The EU's 2030 Digital Agenda sets the course for a European digital future, with accompanying new legislation. This new legislation brings numerous changes and obligations for various organizations and is therefore also relevant for M&A practice, as the scope of due diligence investigations will expand significantly as a result of the new legislation.
Legal Data Due Diligence
We're now accustomed to conducting privacy due diligence based on regulations such as the General Data Protection Regulation (GDPR). However, a privacy due diligence investigation will now be too narrow in scope. Before conducting due diligence, it's important to understand which regulations are relevant to a transaction, the obligations this entails for organizations, and (potentially) the risks for a buyer. Therefore, consult our online tool at www.legaldataduediligence.nl to determine which EU data laws may apply to the target company before a transaction. This blog provides M&A practitioners with guidance on the Artificial Intelligence Act (AI Act). For each law, we discuss the core obligations, scope, risks, and considerations for M&A practitioners.
AI Act
The European Artificial Intelligence Act (AI Act) is the world's first law on AI. The AI Act aims to promote the development and use of safe, trustworthy, transparent, traceable, and non-discriminatory AI systems in the EU. The AI Act was approved by the Council of the EU in May 2024. The AI Act will enter into force on August 1, 2024. The AI Act will take effect two years after its entry into force. However, certain obligations will apply earlier, such as the prohibition on prohibited practices (February 2025) and provisions on general-purpose AI and governance (August 2025). On the other hand, certain provisions on high-risk AI systems will apply later (probably August 2027).
Does the law apply to the target?
The AI Act applies to various entities involved in the development, distribution, and use of AI systems within the European Union. This includes providers and users of AI systems, as well as importers and distributors of such systems. Manufacturers of products that integrate AI systems and market or deploy them under their own name or brand are also subject to this legislation. Authorized representatives of providers that are not established in the EU but wish to market AI systems in the EU are likewise subject to the rules of the AI Act. Finally, the Act also protects affected persons located in the Union who encounter AI systems. In addition, the risk classification of the AI system determines which obligations under the AI Act apply to the organization. The AI Act categorizes AI systems as unacceptable risk (prohibited AI practices), high risk, or limited risk.
What are the core obligations?
To determine which obligations apply to the organization, it's important to first establish the organization's role and risk qualification. The following key obligations are relevant to identify:
- Monitoring and Risk Management: For high-risk AI systems, a post-market monitoring system must be established, implemented, documented, and maintained. This system collects and analyzes data on the performance of AI systems throughout their lifecycle to ensure continued conformity. Based on this analysis, appropriate and targeted risk management measures must be established where necessary. In the event of serious incidents, providers must report these to the market surveillance authorities of the relevant Member States.
- Quality management: Providers of high-risk AI systems must implement a quality management system that ensures compliance with the AI Act. This system includes, among other things, documented policies, procedures, and instructions. In addition to the aforementioned obligations, other obligations also apply to importers, distributors, and user representatives.
- Transparency: The AI Act also imposes certain transparency obligations. For example, providers and users of certain AI systems, such as those that interact directly with individuals, must inform data subjects that they are interacting with an AI system. Other transparency obligations, such as those under the GDPR, naturally remain in effect.
- EU Declaration of Conformity: Providers of high-risk AI systems must prepare EU declarations of conformity and make them available to national competent authorities. The declaration states that the AI system complies with the applicable requirements and must include certain information, such as a declaration that the AI system complies with the General Data Protection Regulation (GDPR) if the AI system processes personal data.
What are the risks (fines, etc.)?
Failure to comply with the AI Act could pose significant risks to entities. Failure to comply with prohibited practices or data management system requirements for high-risk AI systems could result in fines of up to €35,000,000 or 7% of annual global turnover, whichever is higher. Failure to comply with other obligations could result in fines of up to €15,000,000 or 3% of annual global turnover, whichever is higher. Enforcement of the AI Act will be carried out by a national authority, which has yet to be designated. In addition, a European AI Board will be established to oversee and provide guidance on compliance with the legislation.
What should you pay attention to during a transaction?
- Does the AI Act apply? Check the entity's role and the risk assessment of the AI system.
- Is all technical documentation complete and accurate?
- Have any serious incidents been reported to market surveillance authorities?
- Is the risk qualification of the AI systems correct?
- Is there a system in place for post-market monitoring of the AI system?
- Are there ethical guidelines for the use of AI?
- Are AI systems regularly audited?
- Is there a clear policy for AI data training?
- Are there mechanisms for users to challenge AI decisions?
- Are there measures for transparency and explanation of AI decisions?
Conclusion
The new EU data regulation has a significant impact on M&A practice, particularly on the due diligence process. The scope must be expanded to include "Legal Data Due Diligence" to identify applicable legislation, compliance, and risks.
Non-compliance can lead to high costs, fines, reputational damage, and loss of value. Both buyers and sellers are advised to check beforehand whether the legislation applies and whether the organization is compliant.
Want to know more?
Contact one of our specialists.