 The AIaaS component: legal requirements for AI as a ServiceBjørn Aslak Juliussen Chapter 5 in Compliance by Design in AI Systems, 2026, pp 214-276 from Edward Elgar Publishing Abstract: This chapter examines legal complexities when using AI-as-a-Service (AIaaS) platforms. The chapter highlights how further processing of personal data on AIaaS platforms to develop AI models may require a separate legal basis under the GDPR and may shift controllership to the AIaaS provider. Cross-border transfers of personal data and global processing chains further complicate compliance, particularly with regard to the transfer rules in Chapter V of the GDPR. The current chapter also addresses cybersecurity obligations under the NIS 2 Directive and the CRA for AIaaS, focusing on API vulnerabilities. Finally, it argues that AIaaS obfuscates traditional legal roles, suggesting a need to rethink static responsibilities such as controller, processor, provider, and deployer across the GDPR, the AI Act, and cybersecurity regulations. Keywords: AI as a Service; AIaaS; Controllership; Third-Country Transfers; NIS 2-Directive (search for similar items in EconPapers) Downloads: (external link) Related works: Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text Persistent link: https://EconPapers.repec.org/RePEc:elg:eechap:25422_5 Ordering information: This item can be ordered from Access Statistics for this chapter More chapters in Chapters from Edward Elgar Publishing |
Is your work missing from RePEc? Here is how to contribute.
Questions or problems? Check the EconPapers FAQ or send mail to .
EconPapers is hosted by the
School of Business at Örebro University.