncertain wording. Canada has proposed a similar, though more concise, definition. Various US states have proposed their own definitions, which differ from one another. And many jurisdictions (e.g., the UK, Israel, China, and Japan) do not currently provide a comprehensive definition of AI. Because several of the proposed AI regulations have extraterritorial effect (meaning more than one AI regulation may apply simultaneously), international businesses may be forced to adopt a "highest common denominator" approach to identifying AI based on the strictest applicable standard.
  2. Emerging AI regulations come in different forms: The various emerging AI regulations have no consistent legal form – some are statutes, some are executive orders, some are expansions of existing regulatory frameworks, and so on. The EU AI Act is a "Regulation" (which means that most of it will apply directly in all EU Member States, without the need for national implementation in most cases). The UK has taken a different approach, declining to legislate at this early stage in the development of AI, and instead choosing to task existing UK regulators with the responsibility of interpreting and applying five AI principles in their respective spheres. In the US, there is a mix of White House Executive Orders, federal and state initiatives, and actions by existing regulatory agencies, such as the Federal Trade Commission. As a result, the types of compliance obligations that international businesses face are likely to be materially different from one jurisdiction to the next. Many other jurisdictions have yet to decide whether they will issue sector-specific or generally applicable rules and have yet to decide between creating new regulators or expanding the roles of existing regulators, making it challenging for businesses to anticipate what form their AI regulatory relationships will take in the long term.
  3. Emerging AI regulations have different conceptual approaches: The next difficulty is the lack of a consistent conceptual approach among emerging AI regulations around the world – some are legally binding while others are not, some are sector-specific while others apply across all sectors, some will be enforced by regulators while others are merely guidelines or recommendations, and so on. As noted above, the UK approach is to use existing regulators to implement five AI principles, but with no new explicit legal obligations. This has the advantage of meaning that businesses will deal with AI regulators with whom they are already familiar but has the disadvantage that different UK regulators may interpret these principles differently in their respective spheres. The EU AI Act is cross-sectoral and creates new regulatory and enforcement powers for existing bodies, including the European Commission, and also creates entirely new bodies such as the AI Board and the AI Office, while leaving EU Member States to appoint their own AI regulators tasked with enforcing the EU AI Act. In the US, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement clarifying that their existing authority covers AI, while various state regulators are also likely to have competence to regulate AI. International organizations including the OECD, the UN, and the G7 have issued AI principles, but these impose no legal obligations on businesses. In principle, these initiatives encourage consistency across members of each organization, but in practice this does not seem to have worked.
  4. Flexibility is a double-edged sword: In an effort to create AI regulations that can adapt to technological advances that have not yet been anticipated, many jurisdictions have sought to include substantial flexibility in those regulations, either by using deliberately high-level wording and policies, or by allowing for future interpretation and application by courts and regulators. This has the obvious advantage of prolonging the lifespan of such regulations by allowing them to be adapted to future technologies. However, it also creates the disadvantage of uncertainty because it leaves businesses uncertain of how their compliance obligations will be interpreted in the future. This is likely to mean that it is harder for businesses to know whether their planned implementations of AI will be lawful in the medium-to-long term and may make it harder to attract long-term AI investment in those jurisdictions.
  5. The overlap between AI regulation and other areas of law is complex: A substantial number of laws that are not directly focused on AI nevertheless apply to AI by association within their respective spheres, meaning that any use of AI will often trigger compliance issues and legal challenges even where there is not (yet) any enforceable AI-specific law. These areas of overlap include: IP (e.g., IP infringement issues with respect to AI model training data, and questions about copyright and patentability of AI-assisted inventions); antitrust; data protection (which adds restrictions to processing of personal data, and in some cases imposes special compliance obligations for processing carried out by automated means, including by AI); M&A (where AI innovation is driving dealmaking in many markets); financial regulation (where financial regulatory requirements may limit the ways in which AI can lawfully be deployed); litigation; digital infrastructure; securities; global trade; foreign direct investment; mining & metals; and so on. This overlap will mean that many businesses need to understand not just AI regulations in general, but also any rules that affect the use of AI in the context of the relevant sector or business activity.

Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.

Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.

Articles

Australia

Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.

Australia

Brazil

The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.

Sao Paulo

Canada

AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.

Canada

China

The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.

China

Council of Europe

The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.

European Union

Czech Republic

The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.

Czech Republic

European Union

The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.

 

European Union

France

France actively participates in international efforts and proposes sector-specific laws.

Paris

G7

The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.

G7 flags

Germany

Germany evaluates AI-specific legislation needs and actively engages in international initiatives.

