
The 10 Commandments of the New AI Law


August 2nd has been set as the date for the general application of most of the obligations of the European Regulation on Artificial Intelligence, officially Regulation (EU) 2024/1689, with some exceptions and relevant transitional periods. This Regulation, known as the new AI Law, has been approved by the European Union to establish a common framework for the development, marketing, and use of Artificial Intelligence systems. This regulatory framework is more than necessary, as more and more companies are incorporating AI processes into their daily operations, whether officially or unofficially. In fact, according to a European Central Bank report from this year, 38% of companies in the eurozone are already in an advanced stage of AI adoption.

The new AI Law aims to create common rules so that Artificial Intelligence can be developed and used safely, transparently, and with respect for fundamental rights, without stifling innovation. This regulation, which affects both companies that develop Artificial Intelligence and any organization that uses, integrates, distributes, imports, or implements it within its processes, products, or services, establishes penalties of up to 35 million euros or 71% of global annual turnover, depending on the severity of the infraction. Excelia, a Spanish consulting, technology and professional services firm, has set out in its new report, AI Law: A practical guide to preparing your company, the 10 obligations that the new AI Law implies for organizations:

  • Identify where AI is being used: The first step is to identify and inventory all Artificial Intelligence systems and tools used in the organization, indicating the area, purpose, data processed, provider, and person responsible for their use.
  • Classify the uses according to their level of risk: After identifying the AI systems, the organization must assess their impact and classify them according to the European AI Regulation to define the necessary controls, documentation, and monitoring.
  • Prevent uses not authorized by regulations: Organizations must review their AI uses to detect practices prohibited by the Regulation and discard from the outset those that are not permitted, especially in sensitive areas such as manipulation, vulnerabilities, biometrics or emotion recognition.
  • Train teams in the responsible use of AI: The AI Act requires training for people who work with these systems so that they understand how they work, their limitations, risks, and how to use them safely according to their role.
  • Establish internal policies and responsibilities: The adoption of AI requires a governance model that defines permitted uses, data, authorizations, and responsibilities between areas to prevent uncontrolled uses and ensure common approval and monitoring criteria.
  • Control what data is used with AI: Organizations must establish what data can be used in AI tools, what information should be excluded, and which providers can access it, ensuring privacy, security, and confidentiality.
  • Report when AI is used: Companies must clearly disclose when people are interacting with AI or when content has been generated or manipulated with Artificial Intelligence, especially if it could be mistaken for human content.
  • Ensure human supervision: Relevant processes that incorporate AI must have effective human oversight, especially when they may affect people, rights, safety, health, or sensitive decisions.
  • Document decisions, controls, suppliers, and evidence: Organizations must document their AI systems, uses, risks, providers, controls, and monitoring measures to demonstrate controlled use and respond to audits or requirements.
  • Maintain control over time: It is necessary to periodically review the uses of AI, update policies and controls, and maintain a clear view of the associated risks, changes, and responsibilities.

“The AI Law comes at a time when more and more companies are incorporating Artificial Intelligence into their processes, often without a complete understanding of all the uses, tools, and providers involved. Complying with the Regulation requires undertaking this review, understanding the risks, and establishing clear controls. It's a matter of compliance, but also of trust and corporate responsibility,” says Josep Bardallo, Cybersecurity & Cloud Director at Excelia, who adds: “Many organizations know they need to prepare, but they aren’t always clear on how to translate the regulations into their daily operations. AI affects technology, data, processes, suppliers, security, and business decisions, so it needs well-defined governance. Having a specialized partner like Excelia helps to organize this work, prioritize actions, and build a model that allows them to comply with the AI Law without sacrificing their capacity for innovation.”

Excelia supports companies in adopting Artificial Intelligence from a practical and secure perspective, helping organizations transform their business objectives into tangible projects while establishing a governance framework that enables the controlled, responsible, and compliant use of AI. Its expertise combines technological knowledge, consulting, cybersecurity, and data analysis to empower organizations to integrate AI into their processes, protect information, mitigate risks, and move forward on a solid foundation.