What is the primary objective of **EU AI Act**?

**The primary objective of the EU AI Act is to establish a risk-based regulatory framework that prohibits unacceptable-risk AI practices, imposes strict obligations on high-risk AI systems, mandates transparency for limited-risk systems, and fosters safe AI innovation while protecting health, safety, and fundamental rights.** Regulation (EU) 2024/1689, effective 1 August 2024, classifies AI into unacceptable, high, limited, and minimal risk tiers per Articles 5–6, Annexes I–III, emphasizing lifecycle controls like risk management (Article 9) and conformity assessments (Article 43).

Who is legally or professionally required to comply with **EU AI Act**?

**Providers, deployers, importers, distributors, and authorized representatives of AI systems used in or outputting to the EU are legally required to comply with the EU AI Act, regardless of location.** Providers (Article 3(3)) develop or place high-risk systems on the market; deployers (Article 3(4)) are professional users. Obligations apply extraterritorially if outputs affect the EU (Article 2), covering GPAI providers (Chapter V) and high-risk systems in Annex III sectors like biometrics, employment, and critical infrastructure.

Does **EU AI Act** require an external audit or third-party certification?

**High-risk AI systems require conformity assessment, which may involve external audits or third-party certification by notified bodies depending on the system type.** Article 43 mandates internal (Annex VI) or third-party (Annex VII) assessments; notified bodies (Articles 28–39) certify for certain Annex III uses or without full harmonized standards (Article 40). Providers issue EU Declaration of Conformity (Article 47) and CE marking (Article 48), with post-market surveillance (Article 72).

How often should an assessment for **EU AI Act** be performed?

**Conformity assessments for high-risk AI must be performed before placing on the market or into service, with continuous post-market monitoring and reassessment upon substantial modifications.** Article 61 requires reevaluation for changes (Article 3(23)); providers maintain ongoing risk management (Article 9), logging (Article 12), and monitoring plans (Article 72). Serious incidents trigger reporting (Article 73) without fixed intervals, tied to lifecycle changes.

What are the consequences of non-compliance with **EU AI Act**?

**Non-compliance with the EU AI Act incurs tiered administrative fines up to 7% of worldwide annual turnover or €40 million for prohibited practices, 4% or €20 million for other violations like high-risk obligations, and 2% or €10 million for remaining breaches.** Chapter XII (Articles 99–101) empowers national authorities (Article 70) and AI Office (Article 64); remedies include market withdrawal, bans, and personal liability, with hybrid enforcement via market surveillance (Article 74).

Can **EU AI Act** be mapped to other international frameworks?

**No, the EU AI Act cannot be directly mapped to other international frameworks in this FAQ, as it must stand alone.** Its unique risk-based structure (prohibited/high/limited/minimal), GPAI rules (Chapter V), and conformity regime (Articles 43–49) demand standalone compliance; intersections require sector-specific analysis per research gaps.

What is the first step to begin implementing **EU AI Act**?

**The first step to implement the EU AI Act is to conduct an AI inventory and risk classification to identify prohibited practices (Article 5) and high-risk systems (Article 6, Annexes I/III).** Map all systems/models, determine roles (provider/deployer), and document decisions; prioritize cessation of bans and GPAI obligations per phased timelines (prohibitions at 6 months, GPAI at 12 months post-1 August 2024).

What is the primary objective of **ISO 27017**?

**ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4).** Published in 2015, it addresses shared responsibilities between **cloud service providers (CSPs)** and **cloud service customers (CSCs)**, covering multi-tenancy segregation, virtual machine hardening, asset return/termination, administrative operations security, customer monitoring, and network alignment in public, private, or hybrid clouds.

Who is legally or professionally required to comply with **ISO 27017**?

**No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice.** Professionally, **CSPs** and **CSCs** with significant cloud footprints adopt it to demonstrate due diligence, especially in regulated sectors or procurement demanding cloud security assurance; ~94% of organizations use cloud services, with 61% reporting incidents driving its relevance.

Does **ISO 27017** require an external audit or third-party certification?

**ISO 27017 does not support standalone third-party certification or require external audits.** It integrates into an **ISO 27001 ISMS**, where auditors assess its 37 extended and 7 **CLD controls** during ISO 27001 Stage 1/2 audits; certification bodies may reference ISO 27017 conformity as an extension on the ISO 27001 certificate.

