The AI governance landscape is rapidly evolving – most countries and various institutions have published AI strategies; some are drafting legislation and others building complex testing frameworks. It is vital that organisations monitor the regulatory space in which they operate, and ensure they are proactively engaging with policymakers and regulators. Concrete guidance is not possible while regulations are still in flux, but staying informed of developments can help organisations stay ahead.
This blog accompanies the GSMA’s Policy Guide for the EU’s AI Act, the first comprehensive regulation on AI by a major governance body anywhere. The guide itself looks at the content of the Act as it is most relevant to Mobile Network Operators (MNOs), examining its influence and any lessons that can be taken from the GSMA engagement work on the AI Act.
To give some contemporary context to the policy guide, this blog looks at what can be expected from the AI Act itself as well as the EU’s wider AI strategy going forward.
Background and Timeline on the AI Act
The EU AI Act was formally agreed in 2024, but its implementation will be staggered over the subsequent three years, to allow time for compliance. The Act is split into different parts which will enter into effect at different times. The key dates are:
- 2 February 2025: General provisions and measures, and provisions for prohibited AI systems will apply
- 2 August 2025: Provisions for general-purpose AI models, and provisions on fines, notifying authorities, and governance structure will apply
- 2 August 2026: The remainder of provisions in the AI Act will apply, except for those addressing high-risk AI systems
- 2 August 2027: Provisions on high-risk AI systems will apply
What is next and how will it affect operators?
Work on the EU AI Act hasn’t finished. Still to be decided are implementing acts and delegated acts (parts of the text to be monitored and updated by the EU), guidelines for implementation (to further clarify the text) and codes of practice (to manage application of the text).
Most relevant for mobile network operators will be the following:
- The application of the requirements and obligations for high-risk AI systems and GPAI models, e.g. exactly what form record keeping should take, and what information needs to be provided
- The practical implementation of responsibility along the value chain, e.g. the provisions related to substantial modification and when an organisation takes on the role and responsibilities of provider
- Guidance to authorities in determining whether a system that has been declared non-high risk is actually high risk, or whether a GPAI model that has been declared without systemic risk does in fact present systemic risk
- A comprehensive list of practical examples of high-risk and non-high-risk use cases of AI systems, e.g. clarity for the four points outlining what is considered ‘human oversight’
To do this the EU will conduct a public consultation and a mapping of use cases, as well as work with the EU’s independent standard setting organisations.
Relevant related governance
There is existing and proposed legislation which is relevant to AI.
- Proposed new Product Liability Directive – addresses liability for products such as software (including AI systems) and digital services that affect how a product works.
- Proposed new AI Liability Directive – aims to address the risks generated by specific uses of AI by adapting non-contractual civil liability rules to AI.
- GDPR – applies to AI systems when personal data in the dataset is processed during the lifecycle of an AI system.
It is likely that the EU will create further legislation relating to AI. No information has been made public, but many predict that it will address specific areas e.g. cybersecurity and AI, workplace use of AI or AI and the health sector.
Wider strategy
Whilst legislating on AI, the EU has realised the importance of investment in AI for the EU’s competitiveness globally. It has launched a number of programmes to develop innovation and draw investment in developing technologies.
- CERN for AI proposal, a centralised hub for AI research and innovation, modeled on the success of the European Organisation for Nuclear Research (CERN).
- Digital Innovation Hubs, centres which provide tech expertise and testing facilities so companies can improve their processes, products, and services through digital technologies.
- Testing and Experimentation Facilities, in which technology providers can get primarily technical support to test their latest AI-based software and hardware technologies (including AI-powered robotics) in a real-world environment.
- Regulatory sandboxes, mandated by the AI Act, are controlled environments where innovators can test and explore their AI with regulators, to understand the application of regulation and to allow regulators to better understand the technology.
These initiatives will be crucial to ensuring the EU delivers on its promise to balance protection of fundamental rights and Union values, while encouraging innovation and industry.
As the mobile industry takes the lead on uptake of responsible AI, and further develops AI solutions to improve performance, security and customer experience, it is vital also to stay aware of the AI governance landscape and to work with governments and institutions on a governance strategy that works for industry and society to boost economic growth, enhance research and innovation, address societal challenges, establish ethical guidelines, and ensure that the deployment of AI technologies is inclusive, transparent, and secure.
You can read the full policy guide for the EU AI Act here. If you would like to stay up to date with GSMA publications and insights, please sign up to our newsletter.
If you are interested in working with the GSMA on AI governance, you can join the AI for Impact Policy and Regulatory subgroup by emailing ewiltshire@gsma.com.