What is the primary objective of **EU AI Act**?

**The primary objective of the EU AI Act is to establish a risk-based regulatory framework ensuring AI systems are safe, transparent, and respect fundamental rights across the EU.** Regulation (EU) 2024/1689, effective from 1 August 2024, prohibits unacceptable-risk practices (Article 5), imposes lifecycle requirements on high-risk systems (Articles 9–15), mandates transparency for limited-risk systems (Article 50), and regulates general-purpose AI models (Chapter V), balancing innovation with protections for health, safety, and non-discrimination.

Who is legally or professionally required to comply with **EU AI Act**?

**Providers, deployers, importers, distributors, and authorized representatives of AI systems used in the EU must comply with the EU AI Act.** Providers develop or place high-risk systems on the market (Article 3(3)); deployers are professional users (Article 3(4)). Scope includes third-country entities if outputs are used in the EU (Article 2), covering high-risk uses in Annex I/III sectors like biometrics, employment, and critical infrastructure.

Does **EU AI Act** require an external audit or third-party certification?

**High-risk AI systems require conformity assessment, which may involve third-party notified bodies and external audits, but internal assessments suffice in some cases.** Article 43 mandates assessments (Annex VI internal or Annex VII third-party); notified bodies (Articles 28–39) issue certificates for certain Annex III systems, enabling CE marking (Article 48) and EU database registration (Article 49).

How often should an assessment for **EU AI Act** be performed?

**Conformity assessments for high-risk AI systems must be performed before market placement and after substantial modifications, with continuous post-market monitoring.** Article 61 requires reassessment post-modification (Article 3(23)); providers maintain ongoing risk management (Article 9) and monitoring plans (Article 72), including serious incident reporting (Article 73).

What are the consequences of non-compliance with **EU AI Act**?

**Non-compliance with the EU AI Act incurs tiered administrative fines up to 7% of worldwide annual turnover or €40 million for prohibited practices.** Article 99 sets fines up to 7% (€40M) for Article 5 violations, 3% (€20M) for other high-risk obligations, and 2% (€10M) for remaining breaches; remedies include market withdrawal, bans, and personal liability.

Can **EU AI Act** be mapped to other international frameworks?

**Yes, the EU AI Act can be mapped to other frameworks via harmonized standards (Article 40), creating presumption of conformity.** It aligns with existing EU product safety laws (Annex I) and supports voluntary codes like the GPAI Code of Practice, though sector-specific analysis is required for full interoperability.

What is the first step to begin implementing **EU AI Act**?

**The first step is to conduct an AI inventory and classify systems by risk tier (unacceptable, high, limited, minimal).** Map assets against Article 5 prohibitions, Article 6/Annex I/III high-risk criteria, and GPAI rules (Chapter V) to prioritize compliance, documenting decisions per Article 6(4).

What is the primary objective of **MAS TRM**?

**MAS TRM's primary objective is to establish sound technology risk governance and maintain cyber resilience through defence-in-depth and continuous improvement of IT processes to preserve confidentiality, integrity, and availability (CIA) of data and systems.** As per the January 2021 Guidelines (Preface 1.4), it promotes robust practices across financial institutions, with implementation proportionate to risk profile, service complexity, and technologies used.

Who is legally or professionally required to comply with **MAS TRM**?

**MAS TRM applies to all financial institutions (FIs) supervised by MAS, including banks, insurers, capital market intermediaries, payment service providers, and fintech sandbox participants.** Section 2.2 mandates proportionate implementation commensurate with risk and complexity; while supervisory guidance, non-observance is considered in MAS supervision, with enforcement precedents like fines and license revocations.

Does **MAS TRM** require an external audit or third-party certification?

**MAS TRM requires an independent internal audit function to assess controls, risk management, and governance effectiveness (Sections 3.1.7, 15), but does not mandate external audits or third-party certification.** FIs may use external penetration testing (e.g., annual for Internet-facing systems, Section 13.2.4) and industry standards, with deviations risk-assessed and approved.

How often should an assessment for **MAS TRM** be performed?

**TRM assessments, including vulnerability assessments and penetration testing, must occur regularly commensurate with system criticality and exposure, with annual penetration testing required for Internet-accessible systems or after major changes (Section 13.1.1, 13.2.4).** Risk frameworks, policies, and DR plans need periodic reviews (e.g., annual DR plan review, Section 8.2.2; regular policy updates, Section 3.2.1).

