AIRiskAware

A regulator wrote to you about AI. Here is what happens next.

Your initial response shapes the trajectory of the matter. The instinct to respond quickly is usually wrong. The instinct to delay is also wrong. There is a structured approach that produces better outcomes.

Before you respond

Every regulator interaction sets a precedent. Voluntary statements made in the first response are difficult to retract and can be used against you later. Treat the initial response as a formal legal communication from the moment you read the notice, even if the tone of the notice is informal.

The first 24 hours

  1. Read the notice carefully and identify the legal mechanism

     Is this a request for information, a notice of investigation, a show-cause notice, or an enforcement decision? Each has different procedural implications and different response options. Do not assume.

  2. Identify the deadlines

     Note every deadline in the notice and the consequences of missing each one. Calculate them from the date specified in the notice, not the date you received it. Deadlines may not be extendable.

  3. Engage external counsel before internal investigation

     Privilege over internal materials generated in response to the notice typically requires that the investigation be conducted under legal direction from the start. Privilege does not retroactively attach to materials created before counsel was engaged.

  4. Implement a document preservation hold

     From the moment you become aware of the regulatory interest, document destruction in the normal course (including automated email purging) may give rise to spoliation arguments. Suspend routine destruction immediately.

  5. Do not respond yet

     Acknowledge receipt if required by the notice. Do not respond on substance until you have completed steps one through four and developed a deliberate position.

The substantive response

The temptation in a regulatory response is to demonstrate sophistication by providing more information than was asked for. This is almost always a mistake. Respond to what was asked, accurately and completely. Do not volunteer information about systems, practices, or issues that were not the subject of the inquiry. Volunteered information expands the scope of regulatory interest.

Where the notice asks about specific AI systems, answer about those systems. Where it asks about your governance framework, answer about your framework. The line between responsiveness and over-disclosure is critical.

Common AI regulatory inquiries

AI regulatory inquiries typically fall into a small number of categories. Identifying which category yours fits within helps you anticipate where the inquiry is heading.

  • System classification disputes: the regulator believes your AI system is classified differently than you have classified it (typically that it is high-risk where you have treated it as limited risk).
  • Conformity assessment gaps: the regulator believes you should have completed conformity assessment for an AI system that is operating in the market.
  • Transparency obligations: the regulator has received complaints that you have not adequately disclosed AI use to affected individuals.
  • Discrimination complaints: the regulator is investigating allegations that an AI system has produced discriminatory outcomes for protected groups.
  • Data protection breach inquiry: personal data processing in connection with AI has been the subject of a complaint or breach notification.
  • Industry-wide thematic review: the regulator is examining a category of AI use across multiple operators and your organisation is one of several being asked.

You need experienced support

Regulatory responses to AI inquiries are not a do-it-yourself exercise. Engage external counsel with AI regulatory experience immediately. We work alongside your legal advisors to provide the technical and governance dimension of the response.