How often should an assessment for **ISO 27017** be performed?

**ISO 27017 assessments occur as part of annual ISO 27001 surveillance audits and triennial re-certification.** Controls must support continuous monitoring, with formal reviews triggered by significant changes like new cloud services; the standard, under 5-year ISO review (last confirmed 2024), aligns with ongoing ISMS risk assessments.

What are the consequences of non-compliance with **ISO 27017**?

**Non-compliance with ISO 27017 carries no direct legal penalties, as it is non-mandatory.** Indirect risks include failed ISO 27001 audits, procurement disqualification (e.g., missing cloud control evidence), heightened breach exposure from unaddressed multi-tenancy or shared responsibility gaps, and regulatory scrutiny under data laws for inadequate cloud security.

Can **ISO 27017** be mapped to other international frameworks?

**Yes, ISO 27017 maps directly to ISO 27001/27002 control structures for integrated ISMS use.** Its **CLD controls** and 37 guidance points align with NIST SP 800-53, CSA STAR, SOC 2, and PCI-DSS via shared themes like segregation and monitoring; ~70% of CSPs map it for multi-framework compliance.

What is the first step to begin implementing **ISO 27017**?

**Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls.** Define scope (IaaS/PaaS/SaaS), document **CSP/CSC shared responsibilities** per CLD.6.3.1, update the Statement of Applicability with the 7 **CLD controls** and 37 guidance areas, then implement via configurations and policies.

EU AI Act vs ISO 27017

Standards Comparison

EU AI Act

Mandatory

2024

EU regulation for risk-based AI system governance

ISO 27017

Voluntary

2015

International code of practice for cloud security controls.

Quick Verdict

EU AI Act mandates risk-based compliance for AI systems in EU with hefty fines, while ISO 27017 provides voluntary cloud security guidance extending ISO 27001. Companies adopt AI Act for legal EU market access; ISO 27017 for cloud assurance and audits.

Artificial Intelligence

EU AI Act

Regulation (EU) 2024/1689 Artificial Intelligence Act

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based four-tier AI classification framework
Prohibits unacceptable-risk AI practices outright
Mandates high-risk conformity assessments and CE marking
Regulates general-purpose AI models separately
Phased implementation with staggered deadlines

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security controls

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Introduces 7 cloud-specific CLD security controls
Clarifies shared responsibilities for CSPs and CSCs
Provides guidance for 37 ISO 27002 controls in cloud
Addresses multi-tenancy and VM segregation risks
Integrates with ISO 27001 ISMS certification

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EU AI Act Details

What It Is

Regulation (EU) 2024/1689, the EU AI Act, is a comprehensive horizontal regulation establishing a risk-based framework for AI systems across sectors. It prohibits unacceptable risks, regulates high-risk systems via lifecycle controls, mandates transparency for limited-risk AI, and minimally regulates others. Its product-safety approach treats AI as regulated products with conformity requirements.

Key Components

**Four risk tiersprohibited, high-risk (Annex I/III), limited-risk, minimal-risk.
**High-risk obligationsrisk management (Art. 9), data governance (Art. 10), documentation (Arts. 11-13), human oversight (Art. 14), cybersecurity (Art. 15).
GPAI rules (Chapter V) for foundation models, including systemic risk duties.
**Enforcementfines up to 7% global turnover; CE marking, EU database registration.

Why Organizations Use It

Mandated for EU market access, it mitigates legal risks, ensures compliance with extraterritorial scope, builds trust via transparency, and provides competitive edges in regulated sectors like HR, biometrics, infrastructure.

Implementation Overview

Phased rollout (6-36 months); involves AI inventory, classification, QMS integration, conformity assessments, post-market monitoring. Applies to providers/deployers EU-wide; requires cross-functional governance, no universal certification but notified bodies for some high-risk systems.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice extending ISO/IEC 27002 with cloud-specific information security controls. It provides implementation guidance for cloud services across IaaS, PaaS, SaaS, using a risk-based approach within an ISO 27001 ISMS.