Germany

India

National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.

India

Israel

Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.

Israel

Italy

Italy engages in political discussions for future laws.

Milan

Japan

Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.

Tokyo

Kenya

Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.

Kenya
Kenya

Nigeria

Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.

Nigeria
Nigeria

Norway

Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.

Norway

OECD

The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.

country flags

Saudi Arabia

Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.

Riyadh_Hero_1600x600 Saudi Arabia

Singapore

Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.

Singapore

South Africa

South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.

Johannesburg

South Korea

South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.

Korea

Spain

Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.

Madrid

Switzerland

Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.

Switzerland

Taiwan

Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.

Taiwan city

Turkey

Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.

Türkiye

United Arab Emirates

Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.

UAE

United Kingdom

The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.

London hero image

United Nations

The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.

United Nations

United States

The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.

New York city photo

Contacts

Tim Hickman
Partner
London
Erin Hanson
Partner
New York
Dr. Sylvia Lorenz
Partner
Berlin
European Union

AI Watch: Global regulatory tracker - European Union

The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.

Insight
|
13 min read

Laws/Regulations directly regulating AI (the “AI Regulations”)

The primary legislative framework for regulating AI in the EU is the EU AI Act (here). The EU has also proposed the AI Liability Directive (here) which is designed to ensure that liability rules are appropriately applied to AI-related claims.

Status of the AI Regulations 

The EU AI Act was published in the EU Official Journal on July 12, 2024, and is the first comprehensive horizontal legal framework for the regulation of AI across the EU. The EU AI Act enters into force on August 1, 2024, and will be effective from August 2, 2026,1 except for the specific provisions listed in Article 113. 

The AI Liability Directive is in draft form and is yet to be considered by the European Parliament and Council of the EU.2 Timing remains uncertain.

On September 5, 2024, the Council of Europe's Framework Convention3 on AI was signed by Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the United Kingdom, Israel, the United States, and the European Union4. The treaty will enter into force on the first day of the month following three months after five signatories, including at least three Council of Europe Member States, have ratified it. Countries from all over the world will be eligible to join and commit to its provisions.

Related laws affecting AI

There are many laws applicable in the EU that may affect the development or use of AI in the EU. A non-exhaustive list of common examples includes:

  • The EU General Data Protection Regulation (EU) 2016/679
  • The Product Liability Directive, which, if adopted, will allow people harmed by software (including AI software) to receive compensation from the software manufacturer (replacing Directive 85/374/EEC)
  • The General Product Safety Regulation 2023/988/EU, replacing Directive 2001/95/EC
  • Various intellectual property laws under the national laws of EU Member States

Definition of “AI” 

AI is defined in the EU AI Act using the following terms:

  • "AI system" means "a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments"
  • "General-purpose AI model" means "an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market"
  • "General-purpose AI system" means "an AI system which is based on a general-purpose AI model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems"5

The AI Liability Directive will likely adopt the same definition as the EU AI Act.6

Territorial scope 

The EU AI Act applies extraterritorially to:7

  • Any provider placing, or otherwise putting into service, an AI system or general-purpose AI models on the EU market, regardless of whether the provider is established or located within the EU or in a third country
  • Any deployers of AI systems who have their place of establishment in, or who are located in, the EU
  • Any provider or deployer of an AI system that have their place of establishment or are otherwise located in a third country, if the output produced by the AI system is intended to be used in the EU8

The AI Liability Directive applies to non-contractual fault-based civil law claims within the EU.9

Sectoral scope 

The EU AI Act is not sector-specific. It applies to all sectors. 

The AI Liability Directive is not sector-specific. It applies to non-contractual fault-based civil law claims brought before national courts.

Compliance roles

Under the EU AI Act:

  • Any developer of an AI system or general-purpose AI model, or any natural or legal person, public authority, agency or other body that has an AI system or general-purpose AI model developed and places them or puts the system into service on the EU market are "providers" under the AI Act10
  • Any natural or legal person in the supply chain that is not a provider or importer and makes an AI system available on the EU market is a "distributor" under the AI Act11
  • Any natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country are "importers" under the AI Act12
  • Any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity are "deployers" under the AI Act13
  • Any provider, product manufacturer, deployer, importer, distributor or authorized representative are "operators" under the AI Act14

Each of these roles comes with a set of compliance obligations.

