AI Regulatory Pressure Mounts in US and EU

- While the EU's NIS2 Directive does not explicitly name AI, its mandate requires entities in critical sectors to manage and secure their digital supply chains, which includes third-party AI platforms and tools. This creates an obligation for organizations to assess risks originating from AI providers, contractually stipulate security standards, and continuously monitor for vulnerabilities. - The NIS2 directive imposes strict incident reporting timelines—requiring notification to national authorities within 24 hours of a significant cyber incident—which has significant implications for AI systems that might be implicated in a breach. Non-compliance carries substantial penalties, with fines reaching up to €10 million or 2% of the company's total global annual turnover. - In the U.S., the federal approach to AI is focused on fostering innovation to maintain a competitive edge over China, as outlined in policy papers like "Winning the Race: America's AI Action Plan". This has led to a "patchwork" of state-level regulations, with at least 40 states introducing AI-related bills and states like Colorado, Utah, and New York enacting their own specific laws. - The federal government is asserting its role through executive action, with a DOJ-led AI Litigation Task Force established to potentially challenge state laws that are seen as conflicting with a national "minimally burdensome" framework. This creates a complex compliance landscape for companies operating nationwide. - The Tennessee "ELVIS Act" (Ensuring Likeness Voice and Image Security Act) is the first state law in the nation to protect the voice and likeness of artists from unauthorized use by AI. It creates a new property right for an individual's voice and allows for civil action against those who use technology to create unauthorized reproductions. - Recent U.S. Senate hearings have emphasized themes of transparency and risk management, with frequent reference to the National Institute of Standards and Technology (NIST) AI Risk Management Framework as a foundational standard. There is also a strong link being drawn between AI regulation and broader data privacy concerns, with some senators arguing that privacy legislation is a necessary precursor to effective AI governance. - Bipartisan focus in Congress is also directed at the physical infrastructure of AI, with legislative proposals to investigate the impact of data center construction on local electricity costs and national security-focused bills like the AI OVERWATCH Act, which would restrict exports of advanced AI chips to foreign adversaries.