The AI Act Is Actually a Security Law
The AI Act is viewed by many as an ethics and compliance topic, a question of transparency and discrimination. For security teams, it is something else: a law with strict security requirements. Anyone operating a high-risk AI system must demonstrably secure it against manipulation. And artificial intelligence can be attacked in ways that classical IT security does not know.
Key Points in Brief
- Security Is Mandatory: The AI Act explicitly requires robustness, accuracy, and cybersecurity for high-risk AI throughout the entire lifecycle.
- New Attack Surfaces: Data poisoning, adversarial attacks, and model manipulation threaten AI systems where classical protective measures do not apply.
- The Timeline Is Running: On August 2, 2026, the next stage of applicability takes effect. Parts of the timeline have been adjusted, but the security requirements themselves remain.
Why the AI Act Is a Security Topic
The AI Act, Regulation (EU) 2024/1689, classifies AI systems according to their risk. For the class of high-risk systems, for example in critical infrastructure, human resources, or credit lending, strict requirements apply. A central component of this is security. The system must achieve an appropriate level of accuracy, robustness, and cybersecurity and maintain it over its entire lifecycle.
This requirement does not stand alone. It is flanked by mandatory risk management, requirements for data quality, automatic logging of system events, and effective human oversight. In sum, the AI Act thereby describes a security framework for AI that reads like a requirements document for a security team, not like a pure ethics guideline.
In practice, this means: A high-risk AI system that can be easily deceived or manipulated does not meet the requirements. Security is not a voluntary add-on, but a prerequisite for being allowed to use the system at all.
New Attack Surfaces
AI systems expand a company’s attack surface with categories of attacks that do not exist in this form in classical IT. In data poisoning, attackers inject manipulated data into the training so that the model later reacts incorrectly or in a deliberately faulty way. The attack then resides not in operations, but in the creation of the model.
Definition · Data Poisoning
Attackers inject manipulated data into the training of an AI model so that it later reacts incorrectly or in a deliberately faulty manner. The attack resides in the creation of the model, not in ongoing operation.
In adversarial attacks, inputs are altered so that a model misclassifies them without a human noticing the manipulation. This is joined by attempts to extract a model or its training data. In language-based systems, targeted manipulation via prepared inputs is a threat. All of this targets the model’s logic, not a classical software vulnerability.
This is exactly where the challenge lies. A firewall or a patch does not protect against these attacks. What is needed are protective measures tailored to the model and its data chain, from securing the training data to testing against manipulation to monitoring the running system.
The Timeline and Its Adjustments
The AI Act comes into force in stages. On August 2, 2026, the next stage of applicability takes effect. The European legislator has, however, adjusted the timeline at certain points over the course of 2026, so that specific obligations for high-risk systems take effect later than originally planned. Those preparing should check the current status of the deadlines rather than relying on a single date.
The adjustments change little in terms of substance. The security requirements for high-risk AI remain in place. Building the necessary capabilities takes time. A robust AI system does not arise shortly before a deadline, but through months of clean data work, testing, and securing. The shift is therefore not a reason to wait, but additional lead time.
What Security Teams Should Do Now
The first step is visibility. Many organizations do not know which AI systems they are using at all, neither the officially introduced ones nor those used quietly in departments. Without an inventory of AI applications, neither the risk can be assessed nor the classification under the AI Act performed.
The second step is securing the data chain. If manipulated training data represents the largest entry point, the origin and integrity of this data must be verified and protected. Added to this is the targeted testing of models against manipulation, red teaming for AI that finds the weaknesses before an attacker does.
The third step concerns suppliers. Anyone sourcing AI models or AI-supported products from third parties must evaluate their security and secure it contractually. Responsibility for a high-risk system does not end at the boundary to the supplier. It requires that the purchased component also meets the requirements.
Interaction with NIS2 and CRA
The AI Act does not stand on its own. It supplements existing regulation with an AI-specific perspective. NIS2 obliges operators to secure their IT, which will in future also include the AI systems deployed. The Cyber Resilience Act holds manufacturers responsible for products that may contain AI components.
For a security team, this means considering the requirements together. An AI system can simultaneously be part of the IT worth protecting under NIS2, a regulated high-risk system under the AI Act, and a component of a product under the CRA. Those who separate these perspectives build three silos. Those who connect them secure the system properly in one go.
Frequently Asked Questions
Each question is closed. Tap to unlock the answer.
Does the AI Act Really Require Cybersecurity?
Yes. For high-risk AI systems, the AI Act explicitly requires an appropriate level of accuracy, robustness, and cybersecurity throughout the entire lifecycle. Security is a prerequisite for deployment, not a voluntary add-on.
What Is a Data Poisoning Attack?
Attackers inject manipulated data into a model’s training so that it later reacts incorrectly or in a deliberately faulty manner. The attack resides in the creation of the model, not in ongoing operation. It can barely be addressed with classical protective measures.
When Does the AI Act Apply to High-Risk Systems?
The AI Act takes effect in stages; the next stage kicks in on August 2, 2026. Parts of the timeline were adjusted in 2026, which is why the current status of the deadlines must be checked on a case-by-case basis. The security requirements themselves remain in place.
Does a Firewall Protect Against Attacks on AI?
Only to a limited extent. Adversarial attacks and data poisoning target the model’s logic and data chain, not a classical software vulnerability. Protective measures tailored specifically to the model are required.
How Does the AI Act Relate to NIS2 and CRA?
The AI Act supplements both with an AI-specific perspective. An AI system can at the same time be IT worth protecting under NIS2, a regulated high-risk system under the AI Act, and part of a product under the CRA. The best approach is to secure it once in an integrated manner.
Editor’s Picks
Editor’s PickWhat Is NIS2? Definition, Obligations, and LiabilityEditor’s PickWhen a Phone Call Halted Car Production
More from the MBF Media Network
cloudmagazinKRITIS in the Cloud: What Secures the MigrationMyBusinessFutureThe AI oversight in Germany now has an addressDigital ChiefsThe AI writes the code. Who is liable for it?




