Source: OJ L 2024/2847, 20.11.2024
Article 12 High-risk AI systems
1. Without prejudice to the requirements relating to accuracy and robustness set out in Article 15 of Regulation (EU) 2024/1689, products with digital elements which fall within the scope of this Regulation and which are classified as high-risk AI systems pursuant to Article 6 of that Regulation shall be deemed to comply with the cybersecurity requirements set out in Article 15 of that Regulation where:
(a) those products fulfil the essential cybersecurity requirements set out in Part I of Annex I;
(b) the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I; and
(c) the achievement of the level of cybersecurity protection required under Article 15 of Regulation (EU) 2024/1689 is demonstrated in the EU declaration of conformity issued under this Regulation.
2. For the products with digital elements and cybersecurity requirements referred to in paragraph 1 of this Article, the relevant conformity assessment procedure provided for in Article 43 of Regulation (EU) 2024/1689 shall apply. For the purposes of that assessment, notified bodies which are competent to control the conformity of the high-risk AI systems under Regulation (EU) 2024/1689 shall also be competent to control the conformity of high-risk AI systems which fall within the scope of this Regulation with the requirements set out in Annex I to this Regulation, provided that the compliance of those notified bodies with the requirements laid down in Article 39 of this Regulation has been assessed in the context of the notification procedure under Regulation (EU) 2024/1689.
3. By way of derogation from paragraph 2 of this Article, important products with digital elements as listed in Annex III to this Regulation, which are subject to the conformity assessment procedures referred to in Article 32(2), points (a) and (b), and Article 32(3) of this Regulation, and critical products with digital elements as listed in Annex IV to this Regulation which are required to obtain a European cybersecurity certificate pursuant to Article 8(1) of this Regulation or, absent that, which are subject to the conformity assessment procedures referred to in Article 32(3) of this Regulation, and which are classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689, and to which the conformity assessment procedure based on internal control as referred to in Annex VI to Regulation (EU) 2024/1689 applies, shall be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned.
4. Manufacturers of products with digital elements as referred to in paragraph 1 of this Article may participate in the AI regulatory sandboxes referred to in Article 57 of Regulation (EU) 2024/1689.
Relevant recitals
Recital 51 High-risk AI systems
Products with digital elements classified as high-risk AI systems pursuant to Article 6 of Regulation (EU) 2024/1689 of the European Parliament and of the Council (22) which fall within the scope of this Regulation should comply with the essential cybersecurity requirements set out in this Regulation. Where those high-risk AI systems fulfil the essential cybersecurity requirements set out in this Regulation, they should be deemed to comply with the cybersecurity requirements set out in Article 15 of Regulation (EU) 2024/1689 in so far as those requirements are covered by the EU declaration of conformity or parts thereof issued under this Regulation.
For that purpose, the assessment of the cybersecurity risks associated with a product with digital elements classified as a high-risk AI system pursuant to Regulation (EU) 2024/1689 that is to be taken into account during the planning, design, development, production, delivery and maintenance phases of such product, as required under this Regulation, should take into account risks to the cyber resilience of an AI system as regards attempts by unauthorised third parties to alter its use, behaviour or performance, including AI-specific vulnerabilities such as data poisoning or adversarial attacks, as well as, as relevant, risks to fundamental rights, in accordance with Regulation (EU) 2024/1689. As regards the conformity assessment procedures relating to the essential cybersecurity requirements for a product with digital elements that falls within the scope of this Regulation and that is classified as a high-risk AI system, Article 43 of Regulation (EU) 2024/1689 should apply as a rule instead of the relevant provisions of this Regulation.
However, that rule should not result in a reduction of the necessary level of assurance for important or critical products with digital elements as referred to in this Regulation. Therefore, by way of derogation from that rule, high-risk AI systems that fall within the scope of Regulation (EU) 2024/1689 which are also important or critical products with digital elements as referred to in this Regulation and to which the conformity assessment procedure based on internal control referred to in Annex VI to Regulation (EU) 2024/1689 applies, should be subject to the conformity assessment procedures provided for in this Regulation in so far as the essential cybersecurity requirements set out in this Regulation are concerned. In such a case, for all the other aspects covered by Regulation (EU) 2024/1689 the relevant provisions on conformity assessment based on internal control set out in Annex VI to that Regulation should apply.

(22) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj).
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.