The AI Liability Directive would increase the likelihood of a successful claim against an AI system developer or the user of an AI system that relied on its output.15

Core issues that the AI Regulations seek to address

The EU AI Act is intended to promote the uptake of human-centric and trustworthy AI and to ensure a high level of protection of health, safety, fundamental rights, democracy, and rule of law from harmful effects of AI systems while supporting innovation and the functioning of the internal market.16

The AI Liability Directive aims to ensure that persons harmed by AI systems enjoy the same level of protection as persons harmed by other technologies in the EU. Current fault-based liability rules are not suited to handling liability claims for damage caused by AI-enabled products and services. Specifically, it may be difficult (or prohibitively expensive) for victims to prove the fault of a potentially liable person, and/or the causal link between the fault and the damage suffered, owing to the complexity, autonomy and opacity of AI systems.

Risk categorization

The EU AI Act classifies AI systems, and imposes requirements, according to different levels of risk:

  • Unacceptable risk:  AI systems that present an "unacceptable" risk are prohibited.17 This includes (among others) AI systems used for social scoring and AI systems that use deceptive or exploitative techniques to materially distort a person’s behavior in a manner that can cause harm.18
  • High risk: AI systems that present a "high" risk are subject to the most detailed compliance obligations under the EU AI Act and include AI systems falling within two categories: (i) AI systems used as a safety component of a product (or otherwise subject to EU health and safety harmonization legislation); or (ii) AI systems deployed in eight specific areas, including (among others) education, employment, access to essential public and private services, law enforcement, migration, and the administration of justice.19
  • Limited risk: AI systems that present "limited" risk include those that directly interact with natural persons (e.g., chatbots), emotion recognition systems, biometric categorization systems, and AI systems that generate "deep fakes" (i.e., audio or visual content that appears genuine, even though it is created by an AI system). These systems are required to disclose the fact that the content has been artificially generated or manipulated.20 The transparency obligations imposed on deployers of these AI systems do not apply where the use is authorized by law to detect, prevent, investigate and prosecute criminal offenses. If the content is "evidently" an artistic, creative, satirical, fictional analogous work or program, these obligations are limited to the disclosure of existence of "deep fakes" in an appropriate manner that does not hamper the display or environment of the work.21
  • Low or minimal risk: Any AI system not caught by the above are of low or minimal risk.22

For general-purpose AI models, the EU AI Act distinguishes between those that entail a systemic risk and those that do not. If the computational power of the general-purpose AI model exceeds a certain threshold, the AI model is presumed to entail a systemic risk. In addition, the European Commission has the power to designate certain general-purpose AI models as having systemic risk.23

The AI Liability Directive does not directly govern the risks posed by AI systems.

Key compliance requirements

Compliance obligations are primarily determined by the level of risk associated with the relevant AI system:

  • Unacceptable risk: AI systems posing an unacceptable risk are not subject to compliance requirements; they are prohibited outright
  • High risk: AI systems and their providers (or where applicable, the authorized representative) must be registered in an EU database before being placed onto the EU market or put into service, and must comply with a wide range of requirements on data training and data governance, technical documentation, recordkeeping, technical robustness, transparency, human oversight, and cybersecurity24
  • Limited risk: Providers and deployers of certain AI systems and general-purpose AI models are subject to transparency obligations25
  • Low or minimal risk: AI systems do not have specific obligations or requirements under the EU AI Act26

All providers of general-purpose AI models are subject to certain technical documentation and transparency obligations and are required to cooperate with the Commission and national competent authorities as well as respect national laws on copyright and related rights.27 Compliance may be demonstrated through adhering to approved codes of practice.28 Providers of general-purpose AI models with systemic risk have additional obligations, including the obligations to perform standardized model evaluations, assess and mitigate systemic risks, track and report incidents, and ensure cybersecurity protection.29

The EU AI Act also provides for the development of codes of conduct for AI systems, which the Commission hopes all AI system providers will voluntarily apply.30

The AI Liability Directive does not contain compliance requirements.

Regulators

Enforcement of the EU AI Act involves a combination of authorities. EU Member States will establish or designate at least one notifying authority and at least one market surveillance authority (together, the "national competent authorities") and ensure that the national competent authorities have adequate technical, financial and human resources, and infrastructure (that are sufficiently knowledgeable) to fulfill its tasks under the EU AI Act.31

The notifying authority is responsible for setting up and carrying out the assessment and designation procedures that are required under the EU AI Act, in an objective and impartial manner.32

The market surveillance authority may vary for "high" risk AI systems, AI systems used by financial institutions subject to EU legislation on financial services, and other EU institutions, agencies, and bodies.33

The market surveillance authority is primarily responsible for enforcement at the national level.34 If an AI system is non-compliant, the market surveillance authorities can exercise the enforcement powers described below. The market surveillance authorities will report to the Commission and relevant national competition authorities on an annual basis.35

Additionally, an AI Office within the Commission will enforce the common rules across the EU.36 Enforcement will be supported by a scientific panel of independent experts.37 An AI Board with Member States' representatives will advise and assist the Commission and Member States on the consistent and effective application of the AI Act.38 Finally, an advisory forum for stakeholders will provide technical expertise to the AI Board and the Commission.39

National courts of EU Member States will be responsible for implementing the AI Liability Directive in the case of non-contractual fault-based civil law claims brought before them.

