Advisory And Consulting

Regulatory Cyber Compliance: Get ready for the EU's AI Act

– Sofie Bøttiger Hansen, Senior Business Consultant, NNIT

The EU's regulation on artificial intelligence, the AI Act, sets a regulatory framework for a rapidly growing technological area. But what do the new rules mean in practice? Here you will get answers on how to get ready for the AI Act and get better control of the overall approach to regulatory cyber compliance.

With the EU's recently adopted regulation on artificial intelligence (Artificial Intelligence Act), a framework is set for the use and development of artificial intelligence (AI) in Europe. The need for increased control and regulation has been hotly debated, but now that the legislation is a reality, it can be difficult to assess how you as a company or organization are covered by the rules.

In this article, we guide you through the most important questions about the AI Act, so that you can continue to use AI in a safe and compliant way.

What is the AI Act?

The AI Act regulates the development, marketing, and use of AI in the EU. The purpose is to ensure that AI is developed from a human perspective and that the use of AI harmonizes with European values and ethics, including democracy, legal certainty, and basic human rights.

The regulation's approach is risk-based and aims to support the deployment of safe and reliable AI solutions, without slowing efficiency or innovation.

In practice, this means that AI solutions are divided into four risk categories:

  • Unacceptable risk (banned): e.g. AI systems that can be used for mass surveillance, discrimination, or exploitation of vulnerable people such as children or the elderly.
  • High risk: AI systems that could potentially endanger safety, health, or fundamental rights, e.g. AI for vehicles, medical devices, or policing.
  • Low risk: AI systems that pose minimal risk to safety, health, or fundamental rights are not regulated by the AI Act but may be subject to a Code of Conduct on a voluntary basis.
  • General purpose AI models (GPAI): this category includes generative AI and the large language models (e.g. ChatGPT or Claude-3) that can be integrated into various AI solutions. The AI Act places increased transparency and information requirements on providers of GPAI.

Who is covered by the AI Act?

The AI Act regulates the use of the individual AI solution and everyone who is part of the solution's value chain. That means providers, importers, distributors, product manufacturers, and users. The AI Act can therefore apply in all industries and sectors and for all types of companies and organizations.

The rules apply to all AI systems that are used within the EU or affect EU citizens, regardless of whether your company or organization operates in or outside the EU.

Which requirements does the AI Act place on your company?

The requirements of the AI Act vary according to your role and the risk profile of the AI system. The most important requirements for high-risk AI systems are presented below.

High-risk AI systems:

The AI system itself is subject to several basic requirements regarding compliance, technical documentation, logging, risk management and cyber security. There must always be human control and a certain degree of transparency towards the users.

If you have developed the AI system or changed it significantly, you as a supplier are responsible for ensuring that it complies with the system requirements.
You must establish systems for risk and quality management, document the work, register the AI system with the EU and meet all requirements for CE marking. In addition, you are obliged to monitor the use of the system, report serious incidents and correct errors.

As an importer, you must ensure that the AI system meets all requirements for CE marking, that the technical documentation is correct and that the supplier has appointed an authorized representative (if necessary).
You must also provide your own contact details, ensure proper transport and storage of the system, keep a copy of the system's declaration of conformity for 10 years and cooperate with relevant authorities to minimize risks.

As a distributor, you must ensure that the AI system meets all requirements for CE marking and that the supplier and importer have complied with their obligations.

As a deployer (user), you must ensure before deploying an AI system that it is used correctly and under human supervision and control. If you have control over the input data, you must also ensure that it is relevant and representative. If at any time you consider that the use of the system poses a risk, you must inform the supplier and the relevant authorities. In addition, you must keep logs for at least 6 months and use the information from the supplier in the required impact assessment regarding personal data. If you work in financial services or law enforcement, you are subject to additional specific requirements.


For a more detailed review of roles and requirements, try NNIT's Quick Guide to the AI Act.

When will the AI Act come into force?

The EU Commission adopted the AI Act on 13 March 2024 and the law is expected to enter into force during May-June 2024.

Because the AI Act is a regulation, it does not first have to be transposed into the legislation of the member states; it enters into force across the entire EU 20 days after publication in the EU Official Journal, and the rules take full effect 24 months after publication, except for:

  • Ban on AI systems of unacceptable risk level, which applies 6 months after publication
  • Codes of practice, which apply after 9 months
  • The rules for GPAI models, which apply after 12 months
  • Requirements for high-risk AI systems, which apply after 36 months.


Although the time horizon may at first seem long, it is our recommendation to start the preparation work as soon as possible.

What can your company do to get ready for the AI Act?

We recommend the following steps to prepare for the AI Act:

Start by mapping all your use of AI, from publicly available tools like ChatGPT to custom applications. Remember to also include Office 365 and other systems where AI has been introduced via updates.

When you have an overview of all your AI systems, you must assess for each one of them whether and how they are covered by the AI Act. As mentioned, it depends on both the system's risk profile (banned/high/low/GPAI) and your role(s) (provider/importer/distributor/deployer). This step can be quite extensive, so make sure you allocate sufficient time and resources and seek guidance if you lack the skills.

Establish a working group responsible for ensuring AI compliance across the organization. Include all relevant parts of the business, e.g. colleagues responsible for compliance and legal matters, IT, purchasing, and supplier relations.

Use your existing compliance framework as a starting point and assess whether it is sufficient to ensure compliance with the requirements of the AI Act that apply to you.

Based on the steps above, examine where your current compliance procedures fall short of the AI Act's requirements, identify the resulting gaps in your current compliance framework, and determine what is needed to close them and ensure compliance with the AI Act.

How can NNIT help you?

At NNIT, we can help your company get ready for the AI Act and get better control of the compliance work as a whole.

You not only get advice from NNIT's compliance experts, but also deep technical and industry-specific knowledge and concrete tools that support compliance in daily work. This will ensure continued control over what needs to be documented, automated, and validated.

Overall, it is worth remembering that compliance with the AI Act is just one piece of the cross-cutting compliance work in the digital area, where many new pieces of legislation are currently being introduced. The approach and tools will therefore often resemble those used for other comprehensive legal requirements, for example NIS2 or GDPR.

For that reason, we recommend that you combine compliance with the individual rules in an ongoing regulatory cyber compliance effort, so that you can ensure compliance with all relevant rules without wasting resources on repetition.

Our experts are ready to help

Contact us, and we will find a solution that suits your needs
