Artificial intelligence (AI) is already revolutionizing numerous areas of society and the economy. It opens up new opportunities for growth and innovation by automating processes, using resources more efficiently and enabling completely new business models. Accordingly, the demand for AI is high. Developing and operating your own AI models is costly and time-consuming, and requires high initial investments and extensive specialist knowledge. To meet the demand for cost-effective alternatives, the market has found a solution that has been used in the IT sector for a long time. Under the catchy name Software-as-a-Service (SaaS), software and hardware resources are offered as cloud-based solutions. This means that resources can be provided to users in a scalable and cost-effective way. The new star in the sky of cloud-based services is called AI-as-a-Service (AIaaS). This service allows companies to use predefined or self-trainable AI models that run on the infrastructure of large cloud providers via API. The advantages in terms of cost, time, scalability and access to the latest AI technologies are immense. This means that even small or medium-sized companies can implement AI projects that would otherwise only be available to large technology companies. Although it is similar to SaaS solutions, AIaaS raises a number of legal issues that need to be addressed before AIaaS projects can be implemented.
A Fresh Take on Old Favorites
A range of different AI applications are already on the market, serving a variety of functions. These range from chatbots to document processing and innovative investment tools. As with SaaS, the right contract design plays a crucial role in AIaaS. The contract must meet the requirements of the respective application. In particular, the contractual parties’ performance obligations must be regulated. The contractual parties should take the time to clearly describe the services in order to avoid misunderstandings and to create clarity for the interpretation and legal classification. Service level agreements should be concluded to ensure sufficient availability and quality of the AIaaS service, maintenance times and response times in the event of disruptions. Another important topic is the correct handling of data protection in accordance with the GDPR, since personal data is usually processed. Often, the use of cloud-based AIaaS solutions also involves a transfer of personal data to a third country, which is only permitted under the strict conditions of the GDPR. It must be clarified who is the responsible party, whether there is joint responsibility or order processing. Also, it needs to be clarified whether the use of the AIaaS is to be regarded as an outsourcing from the own company to the AIaaS service provider and whether this results in specific legal obligations. IT security also plays an important role. This applies in particular to financial companies that are subject to Regulation (EU) 2022/2554 (DORA). AIaaS providers are likely to regularly qualify as third-party ICT service providers within the meaning of DORA, which is why the far-reaching requirements of DORA must be observed. The requirements for contract design, project organization and monitoring can be high in individual cases, but there are also many design options that can best be used for a successful implementation of the project through careful planning and close exchange between the parties involved.
New Territory: Artificial Intelligence Act
In addition to the aspects mentioned above, the Regulation (EU) 2024/1689 (AI Act) is another piece of legislation that has been introduced recently at the European level and that the parties involved in an AIaaS relationship must comply with. In some cases, the requirements can be very extensive. For example, the AI Act prohibits certain practices in the field of AI. It also defines special risk management requirements for high-risk AI systems and obligations for actors in relation to such systems. It also imposes transparency requirements on certain AI systems and requires providers and operators of AI systems to take measures to ensure to the best of their ability that their personnel and other persons involved in the operation and use of AI systems on their behalf have an adequate level of AI competence. This may also mean that appropriate training is necessary. In most cases, the requirements for companies that integrate AIaaS solutions into their business are limited and do not present any significant obstacles. It is also a stated aim of the regulation to promote innovation and employment and to give the Union a leading role in the introduction of trustworthy AI.
Attorney Anton Schröder
subscribe to Newsletter-
Book Launch Party for the Crypto Assets MiCAR Commentary in Vienna
Attorney Lutz Auffenberg, LL.M. (London) at the book launch party for the commentary work “Crypto Assets”. -
Attorney Lutz Auffenberg, LL.M. (London) has Once Again been Awarded
Lexology, the renowned online portal specializing in the evaluation and recommendation of lawyers, has included our founding partner, Attorney Lutz Auffenberg, LL.M.(London), as one of the leading experts in Germany in its Lexology Index: Fintech & Blockchain (formerly known as Who’s Who Legal). -
Attorney Anja von Rosenstiel Contributes Chapter to MiCAR Handbook
Attorney Anja von Rosenstiel, LL.M. (Boston University), M.A. (Viadrina) and of counsel at FIN LAW, has provided a comparative legal analysis of the MiCAR with US regulations in the handbook MiCAR, edited by Johannes Meier, which is expected to be published in February 2025.