Enforcement powers and penalties

Where the market surveillance authority finds that there is: (i) non-compliance with the obligations of the EU AI Act; or (ii) compliance from a high-risk AI system with the obligations of the EU AI Act, but still presents a risk to the health and safety of persons, the fundamental rights of persons, or other aspects of public interest protection; then the relevant market surveillance authority can (a) require the relevant operator to take all appropriate corrective actions (in the event of (ii), to ensure the AI system concerned no longer presents that risk) or withdraw/recall the AI system from the market; or (b) where the operator fails to do so, the relevant authority shall prohibit/restrict the AI system being made available on its national market or put into service, or withdraw/recall the product or the standalone AI system from the market.40

Penalties range from (i) the higher of €35,000,000 or up to 7 percent of a company’s total worldwide annual turnover for non-compliance with prohibited AI practices, to (ii) the higher of €7,500,000 or up to 1 percent of a company’s total worldwide annual turnover for the supply of incorrect, incomplete, or misleading information to notified bodies and national competent authorities.41

The AI Liability Directive increases the claimants’ likelihood of a successful claim by creating a rebuttable presumption of causality on the defendant. In practice, the new rule means that if a victim can show that someone was at fault for not complying with a certain obligation relevant to their harm, and that a causal link with the AI performance is reasonably likely, the court can presume that this non-compliance caused the damage.42

The AI Liability Directive also gives national courts the power to order disclosure of evidence about high risk AI systems that are suspected of causing damage, to help victims access relevant evidence to identify the person(s) that could be held liable.43

1 See EU AI Act, Article 113.
2 See
Procedure File: 2022/0303(COD) | Legislative Observatory | European Parliament (europa.eu).
3 See Convention text
here
4 See European Commission press release
here.
5 See EU AI Act, Articles 3(1), 3(63) and 3(66).
6 See AI Liability Directive, Article 2(1).
7 See EU AI Act, Articles 2(1)(a) to (c). Responsibilities along the AI value chain (including distributors, importers, deployers) are set out in Article 25.
8 See EU AI Act, Recital 22.
9 See AI Liability Directive. Article 1(2).
10 See EU AI Act, Article 3(3).
11 See EU AI Act, Article 3(7).
12 See EU AI Act, Article 3(6).
13 See EU AI Act, Article 3(4). 
14 See EU AI Act, Article 3(8). 
15 See AI Liability Directive, Article 4(b).
16 See "Purpose" in the Procedure File: printficheglobal.pdf (europa.eu); and EU AI Act, Article 1(1).
17 See EU AI Act, Recital 179.
18 See EU AI Act, Article 5.
19 See EU AI Act, Article 6(1), (2) and Annex I, Annex III. 
20 See EU AI Act, Articles 50(1) to 50(4).
21 See EU AI Act, Article 50(4).
22 See page 4 of the briefing note.
23 See EU AI Act, Article 51.
24 See EU AI Act, Articles 8-15 and 49.
25 See EU AI Act, Article 50.
26 See page 4 of the briefing note.
27 See EU AI Act, Article 53.
28 See EU AI Act, Article 56.
29 See EU AI Act, Article 55.
30 See EU AI Act, Chapter X (Codes of Conduct and guidelines).
31 See EU AI Act, Article 70.
32 See EU AI Act, Article 31(6).
33 See EU AI Act, Article 74(6).
34 See EU AI Act, Article 74.
35 See EU AI Act, Article 74(2).
36 See EU AI Act, Article 64.
37 See EU AI Act, Article 68.
38 See EU AI Act, Article 65 and 66.
39 See EU AI Act, Article 67.
40 See EU AI Act, Articles 79(2) and 82 (1).
41 See EU AI Act, Articles 99(3) and (5).
42 See AI Liability Directive, Article 4(1).
43 See AI Liability Directive, Article 3(1).

Timo Gaudszun (Legal Intern, White & Case, Berlin), Jeffrey Shin (Trainee Solicitor, White & Case, London) contributed to this publication.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP

Top