EU AI Act and Cybersecurity — Security Obligations for AI Systems Every Business Must Know

A client called us a few months ago. They had built an AI system for resume screening. Nothing complex: a pre-trained model, fine-tuned on company data, an API for HR. Then they heard about the AI Act and NIS2. The question: “Are we at risk? What should we do?”

We hear this question more and more often. And the answer, as always, is: it depends. But it depends on precise, measurable things. In this guide we look at the intersection between EU AI Act and cybersecurity, with a practical approach — the one we use every day on real projects.

At Meteora Web, we think in terms of costs and returns. Compliance is not a tax — it's an investment that protects your revenue. If an AI system fails to meet security obligations, the risk is not just fines: it's lost customer trust, compromised data, operational downtime. We have direct experience: we manage servers, develop platforms, and we come from accounting. Balance sheets, double-entry bookkeeping, VAT. That's why we evaluate every technical choice with a “what does it cost and what does it yield?” mindset.

What cybersecurity obligations does the EU AI Act impose?

The AI Act classifies AI systems by risk. For high-risk systems (e.g., recruitment tools, credit scoring, critical infrastructure), cybersecurity obligations are strict. The regulation requires:

• Continuous risk management throughout the model's lifecycle.
• Robustness and accuracy: the system must resist manipulation or systematic errors.
• Transparency and documentation: decision logs, model explainability.
• Human oversight: mechanisms for manual intervention when needed.

In practice, if your AI system makes decisions that impact people's rights, you must prove you have implemented measures to counter adversarial attacks, data poisoning, or simple statistical drift.

Concrete example: a product recommendation model for an e-commerce store is low-risk. But if the same model is used to profile users for insurance purposes, it becomes high-risk. The classification changes everything.

How does the AI Act integrate with business cybersecurity and NIS2?

The NIS2 Directive focuses on network and information system security, with obligations for critical sectors (energy, transport, health, digital). The AI Act focuses on the specific security of AI systems, but the two regulations overlap on three key aspects:

1. Risk assessment: both require an evaluation of risks. With the AI Act you must assess bias, robustness, training data security. With NIS2 you assess operational and continuity risks.
2. Incident reporting: report serious incidents within defined timeframes. AI Act requires notification for malfunctions that violate fundamental rights; NIS2 for incidents compromising essential services' availability.
3. Governance and documentation: both require records, audit logs, and proof of compliance.

The main difference is scope: NIS2 looks at the overall IT infrastructure, the AI Act at model behavior. In practice, a high-risk AI system operating in a NIS2 sector (e.g., an AI-based medical diagnosis system) must meet both regimes. The good news? If you already have an information security management system (ISMS) for NIS2, integrating AI Act requirements is an extension, not a revolution.

Learn more about NIS2 compliance in our NIS2 & Cybersecurity EU pillar guide.

What to do to make an AI system compliant with AI Act cybersecurity?

Here are the operational steps we follow in our clients' projects:

1. Inventory and classify your AI systems

Every AI system must be cataloged: purpose, data used, technology, outputs produced. Then classify it according to AI Act risk categories. Use the official list published by the European Commission (Annexes II and III of the regulation).

2. Integrated risk assessment

Combine AI-specific risks (adversarial attacks, bias, data poisoning) with NIS2 risks (availability, integrity, confidentiality). Create a single risk register that tracks the regulatory source.

3. Technical measures: logging and monitoring

You need to trace every model decision. Enable detailed inference logs with timestamp, input, output, confidence score. Example command to check if logs exist on a Linux server:

find /var/log/ai -name "*.log" -mtime -7 | wc -l

If the count is zero, you're not recording anything — a clear warning sign.

4. Periodic robustness testing

Run tests with adversarial inputs and variations in training data. Document results. Open-source tools like Adversarial Robustness Toolbox (ART) can help.

5. Documentation and transparency

Prepare a technical sheet for each model: training data, performance metrics, implemented security measures. The AI Act requires this documentation to be available to authorities.

Tools and best practices we use at Meteora Web

We don't just deal with theory. Every day we work on real projects using these technologies:

• For centralized logging we use Loki + Promtail on Linux servers. Low cost, high efficiency.
• For vulnerability scanning in Python packages of our models, we integrated pip-audit into the CI/CD pipeline.
• For risk assessment management, we use a structured spreadsheet (yes, well-made Excel or Google Sheets) that cross-references AI Act and NIS2 requirements. Numbers must speak clearly: after mapping, some clients discovered they needed minimal changes, while others had to redesign the entire architecture.

At Meteora Web, we've learned first-hand that security is not optional. Since we started managing servers for third parties, we've seen everything: expired SSL certificates, backups never configured, unprotected forms. That's why we apply the same rules to AI systems: hardening, updates, continuous monitoring. And we do it with the same approach we used to manage the ERP of a clothing store: margins, inventory, seasons. If an AI model costs more than it produces, it needs optimization or shutdown.

In summary — what to do now

1. Inventory your AI systems: who uses them, what data, what decisions they make.
2. Classify them according to the AI Act: high-risk or low-risk? When in doubt, treat them as high-risk.
3. Integrate the AI risk assessment into your existing security management system (NIS2 or ISO 27001).
4. Enable logging and monitoring for every inference — you can't prove compliance without data.
5. Schedule periodic audits and update documentation. Regulations evolve, and so do your models over time.

If you need a hand, our team is used to working on these topics. Since 2017 we've been accompanying businesses from domain to revenue, with a single point of contact. Drop us a line for a no-obligation chat.