Glossary
What Is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive, horizontal AI law. It entered into force on 1 August 2024, with obligations phasing in through August 2027. It establishes a risk-based framework: prohibited practices; high-risk AI systems subject to conformity assessment and post-market monitoring; transparency obligations for limited-risk systems; and free use of minimal-risk systems. For security teams, the most concrete requirement is Article 55: providers of general-purpose AI (GPAI) models with systemic risk must perform model evaluation, including adversarial testing (red-teaming), to identify and mitigate systemic risks.
Where penetration testing fits
For high-risk AI systems (Annex III: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and border control, administration of justice), Article 15 requires an "appropriate level of accuracy, robustness, and cybersecurity" that is maintained throughout the system's lifecycle. Article 9 mandates a continuous, iterative risk-management system, and Article 17 a quality-management system. Pentesting evidence supports all three, as part of the technical documentation that backs the conformity assessment; a pentest report is supporting evidence, not a conformity assessment in itself.
For GPAI models with systemic risk (Article 51: a model is presumed to have systemic risk when its cumulative training compute exceeds 10²⁵ FLOPs, or when the Commission designates it), Article 55 requires providers to perform state-of-the-art model evaluation, including conducting and documenting adversarial testing (red-teaming), as an ongoing obligation for as long as the model is on the market. Article 55 also requires an adequate level of cybersecurity protection for the model itself and for its physical infrastructure, and tracking and reporting of serious incidents.
Compliance timeline
- 2 Feb 2025: prohibited-practices ban and AI-literacy obligations apply
- 2 Aug 2025: GPAI obligations, governance structure and most of the penalties framework apply (fines for GPAI providers under Article 101 follow on 2 Aug 2026)
- 2 Aug 2026: most remaining obligations, including those for Annex III high-risk AI systems and the transparency obligations, apply
- 2 Aug 2027: obligations for high-risk AI systems that are safety components of products covered by Annex I product legislation (medical devices, machinery, etc.) apply; GPAI models already on the market before 2 Aug 2025 must comply by this date
How SQUR maps to EU AI Act
SQUR assesses its autonomous-pentest validator as a limited-risk AI system (the transparency tier) under current interpretation, and publishes a model card describing the validator's role and limitations. For customers building high-risk AI systems, SQUR pentest reports provide supporting evidence for Article 15 (cybersecurity) and Article 9 (risk management), to be filed with the system's technical documentation. SQUR also offers red-team scans of AI-powered features in the style of the adversarial testing Article 55 describes, covering LLM prompt injection and model-extraction attack surfaces; see LLM Prompt Injection.
Frequently asked questions
Does the EU AI Act apply outside the EU?
Yes. Its territorial scope is similar to the GDPR's: providers placing an AI system on the EU market are in scope regardless of where they are established, as are deployers established in the EU and providers or deployers outside the EU whose AI system's output is used in the EU.
What are the penalties?
Up to €35M or 7% of global annual turnover for prohibited-practice violations; up to €15M or 3% for non-compliance with other obligations, including those for high-risk systems; up to €7.5M or 1% for supplying incorrect, incomplete or misleading information to authorities. For companies the higher of the two figures applies (for SMEs and start-ups, the lower). The ceilings exceed the GDPR's €20M or 4%.