What is the primary objective of EU AI Act?

The primary objective of the EU AI Act is to establish a risk-based regulatory framework ensuring AI systems are safe, transparent, and respect fundamental rights across the EU. Regulation (EU) 2024/1689, effective from 1 August 2024, prohibits unacceptable-risk practices (Article 5), imposes lifecycle requirements on high-risk systems (Articles 9–15), mandates transparency for limited-risk systems (Article 50), and regulates general-purpose AI models (Chapter V), balancing innovation with protections for health, safety, and non-discrimination.

Who is legally or professionally required to comply with EU AI Act?

Providers, deployers, importers, distributors, and authorized representatives of AI systems used in the EU must comply with the EU AI Act. Providers develop or place high-risk systems on the market (Article 3(3)); deployers are professional users (Article 3(4)). Scope includes third-country entities if outputs are used in the EU (Article 2), covering high-risk uses in Annex I/III sectors like biometrics, employment, and critical infrastructure.

Does EU AI Act require an external audit or third-party certification?

High-risk AI systems require conformity assessment, which may involve third-party notified bodies and external audits, but internal assessments suffice in some cases. Article 43 mandates assessments (Annex VI internal or Annex VII third-party); notified bodies (Articles 28–39) issue certificates for certain Annex III systems, enabling CE marking (Article 48) and EU database registration (Article 49).

How often should an assessment for EU AI Act be performed?

Conformity assessments for high-risk AI systems must be performed before market placement and after substantial modifications, with continuous post-market monitoring. Article 61 requires reassessment post-modification (Article 3(23)); providers maintain ongoing risk management (Article 9) and monitoring plans (Article 72), including serious incident reporting (Article 73).

What are the consequences of non-compliance with EU AI Act?

Non-compliance with the EU AI Act incurs tiered administrative fines up to 7% of worldwide annual turnover or €35 million for prohibited practices. Article 99 sets fines up to 7% (€35M) for Article 5 violations, 3% (€15M) for other high-risk obligations, and 1.5% (€7.5M) for supplying incorrect information; remedies include market withdrawal, bans, and personal liability.

Can EU AI Act be mapped to other international frameworks?

Yes, the EU AI Act can be mapped to other frameworks via harmonized standards (Article 40), creating presumption of conformity. It aligns with existing EU product safety laws (Annex I) and supports voluntary codes like the GPAI Code of Practice, though sector-specific analysis is required for full interoperability.

What is the first step to begin implementing EU AI Act?

The first step is to conduct an AI inventory and classify systems by risk tier (unacceptable, high, limited, minimal). Map assets against Article 5 prohibitions, Article 6/Annex I/III high-risk criteria, and GPAI rules (Chapter V) to prioritize compliance, documenting decisions per Article 6(4).

What is the primary objective of MAS TRM?

MAS TRM's primary objective is to establish sound technology risk governance and maintain cyber resilience through defence-in-depth and continuous improvement of IT processes to preserve confidentiality, integrity, and availability (CIA) of data and systems. As per the January 2021 Guidelines (Preface 1.4), it promotes robust practices across financial institutions, with implementation proportionate to risk profile, service complexity, and technologies used.

Who is legally or professionally required to comply with MAS TRM?

MAS TRM applies to all financial institutions (FIs) supervised by MAS, including banks, insurers, capital market intermediaries, payment service providers, and fintech sandbox participants. Section 2.2 mandates proportionate implementation commensurate with risk and complexity; while supervisory guidance, non-observance is considered in MAS supervision, with enforcement precedents like fines and license revocations.

Does MAS TRM require an external audit or third-party certification?

MAS TRM requires an independent internal audit function to assess controls, risk management, and governance effectiveness (Sections 3.1.7, 15), but does not mandate external audits or third-party certification. FIs may use external penetration testing (e.g., annual for Internet-facing systems, Section 13.2.4) and industry standards, with deviations risk-assessed and approved.

How often should an assessment for MAS TRM be performed?

TRM assessments, including vulnerability assessments and penetration testing, must occur regularly commensurate with system criticality and exposure, with annual penetration testing required for Internet-accessible systems or after major changes (Section 13.1.1, 13.2.4). Risk frameworks, policies, and DR plans need periodic reviews (e.g., annual DR plan review, Section 8.2.2; regular policy updates, Section 3.2.1).