What are the consequences of non-compliance with **MAS TRM**?

**Non-compliance with MAS TRM risks supervisory actions including fines, remediation directives, license conditions, revocations, and executive prohibitions, as MAS considers observance in supervision (Section 2.2).** Examples: S$27.45M fines across nine FIs for AML/CFT lapses tied to tech gaps; CMS license revocation for governance failures.

Can **MAS TRM** be mapped to other international frameworks?

**Yes, MAS TRM can and should be mapped to international frameworks like NIST CSF 2.0 and ISO 27001, as Section 3.2.1 encourages incorporating industry standards and best practices.** It aligns with NIST's Identify-Protect-Detect-Respond-Recover-Govern and ISO's ISMS controls, facilitating ERM integration via risk registers and metrics (Section 4.5).

What is the first step to begin implementing **MAS TRM**?

**The first step is to establish board-approved technology risk appetite/tolerance and appoint competent CIO/CTO/Head of IT and CISO/Head of Information Security, approved by the CEO (Sections 3.1.3, 3.1.7).** This enables a sound TRM framework, asset inventory (Section 3.3), and proportionate controls.

EU AI Act vs MAS TRM

Standards Comparison

EU AI Act

Mandatory

2024

EU regulation for risk-based AI governance and safety

MAS TRM

Mandatory

2021

Singapore guidelines for technology risk management in finance.

Quick Verdict

EU AI Act mandates risk-based AI regulation across EU sectors with conformity and fines, while MAS TRM provides supervisory tech risk guidelines for Singapore FIs emphasizing governance and resilience. Organizations adopt AI Act for EU market access, TRM for regulatory compliance.

Artificial Intelligence

EU AI Act

Regulation (EU) 2024/1689 Artificial Intelligence Act

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based classification into four AI risk tiers
Prohibits unacceptable-risk AI practices outright
Requires conformity assessment and CE marking for high-risk AI
Imposes obligations on general-purpose AI models
Enforces via fines up to 7% global turnover

Technology Risk Management

MAS TRM

MAS Technology Risk Management Guidelines

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Board and senior management accountability for oversight
Proportional controls based on risk and criticality
End-to-end lifecycle from governance to audit
Third-party risk assessment and ongoing monitoring
Annual penetration testing for internet-facing systems

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EU AI Act Details

What It Is

EU AI Act (Regulation (EU) 2024/1689) is a comprehensive horizontal regulation for AI, entering force August 2024. It adopts a risk-based architecture prohibiting unacceptable risks, regulating high-risk systems, transparency for limited-risk, and minimal oversight for others. Scope covers AI value chain with extraterritorial reach.

Key Components

**Four risk tiersunacceptable (banned), high-risk (Annex I/III), limited-risk (transparency), minimal-risk.
High-risk obligations: risk management (Art. 9), data governance (Art. 10), documentation (Arts. 11-13), human oversight (Art. 14), cybersecurity (Art. 15).
GPAI rules (Chapter V) with systemic risk duties.
Conformity assessment, CE marking, EU registration; hybrid enforcement.

Why Organizations Use It

Mandatory for EU-market AI to avoid fines up to 7% global turnover. Builds trust, ensures market access, manages risks in sectors like employment, healthcare. Enhances governance, competitiveness via standards alignment.

Implementation Overview

Phased (6-36 months): inventory/classify AI, build QMS, conduct assessments. Cross-functional for all sizes; notified bodies for some high-risk. Ongoing monitoring required.

MAS TRM Details

What It Is

MAS Technology Risk Management (TRM) Guidelines (revised January 2021) are supervisory guidelines issued by Singapore's Monetary Authority of Singapore (MAS) for financial institutions. They provide principles-based guidance on managing technology and cyber risks across governance, operations, and resilience, emphasizing proportional implementation based on risk profile and complexity.

Key Components

15 main sections covering governance, risk frameworks, secure development, IT service management, resilience, access controls, cryptography, cyber operations, assessments, and audit.
Synthesized into 12 core principles like board accountability, asset classification, third-party oversight, and defence-in-depth.
No fixed controls; focuses on outcomes for CIA triad (confidentiality, integrity, availability).
Compliance via supervisory review, not formal certification.

