EU AI Act

Security & Compliance intermediate

The EU AI Act (Regulation (EU) 2024/1689) is the European Union's risk-based law for regulating artificial intelligence, imposing obligations on AI systems according to their risk level.

Summary

The EU AI Act—Regulation (EU) 2024/1689—is the European Union's comprehensive law for regulating artificial intelligence. It takes a risk-based approach: AI systems are classified by the level of risk they pose, and obligations scale accordingly, from minimal requirements up to strict controls or outright prohibition for unacceptable uses.

What is the EU AI Act?

The regulation sorts AI systems into risk tiers. Unacceptable-risk practices are banned; high-risk systems (for example in critical infrastructure, employment, or essential services) face requirements such as risk management, data governance, transparency, human oversight, and conformity assessment; limited-risk systems carry mainly transparency duties. Obligations apply across the value chain, including providers and deployers.

Compliance is being phased in over time, with major obligations for high-risk systems taking effect in 2026, and significant penalties for non-compliance. For organisations, meeting the Act in practice means concrete technical work—inventorying AI systems, documenting them (including approaches such as an AI bill of materials), and enforcing controls in the delivery pipeline using tooling like Mondoo/cnspec. It sits alongside related frameworks such as NIST AI RMF and ISO/IEC 42001, and overlaps with the GDPR and the EU Data Act for systems that process data.

Why is the EU AI Act relevant?

  • Risk-based obligations: Requirements scale with the risk a system poses, up to bans for unacceptable uses
  • Broad scope: Applies to providers and deployers across the AI value chain
  • Named accountability: High-risk systems require defined responsibility for governance and oversight
  • Technical, not just paperwork: Real compliance means inventory, documentation, and enforced controls in CI/CD

Similar Solutions

NIS2 & ISO 27001 preparations

Compliance requires skills, not certificates. Our trainings can help you achieve exactly that. So you’re never "chicken" again when audits, incidents, or regulators come knocking.

Discover more

For Regulated Industries

<b>Regulated industries don’t fail audits because they lack policies. They fail because compliance requires skills, not certificates.</b> We works with organizations that operate under continuous regulatory pressure, including NIS2, ISO 27001, and sector-specific requirements. We’ve supported teams across multiple audits, security reviews, and compliance programs, always focusing on operational reality instead of theory.

Discover more

Related Terms

NIS2 Directive

The NIS2 Directive is an EU regulation setting minimum cybersecurity standards for critical and important sectors, significantly expanding scope beyond its predecessor.

Discover more

GDPR (General Data Protection Regulation)

GDPR is the EU regulation governing the collection, processing, and storage of personal data of EU residents.

Discover more

EU Data Act

The EU Data Act (Regulation (EU) 2023/2854) is European legislation governing access to and sharing of data generated by connected products and services, including rights to switch cloud providers.

Discover more

ISO 27001

ISO 27001 is the international standard for establishing, implementing, and maintaining an information security management system (ISMS).

Discover more

We are here for you

You are interested in our courses or you simply have a question that needs answering? You can contact us at anytime! We will do our best to answer all your questions.

Contact us