EU ARTIFICIAL INTELLIGENCE ACT: IMPLICATIONS FOR MALAYSIAN BUSINESSES
Introduction
Artificial Intelligence (“AI”) applications shape various aspects of your life in profound ways. They determine the information you encounter online by predicting the content most engaging to you, analyze facial data to enforce laws or tailor advertisements, and assist in diagnosing and treating cancer. In short, AI significantly impacts many areas of your daily life.
On 1 August 2024, the European Union (“EU”) AI Act (“Act”) entered into force, with its provisions taking effect in stages:
- February 2, 2025: The ban on prohibited AI practices will take effect.
- August 2, 2025: Rules for general-purpose AI will take effect for new models.
- August 2, 2026: Rules for high-risk AI systems will take effect.
- August 2, 2027: Rules for AI systems that are products or safety components of products regulated under specific EU laws will apply.[1]
The Act, set to become the world’s first comprehensive regulatory framework for AI, is poised to significantly impact businesses worldwide, including those in Malaysia. Similar to the EU’s General Data Protection Regulation (GDPR) implemented in 2018, the Act has the potential to set a global standard that shapes the positive or negative impact of AI on your life wherever you may be. While primarily governing AI usage and development within the EU, its extraterritorial scope means that Malaysian businesses interacting with the EU market must align with its requirements.
This article explores the key aspects of the Act, its implications for Malaysian businesses, and practical steps to ensure compliance.
Overview of the EU Artificial Intelligence Act
The Act applies to a broad spectrum of AI systems, which it defines as machine-based systems capable of making predictions, recommendations, or decisions that impact their environments.[2] This definition covers diverse technologies, including machine learning models, natural language processing systems, and general-purpose AI (GPAI) models. GPAI models, trained on vast datasets, are versatile and can be integrated into various downstream applications or systems.
The Act adopts a risk-based approach to regulating AI systems, categorizing them into four risk levels:
- Unacceptable Risk: AI systems that violate fundamental rights, such as social scoring by governments and manipulative AI, are prohibited.
- High Risk: These include AI systems used in sensitive areas like recruitment, credit scoring, healthcare, and transportation. High-risk systems are subject to specific legal requirements, including risk management, data governance, and human oversight.
- Limited Risk: A smaller section addresses limited-risk AI systems, which are subject to lighter transparency obligations. Developers and deployers must ensure that end-users are informed when they are interacting with AI technologies, such as chatbots and deepfakes.
- Minimal or No Risk: Most AI systems, such as entertainment applications (for example, AI-enabled video games and spam filters), are not explicitly banned or listed as high-risk and are largely left unregulated.[3]
Penalties for non-compliance with the Act are significant, highlighting the need for businesses to take the regulation seriously. The penalties are:
- Prohibited AI practices: Up to €35 million or 7% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher.
- Other obligations: Up to €15 million or 3% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher.
- Incorrect or misleading information: Up to €7.5 million or 1.5% of the organization’s total worldwide annual turnover for the preceding financial year.[4]
Implications for Malaysian Businesses
The broad applicability of the EU AI Act means Malaysian businesses, even without a physical presence in the EU, must ensure compliance when engaging with EU markets.
1. Extraterritorial Reach
While the Act primarily focuses on regulating AI activities within the EU, its extraterritorial reach extends to businesses outside the EU, including those in Malaysia, if their AI systems or outputs are deployed or utilized within the EU, i.e.:
- Non-EU businesses offering AI products or services within the EU market; and
- Non-EU entities whose AI systems affect individuals in the EU.[5]
For instance, a Malaysian e-commerce platform using AI-powered recommendation engines for EU customers or a fintech company using AI for credit scoring in the EU must comply with the Act.
2. Supply Chain Adjustments
Malaysian businesses in the supply chain of EU companies must ensure their AI systems and components comply with the Act, as non-compliance at any level could disrupt operations.
For example, a Malaysian semiconductor manufacturer supplying AI chips to EU-based tech firms must meet design transparency requirements to avoid jeopardizing partnerships.
3. Regulatory Costs and Challenges
Compliance entails significant costs, particularly for businesses using high-risk AI systems. These systems require:
- Comprehensive documentation of algorithms and datasets;
- Regular testing for bias and discriminatory impacts; and
- Implementation of robust cybersecurity measures.
4. Impact on SMEs
For SMEs, the regulatory burden may seem daunting due to limited resources. However, the Act includes provisions aimed at supporting smaller enterprises through guidance and reduced compliance obligations.[6] For example, a Malaysian SME developing AI-powered language translation tools for EU clients may benefit from simplified procedures if its systems are classified as limited-risk AI.
5. Opportunities for Competitive Advantage
Early adopters of the Act’s ethical AI principles can enhance their marketability and reputation. Malaysian businesses that align with EU standards may find it easier to expand their operations globally.
Expanding Malaysian AI Governance to Align with Global Trends
As the Act sets a global benchmark, it signals the need for countries like Malaysia to refine their AI governance frameworks. While Malaysia has laid a foundation with initiatives such as the National AI Roadmap and MyDIGITAL Blueprint, aligning with international standards could enhance Malaysia’s competitiveness.
Currently, Malaysia’s AI strategy emphasizes innovation, talent development, and ethical AI adoption. The key components include the National Cloud and AI Framework, which focuses on fostering AI-driven economic growth; the Personal Data Protection Act 2010; and sector-specific guidelines, e.g., Bank Negara Malaysia’s risk management guidelines for AI in financial services.
To align with the Act, Malaysia can introduce a classification system similar to the Act’s for industries using AI in high-risk domains like healthcare and finance. Besides that, Malaysia can also expand its regulatory sandbox initiatives for AI, allowing companies to test solutions in controlled environments. For example, Bank Negara Malaysia’s Fintech Regulatory Sandbox could include AI-driven financial products, facilitating smoother compliance for cross-border operations. By embedding robust governance structures, fostering talent development, and supporting cross-border collaborations, Malaysia can ensure its AI ecosystem thrives on a global stage.
Conclusion
While the Act introduces challenges, it also offers Malaysian businesses the opportunity to innovate responsibly and to gain a competitive edge in the global market. Industries such as healthcare, finance, and technology are ripe for collaboration with EU partners to co-develop AI systems that meet global standards.
Additionally, the Act’s focus on ethical AI aligns with Malaysia’s broader goals under initiatives like the National AI Roadmap, fostering synergy between compliance and local innovation strategies. By investing in responsible AI practices, Malaysian companies can position themselves as trusted players in an increasingly regulated global economy.
Author: Fakhrullah Fadzilah
References:
[1] https://www.ibm.com/topics/eu-ai-act#:~:text=The%20supply%20of%20incorrect%2C%20incomplete,specific%20EU%20laws%2C%20will%20apply.
[2] https://artificialintelligenceact.eu/article/3/
[3] https://artificialintelligenceact.eu/high-level-summary/
[4] https://artificialintelligenceact.eu/article/99/
[5] https://artificialintelligenceact.eu/article/2/
[6] https://artificialintelligenceact.eu/article/62/#:~:text=The%20EU%20is%20asking%20member,is%20a%20machine%2Dgenerated%20translation.