Background

The AI Act (i.e., regulation laying down harmonised rules on artificial intelligence) is the European Union’s answer to recent developments in the field of artificial intelligence. It is aimed at securing intelligent systems by addressing both the wide range of AI applications and safety-critical sectors. The AI Act, along with the Data Act, the Data Governance Act, and other regulations (GDPR, OTA update rules), not only defines the requirements for essential infrastructure, but also what AI is in the context of critical software. However, there are still several unresolved issues (for example, the AI Act, AI testing and auditing) that need to be cleared up, and on which several projects across Europe are already working.

Project Content and Goals

The overarching goal of the current project is to explore and examine the new EU-wide regulations on the use of AI. A key focus of our investigations are high-risk areas and the critical infrastructure. The findings will then serve as a foundation for the Federal Ministry of the Interior (BMI) and critical infrastructure operators to take appropriate action and to provide input to the European Commission (EC). Aside from the AI Act, the Data Act and the Data Governance Act, we take into account other regulations, standards and best practices. Additionally, we make an effort to predict likely future developments and include them into the conclusions and recommendations.

The following sub-objectives are to be achieved:

• Developing a methodology that allows for a quick systematic analysis of the key EU-Acts and giving a structured overview of challenges, consequences for SMEs and critical infrastructures, especially with regard to the risk definitions in the AI Act.
• Conducting a survey to ascertain the most pressing issues for businesses in light of the new regulations.
• Identifying the most important regulations, standards and best practices which are affected by the Acts and analysing what impact they have on AI systems.
• Conducting an exploratory scenario analysis to anticipate developments of the coming years and take them into consideration.
• Make the knowledge gained available to SMEs (through guidelines documents etc.).

Methods

The analysis of the legal texts is carried out by experts from the technical sciences and the legal sciences. The main focus of the investigations is on the AI Act, but the Data Act and the Data Governance Act are considered as well. Standards and best practices affected by the Acts are identified and building on the conclusions drawn recommendations and guidelines are developed. To assess potential future developments, an exploratory scenario analysis is also performed. Findings of the analyses are turned into recommendations and guidelines, which predominately consist of check lists that allow evaluations to be made fast and efficiently. To deal with specific aspects of the investigations in an organized manner we follow the processes given in the "Procurement Guide for Secure AI".

Results

The European Union started several initiatives (the AI Act, Data Act, and Data Governance Act), to regulate the use of AI. In the current project, we take a closer look at these regulations and develop a methodology for analysing them in a structured manner. Using this methodology, it is possible to describe in concrete terms what it takes to conform with the new regulations and what they entail for SMEs, key infrastructures, and law enforcement. In addition to that we try to foresee future developments in the field of AI and find appropriate solutions to security issues that may emerge as a result of these developments. Based on our findings, we create manuals and guidance documents for SMEs. Moreover, the project's extensive consideration of legal and technical issues not only aids the Ministry in putting the Acts into practice in Austria but also gives it an idea what problems might arise during practical implementation.