ISO 42001, AI Act, GDPR: towards a common grammar of AI compliance

At the INCYBER 2025 Forum, a European meeting on cybersecurity and technology regulation, the round table "Securing generative AI: a matter of urgency" brought together experts in law, cybersecurity and data governance around a central question: can we build a common language to supervise generative AI at scale?

The answer is emerging around three regulatory and normative pillars: the GDPR, the AI Act, adopted in March 2024, and the ISO 42001 standard, the first to structure AI governance within organizations.

“You have to get out of the post-market logic of the GDPR. The AI Act imposes compliance from design.”

– Charlotte Barreau, AI expert at the CNIL.

Three texts, three logics … the same goal

The GDPR, in force since 2018, defined the first principles for the protection of personal data: minimization, consent, transparency, right of access. But it does not target specific technologies; it is technology-agnostic by nature.

The AI Act, on the other hand, introduces a different logic: it classifies AI systems according to their level of risk (minimal, limited, high, unacceptable) and imposes compliance obligations prior to deployment. It treats AI as a product to be secured before it is placed on the market.

Finally, the ISO 42001 standard, published at the end of 2023, provides an operational AI governance framework aligned with the main principles of risk management. It does not replace the law, but structures its implementation.

“ISO 42001 is proof of intention. It formalizes the trade-offs between innovation, security and responsibility.”

– Julien Richard, British Standards Institution (BSI).

An approach by risk, not by tool

One of the major contributions of the AI Act is to pose a new equation: it is not the technologies that are problematic, but their impact. A medical chatbot or an algorithmic HR scoring tool has the same implications as a recommendation engine on an e-commerce site.

“The AI Act transposes the logics to AI AI AI AI ALAGIC OR to medical devices.”

– Charlotte Barreau, CNIL.

The other break with the past: the burden of proof now lies with the designers, who must document datasets, ensure the robustness of models, trace iterations, and explain decision-making logic.

Standardization: an implementation tool, not a shortcut to compliance

The ISO 42001 standard does not create a legal obligation, but facilitates compliance with these texts. It allows companies to structure:

    • Their AI governance (roles, responsibilities, processes)
    • Risk analysis specific to their models
    • Monitoring of AI life cycles
    • Alignment with European regulatory requirements

“We have moved beyond frozen standards. We are now talking about living, co-constructed, interoperable standards.”

– Julien Richard, BSI.

It is particularly useful for companies that want to anticipate audits, align their AI policy with CSR objectives, or reassure B2B customers in sensitive sectors (health, finance, defense).

From individual right to systemic responsibility

The GDPR remains focused on the rights of the individual: consent, the right to be forgotten, portability. The AI Act and ISO 42001 introduce a new layer: collective responsibility in the face of systemic risks (bias, opacity, discrimination, content manipulation).

“The GDPR asks the question: to whom does the data belong? The AI Act asks: what do we do with it?”

– Summary of the joint CNIL / BSI intervention at the INCYBER 2025 Forum.

Compliance as a transformation lever

Long perceived as a constraint, AI compliance is becoming a structuring opportunity. Florence Moutet, CISO of Zalando, made the point by explaining how her company uses regulation as a governance engine:

“Preparing for the AI Act has enabled us to formalize a methodology common to all our teams.”

By framing uses from the ideation stage, Zalando secures innovation, avoids uncontrolled uses (shadow AI), and prepares the company for an environment where traceability, robustness and transparency will become non-negotiable.

A common grammar under construction

These three texts – GDPR, AI Act, ISO 42001 – have neither the same legal status nor the same scope. But they converge on one point: they require organizations to show a more strategic maturity in the face of AI.

“The law cannot follow technology in real time. But it can set the rules of the game.”

– Charlotte Barreau, CNIL.

AI compliance becomes a language shared between lawyers, engineers, managers and product designers. It makes it possible to go beyond silos, orchestrate expertise, and anchor responsibility in every line of code.