The article outlines how, under the evolving European legal framework, companies building or deploying AI-based or “smart” products now face a dense and sometimes overlapping set of regulations. The key laws involved are the EU Artificial Intelligence Act (AI Act), the Cyber Resilience Act (CRA), and the earlier Cybersecurity Act (CSA). Together, these laws impose a “cybersecurity by design” requirement — meaning cybersecurity must be considered right from the design and development phases of AI products, and maintained throughout their lifecycle.
Under the AI Act, “high-risk” AI systems must meet specific cybersecurity standards: they must be resistant to tampering, data-poisoning, adversarial inputs, unauthorized access, and other vulnerabilities. The Act does not prescribe one fixed set of technical defenses; instead, it mandates a risk-based assessment, meaning developers must tailor security measures to the context and risks of each system. Compliance must also be demonstrated as part of the mandatory conformity assessment before such AI systems can be placed on the market.
Meanwhile, the CRA applies more broadly to “products with digital elements” — meaning many connected software or hardware products (not just AI models) become subject to baseline cybersecurity obligations. These include secure defaults, regular updates, data protection, resilience to vulnerabilities, logging and secure data handling. For AI products that are also “connected,” the CRA’s requirements often overlap with those under the AI Act. However, a mechanism (Article 12 of the CRA) is designed to harmonize the overlap: if a product satisfies the CRA’s essential security requirements, it can be deemed compliant with the AI Act’s cybersecurity demands, simplifying certification and reducing duplication.
The piece argues this regulatory “jungle” marks a turning point: for providers, deployers and distributors of AI-based systems and connected products, compliance is no longer optional — it’s a mandatory, complex mix of obligations across multiple regulations. Companies must proactively design security and governance from the start. At the same time, the coordinated interplay between AI-specific (AI Act) and general cybersecurity laws (CRA/CSA) aims to strike a balance: safeguarding consumers and data, while giving firms a clearer, unified path toward compliance and market access.