Why This Mapping Matters for Critical Infrastructure AI
Critical infrastructure operators are increasingly deploying AI for threat detection, predictive maintenance, incident triage, and operational optimization. In the EU, three regulatory regimes frequently converge on the same systems:
- EU AI Act: governs AI systems based on risk, with stringent obligations for high-risk AI and additional transparency rules for certain AI uses.
- NIS2 Directive: strengthens cybersecurity and incident reporting requirements for essential and important entities across many sectors.
- CER Directive (Critical Entities Resilience): focuses on all-hazards resilience—including physical, organizational, and supply chain—of entities critical to society.
For professionals responsible for compliance, security, risk, or engineering, the goal is not to treat these as separate checklists. The goal is to build one integrated control set so the same evidence, governance, and operational processes satisfy overlapping requirements.
Step 1: Decide Whether Your AI System Sits in the “Critical Infrastructure + High-Risk” Zone
Start by answering three scoping questions.
1) Are you an in-scope entity under NIS2 and/or CER?
- NIS2: applies to many operators and service providers in sectors such as energy, transport, banking, health, digital infrastructure, water, public administration, and more (exact national transpositions define boundaries).
- CER: applies to entities identified as “critical” for essential services, typically in similar sectors, with an emphasis on service continuity.
Actionable output: a list of your legal entities, services, and locations that are in scope, with owners assigned.
2) Is the AI system “high-risk” under the EU AI Act?
Many AI systems used in critical infrastructure contexts may qualify as high-risk depending on function and sector use. High-risk classification triggers requirements around risk management, data governance, technical documentation, logging, human oversight, and more.
Actionable output: an AI system inventory with a preliminary risk category per system and rationale.
3) Does the AI system affect “essential service” delivery?
Even if an AI system is not legally high-risk, if it materially influences:
- operational decision-making,
- access to critical services,
- safety-related controls,
- incident response, it should be treated as a high-impact system internally. This drives stronger controls and audit readiness.
Actionable output: a “service impact” label per AI use case (e.g., low/medium/high impact).
Step 2: Build a Unified System Inventory Across AI, Cybersecurity, and Resilience
A frequent failure mode is having three partial inventories: an AI registry, an IT/OT asset register, and a resilience criticality list. Create one merged view.
Minimum fields to capture
- System name, owner, and business purpose
- AI model type, versioning approach, and deployment pattern (cloud, on-prem, edge)
- Data inputs/outputs, including sources and data sensitivity
- Connectivity and dependencies (APIs, identity systems, OT networks, vendors)
- Where it is used in the service chain (monitoring, control, customer-facing, back-office)
- Failure modes and impact (safety, availability, integrity, confidentiality, physical harm)
- Incident playbooks and escalation paths
Actionable advice: Use a single identifier per system across GRC, security tooling, and engineering tracking so evidence can be joined without manual reconciliation.
Step 3: Map Requirements into One Control Set (AI Act × NIS2 × CER)
Instead of mapping article-by-article, map by control domains. Below are the domains that most often overlap for critical infrastructure AI.
Governance and accountability
- AI Act: demands organizational measures for compliance, including defined roles and responsibilities for high-risk AI lifecycle controls.
- NIS2: requires management accountability and risk management measures, typically involving board-level oversight and policy enforcement.
- CER: requires resilience governance, including planning, responsibility assignment, and coordination.
Do this:
- Assign a single AI System Owner and a separate Operational Risk Owner for each critical AI system.
- Establish a cross-functional AI Risk Review Board that also covers cyber and resilience implications.
Risk management (one process, three lenses)
- AI Act: requires a risk management system focused on harms from AI, including foreseeable misuse.
- NIS2: emphasizes cyber risk management measures (prevention, detection, response, recovery).
- CER: emphasizes all-hazards resilience (including physical threats, supply chain disruption, staffing constraints).
Do this:
- Run a single risk assessment workshop per system, producing three outputs:
- AI-specific risk register (bias, performance drift, unsafe automation)
- Cyber risk register (attack surfaces, data poisoning, adversarial inputs)
- Resilience risk register (site outages, vendor concentration, operational fallback)
Data governance and integrity
- AI Act: expects appropriate data governance (quality, relevance, representativeness, handling of errors).
- NIS2: requires measures to protect data and systems (including integrity and confidentiality).
- CER: expects resilience measures that include supply chain and operational continuity—data availability and integrity are key to continuity.
Do this:
- Define “golden datasets” and controls for:
- provenance tracking,
- access control and segregation,
- change management,
- validation and periodic re-checks.
- Treat training data and feature pipelines as critical assets, not just engineering artifacts.