Why Organizations Use It

Meets MAS supervisory expectations for licensed financial institutions.
Enhances cyber resilience, reduces incident impact, and builds stakeholder trust.
Supports digital transformation while mitigating systemic risks.

Implementation Overview

Risk-based approach: asset inventories, control mapping, testing regimes.
Applies to all MAS-supervised FIs; scalable by size/complexity.
Involves governance setup, policy development, training, and ongoing assurance. (178 words)

Key Differences

Aspect	EU AI Act	MAS TRM
Scope	AI systems risk classification, high-risk obligations	Technology/cyber risk governance, operations, resilience
Industry	All sectors using AI, EU-wide extraterritorial	Singapore financial institutions only
Nature	Mandatory EU regulation with fines	Supervisory guidelines, proportionate implementation
Testing	Conformity assessments, notified bodies	Penetration testing, vulnerability assessments annually
Penalties	Up to 7% global turnover fines	Supervisory actions, fines via other notices

Scope

EU AI Act

AI systems risk classification, high-risk obligations

MAS TRM

Technology/cyber risk governance, operations, resilience

Industry

EU AI Act

All sectors using AI, EU-wide extraterritorial

MAS TRM

Singapore financial institutions only

Nature

EU AI Act

Mandatory EU regulation with fines

MAS TRM

Supervisory guidelines, proportionate implementation

Testing

EU AI Act

Conformity assessments, notified bodies

MAS TRM

Penetration testing, vulnerability assessments annually

Penalties

EU AI Act

Up to 7% global turnover fines

MAS TRM

Supervisory actions, fines via other notices

Frequently Asked Questions

Common questions about EU AI Act and MAS TRM

EU AI Act FAQ

MAS TRM FAQ

You Might also be Interested in These Articles...

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

Discover 5 ways modern compliance software turns evolving regulations into strategic advantage. Automate monitoring, cut 3x non-compliance costs, stay audit-rea

Top 5 Reasons TISAX Tabletop Exercises Prevent €10M+ Supply Chain Breaches for ADAS Tier 1 Suppliers in 2025

Unlock top 5 reasons TISAX tabletop exercises deliver 4:1 ROI preventing €10M+ supply chain breaches for ADAS Tier 1 suppliers. ENX case studies & VDA ISA contr

Beyond the Checkbox: Why Maturity Assessments are the Secret to Sustainable Compliance

Discover why maturity assessments beat binary compliance checks by uncovering hidden gaps and enabling continuous improvement for sustainable success. Read now!

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 41001

Discover MLPS 2.0 vs ISO 41001: China's cybersecurity framework meets global facility mgmt std. Key gaps, compliance strategies & integration tips for resilient ops. Dive in!

CCPA vs ISO 31000

Compare CCPA vs ISO 31000: Privacy law mandates meet risk framework guidelines. Unlock compliance strategies, fines avoidance & resilience. Explore key differences now!

PCI DSS vs PRINCE2

PCI DSS vs PRINCE2: Compare payment security standard & project mgmt methodology. Uncover differences, compliance benefits & when to use each for success. Boost your strategy now!

EU AI Act

MAS TRM

Quick Verdict

EU AI Act

Key Features

MAS TRM

Key Features

Detailed Analysis

EU AI Act Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

MAS TRM Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EU AI Act FAQ

What is the primary objective of EU AI Act?

Who is legally or professionally required to comply with EU AI Act?

Does EU AI Act require an external audit or third-party certification?

How often should an assessment for EU AI Act be performed?

What are the consequences of non-compliance with EU AI Act?

Can EU AI Act be mapped to other international frameworks?

What is the first step to begin implementing EU AI Act?

MAS TRM FAQ

What is the primary objective of MAS TRM?

Who is legally or professionally required to comply with MAS TRM?

Does MAS TRM require an external audit or third-party certification?

How often should an assessment for MAS TRM be performed?

What are the consequences of non-compliance with MAS TRM?

Can MAS TRM be mapped to other international frameworks?

What is the first step to begin implementing MAS TRM?

You Might also be Interested in These Articles...

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

Top 5 Reasons TISAX Tabletop Exercises Prevent €10M+ Supply Chain Breaches for ADAS Tier 1 Suppliers in 2025

Beyond the Checkbox: Why Maturity Assessments are the Secret to Sustainable Compliance

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 41001

CCPA vs ISO 31000

PCI DSS vs PRINCE2