Key Components

37 adapted ISO 27002 controls with cloud guidance
7 additional CLD controls (e.g., shared responsibilities, VM segregation, asset removal)
Structured around 14 security domains
Integrated into ISO 27001 certification via audit scope extension

Why Organizations Use It

Addresses shared responsibility in cloud models
Meets procurement, regulatory demands (e.g., GDPR alignment)
Mitigates multi-tenancy, virtualization risks
Builds stakeholder trust, competitive differentiation for CSPs/CSCs
Enables efficient risk management

Implementation Overview

Extend existing ISO 27001 ISMS with cloud risk assessments
Implement controls, update SoA, train staff
Applies to CSPs, CSCs globally, all sizes
Audited jointly (9-12 months typical)

Key Differences

Aspect	EU AI Act	ISO 27017
Scope	Risk-based AI systems, prohibitions, high-risk obligations	Cloud-specific information security controls
Industry	All sectors using AI in EU, global extraterritorial reach	Cloud providers and users, all industries globally
Nature	Mandatory EU regulation with fines	Voluntary guidance extending ISO 27001
Testing	Conformity assessments, notified bodies for high-risk	ISO 27001 audits including cloud controls
Penalties	Up to 7% global turnover fines	No legal penalties, certification loss only

Scope

EU AI Act

Risk-based AI systems, prohibitions, high-risk obligations

ISO 27017

Cloud-specific information security controls

Industry

EU AI Act

All sectors using AI in EU, global extraterritorial reach

ISO 27017

Cloud providers and users, all industries globally

Nature

EU AI Act

Mandatory EU regulation with fines

ISO 27017

Voluntary guidance extending ISO 27001

Testing

EU AI Act

Conformity assessments, notified bodies for high-risk

ISO 27017

ISO 27001 audits including cloud controls

Penalties

EU AI Act

Up to 7% global turnover fines

ISO 27017

No legal penalties, certification loss only

Frequently Asked Questions

Common questions about EU AI Act and ISO 27017

EU AI Act FAQ

ISO 27017 FAQ

You Might also be Interested in These Articles...

SOC 2 Audit Survival Guide: Auditor Questions, Red Flags, and Evidence Prep for First-Time Pass

Ace your SOC 2 audit with predicted auditor questions, model answers, red flags, and evidence checklists from CPA best practices & SignWell's journey. Reduce st

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

Deploy CIS Controls v8.1 as a control backbone for NIS2 & DORA compliance. Step-by-step roadmap (IG1→IG2), deliverables, metrics & evidence model for hybrid/clo

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Operationalize CIS Controls v8.1 with compliance monitoring software. Turn checklists into dashboards, tickets, and audit-proof workflows. Top 10 reasons it acc

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

FERPA vs GLBA

Discover FERPA vs GLBA: Compare education records privacy (FERPA) with financial data safeguards (GLBA). Unlock key differences, compliance tips, and strategies to protect sensitive info now.

RoHS vs CSA

Compare RoHS vs CSA: EU hazardous substance bans in electronics vs Canadian safety standards (Z1000/Z1002). Key differences, exemptions, testing & compliance. Achieve global market access!

GMP vs NIST 800-171

Explore GMP vs NIST 800-171: Compare pharma quality standards with CUI cybersecurity controls for compliance mastery. Safeguard ops & boost market access now!

EU AI Act

ISO 27017

Quick Verdict

EU AI Act

Key Features

ISO 27017

Key Features

Detailed Analysis

EU AI Act Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 27017 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EU AI Act FAQ

What is the primary objective of EU AI Act?

Who is legally or professionally required to comply with EU AI Act?

Does EU AI Act require an external audit or third-party certification?

How often should an assessment for EU AI Act be performed?

What are the consequences of non-compliance with EU AI Act?

Can EU AI Act be mapped to other international frameworks?

What is the first step to begin implementing EU AI Act?

ISO 27017 FAQ

What is the primary objective of ISO 27017?

Who is legally or professionally required to comply with ISO 27017?

Does ISO 27017 require an external audit or third-party certification?

How often should an assessment for ISO 27017 be performed?

What are the consequences of non-compliance with ISO 27017?

Can ISO 27017 be mapped to other international frameworks?

What is the first step to begin implementing ISO 27017?

You Might also be Interested in These Articles...

SOC 2 Audit Survival Guide: Auditor Questions, Red Flags, and Evidence Prep for First-Time Pass

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

FERPA vs GLBA

RoHS vs CSA

GMP vs NIST 800-171