AI regulation & governance
Industrial AI is entering the regulated era. The EU AI Act (Regulation (EU) 2024/1689) classifies each system by risk level and imposes dated, quantified obligations; ISO/IEC 42001 provides the management system to comply. For an engineer, three concrete questions: is my system "high-risk"? which obligations, by article? and can I put AI inside a safety function?
The texts that matter
Regulation (EU) 2024/1689
First comprehensive, risk-based frame. Published in the OJEU on 12 Jul 2024, in force 1 Aug 2024. Product approach: obligations on the provider and the deployer.
ISO/IEC 42001: AI management system (AIMS)
Published in 2023, certifiable. High-level structure shared with ISO 9001/27001 (clauses 4-10), plus Annex A: 38 controls. The practical "how" of compliance.
Risk & impact assessment
ISO/IEC 23894: AI risk management, aligned with ISO 31000. ISO/IEC 42005: AI system impact assessment. ISO/IEC 5338: AI system lifecycle. ISO/IEC 22989: reference vocabulary (concepts and terminology).
NIST AI RMF: US voluntary framework
Four functions: Govern, Map, Measure, Manage. Non-binding but widely adopted; a practical bridge to the EU AI Act for international groups.
The application timeline
The regulation does not land all at once: obligations switch on in stages. The date most relevant to industry is August 2027 — that of machine safety components.
| Date | What becomes applicable |
|---|---|
| 1 Aug 2024 | Regulation enters into force. |
| 2 Feb 2025 | Prohibited practices apply + AI-literacy duty for staff. |
| 2 Aug 2025 | General-purpose AI (GPAI), governance, notifying authorities, penalties regime. |
| 2 Aug 2026 | General application: Annex III high-risk systems + transparency obligations. |
| 2 Aug 2027 | High-risk "safety component" of regulated products (Annex I: machinery, medical devices…). |
The risk pyramid — where industrial AI lands
| Level | Industrial examples | Obligations |
|---|---|---|
| Unacceptable | Social scoring, subliminal manipulation, emotion recognition in the workplace. | Banned. Emotion recognition of operators is prohibited (outside safety/medical). |
| High | AI safety component of a machine (Machinery Reg. 2023/1230); critical-infrastructure management (power, water, gas). | Strong duties (Art. 8-15), QMS, conformity assessment, CE marking, EU-database registration. |
| Limited | Chatbots, copilots, generative AI producing text/images. | Transparency: inform the user they interact with AI, label generated content. |
| Minimal | Predictive maintenance, quality vision, process optimization — most industrial cases. | No specific obligation. Good practice (ISO 42001) recommended. |
Key point: the vast majority of industrial uses (predictive, vision, optimization) are minimal risk. It is AI acting on a safety function or driving critical infrastructure that flips a system to high-risk and triggers CE marking.
High-risk system: obligations, by article
| Article | Obligation | In plain terms |
|---|---|---|
| Art. 9 | Risk management | Continuous process across the lifecycle: identify, estimate, mitigate, residual risks acceptable. |
| Art. 10 | Data & governance | Training/validation/test sets relevant, representative, as error-free as possible; bias detection and mitigation. |
| Art. 11 | Technical documentation | Full file (Annex IV) demonstrating conformity, kept current before placing on the market. |
| Art. 12 | Logging | Automatic event logging over the lifetime for traceability and post-market monitoring. |
| Art. 13 | Transparency | Clear instructions for the deployer: capabilities, limits, expected performance, required oversight. |
| Art. 14 | Human oversight | Design enabling a human to understand, monitor, intervene and stop ("stop button"). |
| Art. 15 | Accuracy, robustness, cyber | Declared accuracy level, resilience to errors and attacks (data poisoning, adversarial), redundancy. |
Add: quality management system (Art. 17), conformity assessment (Art. 43), EU declaration and CE marking (Art. 47-48), EU-database registration (Art. 49). On the deployer side: use per instructions, oversight, log retention, and a fundamental-rights impact assessment (FRIA, Art. 27) for some.
AI & functional safety: the real question
Can a learning model sit inside a safety instrumented function (SIF)? Today, no — not directly. IEC 61508 and IEC 61511 rest on determinism, test coverage and demonstrable freedom from systematic faults — properties a trained neural network does not provide. Proven practice keeps AI out of the safety loop: it advises, alerts, optimizes — but the SIS that triggers the emergency shutdown stays deterministic, hard-wired or certified logic, independent of the model.
The topic is not frozen: ISO/IEC TR 5469 ("Functional safety and AI systems") maps how and where AI may intervene according to its role. And the regulatory link is direct: software that performs a machine safety function, AI included, is a safety component under the Machinery Regulation (EU) 2023/1230 (applicable 20 Jan 2027), and the EU AI Act classes such a component as high-risk: dual conformity.
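To make the "AI outside the safety loop" pattern concrete, here is an added example (not code from the page or from any standard) of one scan cycle in which a deterministic trip function alone decides the shutdown, a stand-in learned model may only raise an operator alert, and both decisions are written to an event log in the spirit of Art. 12. The pressure loop, the trip setpoint `TRIP_BAR`, and the names `sis_trip`, `trend_advisory`, `control_cycle` and `EventLog` are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

TRIP_BAR = 12.0  # hard-wired high-pressure trip setpoint (constructed value)


@dataclass
class EventLog:
    """Append-only record of each decision and its inputs (Art. 12 spirit)."""
    records: list = field(default_factory=list)

    def write(self, source: str, inputs: dict, decision: dict) -> None:
        self.records.append({"source": source, "inputs": inputs, "decision": decision})


def sis_trip(pressure_bar: float) -> bool:
    """Deterministic safety function: a fixed comparison, no learned parameters.
    Same input always yields the same output, as IEC 61508/61511 expect."""
    return pressure_bar >= TRIP_BAR


def trend_advisory(history: list) -> dict:
    """Stand-in for a learned model (hypothetical): it may advise, never actuate."""
    if len(history) < 2:
        return {"advise_shutdown": False, "slope": 0.0}
    slope = (history[-1] - history[0]) / (len(history) - 1)
    return {"advise_shutdown": slope > 0.5, "slope": slope}


def control_cycle(history: list, log: EventLog,
                  advisor: Callable[[list], dict] = trend_advisory) -> dict:
    """One scan. The shutdown output comes only from sis_trip; the advisor's
    output is logged and shown to the operator but cannot alter the trip,
    whatever the model (or a replaced/poisoned model) returns."""
    pressure = history[-1]
    trip = sis_trip(pressure)
    advisory = advisor(history)
    log.write("SIS", {"pressure_bar": pressure}, {"trip": trip})
    log.write("AI", {"history": list(history)}, advisory)
    return {"shutdown": trip, "operator_alert": advisory["advise_shutdown"]}


if __name__ == "__main__":
    log = EventLog()
    print(control_cycle([9.0, 9.8, 10.7, 11.5], log))  # rising trend: alert only
    print(control_cycle([11.5, 12.3], log))            # setpoint reached: trip
```

Swapping `advisor` for a model that wrongly advises against shutdown leaves the `shutdown` output unchanged, which is the independence property the text asks the SIS to keep.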
What to do in practice
- Keep an AI register — inventory of deployed models, use, data, provider, risk level. You only govern what you know.
- Classify each system — risk drives everything else; document the classification decision (minimal / limited / high).
- Document data & models — model cards, dataset sheets, versioning: origin, representativeness, bias, performance and limits.
- Ensure human oversight — a human must be able to understand, monitor and override. AI assists, it does not decide a safety action alone.
- Log & monitor post-market — event logs, drift monitoring, serious-incident reporting: a cross-cutting EU AI Act / ISO 42001 / NIST requirement.
ISO/IEC 42001: a management system, not a binder
42001 reuses the high-level structure of ISO 9001 and 27001 (clauses 4-10: context, leadership, planning, support, operation, evaluation, improvement) and adds an Annex A of 38 AI-specific controls — policy, roles, resources, impact assessment, data management, lifecycle, information for interested parties, third-party suppliers. Anyone already running a QMS or ISMS will recognize the PDCA logic. EU AI Act compliance provides the legal duty; 42001 provides the auditable, certifiable method to reach it — backed by ISO/IEC 23894 (risk), 42005 (impact assessment) and 5338 (lifecycle).
Penalties
| Infringement | Maximum fine (whichever is higher) |
|---|---|
| Prohibited practices | up to €35M or 7% of worldwide turnover |
| Breach of other obligations | up to €15M or 3% |
| Incorrect information to authorities | up to €7.5M or 1% |
For SMEs and start-ups, the lower of the two amounts (fixed sum or percentage) applies.
Harmonized standards & presumption of conformity
As with classic CE marking, meeting a harmonized standard will give a presumption of conformity with the EU AI Act. The CEN-CENELEC JTC 21 committee develops these standards (on the Commission's mandate), drawing heavily on ISO/IEC SC 42 work. For the engineer the strategy is clear: following ISO/IEC 42001 and its family today prepares for tomorrow's harmonized conformity.