‍Removed on April 10^th 2024 based on the version and article numbering approved by the EU Parliament on March 13^th 2024.

‍

[Previous version]

Updated on Feb 6^th 2024 based on the version endorsed by the Coreper I on Feb 2^nd‍

Without prejudice to the requirements related to robustness and accuracy set out in this Regulation, high-risk AI systems which fall within the scope of the Regulation 2022/0272, in accordance with Article 8 of the Regulation 2022/0272 may demonstrate compliance with the cybersecurity requirement of this Regulation by fulfilling the essential cybersecurity requirements set out in Article 10 and An 272.When high-risk AI systems fulfil the essential requirements of Regulation 2022/0272, they should be deemed compliant with the cybersecurity requirements set out in this Regulation in so far as the achievement of those requirements is demonstrated in the EU declaration of conformity or parts thereof issued under Regulation 2022/0272. For this purpose, the assessment of the cybersecurity risks, associated to a product with digital elements classified as high-risk AI system according to this Regulation, carried out under Regulation 2022/0272, should consider risks to the cyber resilience of an AI system as regards attempts by unauthorised third parties to alter its use, behaviour or performance, including AI specific vulnerabilities such as data poisoning or adversarial attacks, as well as, as relevant, risks to fundamental rights as required by this Regulation. The conformity assessment procedure provided by this Regulation should apply in relation to the essential cybersecurity requirements of a product with digital elements covered by Regulation 2022/0272 and classified as a high-risk AI system under this Regulation. However, this rule should not result in reducing the necessary level of assurance for critical products with digital elements covered by Regulation 2022/0272. Therefore, by way of derogation from this rule, high-risk AI systems that fall within the scope of this Regulation and are also qualified as important and critical products with digital elements pursuant to Regulation 2022/0272 and to which the conformity assessment procedure based on internal control referred to in Annex VI of this Regulation applies, are subject to the conformity assessment provisions of Regulation 2022/0272 insofar as the essential cybersecurity requirements of Regulation 2022/0272 are concerned. In this case, for all the other aspects covered by this Regulation the respective provisions on conformity assessment based on internal control set out in Annex VI of this Regulation should apply. Building on the knowledge and expertise of ENISA on the cybersecurity policy and tasks assigned to ENISA under the Regulation 2019/1020 the European Commission should cooperate with ENISA on issues related to cybersecurity of AI systems.