Data, governance and high-risk systems: How to comply with the EU AI Act
"Without the right data, in the right place, firms could fall foul of not just the AI Act but also other privacy regulation."
It's been just over a month since the EU's AI Act partially came into force and placed new rules on European businesses.
On Sunday, February 2nd 2025, Chapters I and II of the EU AI Act took effect, introducing AI literacy requirements and the prohibition of a "very limited number" of use cases that "pose unacceptable risks in the EU".
The EU AI Act is the world’s first comprehensive AI regulation, setting a global precedent by introducing risk-based rules, transparency requirements, and strict compliance measures for AI developers and businesses. Find out more about the EU AI Act here.
We spoke to Adam Gale, Field CTO for AI and Cybersecurity at the intelligent data infrastructure company NetApp, to ask for his advice on how organisations should ensure they are ready to meet the full requirements of the Act.
How can leaders ensure their businesses is compliance-ready?
"Responsibility for meeting the requirements of the EU AI Act within an organisation will require preparation for compliance across all parts of a business. Engaging senior leadership to identify which artificial intelligence software is currently in use and what use is planned is the first step to a considered compliance strategy. By understanding where current and future AI fits within the EU AI Act’s risk framework, companies will be able to establish and drive requirements for compliance and identify which teams to involve in this process.
"Naturally, the data and storage team will play an important role here, as data management is a key requirement for AI. Having the right data strategy to meet compliance needs is more likely to make your AI a success. Data for AI needs to be accessible, secure and scalable. At NetApp, we provide intelligent data infrastructure and the most secure storage to manage and protect data.
"Everyone plays a role, from stopping AI usage in areas it has been prohibited, to making sure it is non-discriminatory, transparent and as environmentally friendly as possible. Working together will not only support companies to become compliance-ready but ensure that AI continues to abide by the regulatory framework."
How can companies ensure the correct protocols are in place to manage the risk categories underpinning the AI Act?
"It is as simple as reading the AI Act. Particularly, reading the requirements for each risk category. Once you have correctly identified which risk category your AI belongs to, you can then check and make sure that you are meeting the requirements.
"Most of the guidelines set out are good practice in developing new systems, so it is likely you are already meeting most of these requirements. However, some of the regulations require close attention, such as Article 12, ‘Record Keeping’, which requires automatic recording of an events ‘log’ for the lifetime of the system.
"Adopting the right tools as part of your AI strategy is critical. One of my favourite articles from the AI Act is Article 15, ‘Accuracy, Robustness and Cybersecurity’ which requires protection of AI from unauthorised third parties attempting to alter the use or performance of AI by exploiting the system vulnerabilities.
"Most of the tools to begin meeting this already exist, such as secure log storing which we offer with NetApp immutability, or the use of AI powered security solutions to leverage user behaviour, monitor for anomalies and send out an alert when a potential breach occurs.
"With the speed and force of attacks ever increasing, we need to protect AI with all the tools available to keep the door shut against threat actors. We can even use AI and automation for protection to identify, alert and respond to threats in real-time."
What data management practices are essential for meeting the AI Act’s requirements?
"Data governance plays a critical role in the success of AI, meeting the requirements of the AI Act and fuelling AI systems with clean data for more accurate and insightful results. Data cleansing ensures that the data put into AI is high-quality, while in-depth analysis of data helps identify patterns and potential biases.
"Categorisation allows for easier cleaning, analysing and labelling of data. Having all these practices in place is key to building and maintaining a well-oiled AI machine.
"Without the right data, in the right place, sorted, tagged and where needed, anonymised correctly, firms could fall foul of not just the AI Act but other privacy regulation.
"Depending on the industry a business operates in, the penalties for not managing data correctly may be severe."
How can establishing the right systems to record key events over an AI model’s lifetime ensure adequate traceability and legitimate authentication?
"High-risk AI requires thorough log-keeping and a level of traceability across the lifetime of the system, including inputting data, setting up a reference database and recording the identification of the person involved in verifying the results.
"This is paramount, especially when handling sensitive data in areas such as critical public sector infrastructure.
"Effective log-keeping means integrating secure storage to prevent information from being accessed and tampered with. Automating these systems streamlines data monitoring processes, speeds up compliance procedures, and alleviates burden on employees.
"Authentication and authorisation software can be leveraged to avoid accidental or deliberate attacks, with tools such as NetApp’s Multi-Admin Verification requiring dual-user authentication to complete sensitive tasks."
Have you got a story or insights to share? Get in touch and let us know.
