The European regulatory landscape is changing rapidly, especially in the areas of Artificial Intelligence (AI) and cybersecurity. For mid-sized companies that may fall under the KRITIS regulation or the NIS2 directive and are involved with AI, it is crucial to understand the upcoming changes and act proactively. In this article, we examine what impact the new regulations have on your company and how you can optimally prepare.
Introduction to KRITIS and the NIS2 Directive
What is KRITIS and Why is it Relevant?
Critical Infrastructure (KRITIS) encompasses sectors such as energy, healthcare, transportation, and IT. Companies in these areas are particularly in need of protection, as failures can have serious impacts on society. Mid-sized companies should check whether they belong to these sectors, as they are then subject to special requirements.
The NIS2 Directive Overview
The NIS2 Directive is the updated version of the EU directive on Network and Information Security. It expands the scope to more companies and tightens requirements for cybersecurity and reporting obligations in the event of security incidents.
Important NIS2 Requirements for AI Companies
- Mandatory Cybersecurity Measures: Companies must implement robust security practices to protect their networks and systems.
- Reporting Obligations for Security Incidents: Security incidents must be reported immediately to enable rapid response.
- Risk Management and Service Continuity: Companies are required to conduct risk assessments and to develop plans for maintaining services in crisis situations.
- Supply Chain Security: Companies must ensure cybersecurity throughout their entire supply chain, which is particularly important when using AI systems.
The EU AI Act and Additional Regulation
What is the EU AI Act?
The EU AI Act is a proposed legal framework aimed at regulating the development and use of AI systems in the EU. It sets standards for the trustworthiness and security of AI.
New Obligations for Companies
- Risk Classification of AI Systems: AI systems are categorized by risk, from minimal to unacceptable.
- Specific Compliance Requirements: Strict requirements apply to high-risk AI systems, including transparency, accuracy, and human oversight.
- Technical Documentation and Conformity Assessment: Companies must provide extensive documentation and have their systems regularly reviewed.
- Sufficient Knowledge: Companies must ensure that a sufficient level of AI competence exists within the company.
ISO 42001 as a Useful Tool
What is ISO 42001?
ISO 42001 is an international standard for management systems in the field of Artificial Intelligence. It provides a framework for effective AI risk management and supports companies in meeting legal requirements.
How Does ISO 42001 Complement NIS2 and the EU AI Act?
- Holistic Approach: ISO 42001 covers both technical and organizational aspects and helps fulfill the requirements of both regulatory frameworks.
- Proactive Risk Minimization: By implementing the standard, companies can identify and address risks early.
Synergies and Overlaps Between NIS2, EU AI Act, and ISO 42001
- Common Focus on Security: All three regulatory frameworks emphasize the need for security measures and risk management.
- Different Emphases: While NIS2 focuses on general cybersecurity, the EU AI Act specifically addresses the risks of AI systems. ISO 42001 provides a practical framework for implementing both sets of requirements.
- Additional Requirements: The EU AI Act and ISO 42001 go beyond NIS2 in some areas, particularly regarding ethical considerations and specific AI risks.
Fundamental Provisions That Always Apply
- General Data Protection Regulation (GDPR): The protection of personal data remains central. AI companies must ensure that their systems are GDPR-compliant.
- Ethical Guidelines for AI: Principles such as transparency, fairness, and non-discrimination are essential for responsible AI.
Strategic Steps Toward Compliance
- Conduct Risk Assessment: Evaluate whether your company falls under KRITIS or NIS2 and which AI risk categories are relevant.
- Implement ISO 42001: Use the standard to build an effective AI management system.
- Employee Training: Train your team on the new requirements to strengthen awareness and competence.
- Cooperation and Industry Networking: Exchange ideas with other companies to share best practices and address common challenges.
Recommendations for Action
- Proactive Adaptation: Start implementing the required measures now to achieve compliance.
- Leverage Opportunities: Through early adaptation, you can gain competitive advantages and strengthen the trust of customers and partners.
- Further Training: Use our training opportunities for AI Officers to build AI competence in your company and manage AI projects.
