A is correct: Under the EU AI Act, cybersecurity is an essential requirement for high-risk AI systems as defined in Article 15. A high-risk AI system that is not cybersecure is by definition not safe under the Act. Providers must implement technical measures to ensure resilience against adversarial attacks, prevent data manipulation, and protect against unauthorized access. These cybersecurity measures must remain active throughout the entire operational lifecycle, not just at the initial deployment stage.
B is incorrect: The EU AI Act requires that cybersecurity measures for high-risk AI systems span the entire lifecycle, not just the conformity assessment phase. Article 9 mandates an iterative risk management process that must remain active throughout the system's operational life. Post-market monitoring obligations further require providers to continuously collect and review information relevant to system performance and security, applying corrective actions as needed.
C is incorrect: The EU AI Act's cybersecurity requirements for high-risk AI systems apply regardless of whether the system processes personal data. Cybersecurity is an essential requirement tied to system safety, not data privacy. While GDPR may apply concurrently when personal data is involved, the AI Act's mandate for resilience against adversarial attacks, data manipulation prevention, and unauthorized access protection applies to all high-risk AI systems based on their risk classification alone.
D is incorrect: For high-risk AI systems under the EU AI Act, cybersecurity is a mandatory requirement, not a voluntary recommendation. Voluntary codes of conduct apply to minimal-risk AI systems. High-risk systems must demonstrate compliance with cybersecurity requirements as part of their conformity assessment before market placement, including technical measures for robustness, resilience against adversarial attacks, and protection against unauthorized manipulation.