What are the consequences of non-compliance with MAS TRM?

Non-compliance with MAS TRM risks supervisory actions including fines, remediation directives, license conditions, revocations, and executive prohibitions, as MAS considers observance in supervision (Section 2.2). Examples: Additional capital requirements imposed on major banks for digital banking outages; CMS license revocation for governance failures.

Can MAS TRM be mapped to other international frameworks?

Yes, MAS TRM can and should be mapped to international frameworks like NIST CSF 2.0 and ISO 27001, as Section 3.2.1 encourages incorporating industry standards and best practices. It aligns with NIST's Identify-Protect-Detect-Respond-Recover-Govern and ISO's ISMS controls, facilitating ERM integration via risk registers and metrics (Section 4.5).

What is the first step to begin implementing MAS TRM?

The first step is to establish board-approved technology risk appetite/tolerance and appoint competent CIO/CTO/Head of IT and CISO/Head of Information Security, approved by the CEO (Sections 3.1.3, 3.1.7). This enables a sound TRM framework, asset inventory (Section 3.3), and proportionate controls.

Standards Comparison

EU AI Act vs MAS TRM

EU AI Act

Mandatory

2024

EU regulation for risk-based AI governance and safety

MAS TRM

Mandatory

2021

Singapore guidelines for technology risk management in finance.

Quick Verdict

EU AI Act mandates risk-based AI regulation across EU sectors with conformity and fines, while MAS TRM provides supervisory tech risk guidelines for Singapore FIs emphasizing governance and resilience. Organizations adopt AI Act for EU market access, TRM for regulatory compliance.

Artificial Intelligence

EU AI Act

Regulation (EU) 2024/1689 Artificial Intelligence Act

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based classification into four AI risk tiers
Prohibits unacceptable-risk AI practices outright
Requires conformity assessment and CE marking for high-risk AI
Imposes obligations on general-purpose AI models
Enforces via fines up to 7% global turnover

Technology Risk Management

MAS TRM

MAS Technology Risk Management Guidelines

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Board and senior management accountability for oversight
Proportional controls based on risk and criticality
End-to-end lifecycle from governance to audit
Third-party risk assessment and ongoing monitoring
Annual penetration testing for internet-facing systems

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EU AI Act Details

What It Is

EU AI Act (Regulation (EU) 2024/1689) is a comprehensive horizontal regulation for AI, entering force August 2024. It adopts a risk-based architecture prohibiting unacceptable risks, regulating high-risk systems, transparency for limited-risk, and minimal oversight for others. Scope covers AI value chain with extraterritorial reach.

Key Components

Four risk tiers: unacceptable (banned), high-risk (Annex I/III), limited-risk (transparency), minimal-risk.
High-risk obligations: risk management (Art. 9), data governance (Art. 10), documentation (Arts. 11-13), human oversight (Art. 14), cybersecurity (Art. 15).
GPAI rules (Chapter V) with systemic risk duties.
Conformity assessment, CE marking, EU registration; hybrid enforcement.

Why Organizations Use It

Mandatory for EU-market AI to avoid fines up to 7% global turnover. Builds trust, ensures market access, manages risks in sectors like employment, healthcare. Enhances governance, competitiveness via standards alignment.

Implementation Overview

Phased (6-36 months): inventory/classify AI, build QMS, conduct assessments. Cross-functional for all sizes; notified bodies for some high-risk. Ongoing monitoring required.

MAS TRM Details

What It Is

MAS Technology Risk Management (TRM) Guidelines (revised January 2021) are supervisory guidelines issued by Singapore's Monetary Authority of Singapore (MAS) for financial institutions. They provide principles-based guidance on managing technology and cyber risks across governance, operations, and resilience, emphasizing proportional implementation based on risk profile and complexity.

Key Components

15 main sections covering governance, risk frameworks, secure development, IT service management, resilience, access controls, cryptography, cyber operations, assessments, and audit.
Synthesized into 12 core principles like board accountability, asset classification, third-party oversight, and defence-in-depth.
No fixed controls; focuses on outcomes for CIA triad (confidentiality, integrity, availability).
Compliance via supervisory review, not formal certification.

