1. Purpose and Scope

This document explains how the ISMS Copilot AI system meets obligations under the EU Artificial Intelligence Act (the Act). It covers the system’s classification, confirms that it does not fall under prohibited or high-risk categories, and outlines how it fulfills applicable transparency and safety requirements. The aim is to provide clear, comprehensive information that fosters trust, compliance, and alignment with the Act’s principles of protecting health, safety, and fundamental rights and of supporting a trustworthy AI ecosystem.

2. Classification as an AI System

ISMS Copilot qualifies as an AI system under the Act. It uses machine learning and algorithmic techniques to process user queries and generate outputs such as compliance insights, policy recommendations, and structured guidance. Because it transforms inputs into meaningful advisory outputs through automated reasoning, it is subject to the Act’s provisions governing AI systems.

3. Use Within the EU Market

ISMS Copilot is made available to entities and individuals within the European Union. Because the system is offered to users in the EU, it is considered placed on the EU market, and the relevant obligations of the Act apply. The provider ensures that the system’s deployment, documentation, and updates comply with EU law, and stands ready to demonstrate adherence to authorities upon request.

4. No Exclusive Military or National Security Application

Certain AI systems used exclusively for military, defense, or national security purposes may lie outside the Act’s scope. ISMS Copilot does not serve these functions. Its focus is strictly civilian—assisting with compliance-related tasks such as interpreting standards, refining documentation, and providing preliminary advisory inputs. As a result, it does not benefit from any such exemptions and remains fully subject to the Act’s requirements.

5. Not a General-Purpose AI System

General-purpose AI systems can be adapted broadly across multiple domains. ISMS Copilot, by contrast, is specialized. It targets compliance-related functionalities, helping to structure documentation, improve clarity in policy materials, and offer guidance for compliance processes. This focused scope simplifies the risk assessment and compliance approach.

6. Provider and Deployer Roles

The entity offering ISMS Copilot in the EU market acts as its provider. Before the system is introduced, the provider confirms that it meets applicable requirements. If the same entity also uses ISMS Copilot to deliver services to clients, it acts as a deployer, ensuring proper use, transparency, and alignment with the system’s intended purpose.

Fulfilling these dual roles involves informing users that they are interacting with an AI system, advising them to verify critical outputs, and preventing misuse. This integrated governance ensures responsible deployment and ongoing compliance with the Act.

7. No Engagement in Prohibited Practices

The Act prohibits AI practices that pose unacceptable risks, including: