EU AI Act Compliance
The EU AI Act requires high-risk AI systems to be accurate, robust and secure. Learn how ImmuniWeb supports its Article 15 cybersecurity obligations by securing the systems and apps around your AI.
Conformité au règlement européen sur l'intelligence artificielle (IA)
What Is the EU AI Act?
The AI Act takes a risk-based approach, classifying AI systems as prohibited, high-risk, limited-risk or minimal-risk. Providers of high-risk AI systems must meet a set of requirements (Articles 8-15) covering risk management, data governance, technical documentation, logging, human oversight, and accuracy, robustness and cybersecurity, and must complete a conformity assessment.
Cybersecurity is a binding requirement for high-risk AI. Importantly, where a high-risk AI system also falls within the Cyber Resilience Act and meets its conditions, it may be deemed to comply with the AI Act's Article 15 cybersecurity requirement.
See how ImmuniWeb supports AI Act Article 15 - securing the web apps, APIs and infrastructure through which your AI systems are exposed. Request a demo · or run a free Community Edition test.
Who Must Comply with EU AI Act?
The AI Act applies to:
- Providers that develop or place AI systems on the EU market, including high-risk systems.
- Deployers that use AI systems in the EU.
- Organizations outside the EU whose AI systems or outputs are used in the EU (extraterritorial reach).
The web applications, APIs and infrastructure through which AI systems are accessed are part of the attack surface that must be secured.
Key AI Act Requirements for Application Security
Application security is driven by Article 15:
- Article 15 - Cybersecurity: high-risk AI systems must be resilient against attempts by unauthorised third parties to exploit vulnerabilities and to alter their use, behaviour or performance.
- Article 15 - Robustesse: les systèmes doivent fonctionner de manière cohérente et résister aux erreurs, aux défaillances et aux incohérences.
- Supporting systems: the apps, APIs and infrastructure that serve AI systems must themselves be secure.
AI Act Cybersecurity Requirements in Depth
Article 15 - Cybersecurity of High-Risk AI
Article 15 requires high-risk AI systems to be resilient against attempts to exploit their vulnerabilities. In practice, much of the real-world attack surface is the web applications, APIs and infrastructure through which AI systems are deployed and accessed - and these must be tested and secured.
Sécurisation des applications autour de l'IA
AI systems rarely operate in isolation; they are exposed through web and mobile applications and APIs. Penetration testing and vulnerability scanning of those applications and APIs reduce the attack surface that Article 15 expects providers to defend.
Risques courants des applications Web et mobiles à remédier
The vulnerabilities in the applications and APIs around AI systems map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — Injection SQL, de commande ou autre via des entrées non validées.
- Insecure Design — des contrôles de sécurité manquants par conception, et non pas seulement par bug.
- Mauvaise configuration de sécurité — configuration par défaut, incomplète ou non sécurisée.
- Composants vulnérables et obsolètes — bibliothèques et frameworks non patchés.
- Échecs d'identification et d'authentification — gestion faible des connexions, des sessions ou des identifiants.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Échecs de la journalisation et de la surveillance de la sécurité — attaques non détectées.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Support AI Act Article 15 with ImmuniWeb
- Map the AI attack surface.Inventory the apps, APIs and infrastructure exposing AI systems with ImmuniWeb Discovery.
- Test web applications & APIswith On-Demand and Neuron.
- Test mobile front-endswith MobileSuite and Neuron Mobile.
- Remediate and retestwith actionable, zero-false-positive reports.
- Secure developmentwith Continuous in CI/CD.
- Monitor exposurewith Discovery.
How ImmuniWeb Helps You Achieve EU AI Act Compliance
ImmuniWeb supports Article 15 by securing the applications, APIs and infrastructure through which high-risk AI systems are exposed and accessed.
| Exigence | Ce que cela nécessite | Produits ImmuniWeb |
|---|---|---|
| Article 15 - cybersecurity | Resilience against exploitation of vulnerabilities. | On-Demand, Neuron, Continuous |
| Supporting apps & APIs | Secure the apps and APIs that serve AI systems. | On-Demand, Neuron, MobileSuite, Neuron Mobile |
| Attack surface | Map and monitor the AI-facing attack surface. | Discovery (ASM / Dark Web) |
ImmuniWeb On-Demand et MobileSuite offrent des tests d’intrusion web, mobile et API ; Neuron et Neuron Mobile fournissent des scans automatisés ; Continuous intègre les tests dans le CI/CD ; et Discovery cartographie la surface d’attaque autour de vos systèmes d’IA, soutenant ainsi l’exigence de cybersécurité de l’Article 15.
EU AI Act vs Cadres internationaux
Si vous respectez déjà des normes internationales, les mêmes tests ImmuniWeb les couvrent toutes:
| Framework | Perspective sécurité des applications | Comment ImmuniWeb s'aligne |
|---|---|---|
| Loi européenne sur l’IA | Article 15 cybersecurity of high-risk AI | Securing apps, APIs and infrastructure around AI |
| EU CRA | Product cybersecurity (may satisfy Art 15) | Web/mobile pentest + scanning |
| RGPD | Security of processing (Article 32) | Les mêmes tests couvrent les deux |
| ISO/IEC 27001 | Annexe A: contrôles techniques | Tests comme preuve de contrôle |
Tests d'intrusion vs scans de sécurité
Les deux sont nécessaires. Le scan automatisé (DAST) offre une couverture large et fréquente et est idéal pour les tests continus dans le CI/CD ; le penetration testing manuel trouve les vulnérabilités de logique métier et complexes que les scanners manquent et produit la profondeur attendue par les auditeurs et les régulateurs. Combinez le scanning continu avec du penetration testing manuel périodique, et re-testez après des changements significatifs.
Liste de contrôle de conformité (Sécurité des applications)
- Inventaire des applications, API et infrastructures exposées à l'IA
- Applications web et API testées contre le Top 10 de l’OWASP
- Mobile front-ends tested against the OWASP Mobile Top 10
- Supporting systems hardened and resilient to exploitation
- Les failles identifiées sont corrigées et retestées ; les enregistrements sont conservés
- Testing integrated into the development life cycle
- Attack-surface monitoring in place
Pourquoi la conformité à l'Acte IA de l'UE est-elle importante?
The AI Act carries significant penalties (up to EUR 35 million or 7% of global turnover for prohibited practices, and up to EUR 15 million or 3% for other violations), and high-risk obligations - including cybersecurity under Article 15 - apply from 2 August 2026. Conformity is a precondition for placing high-risk AI on the EU market.
Because the practical attack surface of AI systems is the apps, APIs and infrastructure around them, securing and testing those is one of the most direct ways to support Article 15.