DISC InfoSec blogBuilding Trust with High-Risk AI: What Article 15 of the EU AI Act Means for Accuracy, Robustness & Cybersecurity

Aug 06 2025

Building Trust with High-Risk AI: What Article 15 of the EU AI Act Means for Accuracy, Robustness & Cybersecurity

Category: AI,Information Security — disc7 @ 4:06 pm

As AI adoption accelerates, especially in regulated or high-impact sectors, the European Union is setting the bar for responsible development. Article 15 of the EU AI Act lays out clear obligations for providers of high-risk AI systems—focusing on accuracy, robustness, and cybersecurity throughout the AI system’s lifecycle. Here’s what that means in practice—and why it matters now more than ever.

1. Security and Reliability From Day One

The AI Act demands that high-risk AI systems be designed with integrity and resilience from the ground up. That means integrating controls for accuracy, robustness, and cybersecurity not only at deployment but throughout the entire lifecycle. It’s a shift from reactive patching to proactive engineering.

2. Accuracy Is a Design Requirement

Gone are the days of vague performance promises. Under Article 15, providers must define and document expected accuracy levels and metrics in the user instructions. This transparency helps users and regulators understand how the system should perform—and flags any deviation from those expectations.

3. Guarding Against Exploitation

AI systems must also be robust against manipulation, whether it’s malicious input, adversarial attacks, or system misuse. This includes protecting against changes to the AI’s behavior, outputs, or performance caused by vulnerabilities or unauthorized interference.

4. Taming Feedback Loops in Learning Systems

Some AI systems continue learning even after deployment. That’s powerful—but dangerous if not governed. Article 15 requires providers to minimize or eliminate harmful feedback loops, which could reinforce bias or lead to performance degradation over time.

5. Compliance Isn’t Optional—It’s Auditable

The Act calls for documented procedures that demonstrate compliance with accuracy, robustness, and security standards. This includes verifying third-party contributions to system development. Providers must be ready to show their work to market surveillance authorities (MSAs) on request.

6. Leverage the Cyber Resilience Act

If your high-risk AI system also falls under the scope of the EU Cyber Resilience Act (CRA), good news: meeting the CRA’s essential cybersecurity requirements can also satisfy the AI Act’s demands. Providers should assess the overlap and streamline their compliance strategies.

7. Don’t Forget the GDPR

When personal data is involved, Article 15 interacts directly with the GDPR—especially Articles 5(1)(d), 5(1)(f), and 32, which address accuracy and security. If your organization is already GDPR-compliant, you’re on the right track, but Article 15 still demands additional technical and operational precision.

Final Thought:

Article 15 raises the bar for how we build, deploy, and monitor high-risk AI systems. It doesn’t just aim to prevent failures—it pushes providers to deliver trustworthy, resilient, and secure AI from the start. For organizations that embrace this proactively, it’s not just about avoiding fines—it’s about building AI systems that earn trust and deliver long-term value.