European Union regulation governing the development of AI technology
ulf mine / stock.adobe.com
2026-05-22 expert contribution

EU’s Multilayer Product-Safety Framework for AI Systems

The EU AI Act is often described as the world's first comprehensive legal framework for artificial intelligence. That description is accurate but incomplete: for providers of AI systems in the EU, complying with the AI Act is only one part of a much broader regulatory puzzle.

As Annex ZA of the emerging harmonized standards notes, "Other Union legislation may be applicable." The AI Act is designed to complement, not replace, existing EU legislation. Several provisions clearly state that AI systems, especially those integrated into regulated products, must comply simultaneously with sector-specific regulations, data protection requirements, and cybersecurity laws. Therefore, consideration of other EU legislation is a binding element of conformity rather than an interpretive remark.

In practice, AI systems must comply with a multi-layered product safety architecture based on the EU's New Legislative Framework (NLF). Understanding and operationalizing this layered approach is rapidly becoming a core competence for AI providers.


A Multi-Layer Compliance Architecture

AI systems do not exist in isolation; they are normally embedded in digital, physical, and socio-technical environments. Consequently, they fall under multiple regulatory regimes, each addressing specific risks from a different angle.

Key EU instruments that may apply alongside the AI Act include:

  • General Data Protection Regulation (GDPR) governs the processing of personal data, including AI training data and inference outputs.
  • Data Act regulates access and sharing of data generated by connected devices.
  • Digital Services Act (DSA) imposes transparency and accountability obligations on digital platforms.
  • Cyber Resilience Act (CRA) introduces lifecycle cybersecurity requirements for products with digital elements.
  • Product Liability Directive (PLD) expands strict liability to defective AI systems.
  • NIS2 Directive strengthens cybersecurity risk management in critical sectors.
  • Data Governance Act (DGA) facilitates trusted data-sharing mechanisms.

Each of these instruments addresses a specific dimension of risk - privacy, cybersecurity, safety, accountability, or data governance. For AI providers, the challenge lies not in understanding individual regulations, but in managing their cumulative impact.

Comparable Obligations from Different Perspectives

An important characteristic of this regulatory landscape is that similar requirements appear across multiple legal instruments - but from different perspectives.

Example: Cybersecurity

  • The AI Act requires high-risk AI systems to be accurate, robust and cybersecure throughout their lifecycle and resilient against attempts by unauthorised third parties to alter their use, outputs or performance. Its cybersecurity provision (Article 15) explicitly names AI-specific attacks that technical measures must address where appropriate: manipulation of the training data (data poisoning), of pre-trained components (model poisoning), inputs designed to cause the model to err (adversarial examples or model evasion), and confidentiality attacks, in addition to vulnerabilities in the underlying ICT infrastructure.
  • The Cyber Resilience Act (CRA) imposes detailed cybersecurity requirements across the entire lifecycle of digital products, including vulnerability management and incident reporting.
  • The NIS2 Directive focuses on organizational risk management and resilience in critical sectors.

While the objective “robust cybersecurity” is shared, the scope, level of detail, and enforcement mechanisms differ.

Example: Data Handling

  • The AI Act regulates data quality and governance for training, validation, and testing of AI systems.
  • The GDPR focuses on lawful processing, data minimization, and individual rights.
  • The Data Act addresses data access and portability in connected environments.

Once again, these frameworks overlap but do not duplicate each other. Instead, they form a complementary web of obligations.

Sector-Specific Legislation: Adding Another Layer

For many AI systems, horizontal legislation is only one piece of the puzzle. Sector-specific regulations introduce additional, highly specialized requirements. Examples include:

  • Medical Device Regulation (MDR): Applies to AI-based diagnostic or therapeutic systems.
  • Machinery Regulation: Covers AI-enabled industrial and robotic systems.
  • Automotive regulations (e.g. type-approval frameworks): Relevant for autonomous driving technologies.

These sectoral frameworks are often supported by harmonized standards that provide technical guidance for demonstrating conformity.

In such contexts, AI is not regulated on its own — it becomes part of a regulated product ecosystem where safety, performance, and reliability are paramount.

From Fragmentation to Integration

The existence of multiple regulatory regimes can easily lead to fragmentation:

  • Duplicate documentation efforts
  • Inconsistent risk assessments
  • Overlapping conformity procedures

To address this, organizations must move towards integrated compliance management.

The Role of Quality Management Systems

A well-designed quality management system can serve as the foundation for integrating regulatory requirements. Rather than treating each regulation separately, organizations should:

  1. Map requirements across regulations and standards: Identify overlaps (e.g., cybersecurity, risk management, technical documentation).
  2. Define unified processes: Establish cross-cutting workflows for risk assessment, data governance, and incident handling that serve all applicable regulations at once.
  3. Leverage harmonized standards: Use standards as a bridge between legal requirements and technical implementation.
  4. Ensure lifecycle consistency: Align processes from design and development to deployment and post-market monitoring.
  5. Integrate governance structures: Combine legal, technical, and operational expertise within a single compliance framework.

Towards “Compliance by Design”

The overarching goal is to shift from reactive compliance to "compliance by design."

This means integrating regulatory requirements directly into:

  • System architecture and requirements
  • Development processes
  • Organizational governance

Such an approach not only reduces compliance risks but also strengthens trust, safety, and market acceptance.

Conclusion

The AI Act is a cornerstone of EU AI regulation - but it is not a standalone instrument. Providers of AI systems must navigate a complex, multilayered regulatory ecosystem, where product safety, cybersecurity, data governance, and sector-specific requirements intersect.

Instead of viewing this as a burden, forward-thinking organizations will recognize it as an opportunity to develop integrated, efficient, and future-proof compliance processes.

In this evolving landscape, the decisive factor will not be whether companies understand individual regulations - but whether they can orchestrate them into a coherent, intelligent system of governance.

Get in touch with us!


We offer our services in consulting projects and in-house workshops and would be happy to provide you with more information about our services and answer any questions.

AI Projects & Services: aips@vde.com