Introduction
From autonomous-driving to ADAS (Advanced Driver Assistance Systems), to the potential for Artificial Intelligence (AI) to transform the aftermarket, AI is much-discussed as being transformational in the automotive sector; and there are numerous reported examples of AI being used already, for design, validation and performance management, connected with the manufacturing process.
However, automotive businesses developing, supplying and/or using AI tools now, or planning to do so in future, should be aware of emerging legislation that may impose mandatory legal obligations on parties involved in the AI system “life-cycle”.
Within the EU, for example, Regulation (EU) 2024/1689(the “EU AI Act”) was adopted in March 2024 and entered into force on 1 August 2024. It is a legislative framework relating to the development, placing on the market, putting into service and use of AI systems in the EU, partly with the intention of ensuring the protection of health and safety and “fundamental rights”, such as democracy, the rule of law and environmental protection, as well as supporting the proper functioning of the internal market, including fair and undistorted competition.
The requirements of this legislation intersect with the more-traditional realm of conformity assessment obligations for “physical” products. A key consequence is that many AI systems used in the automotive sector are likely to be treated as “high-risk AI systems” under the EU AI Act by virtue of being safety components of vehicles or parts subject to EU type-approval regimes, or other harmonised legislative frameworks, creating many regulatory obligations on the providers (as well as deployers, importers and distributors) of such systems. Since the EU AI Act provides for significant penalties for infringement, it is important that any company operating in the automotive sector that is using, or plans to use, AI systems or products that include AI systems as components, is aware of its obligations and ensures effective compliance.
Overview of EU AI Act
The EU AI Act lays down harmonised rules for the development, placing on the market, putting into service and use of AI in the EU; and there are obligations under the legislation for both providers and deployers (as well as importers and distributors) of AI systems in this context. The requirements are being introduced on a phased basis over a two-year period. Provisions relating to AI literacy and prohibited AI practices have applied since 2 February 2025. Automotive businesses are, therefore, already required to ensure compliance with these provisions, where relevant.
Other key provisions of the EU AI Act, including those related to AI systems that are classified as “high-risk”, mostly come into force on 2 August 2026, although the provisions relating to classification of an AI system as high-risk due to it being covered as a product, or safety component of a product, under certain EU harmonised legislation, and the corresponding obligations, do not apply until 2 August 2027.
The EU AI Act will impact businesses both inside and outside of the EU. To the extent that a non-EU business sells or otherwise places an AI system on the EU market, or if, when deployed, the output of an AI system developed by that business is intended to be used in the EU, the legislation will have extraterritorial effect. However, its application is role-specific and does not necessarily attach to both “ends” of the supply chain in every scenario.
So, for example, if a business that develops software is based in the US, China or the UK and sells that software to a German original equipment manufacturer (OEM) or a Spanish Tier-1 supplier for integration into a vehicle or component part, the requirements under the EU AI Act will apply to that software (assuming that the software is an AI system within the meaning of the legislation and is within scope, and not otherwise exempt). However, the non-EU developer would not typically be regarded solely by virtue of development as a provider under the EU AI Act. It will be the EU based supplier of the vehicle or component who will likely be regarded as the “provider” of the AI system where it integrates the AI system or AI-enabled component, as applicable, and places the resulting AI-enabled vehicle or component on the EU market under its own name or trademark (i.e., unless the non-EU software developer retains branding, defines the intended purpose, or otherwise assumes responsibility for conformity assessment).
Conversely, where a non-EU established Tier-1 supplier of a vehicle part embedding an AI system as a safety component of that part, supplies that part to OEM customer in France, the French customer of the non-EU business would likely be regarded as the “importer” of the relevant software, being a person located or established in the EU, that first makes available the software for distribution or use, on the EU market. Because importers must ensure that any high-risk AI system conforms with the requirements under the EU AI Act (by various means, including by verifying that the provider has appointed an authorised representative, established in the EU, with the authorised representative themselves separately obliged to verify certain matters and keep various records) the French customer should themselves insist that the non-EU provider supplies evidence of compliance, where relevant.
Furthermore, direct and certain downstream customers in the EU will be required to check that the non-EU provider has complied with the relevant requirements for an AI system, because there are additionally obligations for importers and distributors in the EU under the legislation.
Penalties and Compliance Jigsaw
The penalties for non-compliance with the EU AI Act could be significant. Historically, EU “product” legislation did not commonly provide for enforcement or penalties (this being addressed by domestic legislation, which provides for enforcement in each relevant member state).
However, (in common with other more recent EU legislation, such as those relating to deforestation and corporate sustainability due diligence), the EU AI Act provides that penalties must be effective, proportionate and dissuasive, and administrative fines for most non-compliances under the legislation are specified to be up to €15 million, or up to 3% of total worldwide annual turnover, for the preceding financial year, whichever is higher (except for small- and medium-sized enterprises (SMEs) where it is the lower figure that is relevant). Those are pretty eye-watering sums, but even those are not the highest penalties: for non-compliance with the prohibition of certain practices under the EU AI Act, the relevant sums are the higher of €35 million, or up to 7% of total worldwide annual turnover, respectively (or, again, the lower of those figures for SMEs). Therefore, the impact on those who don’t get this right could be very significant.
But even that is not where the story ends. Automotive businesses must also consider that the EU AI Act is just one piece of the puzzle that is the regulation of AI. Even those AI systems that are not classified as high-risk AI under the EU AI Act may be subject to requirements under other regimes (in addition to the requirements for lower-risk categories of AI under the AI Act).
Please read our full article for further details of: the link between the type-approval regime and high-risk classification under the EU AI Act; high-risk classification of components, spare parts and other products regulated under separate regimes (including “ancillary” branded products, such as toys or sunglasses); the relevance of the high-risk classification of machinery to the use of AI systems as safety components of such machinery in the production process; the conformity assessment processes that will be relevant to high-risk AI systems; and the other legal regimes that may also apply to the use of AI by automotive businesses.