Safe, Secure and Responsible AI Systems: Cybersecurity, the EU AI Act, and ISO/IEC 42001
Speakers IS2 2026
Michael Bátrla & Štěpánka Havlíková
With the increasing use of artificial intelligence models and systems, the need to protect them effectively against cyber threats, misuse, and systemic risks resulting from improper or intentionally malicious use is also growing. With the European Union’s AI Act approaching applicability, organizations are simultaneously facing the question of how to reconcile the cybersecurity of AI systems, regulatory requirements, and real operational needs.
The lecture will offer a combined perspective of a security manager and a lawyer on the practical design, implementation, and operation of AI systems so that they meet the requirements of the AI Act, NIS 2, the GDPR, and related regulations, while also being sustainable in day-to-day operations. We will explain the AI Act’s risk-based approach, from prohibited systems to low-risk ones, with a focus on obligations for high-risk systems: security, risk management, data quality and data governance, monitoring, and robustness.
We will also introduce the AI governance standard ISO/IEC 42001 and show how an AI management system (AIMS) can be built on top of an existing ISMS and cybersecurity processes to help meet, and demonstrate compliance with, the requirements of this international standard and the AI Act. Using examples from cloud environments as well as regulated and unregulated sectors, we will demonstrate where the AI Act and ISO/IEC 42001 overlap (e.g., risk management, security, privacy, governance, documentation, monitoring) and where they impose different requirements. We will focus on typical security and contractual “blind spots” when deploying both generative and non-generative AI systems, the role of contractual arrangements with model providers and cloud platforms, and practical approaches to setting up internal processes and organizational and technical controls, from design through the long-term operation of AI systems.

Michael Bátrla
ČVUT, MU Brno
Michael Bátrla is CTU’s first CISO and an expert in cybersecurity, AI governance, and compliance. He has built his experience across AI startups (AISLE, Rossum), technology companies, and projects connected to the European space sector, defence, and NATO. At AISLE, he launched one of the first ISO 42001-certified AI governance programmes in the Czech Republic. He has long collaborated with Masaryk University in the field of IT law and is currently further deepening his expertise through the IT Law LL.M. programme. He is also a co-author of commentaries on the new Czech Cybersecurity Act and the EU AI Act.

Štěpánka Havlíková
ČVUT, PF UK, META
Štěpánka Havlíková is an attorney specializing in IT law, artificial intelligence law, intellectual property, and data protection. She provides legal advice across the technology sector, including complex IT projects, the implementation of new technologies and AI systems, software contracts, and compliance with digital legislation. She spent more than a year on secondment with the legal team of a global big-tech provider of AI models. She is also a PhD candidate at the Institute of Law and Technology at Masaryk University.
