EU AI Act
EU regulation for risk-based AI governance and compliance
ISO 28000
International standard for supply chain security management systems
Quick Verdict
EU AI Act mandates risk-based AI compliance for EU market access, with hefty fines. ISO 28000 offers voluntary supply chain security certification. Companies adopt AI Act to avoid penalties and sell legally; ISO 28000 for resilience, trust, and contracts.
EU AI Act
Regulation (EU) 2024/1689 Artificial Intelligence Act
Key Features
- Risk-based classification into four AI risk tiers
- Prohibits unacceptable-risk AI practices outright
- Mandates conformity assessments for high-risk systems
- Imposes dedicated GPAI model obligations
- Requires CE marking and EU registration
ISO 28000
ISO 28000:2022 Security Management Systems Requirements
Key Features
- Risk-based security management for supply chains
- PDCA cycle with continual improvement requirements
- Integration with ISO 31000 and 22301 standards
- Top management leadership and commitment mandates
- Operational security plans and incident response
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
EU AI Act Details
What It Is
Regulation (EU) 2024/1689, the EU Artificial Intelligence Act, is a comprehensive horizontal regulation establishing a risk-based framework for AI systems across sectors. It prohibits unacceptable risks, regulates high-risk AI via lifecycle obligations, mandates transparency for limited-risk systems, and minimally regulates others, with extraterritorial scope.
Key Components
- **Four risk tiers**: prohibited, high-risk (Annexes I/III), limited-risk, minimal-risk.
- High-risk requirements: risk management (Article 9), data governance (Article 10), documentation (Articles 11-13), human oversight (Article 14), cybersecurity (Article 15).
- GPAI obligations (Chapter V), conformity assessments, CE marking, EU database registration.
- Phased enforcement with fines up to 7% global turnover.
Why Organizations Use It
Mandatory for providers and deployers placing AI systems on the EU market; it mitigates legal risk, ensures market access, and builds trust through safety and transparency obligations. It also strengthens governance, reduces incidents, and provides a competitive edge in regulated sectors such as employment and healthcare.
Implementation Overview
A cross-functional program: inventory and classify AI systems, build the compliance systems (QMS, RMS), conduct conformity assessments, and monitor post-market. It applies to organizations of all sizes with EU-impacting operations and involves notified bodies for some high-risk cases.
ISO 28000 Details
What It Is
ISO 28000:2022 is an international certification standard specifying requirements for a security management system (SMS) focused on supply chain security. It adopts a risk-based approach using the Plan-Do-Check-Act (PDCA) cycle to manage threats like theft, sabotage, and disruptions.
Key Components
- Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
- Emphasizes risk assessment (aligned with ISO 31000), security policies, operational controls, and incident response plans.
- Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.
- Certification via third-party audits per ISO 28003.
Why Organizations Use It
- Reduces supply chain risks, ensures compliance, and meets partner requirements.
- Delivers business continuity, insurance savings, and market access.
- Builds stakeholder trust through auditable governance.
Implementation Overview
- Phased: gap analysis, risk assessment, controls deployment, training, audits.
- Applicable to all sizes/industries; 12-18 months typical for certification.
Key Differences
| Aspect | EU AI Act | ISO 28000 |
|---|---|---|
| Scope | AI systems by risk levels, lifecycle controls | Supply chain security management system |
| Industry | All sectors using AI in EU, global reach | Logistics, manufacturing, any supply chain |
| Nature | Mandatory EU regulation with fines | Voluntary ISO certification standard |
| Testing | Conformity assessments, notified bodies | Internal audits, management reviews |
| Penalties | Up to 7% global turnover fines | Loss of certification, no legal fines |