The Complex Web of Governance: What I Learned About the EU AI Act
- Brandi P
- Apr 12
Updated: Apr 14
The EU AI Act is positioned to reshape the world of AI governance. Behind all the rules and regulations is a complex web of stakeholders and enforcement challenges.

EU AI Act: Striking a Balance Between Decentralization and Centralization
This week, I explored the EU AI Act, focusing less on its impact on organizations and more on how it functions as a governance framework itself, including how responsibilities and enforcement are structured.
What stood out to me is that the EU AI Act follows a hybrid decentralized and centralized structure. The decentralized portion refers to member states, which each assign notifying authorities and market surveillance authorities. The notifying authority designates a third party to assess whether an AI system is ready to be deployed into the market and aligned with the Act. Market surveillance authorities then perform audits and checks after the system has been deployed.
In highly regulated sectors, specialized authorities may take on this responsibility. For instance, if an AI system is used for credit scoring, relevant financial regulators would ensure compliance. For this example, if a similar framework were applied in the United States, that could be the Consumer Financial Protection Bureau.
Key Stakeholders in the EU AI Act
The Act also establishes a European Artificial Intelligence Board (EAIB), which includes one representative from each member state, with the AI Office and the European Data Protection Supervisor as observers. The board serves in an advisory role, sharing relevant AI information, offering guidance on AI implementation, and facilitating cooperation among EU regulators. It does not have the power to enforce laws.

The centralized portion of the Act gives oversight authority to the EU Commission. The Commission will update the law over time, for example by identifying new high-risk use cases, making decisions regarding safeguard procedures, providing high-level guidance, and setting specifications for high-risk use cases.
Part of the EU AI Act establishes an AI Office within the Commission. This AI Office is a resource for the EU Commission to develop and strengthen its knowledge and capabilities in AI. The Act also sets up a Scientific Panel, chosen by the EU Commission. The panel supports the AI Office by providing expertise on evaluating general-purpose AI (GPAI) and also assists market surveillance authorities in their evaluations.
Last, there is an advisory forum composed of a selection of stakeholders (subject matter experts, startups, civil society and academia) chosen by the Commission. This group will offer opinions and recommendations on the AI Act enforcement framework.
As you can see, the web of stakeholders is complex, and the communication channels between them are likely to get crossed, making it challenging for different parties to coordinate effectively.
Challenges in Enforcing Data Protection and AI Safety Regulations
Enforcing these rules becomes even more difficult. In fact, we can look to the General Data Protection Regulation (GDPR) to understand how enforcement of data protection policies and safety regulations has played out in practice. Enforcement under the GDPR has generally been uneven, inconsistent, or in some cases, virtually non-existent. In fact, the European Parliament concluded that the GDPR has not made as much of an impact as intended since its introduction (Söderlund & Larsson, 2024).
Countries implement the GDPR differently based on their available resources, highlighting the resource gaps between various nations. With the expansion of privacy and AI safety policies like the EU AI Act, nations with limited resources are likely to be stretched even thinner. Use cases will likely be pushed through quickly to clear compliance backlogs, or they may face longer delays. For U.S. companies seeking to deploy AI systems in the European Union, this can slow down timelines, as the EU AI Act requires more than simply aligning AI policies and systems with EU standards. Companies deploying high-risk AI will need to navigate a complex governance framework and financial constraints, notify relevant authorities, engage with conformity assessment bodies or advisors, and comply with market surveillance requirements.
Exploring the EU AI framework has reconfirmed the critical nature of governance design, not only for compliance, but also in considering roles, responsibilities, resources, and communication channels. If governments are creating laws to oversee the safe implementation of AI, and bureaucratic procedures start slowing things down, investors may get nervous about delayed returns. That can create pressure, especially for governments with limited resources, to push these systems through faster.
Do you think the EU will be able to effectively enforce the EU AI Act across its member states?

