Carme Artigas: What the EU AI Act Means for MSPs and Tech Leaders

The European AI Act aims to provide transparency and trust to consumers and companies, specifically by preventing any harm related to safety and fundamental rights.

It is a pan-European regulation. That means that it applies at the same time, and in the same way, to all 27 member states.

The European AI Act is based on product and risk assessment. There’s a risk matrix where every single AI application will be classified as either no risk, low risk, mid-range risk or high risk.

The full Act really only applies to the high-risk use cases.

Low-risk cases need to do nothing, and mid-risk applications only have a register with the European AI Office, just in case they want to double-check any aspect of that application.

High risk includes those applications that can generate a physical risk, a risk about safety, a risk to health, or a risk to fundamental rights in high-risk domains.

These domains are health, education, labor, judiciary and government.

The Act is being deployed and adopted in several stages. One is already in place, where forbidden use cases had to be removed from the market.

The second phase involved partnering with the industry to agree on a code of practice for deploying conformity assessment, which affects high-risk use cases of AI applications. That is scheduled to go through the European Commission for approval in August. Then, every member state needs to appoint its supervisory agency, which will act at the national level.

Companies then have until August 2026 to adapt to these regulations, which require them to conduct conformity assessments for high-risk use cases.

Any company providing services to the European Union and European Union citizens, companies and industries must comply with the EU Act, regardless of where you are based.

We are not preventing European companies from competing globally. Therefore, it is permissible to provide a service that is forbidden within the EU to countries outside of it.

For example, the use of AI for social scoring is a forbidden use case, but an EU business could develop and sell those systems outside Europe.

The European AI Act provides different risks and different obligations depending on the value chain.

If you’re a small or medium-sized business using a third-party developed tool, such as a large language model, you should request that the provider provide all relevant documentation demonstrating compliance with the EU AI Act.

Every part of the value chain is responsible for their use or development of the tool. So, it’s important that you are provided with the quality control certification of your provider.

I understand that most MSPs will not be categorized as high-risk use cases.

If they’re using generative AI services, then they’ll need to have transparency on how they use the data, that it has the correct authorisations for copyright, and that it has been trained without biases.

These are all ethical requirements that the company and the customer expects from those tools.

I think against the common belief, I really see that European AI Act is a great opportunity for competitiveness for the European Union.

First of all, because the number one reason why companies are not adopting AI is lack of trust.

There’s a lack of trust in the models because people don’t understand how they work, because they are not reliable, they still hallucinate and they can involve cybersecurity risks. There are also concerns about the safety of proprietary industrial data.

If, in Europe, we can provide trust to the consumer, we could become the region that the world turns to when they want to use AI with no problems, with no concerns.

If you have a solution which complies with the AI EU Act, you will be recognized as a leader and a trusted partner giving you competitive advantage. But as with any regulation, there are sticks and carrots.

Non-compliance can involve a fine of up to 10% of total global income, so it is definitely worth everyone understanding and complying with the Act.