Are you considering using artificial intelligence to support specific tasks or to carry out work processes more generally? If so, you should already consider the possible consequences of the European Commission’s proposal for a regulation on artificial intelligence - even though the proposal is far from processed or adopted by the EU.

The proposal is part of the strategy “Shaping Europe’s digital future”, the overall objective of which is to ensure citizens’ rights and confidence in new technology, focusing on a balanced approach to digitalisation.

It has not yet been clarified what the future regulation will mean for existing IT solutions with artificial intelligence, but it is still a good idea to prepare for any possible consequences. Below are five tips on how best to prepare now for the future regulation of artificial intelligence.

1. Assess under which category your IT solution falls

The proposal divides IT solutions with artificial intelligence into four categories, each with its own requirements: unacceptable risk, high risk, limited risk and low risk. The category to which an IT solution belongs, and thereby the requirements that must be fulfilled, depends on a specific assessment of the artificial intelligence and the IT solution in which it is included. If your company or the authority by which you are employed is considering implementing IT solutions with artificial intelligence, you should already investigate to which category the IT solution belongs and which requirements to address. Please note that it also matters whether you have developed the IT solution yourself or have purchased it from an IT supplier. The requirements are aimed at the actual IT solution and your specific role in relation to the IT solution (developer/supplier, importer, distributor or user).

If the requirements are not fulfilled, this may result in sanctions in the form of substantial fines according to the present proposal.

Below, we will go through the four categories of artificial intelligence.

Unacceptable risk

It is not allowed to develop and use artificial intelligence in this category. The category covers types of artificial intelligence that imply manipulation of individuals, evaluation of individuals for the purpose of categorisation based on social behaviour (social scoring) or special forms of person and/or face recognition in connection with real-time monitoring.

High risk

This category covers artificial intelligence supporting enforcement, exercise of authorities within the asylum area, credit assessments and biometric identification of individuals. There are a number of requirements for artificial intelligence in this category, including as to implementation of risk management and quality assurance systems and logging, use of artificial intelligence, supervision, declarations of conformity, CE labelling, central registration of IT solutions and safety.

Limited risk

This category covers only the requirement for informing the users about the specific use of artificial intelligence, including e.g. by way of chatbots.

Low risk

This category does not cover any specific requirements for the IT solutions. However, you may voluntarily choose to observe the codes of making good use of artificial intelligence covered by the regulation. The IT suppliers may then use these as competitive parameters.

If the IT solution and the artificial intelligence are updated or changed, you have to reassess the categorisation.

2. Prepare a detailed impact assessment

It is important to prepare a detailed impact assessment based on the potential risks of using the specific type of artificial intelligence compared to the purpose, the specific task and the risks to the individuals using or included in the processing of the artificial intelligence in relation to relevant legislation.

When you have prepared the impact assessment, you can change the relevant parameters of the processing of the artificial intelligence so that the use of the artificial intelligence is less risky. It is also a good idea to include other relevant legal areas, for example personal data and administrative law, when considering the risks. In this connection, it is necessary to include relevant legal competencies in the impact assessment. The impact assessment supports, among other things, fulfilment of the requirements for data and documentation.

3. Consider data sources, data quality and data volume

As regards data quality, both the volume and the quality must be sufficient; data must be relevant and available. The data are the basis of the structure of the mathematical model - the algorithm - which constitutes the artificial intelligence. The data are thereby the basis of the artificial intelligence and decisive to the processing made by the artificial intelligence and its results. The importance of the data quality is also reflected in the proposal making special requirements for data and data control.

Make sure that you have the relevant data competencies to support the planned artificial intelligence being trained and based on the correct data, including historical, geographical and professional data. In this connection, you must map any lack of data or data insufficiencies and how to remedy these.

From the start, you should lay down the framework of and consider the use of data sets for regular training of the artificial intelligence and validation of the training.

4. Document the artificial intelligence regularly

It appears from the proposal that the IT supplier must prepare documentation of the IT solution before it is used. This documentation must be updated regularly.

The documentation must contain information on the structure of the artificial intelligence and how it works. This requires that updated technical documentation is made available on a current basis. The documentation must furthermore be sufficient to assess the IT solution’s fulfilment of relevant requirements. The documentation should include the IT solution’s general characteristics, capacity and limitations and processes concerning data, training, testing and validation.

We recommend that you implement a process to document the IT solution, especially in relation to updates and changes. This process may be made automatic. However, it is also a good idea to check that the documentation is generated as assumed, e.g. by way of a year wheel stating the areas of responsibility, the responsible employees and the dates when the data are checked.

Such a process will also help ensure that the requirements for documentation under administrative law are fulfilled.

5. Use existing arrangements and tools

Today, other regulations already apply which to some extent address the requirements for data quality and security etc. You may therefore obtain synergies by taking into consideration the regulation of personal data.

You should also consider data ethics when developing artificial intelligence. In this connection, you may use the Data Ethics Council’s assessment scheme and impact assessment available on the Council’s website: www.dataetiskrå You may also become certified with the data ethical label (the D label) which will prepare your company or the authority with which you are employed even better for developing artificial intelligence fulfilling the requirements of the future regulation.


Emilie Loiborg

Assistant Attorney