Logging, monitoring, and detection
- AI Act: requires logging capabilities and traceability for high-risk AI operation.
- NIS2: requires detection and response capabilities, including monitoring and incident handling.
- CER: relies on situational awareness to maintain service continuity under disruption.
Do this:
- Standardize on logging that supports both:
- AI accountability (model outputs, confidence scores, human overrides)
- security monitoring (auth events, data access, anomalous input patterns)
- Ensure logs are tamper-evident and retained per internal policy aligned to legal needs.
Human oversight and operational fallback
- AI Act: mandates effective human oversight to prevent or minimize risks.
- NIS2: expects strong operational practices and incident handling, including recovery.
- CER: requires continuity of essential services, often implying manual workarounds.
Do this:
- Define explicit “stop conditions” and override procedures.
- Document and test fallback modes:
- manual operation,
- degraded service,
- alternative routing,
- model rollback to last known good version.
Supply chain and third-party risk
AI in critical infrastructure frequently depends on external providers: model vendors, cloud, telemetry, managed security, data suppliers.
- AI Act: imposes obligations depending on role (provider, deployer, importer, distributor), including documentation and instructions for use.
- NIS2: requires supply chain security and vendor risk management.
- CER: emphasizes resilience of supply chains and critical dependencies.
Do this:
- Classify vendors by criticality and role in AI lifecycle.
- Contract for:
- security requirements (hardening, vulnerability handling),
- incident notification,
- access to technical documentation and change notices,
- resilience commitments (continuity, capacity, and recovery support).
Step 4: Implement a Practical “One Evidence Pack” for Audits and Assessments
Build an evidence structure that can answer questions from AI compliance, cybersecurity regulators, and resilience authorities without rework.
Recommended evidence folders (conceptual)
- System description: purpose, architecture, dependencies, data flows
- Risk management file: identified risks, mitigations, test results, residual risk acceptance
- Operational controls: monitoring, logging, incident playbooks, access management
- Model lifecycle: training/validation approach, drift monitoring, updates, rollback
- Human oversight: staffing, training, escalation paths, override records
- Third-party dossier: vendor assessments, contracts, SLAs, assurance artifacts
- Testing and exercises: tabletop exercises, red teaming where appropriate, resilience drills
Actionable advice: Require every critical AI system to have a named “evidence steward” who maintains the pack as part of change management—not as a last-minute compliance scramble.
Step 5: Align Incident Response Across AI Act, NIS2, and CER
Critical infrastructure incident handling is rarely just “cyber” or “AI.” It is typically a blended event: a cyber intrusion triggers model manipulation, which triggers operational disruption.
Build one incident taxonomy
Include categories such as:
- model performance degradation or drift
- data poisoning or integrity compromise
- adversarial inputs and evasion
- unauthorized model or pipeline changes
- outage of AI dependency (cloud, telemetry, identity provider)
- unsafe automation or incorrect AI-driven decisions
Operationalize response
- Create a playbook that includes:
- immediate containment steps (disable model features, switch to fallback)
- forensic steps (preserve logs, snapshot versions, isolate datasets)
- communications path (management, regulators, affected stakeholders)
- recovery criteria (validation gates before re-enabling automation)
Actionable advice: Run joint exercises that combine OT/IT security teams, AI engineers, and operations leaders. Include scenarios where the right decision is to de-automate quickly.
Step 6: Establish Ongoing Controls: Change Management, Testing, and Continuous Monitoring
Critical infrastructure AI systems change continuously—new data, retraining, patches, vendor updates. Your integrated compliance posture must be continuous too.
Minimum ongoing controls
- Change control for models, prompts (if applicable), pipelines, and dependencies
- Pre-deployment validation aligned to the system’s safety and service impact
- Drift and anomaly monitoring with alert thresholds and response actions
- Periodic access reviews for data, model repositories, and deployment platforms
- Resilience testing for dependency failures and degraded operations
Actionable advice: Treat “model update” as a regulated change similar to a production OT configuration change—requiring risk review, documentation updates, and rollback plans.
A Practical Checklist to Start Next Week
- Create one inventory linking AI systems to essential services, assets, vendors, and locations.
- Classify AI risk (AI Act) and service impact (business continuity).
- Run one combined risk assessment covering AI harms, cybersecurity threats, and resilience disruptions.
- Implement unified logging that supports traceability, detection, and post-incident reconstruction.
- Write and test fallback procedures and human override conditions.
- Consolidate evidence into one system file per critical AI deployment.
- Contract for vendor transparency and notification across security, changes, and continuity.
When done well, this approach reduces duplication, strengthens operational readiness, and makes regulatory compliance a byproduct of building safer, more resilient critical infrastructure AI systems.