EU AI Act Goes Fully Live — What Japanese (and Any Non-EU) Companies Should Do Now
Business

EU AI Act Goes Fully Live — What Japanese (and Any Non-EU) Companies Should Do Now

The EU AI Act fully applies from August 2026. The 'Brussels effect' means even companies not selling into the EU can't ignore it. Risk tiering, data governance, transparency, and Japan's likely follow-on.

KIYODO00
#EU AI Act#AI regulation#compliance#corporate legal#Brussels effect

The EU AI Act became law in August 2024 and reaches full application with penalties in August 2026. As with GDPR, this is not just an EU story. Here's the work non-EU (especially Japanese) companies should be doing now.

Risk tiering is the core

The Act sorts AI systems into four tiers:

  1. Unacceptable Risk (social scoring, subliminal manipulation, real-time public face recognition with limited exceptions) → banned
  2. High Risk (hiring, credit, education evaluation, medical, critical infrastructure) → conformity assessment + registration + monitoring
  3. Limited Risk (chatbots, deepfakes, emotion recognition) → transparency obligations (disclose AI use)
  4. Minimal Risk (spam filters, game AI) → unregulated

Maximum penalty: €35M or 7% of global annual revenue (stricter than GDPR's 4%).

The Brussels effect doesn't spare you

Just as GDPR did, EU regulation becomes a de facto global standard:

  1. Selling into the EU at all puts you in scope
  2. Unifying a global AI policy at HQ is more practical than regional variants
  3. Japan's "AI Promotion Act" and "Important AI System" framework are expected to follow EU patterns around 2027

Translation: work done on EU compliance now lowers your eventual Japan compliance cost.

Five things Japanese companies should do now

1. AI inventory

List every AI/LLM/ML system in production: who, where, why, which vendor. OpenAI API, Claude API, Copilot, Gemini Workspace — all of it. Listed companies usually find 100+ touchpoints once they look.

2. Self-tier each use

Map each item to the EU AI Act's four tiers. If you have High Risk uses (hiring, credit, medical), start preparing conformity assessments.

HR Tech is the immediate red flag: AI resume screening, interview video analysis, personality/aptitude scoring — all high risk.

3. Transparency obligations

  • Customer chatbots → display "This is AI"
  • AI-generated text/image/video → machine-readable identifiers (C2PA, etc.)
  • AI used in significant decisions → notify the user

4. Data governance

High-risk AI training data requires representativeness, accuracy, bias verification. Fine-tuning on internal data demands records of PII handling and bias testing.

5. Standing AI policy committee

Monthly meeting between "departments using AI" and compliance/legal/infosec. Through 2027 at minimum, all new AI projects should go through review.

Mid-market and SMBs

"We don't sell to the EU" doesn't work either:

  • Major Japanese customers are starting supplier audits asking for EU AI Act compliance
  • Banks and insurers are running AI use surveys
  • Job listings are full of "AI ethics lead" and "responsible AI" roles

Companies over 500 employees should draft an AI policy this year. Sub-200-person teams can follow industry association guidelines.

When does Japan move?

METI, MIC, and the Cabinet Office are targeting 2027 for an "Important AI System Framework." Expect the EU "High Risk" concept to migrate, with a softer penalty model (guidelines + industry self-regulation).

Sector-specific regulation is already moving faster — medical AI, autonomous driving, financial AI all have their own ministry-driven tightening.

What this means for end users

  • Outputs from ChatGPT, Claude, Gemini will increasingly carry "AI-generated" labels (started in EU, spreading globally)
  • AI-using interview processes will require disclosure ("AI is involved, a human reviews")
  • Japan likely sees similar rules from 2027 onwards

The "overregulation" critique exists, but the goal — correcting information asymmetry — is sound. Companies that start six months early will be better off.

Frequently Asked Questions

When does the EU AI Act take full effect, and what are the penalties?

It entered into force in August 2024 and reaches full enforcement in August 2026, when penalties kick in. Fines run up to €35 million or 7% of annual worldwide turnover (whichever is higher) — a stricter ceiling than GDPR's 4%.

Does it apply to Japanese companies that don't sell in the EU?

Effectively, you can't stay out of it. Via the same "Brussels effect" as GDPR, EU rules become the de facto global standard: companies serving the EU are directly in scope, unifying AI policy globally is more practical than per-region variants, and domestic supplier audits plus bank/insurer AI-use surveys increasingly demand compliance evidence.

Which AI uses count as "high risk"?

Hiring, credit scoring, education assessment, medical, and critical infrastructure are high risk, triggering conformity assessment, registration, and monitoring duties. HR tech — AI resume screening, interview-video analysis, personality assessment — is entirely high risk. Chatbots and deepfakes fall under limited risk (transparency obligations only).

When will Japan regulate?

METI, MIC, and the Cabinet Office are targeting 2027 for an "Important AI System Framework," migrating the EU "high risk" concept with a softer, guidelines-plus-self-regulation penalty model. Medical AI, autonomous driving, and financial AI are already tightening under their respective ministries.

Read also

Comments (0)

No comments yet. Be the first to leave one.