Skip to main content
P. Fischer, Encore une règlementation européenne à vocation extraterritoriale ? : Application du Règlement sur l’IA à des entreprises suisses, (03 février 2025) <https://cdbf.ch/1397/>
P. Fischer, Encore une règlementation européenne à vocation extraterritoriale ? : Application du Règlement sur l’IA à des entreprises suisses (03 février 2025) <https://cdbf.ch/1397/>
 CC BY

Articles en relation

Plus d'articles en relation

Yet another European regulation with extraterritorial application?

Application of the AI Act to Swiss companies

(Translated by DeepL)

Following on from the EU’s General Data Protection Regulation (GDPR), the European Regulation on Intelligence artificial (AI Act) provides for a broad territorial scope, covering not only companies incorporated within the EU, but also some located in third countries such as Switzerland. Swiss financial intermediaries may therefore be affected by the AI Act, the extraterritorial dimension of which is presented in this commentary.

A. Criteria for determining the territorial scope of the AI Act

We will discuss here the two alternative criteria that determine whether a non-EU provider or deployer falls within the scope of the AI Act. It should be noted that other roles provided for in the AI Act – such as distributor or product manufacturer – may also lead to extraterritorial application of the AI Act.

Criterion 1 (article 2 (1) (a) AI Act) : applicable only to suppliers

The AI Act applies to suppliers, regardless of their location (EU or non-EU), who :

  • “place on the market” or “put into service” in the EU an AI system (AIS) ; or
  • “place on the market” in the EU a general purpose AI model (GPAIM).

There are therefore four variables underlying this criterion : AIS, GPAIM, “placing on the market” and “putting into service”. On the concepts of AIS and GPAIM, we refer to Caballero Cuevas, cdbf.ch/1382/ . On the other hand, the other two concepts merit some explanation :

  • The concept of “placing on the market” is defined in Article 3(9) of the AI Act as “the first making available of an [AIS] or [GPAIM] on the Union market”. The text refers to the first distribution within the EU, which can be explained by the fact that the AI Act is a regulation on market access and product safety (the AI Act is thus different from the RGPD, which regulates behaviour). This criterion is therefore not met by anyone who makes an AIS available to a customer in the EU if that AIS has already been marketed in the EU. Similarly, the importation of an AIS by a person for his or her own use (e.g. a mobile phone equipped with an AIS) does not constitute ‘placing on the market’.
  • The concept of “putting into service” is defined in Article 3 (11) AI Act as the “delivery” into the EU (in the sense of “making available”) of an AIS (i) for first use by a deployer or (ii) for the supplier’s own use. The concept of “putting into service” applies to AIS, but not to GPAIMs, which, according to the AI Act concept (cf. in particular Article 3 (63) AI Act), are only one component of an AIS (Caballero Cuevas,cdbf.ch/1382/ ).

Criterion 2 (article 2 (1) (c) AI Act) : applicable to non-EU suppliers and deployers

Even in the absence of a “placing on the market” or “putting into service” in the EU according to Criterion 1, the AI Act may apply to a Swiss supplier or deployer when the “output” (the term used by the RIA to designate what is commonly called the output) is used in the EU

Recital 22 of the AI Act suggests that this criterion was introduced to avoid regulatory arbitrage by relocating activities outside the EU that could have an influence on the European internal market. The text of Article 2 (1) (c) AI Act is, however, broader and encompasses any use of an output within the EU.

A supplier or deployer may therefore fall within the scope of the AI Act simply because the output is intended for use in the EU and is actually used in the EU.

On the other hand, a simple unintended ‘spillover effect’ resulting from the fortuitous presence of the output in the EU should not be sufficient to trigger the application of the AI Act. In the absence of published practice on the matter, we can naturally only speculate on what such an unintended “spillover effect” might be : in our view, we could take the fictitious and no doubt somewhat simplistic example of a US company which has developed an AIS to analyse trends in certain asset classes on the US stock market and which generates publications based on US market data. An investor based in the EU accesses these publications via an online subscription and uses them to invest in European stock markets (as this investor intends to implement an investment strategy based on the interconnections between financial markets). In this case, the US company could, in our view, take the position that the AIS was not “intended for use in the EU”.

Furthermore, some authors argue that the criterion of intention (which is mentioned in recital 22 of the AI Act : “intended to be used”) implicitly contains a de minimis threshold. However, the text of the AI Act does not expressly say so. It will no doubt be up to the European Artificial Intelligence Committee (AI Committee) to flesh out the concept of “use” of an output in the EU.

On the assumption that most Swiss financial intermediaries will probably act as deployers (the concepts of “provider” and “deployer” will be the subject of a forthcoming commentary), the AI Act could, for example, be triggered when a Swiss financial intermediary provides services using AI to clients resident in the EU.

B. Illustrations

We can illustrate the above with the help of a few practical cases. The descriptions below reflect the current interpretation of the text of the AI Act and are subject to further clarification by the authorities.

  1. Chatbot on the website : A Swiss bank makes available on its website a chatbot that it has created itself and that provides answers to general questions about its services (see Jotterand, cdbf.ch/1377/). The chatbot can be used by EU residents. The Swiss company will be subject to the AI Act (application of Criterion 2 : output used in the EU).
  2. AIS used for marketing purposes : A Swiss bank has developed an AIS and is using it to create marketing campaigns (text and images). Prospects in the EU are expected to receive the content generated by the AIS (for example in the form of a promotional email). The Swiss company will be subject to the AI Act (application of Criterion 2 : output used in the EU).
  3. AIS used by the HR department : A Swiss company uses an AIS to analyse and filter applications (an activity that would fall under the definition of “high risk processing” as defined in Annex II of the AI Act) for a position in Switzerland. This company should not be subject to the GDPR, even if applications from the EU are analysed, provided that the output is only used at the company’s headquarters in Switzerland (Criterion 1 : not met as no “placing on the market” / “putting into service” in the EU / Criterion 2 : not met as no output used in the EU).

C. Practical consequences of applying the AI Act

Certain Swiss companies subject to the AI Act will have to take these regulations into account as soon as they come into force (see the timeline available at the following link : cdbf.ch/1359). The material obligations arising from the AI Act will be the subject of a separate commentary to be published on this platform. However, it can already be said at this stage that the main obligations are likely to concern the non-EU supplier of a high-risk AIS (including the need to appoint a representative within the EU / Article 22 AI Act). On the other hand, the non-EU deployer of a high-risk AIS or the non-EU supplier/deployer of a limited-risk AIS will mainly have to worry about complying with the transparency obligation.