Security activity does not automatically create governance evidence. Controls must be connected to responsibility, linked to the systems they protect, and reconstructable at audit time.
EAB's Cybersecurity Governance module connects security measures to the AI governance record — so cybersecurity is not a separate documentation effort, but part of the same audit trail.
“Security teams document controls. Compliance teams document obligations. Neither group can easily show that the controls they have are the controls the obligations require — because the connection was never made structural.”
The Cybersecurity Governance module addresses the gap between security operations and compliance documentation. Security measures exist — but they are not connected to the AI systems they protect, not attributed to responsible owners, and not evidenced in a way that is reconstructable at audit time.
EAB structures cybersecurity governance as a set of governed control records — each linked to the AI systems it protects, each with a named owner, and each with an evidence record. The module is designed for organisations where AI systems are subject to both EU AI Act obligations and cybersecurity governance requirements.
Because the module shares the EAB system inventory, evidence layer, and audit trail with the EU AI Act module, cybersecurity governance becomes part of the same record — not a parallel documentation effort that must be reconciled at audit time.
Each capability is connected to the shared system inventory, evidence layer, and audit trail.
Technical and organisational security measures are documented per AI system. Each measure is linked to the system it protects — not maintained as a generic security register separate from the AI governance record.
Every security measure has a named owner responsible for its implementation and maintenance. Unowned controls surface as governance gaps. Responsibility is structural — not assumed.
AI Act Art. 15 requires cybersecurity measures for high-risk systems. This module connects the security measure record to the Art. 15 obligation — so cybersecurity governance is evidence for AI Act compliance, not a separate effort.
Evidence that a security measure is implemented and effective is uploaded and linked to the measure record. Evidence is connected to the measure — not filed in a folder that must be matched manually at audit time.
Security incidents affecting AI systems are documented in the governance record — with system linkage, timeline, response measures, and resolution status. Incident records are part of the audit trail.
Security measures are not static. Controls are reviewed, updated, or replaced as the threat landscape changes. EAB tracks the history of each control — when it was implemented, when it was reviewed, and what changed.
The Cybersecurity Governance module uses the same system inventory as the EU AI Act module. Security measures are linked to systems that are already registered and governed — not entered into a separate cybersecurity tool.
Evidence collected for cybersecurity governance is available in the same evidence layer as AI Act evidence. An organisation does not need to maintain two parallel evidence systems — one for security and one for compliance.
At audit time, the cybersecurity governance record is part of the same audit trail as the AI Act record. Regulators reviewing both EU AI Act and NIS2 compliance see one coherent governance record — not two systems that need to be reconciled.
Available as an add-on for Professional and Enterprise. Shares one system inventory, one evidence layer, and one audit trail with the EU AI Act module.
EU-hosted · Anchored to CELEX 32024R1689