EU AI Act Compliance
The EU AI Act requires high-risk AI systems to be accurate, robust and secure.
Learn how ImmuniWeb supports its Article 15 cybersecurity obligations by securing the systems and apps around your AI.
EU Artificial Intelligence (AI) Act Compliance
What Is the EU AI Act?
The AI Act takes a risk-based approach, classifying AI systems as prohibited, high-risk, limited-risk or minimal-risk. Providers of high-risk AI systems must meet a set of requirements (Articles 8-15) covering risk management, data governance, technical documentation, logging, human oversight, and accuracy, robustness and cybersecurity, and must complete a conformity assessment.
Cybersecurity is a binding requirement for high-risk AI. Importantly, where a high-risk AI system also falls within the Cyber Resilience Act and meets its conditions, it may be deemed to comply with the AI Act's Article 15 cybersecurity requirement.
See how ImmuniWeb supports AI Act Article 15 - securing the web apps, APIs and infrastructure through which your AI systems are exposed. Request a demo · or run a free Community Edition test.
Who Must Comply with EU AI Act?
The AI Act applies to:
- Providers that develop or place AI systems on the EU market, including high-risk systems.
- Deployers that use AI systems in the EU.
- Organizations outside the EU whose AI systems or outputs are used in the EU (extraterritorial reach).
The web applications, APIs and infrastructure through which AI systems are accessed are part of the attack surface that must be secured.
Key AI Act Requirements for Application Security
Application security is driven by Article 15:
- Article 15 - Cybersecurity: high-risk AI systems must be resilient against attempts by unauthorised third parties to exploit vulnerabilities and to alter their use, behaviour or performance.
- Article 15 - Robustness: systems must perform consistently and be resilient to errors, faults and inconsistencies.
- Supporting systems: the apps, APIs and infrastructure that serve AI systems must themselves be secure.
AI Act Cybersecurity Requirements in Depth
Article 15 - Cybersecurity of High-Risk AI
Article 15 requires high-risk AI systems to be resilient against attempts to exploit their vulnerabilities. In practice, much of the real-world attack surface is the web applications, APIs and infrastructure through which AI systems are deployed and accessed - and these must be tested and secured.
Securing the Applications Around AI
AI systems rarely operate in isolation; they are exposed through web and mobile applications and APIs. Penetration testing and vulnerability scanning of those applications and APIs reduce the attack surface that Article 15 expects providers to defend.
Common Web & Mobile Application Risks to Address
The vulnerabilities in the applications and APIs around AI systems map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Support AI Act Article 15 with ImmuniWeb
- Map the AI attack surface.Inventory the apps, APIs and infrastructure exposing AI systems with ImmuniWeb Discovery.
- Test web applications & APIswith On-Demand and Neuron.
- Test mobile front-endswith MobileSuite and Neuron Mobile.
- Remediate and retestwith actionable, zero-false-positive reports.
- Secure developmentwith Continuous in CI/CD.
- Monitor exposurewith Discovery.
How ImmuniWeb Helps You Achieve EU AI Act Compliance
ImmuniWeb supports Article 15 by securing the applications, APIs and infrastructure through which high-risk AI systems are exposed and accessed.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Article 15 - cybersecurity | Resilience against exploitation of vulnerabilities. | On-Demand, Neuron, Continuous |
| Supporting apps & APIs | Secure the apps and APIs that serve AI systems. | On-Demand, Neuron, MobileSuite, Neuron Mobile |
| Attack surface | Map and monitor the AI-facing attack surface. | Discovery (ASM / Dark Web) |
ImmuniWeb On-Demand and MobileSuite deliver web, mobile and API penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps the attack surface around your AI systems - supporting the Article 15 cybersecurity requirement.
EU AI Act vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing supports all of them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| EU AI Act | Article 15 cybersecurity of high-risk AI | Securing apps, APIs and infrastructure around AI |
| EU CRA | Product cybersecurity (may satisfy Art 15) | Web/mobile pentest + scanning |
| EU GDPR | Security of processing (Article 32) | Same testing supports both |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- AI-facing apps, APIs and infrastructure inventoried
- Web applications and APIs tested against the OWASP Top 10
- Mobile front-ends tested against the OWASP Mobile Top 10
- Supporting systems hardened and resilient to exploitation
- Findings remediated and re-tested; records retained
- Testing integrated into the development life cycle
- Attack-surface monitoring in place
Why EU AI Act Compliance Matters
The AI Act carries significant penalties (up to EUR 35 million or 7% of global turnover for prohibited practices, and up to EUR 15 million or 3% for other violations), and high-risk obligations - including cybersecurity under Article 15 - apply from 2 August 2026. Conformity is a precondition for placing high-risk AI on the EU market.
Because the practical attack surface of AI systems is the apps, APIs and infrastructure around them, securing and testing those is one of the most direct ways to support Article 15.