EU AI Act Compliance

1. Purpose and Scope

This document outlines how ISMS Copilot complies with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). It confirms the system’s classification as a non-high-risk AI system, ensures it avoids prohibited practices, and details transparency and governance measures. Our aim is to foster trust, protect health, safety, and fundamental rights, and align with the Act’s principles for a trustworthy AI ecosystem.

2. Classification as an AI System

ISMS Copilot is an AI system under Article 3(1) AI Act. It uses machine learning and algorithmic techniques, powered by third-party general-purpose AI (GPAI) models (e.g., Claude 3.7, GPT-4), to process user queries and generate advisory outputs, such as ISO 27001 compliance guidance, policy drafts, and gap analyses. Its automated reasoning subjects it to the Act’s provisions for AI systems.

3. Use Within the EU Market

ISMS Copilot is available to users across the European Union, constituting placement on the EU market per Article 3(9) AI Act. As the provider, we ensure deployment, documentation, and updates comply with EU law and are prepared to demonstrate adherence to authorities upon request.

4. No Military or National Security Application

ISMS Copilot is a civilian tool for compliance support, not used for military, defense, or national security purposes (Article 2(3) AI Act). It is fully subject to the Act’s requirements with no exemptions.

5. Not a General-Purpose AI System

Unlike general-purpose AI (GPAI) systems adaptable across domains (Article 3(63) AI Act), ISMS Copilot is specialized for compliance tasks, primarily assisting consulting firms with ISO 27001 certification and related infosec, AI governance, and data protection frameworks (e.g., SOC 2, GDPR, DORA, NIS2). This focused scope simplifies risk assessment and compliance, as outlined in the Commission’s GPAI guidelines (Section 3.1.1).

6. Provider and Deployer Roles

As the provider, we ensure ISMS Copilot meets AI Act requirements before market placement (Article 3(3)). As a deployer, when using the system to serve clients, we ensure responsible use, transparency, and alignment with its advisory purpose (Article 26). This includes:

• Informing users they are interacting with an AI system via in-app alerts and output labels.
• Advising verification of outputs with official standards (e.g., ISO 27001:2022) or experts.
• Preventing misuse through user guidance and system design.

7. No Engagement in Prohibited Practices

ISMS Copilot avoids prohibited practices under Article 5 AI Act, including:

• Manipulative or subliminal techniques causing harm.
• Exploiting vulnerabilities of specific groups.