What is the primary objective of EU AI Act?

The primary objective of the EU AI Act is to establish a risk-based framework regulating AI systems to ensure safety, fundamental rights protection, and market access while fostering trustworthy innovation. Regulation (EU) 2024/1689, effective 1 August 2024, prohibits unacceptable-risk practices (Article 5), imposes lifecycle obligations on high-risk systems (Articles 9–15), mandates transparency for limited-risk systems (Article 50), and regulates general-purpose AI models (Chapter V), with phased applicability up to 36 months.

Who is legally or professionally required to comply with EU AI Act?

Providers, deployers, importers, distributors, and authorized representatives of AI systems used in the EU or producing EU outputs must comply with the EU AI Act. Providers develop or place high-risk systems on the market (Article 3(3)); deployers are professional users (Article 3(4)). Scope captures third-country entities via extraterritorial reach (Article 2), including GPAI providers (Articles 51–56).

Does EU AI Act require an external audit or third-party certification?

High-risk AI systems require conformity assessment, which may involve third-party notified bodies and certification for certain categories. Internal assessments suffice under Annex VI; third-party via notified bodies (Articles 28–39, Annex VII) for Annex III biometrics or law enforcement uses. EU Declaration of Conformity (Article 47) and CE marking (Article 48) follow, with EU database registration (Article 49).

How often should an assessment for EU AI Act be performed?

Conformity assessments for high-risk AI must occur before market placement, after substantial modifications, and through continuous post-market monitoring. Risk management (Article 9) and monitoring (Article 72) are lifecycle processes; logs retained at least six months (Article 12); serious incidents reported without delay (Article 73).

What are the consequences of non-compliance with EU AI Act?

Non-compliance with the EU AI Act incurs tiered administrative fines up to 7% of worldwide annual turnover or €35 million for prohibited practices. Up to 3% or €15 million for high-risk/GPAI failures (Articles 99–101); market bans, product recalls, and personal liability apply via national authorities and AI Office (Articles 64–74).

Can EU AI Act be mapped to other international frameworks?

Yes, the EU AI Act can be mapped to international frameworks like ISO/IEC 42001 for AI management systems and the NIST AI RMF.

What is the first step to begin implementing EU AI Act?

The first step is to inventory all AI systems/models, classify by risk tier (prohibited, high-risk via Annexes I/III, limited, minimal), and document decisions. Screen for Article 5 prohibitions; identify provider/deployer roles; prioritize high-risk conformity per Article 6.

What is the primary objective of ISO 28000?

ISO 28000:2022 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, embed top management leadership, and ensure performance evaluation through monitoring, audits, and reviews. The standard is sector-agnostic, applicable to all organization sizes, focusing on holistic governance rather than prescriptive controls.

Who is legally or professionally required to comply with ISO 28000?

ISO 28000 is voluntary and not legally mandated, but professionally required for organizations facing contractual, regulatory, or market-driven supply chain security obligations. It applies to all types and sizes—logistics providers, manufacturers, retailers, ports, government agencies—handling goods transport, storage, or interdependencies. Compliance is driven by customer flow-down requirements, trade facilitation programs, insurer demands, or due diligence in high-risk sectors like pharmaceuticals or defense, where weakest-link vulnerabilities demand structured SMS assurance.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 requires internal audits at planned intervals but supports optional third-party certification via ISO 28003 guidelines for certification bodies. Clause 9.2 mandates a risk-based internal audit program to verify SMS conformity and effectiveness, with documented results. External verification (Stage 1 documentation review, Stage 2 implementation audit) follows, with surveillance audits post-certification. Certification demonstrates maturity to stakeholders but is an outcome of sustained PDCA, not a prerequisite.

How often should an assessment for ISO 28000 be performed?

ISO 28000 requires risk assessments to be maintained continuously, with internal audits at planned risk-based intervals and management reviews at defined periods. Clause 8.3 mandates ongoing risk assessment and treatment processes aligned with ISO 31000; Clause 9.1 specifies monitoring/measurement timing; Clause 9.2 requires an audit program considering prior results and risks. Management reviews (Clause 9.3) occur at planned intervals, typically annually, reviewing performance, changes, and nonconformities to drive continual improvement.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 results in operational risks like supply chain disruptions, loss of certification, contractual penalties, and heightened vulnerability to incidents. Without SMS discipline, organizations face increased theft, sabotage, or regulatory scrutiny, eroding stakeholder trust and market access. Internally, failed audits trigger corrective actions; externally, it invites customer rejection, insurer premium hikes, or legal liability from unaddressed risks, underscoring the standard's role in value protection.

Can ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with ISO's high-level structure, enabling mapping to frameworks like ISO 31000 for risk management and ISO 22301 for business continuity. Its PDCA clauses (4–10) support integrated systems via shared elements: risk/opportunity planning (Clause 6), operational controls (Clause 8), and audits/reviews (Clause 9). Bibliography references facilitate consistency in vocabulary (ISO 22300), risk processes, and security plans, reducing duplication in multi-standard environments.

What is the first step to begin implementing ISO 28000?

The first step is determining the organization's context, interested parties, and SMS scope per Clause 4. Map internal/external issues (threats, regulations, supply chain dependencies), identify relevant requirements, and document boundaries including externally provided processes. This foundation informs leadership policy (Clause 5), risk planning (Clause 6), and ensures tailored, proportionate implementation.

Standards Comparison

EU AI Act vs ISO 28000

EU AI Act

Mandatory

2024

EU regulation for risk-based AI governance and compliance

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

EU AI Act mandates risk-based AI compliance for EU market access, with hefty fines. ISO 28000 offers voluntary supply chain security certification. Companies adopt AI Act to avoid penalties and sell legally; ISO 28000 for resilience, trust, and contracts.

Artificial Intelligence

EU AI Act

Regulation (EU) 2024/1689 Artificial Intelligence Act

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based classification into four AI risk tiers
Prohibits unacceptable-risk AI practices outright
Mandates conformity assessments for high-risk systems
Imposes dedicated GPAI model obligations
Requires CE marking and EU registration

Supply Chain Security

ISO 28000

ISO 28000:2022 Security Management Systems Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based security management for supply chains
PDCA cycle with continual improvement requirements
Integration with ISO 31000 and 22301 standards
Top management leadership and commitment mandates
Operational security plans and incident response

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EU AI Act Details

What It Is

Regulation (EU) 2024/1689, the EU Artificial Intelligence Act, is a comprehensive horizontal regulation establishing a risk-based framework for AI systems across sectors. It prohibits unacceptable risks, regulates high-risk AI via lifecycle obligations, mandates transparency for limited-risk systems, and minimally regulates others, with extraterritorial scope.

Key Components

Four risk tiers: prohibited, high-risk (Annexes I/III), limited-risk, minimal-risk.
High-risk requirements: risk management (Article 9), data governance (Article 10), documentation (Articles 11-13), human oversight (Article 14), cybersecurity (Article 15).
GPAI obligations (Chapter V), conformity assessments, CE marking, EU database registration.
Phased enforcement with fines up to 7% global turnover.

Why Organizations Use It

Mandatory for EU-market AI providers/deployers; mitigates legal risks, ensures market access, builds trust via safety/transparency. Enhances governance, reduces incidents, provides competitive edge in regulated sectors like employment, healthcare.

Implementation Overview

Cross-functional program: inventory/classify AI, build compliance systems (QMS, RMS), conduct assessments, monitor post-market. Applies to all sizes in EU-impacting operations; involves notified bodies for some high-risk cases. (178 words)

ISO 28000 Details

What It Is

ISO 28000:2022 is an international certification standard specifying requirements for a security management system (SMS) focused on supply chain security. It adopts a risk-based approach using the Plan-Do-Check-Act (PDCA) cycle to manage threats like theft, sabotage, and disruptions.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
Emphasizes risk assessment (aligned with ISO 31000), security policies, operational controls, and incident response plans.
Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.
Certification via third-party audits per ISO 28003.

Why Organizations Use It

Reduces supply chain risks, ensures compliance, and meets partner requirements.
Delivers business continuity, insurance savings, and market access.
Builds stakeholder trust through auditable governance.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, training, audits.
Applicable to all sizes/industries; 12-18 months typical for certification.

Key Differences

Aspect	EU AI Act	ISO 28000
Scope	AI systems by risk levels, lifecycle controls	Supply chain security management system
Industry	All sectors using AI in EU, global reach	Logistics, manufacturing, any supply chain
Nature	Mandatory EU regulation with fines	Voluntary ISO certification standard
Testing	Conformity assessments, notified bodies	Internal audits, management reviews
Penalties	Up to 7% global turnover fines	Loss of certification, no legal fines

Scope

EU AI Act

AI systems by risk levels, lifecycle controls

ISO 28000

Supply chain security management system

Industry

EU AI Act

All sectors using AI in EU, global reach

ISO 28000

Logistics, manufacturing, any supply chain

Nature

EU AI Act

Mandatory EU regulation with fines

ISO 28000

Voluntary ISO certification standard

Testing

EU AI Act

Conformity assessments, notified bodies

ISO 28000

Internal audits, management reviews

Penalties

EU AI Act

Up to 7% global turnover fines

ISO 28000

Loss of certification, no legal fines

Frequently Asked Questions

Common questions about EU AI Act and ISO 28000

EU AI Act FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Uncover top 5 unseen complexities modern compliance software manages effortlessly—from sensitive data mapping to real-time regulatory shifts. Automate audits, i

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

ISO 27701 Standalone Certification in 2025: Debunking Myths and Navigating the New Reality

Debunk myths on ISO 27701 standalone certification post-2025. Clarify viability, accreditation bodies, ISO 27001 audit differences & procurement benefits. Guide

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EU AI Act and ISO 28000 compare against other standards

Other EU AI Act Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Four risk tiers: prohibited, high-risk (Annexes I/III), limited-risk, minimal-risk.

High-risk requirements: risk management (Article 9), data governance (Article 10), documentation (Articles 11-13), human oversight (Article 14), cybersecurity (Article 15).

GPAI obligations (Chapter V), conformity assessments, CE marking, EU database registration.

Phased enforcement with fines up to 7% global turnover.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.

Emphasizes risk assessment (aligned with ISO 31000), security policies, operational controls, and incident response plans.

Built on harmonized ISO structure for integration with standards like ISO 22301 and ISO 27001.

Certification via third-party audits per ISO 28003.

Aspect

EU AI Act

ISO 28000

Scope

AI systems by risk levels, lifecycle controls

Supply chain security management system

Industry

All sectors using AI in EU, global reach

Logistics, manufacturing, any supply chain

Nature

Mandatory EU regulation with fines

Voluntary ISO certification standard

Testing

Conformity assessments, notified bodies

Internal audits, management reviews

Penalties

Up to 7% global turnover fines

Loss of certification, no legal fines