AI Act 2026: What the EU AI Act Means for Cybersecurity

3 min Reading Time

The EU AI Act has been in force since August 2024 and will gradually take effect from 2025. For IT security professionals, the regulation brings new obligations but also opportunities. An overview of the security-relevant requirements.

TL;DR

Gradual implementation: Bans effective from February 2025, high-risk rules from August 2026.
Risk categories: AI systems are classified into four levels – from minimal to unacceptable.
Security by Design: High-risk AI must meet cybersecurity requirements – robustness, integrity, confidentiality.
AI as an attack tool: Deepfakes, AI phishing, and automated exploits are real threats.
AI as a defender: AI-driven detection, automated incident response, and threat intelligence are gaining importance.

The Four Risk Categories of the AI Act

Unacceptable Risk (prohibited): Social scoring, real-time biometrics in public spaces (with exceptions), manipulative AI systems, emotion recognition at work.

High Risk: AI in critical infrastructure, employment, law enforcement, migration. These systems are subject to strict regulations: risk management, data quality, technical documentation, human oversight, and cybersecurity.

Limited Risk: Transparency obligations – such as labeling chatbots and AI-generated content like deepfakes.

Minimal Risk: No special requirements – such as spam filters or AI in video games.

Cybersecurity Requirements for High-Risk AI

Article 15 of the AI Act explicitly requires resilience against cyberattacks. High-risk AI systems must be robust against adversarial attacks (manipulated input data), data poisoning (tainted training data), model extraction (theft of the AI model), and prompt injection (manipulation of LLM instructions).

Companies developing or deploying high-risk AI must demonstrate a cybersecurity concept. This includes access controls, logging, integrity checks, and regular security tests.

AI as a Weapon: The Threat Landscape

Cybercriminals are already heavily using AI. Deepfake-based CEO fraud caused several million euros in damages in 2024. AI-generated phishing emails are grammatically perfect and personalized. Automated exploit generation accelerates attacks on known vulnerabilities. Voice cloning undermines telephone authentication.

The CrowdStrike Global Threat Report 2025 shows: Vishing increased by 442 percent with AI support, malware-free attacks make up 79 percent. AI significantly lowers the barrier to entry for cybercrime.

AI as a Defender: Opportunities for Security Teams

At the same time, AI is revolutionizing cyber defense. SOC analysts are relieved by AI-driven triage – automatic prioritization of alerts reduces false positives. Threat intelligence is analyzed and correlated in real-time. Anomaly detection identifies previously unknown attack patterns. Automated incident response shortens reaction times from hours to minutes.

Key Facts at a Glance

In Force: August 1, 2024

Bans Effective: February 2025

High-Risk Rules: August 2026

Fines: Up to 35 million Euros or 7% of annual turnover

Cybersecurity: Art. 15 – Resilience against adversarial attacks, data poisoning, model extraction

Transparency: Labeling requirement for deepfakes and AI-generated content

Fact: According to a PwC study, 72 percent of European companies already use AI tools in IT security – often without clear governance.

Fact: Violations of the EU AI Act can result in fines of up to 35 million Euros or 7 percent of global annual turnover.

Frequently Asked Questions

What is the EU AI Act?

The world’s first comprehensive AI regulation. It classifies AI systems by risk and defines obligations for providers and operators – from documentation to cybersecurity and human oversight.

Which AI systems are relevant for security teams?

AI in critical infrastructure, access control, network monitoring, and automated threat detection potentially falls under the high-risk category. SIEM systems with AI components should also be reviewed.

How do you protect AI systems against adversarial attacks?

Through robust training with diverse datasets, input validation, anomaly detection on input data, regular red teaming, and the implementation of guardrails and content filters.

What does the AI Act mean for existing security tools?

Many AI-based security tools (EDR, SIEM, SOAR) fall under minimal or limited risk. However, AI systems used in critical infrastructure or making automated decisions about access could be classified as high-risk.

How do the AI Act and NIS2 relate to each other?

Both regulations complement each other. NIS2 requires general cybersecurity risk management, while the AI Act specifies security measures for AI systems. Companies that must comply with both should implement the requirements in an integrated manner.