No. 101: Truly Risk-Based Regulation of Artificial Intelligence: How to Implement the EU’s AI Act
Abstract
The recently adopted Artificial Intelligence Act (AI Act) of the European Union (EU) claims to be based on a risk-based approach to avoid over-regulation and to respect the principle of legislative proportionality. This paper argues that risk-based regulation is indeed the right approach to AI regulation. At the same time, however, the paper shows that important provisions of the AI Act do not follow a truly risk-based approach – contrary to the claims of the European Commission and the co-legislators. Yet, this is nothing that cannot be fixed. The AI Act provides for sufficient tools to support future-proof legislation and to implement it in line with a genuine risk-based approach. Against this background, the paper analyses (i) how the AI Act should be applied and implemented according to its original intention of a risk-based approach, (ii) how the AI Act should be complemented by sector-specific legislation in the future to avoid inconsistencies and over-regulation, and (iii) what lessons legislators around the world can learn from the AI Act in regulating AI.
The following sections are structured as follows:
• Section 1 shows how risk-based regulation has become the dominant strategy for policymakers to regulate AI – not only in the EU, but globally.
• Section 2 outlines the key elements of risk-based regulation – discussing the notion of “risk”, the distinction between AI risk assessment, impact assessment, and risk management, and the key elements of risk-based regulation.
• Section 3 criticizes the AI Act, arguing that some of its main provisions are not truly risk-based, leading to over-regulation in some areas and under-regulation in others. In particular, it analyses several problems with the AI Act, such as the lack of a risk-benefit analysis, limited reliance on empirical evidence, and lack of case-by-case risk classification.
• Section 4 examines how the AI Act can be brought into line with a truly risk-based approach. To this end, the paper analyses the relevant instruments to implement the AI Act, such as guidelines, delegated and implementing acts, codes of practice, and harmonized standards.
• Section 5 analyses how the AI Act should be complemented by sector-specific legislation in the future to avoid inconsistencies and over-regulation.
• Section 6 draws conclusions on what policymakers outside the EU can learn from the AI Act when regulating AI.