Why Organizations Use It

Meets MAS supervisory expectations for licensed financial institutions.
Enhances cyber resilience, reduces incident impact, and builds stakeholder trust.
Supports digital transformation while mitigating systemic risks.

Implementation Overview

Risk-based approach: asset inventories, control mapping, testing regimes.
Applies to all MAS-supervised FIs; scalable by size/complexity.
Involves governance setup, policy development, training, and ongoing assurance. (178 words)

Key Differences

Aspect	EU AI Act	MAS TRM
Scope	AI systems risk classification, high-risk obligations	Technology/cyber risk governance, operations, resilience
Industry	All sectors using AI, EU-wide extraterritorial	Singapore financial institutions only
Nature	Mandatory EU regulation with fines	Supervisory guidelines, proportionate implementation
Testing	Conformity assessments, notified bodies	Penetration testing, vulnerability assessments annually
Penalties	Up to 7% global turnover fines	Supervisory actions, fines via other notices

Scope

EU AI Act

AI systems risk classification, high-risk obligations

MAS TRM

Technology/cyber risk governance, operations, resilience

Industry

EU AI Act

All sectors using AI, EU-wide extraterritorial

MAS TRM

Singapore financial institutions only

Nature

EU AI Act

Mandatory EU regulation with fines

MAS TRM

Supervisory guidelines, proportionate implementation

Testing

EU AI Act

Conformity assessments, notified bodies

MAS TRM

Penetration testing, vulnerability assessments annually

Penalties

EU AI Act

Up to 7% global turnover fines

MAS TRM

Supervisory actions, fines via other notices

Frequently Asked Questions

Common questions about EU AI Act and MAS TRM

EU AI Act FAQ

MAS TRM FAQ

You Might also be Interested in These Articles...

SEC Cybersecurity Rules Implementation Guide: Mastering Form 8-K Item 1.05 Materiality Determination and 4-Business-Day Reporting Workflow

Master SEC Form 8-K Item 1.05 compliance with step-by-step materiality assessment, incident workflows & Inline XBRL tagging. Beat the 4-business-day clock. Esse

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

Discover why the SEC's 2023 cybersecurity rules treat cyber risks as material financial threats. Explore the 'stick and carrot' approach for standardized disclo

Top 10 Reasons CMMC Level 3 Certification Unlocks Competitive Edge for Primes Handling Critical DoD Programs

Discover top 10 reasons CMMC Level 3 certification unlocks competitive edge for DoD primes. Reduced APT risks, procurement prefs, NIST 800-172 compliance via v2

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EU AI Act and MAS TRM compare against other standards

Other EU AI Act Comparisons

Other MAS TRM Comparisons

What It Is

Key Components

Four risk tiers: unacceptable (banned), high-risk (Annex I/III), limited-risk (transparency), minimal-risk.

High-risk obligations: risk management (Art. 9), data governance (Art. 10), documentation (Arts. 11-13), human oversight (Art. 14), cybersecurity (Art. 15).

GPAI rules (Chapter V) with systemic risk duties.

Conformity assessment, CE marking, EU registration; hybrid enforcement.

What It Is

Key Components

15 main sections covering governance, risk frameworks, secure development, IT service management, resilience, access controls, cryptography, cyber operations, assessments, and audit.

Synthesized into 12 core principles like board accountability, asset classification, third-party oversight, and defence-in-depth.

No fixed controls; focuses on outcomes for CIA triad (confidentiality, integrity, availability).

Compliance via supervisory review, not formal certification.

Aspect

EU AI Act

MAS TRM

Scope

AI systems risk classification, high-risk obligations

Technology/cyber risk governance, operations, resilience

Industry

All sectors using AI, EU-wide extraterritorial

Singapore financial institutions only

Nature

Mandatory EU regulation with fines

Supervisory guidelines, proportionate implementation

Testing

Conformity assessments, notified bodies

Penetration testing, vulnerability assessments annually

Penalties

Up to 7% global turnover fines

Supervisory actions, fines via other notices