Leveraging ISO 42001 and NIST AI RMF for EU AI Act Compliance

Utilizing ISO 42001 & NIST AI RMF for Compliance with the EU AI Act

The adoption of artificial intelligence (AI) technologies has dramatically increased in recent years. In 2019, 58% of organizations used AI for at least one business function; by 2024, that figure surged to 72%. Notably, the use of generative AI nearly doubled from 33% in 2023 to 65% in 2024.

Understanding the EU AI Act

The European Union Artificial Intelligence Act (AI Act), Regulation (EU) 2024/1689, establishes a comprehensive regulatory framework for AI within the EU. It came into effect on August 1, 2024 and applies to all AI types across various sectors, excluding systems used solely for military, national security, research, and non-professional purposes.

The landmark AI Act is designed to balance innovation and safety in the realm of AI. It provides guidelines for risk management, ongoing system monitoring, and human supervision, thereby establishing a foundation for trustworthy AI systems.

This act safeguards fundamental rights, such as privacy, and ensures that AI systems do not engage in unfair discrimination. Crucially, it offers AI developers and companies a unified regulatory framework, aiding them in innovating confidently while protecting consumer interests.

Who Will Be Affected?

Organizations that utilize AI and operate within the EU, as well as those outside the EU developing or using AI systems for business in the EU, will be impacted by the AI Act.

Who Will Not Be Affected?

It is essential to note that military and national security applications, whether developed by public or private entities, are excluded from the AI Act’s scope. Furthermore, AI systems dedicated purely to scientific research and development are exempt, allowing researchers the freedom to innovate without regulatory constraints. The Act only applies when AI systems are deployed or commercialized; during development, these rules remain inactive.

EU AI Act Fines

Organizations face significant penalties for non-compliance:

Fines up to EUR 35,000,000 or 7% of worldwide annual turnover for non-compliance with prohibited AI practices, whichever is higher.
Fines up to EUR 15,000,000 or 3% of worldwide annual turnover for non-compliance with high-risk AI system requirements, whichever is higher.
Fines up to EUR 7,500,000 or 1% of worldwide annual turnover for supplying incorrect, incomplete, or misleading information to authorities, whichever is higher.

Key Players Under the EU AI Act

The Act addresses various stakeholders in the AI ecosystem, ensuring all parties understand their responsibilities and compliance requirements.

EU AI Act Risk-Based Approach

The Act categorizes AI systems into four risk levels:

1. Unacceptable Risks:

AI systems that enable manipulation, exploitation, and social control practices are deemed unacceptable risks. Examples include:

Deploying subliminal or manipulative techniques.
Exploiting vulnerabilities related to age, disability, or socio-economic circumstances.
Social scoring and real-time remote biometric identification (RBI).

Such systems are prohibited in the EU market.

2. High Risks:

AI systems that negatively impact safety or fundamental rights are classified as high risk. Examples include:

Biometric systems.
Critical infrastructure applications, such as water supply management.
Law enforcement and judicial processes.

High-risk AI systems can only be deployed in the EU market after implementing adequate risk mitigation strategies.

3. Limited Risks:

Some AI systems, such as chatbots and deepfakes, may present risks of impersonation or deception but do not qualify as high risk. These systems are subject to lighter transparency obligations and must ensure that end-users are aware they are interacting with AI. They can be deployed with appropriate human oversight and monitoring activities.

4. Minimal Risks:

This category includes AI systems not classified elsewhere, such as AI-enabled video games or spam filters. These systems are unregulated in the EU market and can be deployed without restrictions.

Understanding NIST AI Risk Management Framework (RMF) & ISO/IEC 42001

The NIST AI Risk Management Framework (RMF) and ISO/IEC 42001 provide structured approaches to managing risks associated with AI technologies. These frameworks assure the responsible, ethical, and trustworthy development, deployment, and use of AI systems.

What is ISO/IEC 42001:2023?

ISO/IEC 42001 is an international standard that outlines requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations. It is applicable to entities involved in developing or utilizing AI-based products or services across all industries, ensuring responsible development and usage.