Why Take Action Now?
The AI Act has a major impact on energy and telecom
August 2025
First obligations for high-risk AI systems in critical infrastructure come into effect
Critical Infrastructure = High-risk
AI in energy and telecom networks automatically falls under the strictest AI Act rules (Annex III)
Fines up to €35 million
Or 7% of global annual turnover — ACM and sector regulators will enforce
Safety Components
AI as a safety component in networks requires conformity assessment and CE marking
High-risk AI in Energy & Telecom
These AI applications fall under strict AI Act requirements (Annex III)
Smart Grid Management
AI systems managing energy networks, distributing load and predicting grid congestion — essential for supply security.
Predictive Maintenance Critical Infra
Systems predicting maintenance for power plants, transformer stations and telecom towers — outage can have societal impact.
Network Monitoring & Cybersecurity
AI for detecting cyber threats and anomalies in energy and telecom networks — crucial for national security.
Energy Pricing & Customer Decisions
Algorithms determining energy prices, assessing customers or applying dynamic tariffs — direct impact on consumers.
Specific Challenges for Energy & Telecom
The AI Act brings unique compliance questions for the sector
NIS2 and AI Act Overlap
How to combine NIS2 cybersecurity obligations with AI Act requirements? Where do they overlap and where do they conflict?
Real-time Decisions
Energy networks require millisecond decisions. How to comply with human oversight without compromising network stability?
Safety Component Classification
When is AI a safety component under the Machinery Regulation? And what does that mean for CE marking?
Legacy SCADA & OT Systems
Much operational technology is decades old. How to integrate AI Act compliance into existing industrial systems?
Supply Chain Complexity
Energy and telecom chains are complex. Who is the provider and who is the deployer in integrated AI solutions?
Sector-specific Supervision
ACM, RDI and State Supervision of Mines — how do these regulators interpret the AI Act for the sector?
AI Act Compliance Roadmap
Practical steps for energy and telecom companies
AI Inventory
2-4 weeks: Map all AI systems. Which systems manage critical infrastructure or make customer decisions?
Risk Classification
1-2 weeks: Determine per system if it is high-risk due to critical infrastructure, safety component or consumer decision.
Gap Analysis
3-6 weeks: Compare current documentation with AI Act, NIS2 and sector-specific requirements.
Remediation
3-12 months: Implement technical documentation, risk management, human oversight and cybersecurity measures.
Ongoing Monitoring
Ongoing: Set up processes for continuous monitoring, incident reporting and periodic review.
Implementation Roadmap
Detailed 6-phase trajectory with concrete deliverables
Phase 1. Inventory: Month 1-2
Phase 2. Classification: Month 2-3
Phase 3. Gap Analysis: Month 3-5
Phase 4. Governance Framework: Month 5-7
Phase 5. Implementation: Month 7-14
Phase 6. Audit-ready: Month 14-18
AI System Inventory
Typical AI systems in energy & telecom and their likely classification
Note: many OT systems contain AI without it being explicitly labeled as such. Also inventory embedded AI in SCADA, DCS and network management.
Grid & Network Management
Usually high-risk: Annex III. AI in critical infrastructure management is automatically high-risk
Predictive Maintenance
Context-dependent: High-risk if failure poses safety risk; otherwise possibly limited risk
Cybersecurity AI
Context-dependent: High-risk for autonomous blocking; limited risk for alerting-only
Customer & Market
Often high-risk: High-risk when impacting access to essential services
Content Moderation (Telecom)
Limited risk: Transparency obligations (Art. 50); DSA overlap for platforms
Internal Operations
Usually minimal risk: Minimal risk unless it makes autonomous decisions about individuals
Classification Decision Tree
Quickly determine the risk classification of your AI system
Does the system manage critical infrastructure (energy grid, telecom network)?
Yes: Automatically high-risk
No: Go to next question
Is it a safety component in a machine or installation?
Yes: High-risk + CE marking required
No: Go to next question
Does it make autonomous decisions about consumers (pricing, access, disconnection)?
Yes: Probably high-risk
No: Go to next question
Is it a supporting system with human override and no safety impact?
Yes: Possibly limited risk
No: Consult an expert for classification
This is a simplified decision tree. Consult your legal team for definitive classification.
Governance Structure
Recommended organizational structure for AI governance in energy & telecom
Link AI governance to existing NIS2 compliance structure and asset management — don't build from scratch.
Key Roles
AI System Owner
Responsible per AI system for compliance and performance — both IT and OT
OT/IT Security Lead
Ensures cybersecurity of AI systems in operational environments
Human Oversight Officer
Oversight for high-risk systems — adapted for real-time environments
Regulatory Affairs Lead
Coordinates between AI Act, NIS2, Energy Act and sector supervision
Compliance Checklist for Energy & Telecom AI
Concrete checkpoints for each high-risk AI system
This checklist applies per high-risk system. Combine with NIS2 compliance requirements for efficiency.
Common Mistakes
Avoid these pitfalls in AI Act implementation
Forgetting OT systems
SCADA, DCS and embedded AI in network equipment are often not included in the inventory.
NIS2 and AI Act as separate tracks
Both regulations overlap significantly. Integrate compliance tracks for efficiency.
Deeming human oversight impossible
Real-time systems require creative solutions: monitoring dashboards, anomaly alerts, escalation processes.
Not inventorying vendor AI
Network equipment often contains third-party AI. As deployer you are co-responsible.
Only involving IT department
OT engineers, network specialists and operations must participate from day one.
Underestimating smart meter data
Consumption data is personal data. AI analyses on smart meter data fall under GDPR and AI Act.
What Makes Energy & Telecom AI Different?
Sector-specific considerations
Critical Infrastructure Status
Energy and telecom AI falls under both AI Act and NIS2 cybersecurity directive
Real-time Requirements
Networks require uninterrupted AI decisions — human oversight must be implemented differently
Societal Impact
Energy or telecom outage affects millions of people — reliability requirements are extremely high
Converging Regulation
AI Act, NIS2, Machinery Regulation and sector legislation require an integrated compliance approach
Regulatory Overlap
How the AI Act connects with existing energy and telecom regulation
NIS2 Directive
Overlap: Cybersecurity, incident reporting, supply chain security
Practical tip: Combine AI Act monitoring with NIS2 security operations center (SOC)
Energy Act
Overlap: Supply security, consumer protection, smart meters
Practical tip: AI Act transparency requirements reinforce existing consumer protection
Telecommunications Act
Overlap: Network integrity, interception, content filtering
Practical tip: AI Act adds specific requirements for AI-driven content moderation
GDPR
Overlap: Smart meter data, customer profiling, automated decision-making
Practical tip: FRIA can partially overlap with DPIA — combine where possible
Machinery Regulation
Overlap: AI as safety component in installations
Practical tip: CE marking requires combined conformity assessment