The European Commission has announced a landmark piece of legislation, the 'Cybersecurity of Artificial Intelligence Act' or 'CYBER-AI Act'. This new regulation will complement the EU's AI Act by establishing legally binding cybersecurity obligations for organizations that develop, deploy, or use AI systems classified as 'high-risk' within the EU. The act mandates a 'secure-by-design' approach, requiring rigorous security practices throughout the AI lifecycle. It also introduces a 24-hour breach notification requirement and sets severe penalties for non-compliance, with fines reaching up to 6% of a company's global annual turnover.
The CYBER-AI Act is designed to address the unique security challenges posed by artificial intelligence systems, such as model evasion, data poisoning, and the misuse of AI for malicious purposes. It aims to build trust in AI by ensuring a high level of security and resilience.
Scope: The act applies to providers and users of 'high-risk' AI systems. This category, defined in the main AI Act, includes AI used in critical infrastructure, medical devices, law enforcement, and employment, among others.
Jurisdiction: The regulation has extraterritorial reach. Any company, regardless of its location, must comply if its high-risk AI system is used within the European Union.
Organizations falling under the act's scope will face a number of new obligations:
The act is expected to be formally adopted and enter into force in early 2027. Following that, companies will have a two-year transition period to bring their systems and processes into compliance, with the rules becoming fully enforceable in early 2029.
The CYBER-AI Act will have a profound impact on the technology industry and any sector that leverages AI for critical functions.
Enforcement will be carried out by the national data protection or cybersecurity authorities in each EU member state. The penalties for non-compliance are designed to be a strong deterrent:
This penalty structure is even more severe than GDPR in percentage terms, signaling the EU's serious intent to enforce AI security.
Organizations should not wait until the transition period begins to act. Proactive steps include:
The European Commission officially unveils the CYBER-AI Act.
Expected date for the CYBER-AI Act to enter into force.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.