What It Is

Regulation (EU) 2024/1689, the EU AI Act, is a comprehensive horizontal regulation establishing a risk-based framework for AI systems. It prohibits unacceptable-risk practices, regulates high-risk systems via lifecycle controls, mandates transparency for limited-risk AI, and oversees general-purpose AI models, applying extraterritorially to EU outputs.

Key Components

• **Four risk tiersunacceptable (banned), high-risk (conformity assessments), limited (transparency), minimal (voluntary).
• High-risk obligations: risk management (Article 9), data governance (Article 10), documentation (Articles 11-13), human oversight (Article 14), cybersecurity (Article 15).
• GPAI duties: technical documentation, systemic risk evaluations (Chapter V).
• Enforcement via AI Office, national authorities, fines up to 7% global turnover.

Why Organizations Use It

Mandated for EU market access, it mitigates legal risks, ensures product safety, builds trust, and enables compliant innovation amid penalties and surveillance.

Implementation Overview

Phased rollout (prohibitions 6 months, GPAI 12 months, high-risk 24-36 months). Involves AI inventory, classification, QMS integration, conformity assessments, CE marking, post-market monitoring. Applies to providers/deployers across sectors; requires cross-functional governance, documentation, audits.

What It Is

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF), Version 1.0 (May 2017), is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia. Its primary purpose is to ensure cybersecurity resilience through governance, risk management, and controls, protecting confidentiality, integrity, and availability of information assets. It employs a principle-based, risk-oriented approach with a six-level maturity model, targeting at least Level 3 (structured and formalized).

Key Components

• Four main domains: Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, Third-Party Cyber Security.
• Numerous subdomains with principles, objectives, and control considerations (over 100 subcontrols).
• Built on NIST, ISO 27001, PCI-DSS; compliance via self-assessment and SAMA audits, no external certification.

Why Organizations Use It

• Mandatory for banks, insurers, finance firms to avoid penalties, audits, fines.
• Enhances resilience, reduces incidents, improves efficiency; strategic edge in partnerships, market access.
• Builds stakeholder trust, supports Vision 2030 digital economy.

Implementation Overview

Phased roadmap: initiation/gap analysis, risk assessment, design/deployment, operate/monitor, audit/improve. Applies to all SAMA entities; requires board sponsorship, tools like SIEM/GRC, periodic self-assessments.