Agentic AI and cybersecurity: legal obligations and regulatory risks under UK and EU laws

Posted on 25 June 2026

Reading time 9 minutes

In brief

  • Agentic AI has created new legal and cybersecurity challenges. Unlike conventional AI, agentic AI acts autonomously across systems and executes tasks without human approval at each step, meaning that providers and deployers face legal and cybersecurity obligations under multiple overlapping EU and UK frameworks - including the EU AI Act, the Cyber Resilience Act, GDPR, NIS2, and DORA - depending on what the agent does, where it operates, and who uses it.
  • Agents are vulnerable to novel threats such as prompt injection, excessive agency, privilege escalation through tool chains, and oversight evasion. No single international standard currently covers all applicable EU legal requirements, leaving providers to operate within an incomplete and still-evolving compliance landscape.
  • Compliance must be built into the architecture of the agent, not bolted on. Practical steps include mapping the agent's external actions to identify which laws apply, implementing strict access controls and permissions, building structural constraints, and incorporating monitoring and audit trails to detect and log anomalous behaviour.

AI is no longer just a tool that answers questions. The next wave - agentic AI - acts autonomously, executing tasks and interacting with real systems on behalf of users. For in-house lawyers, product teams and CISOs, this shift creates a new set of legal and security obligations. This article maps out what agentic AI actually is, where the cybersecurity risks lie, and what the regulatory picture looks like today.

For those already navigating this space, or preparing to, the key questions are: which laws apply, what the cybersecurity obligations actually require, and how to build compliance into the architecture of the agent itself.

What is agentic AI and how does it differ from conventional AI?

Most people are familiar with AI assistants that respond to prompts. An agentic AI system does something fundamentally different: it breaks a given goal into sub-tasks, and plans, decides, and executes them, often without a human approving each step. It can interact with the outside world to complete the tasks and connect to databases and browsers, learning from what it encounters.

Legal obligation to apply cybersecurity measures to agentic AI

For providers and deployers of agentic AI, the first question is: which cybersecurity laws actually apply? The answer depends on what the agent does, where it operates, and who uses it. The sections below set out the primary legal frameworks currently in force or coming into force across the EU and UK.

Providers and deployers of high-impact agentic AI are likely to be subject to legal requirements to apply cybersecurity measures in the EU and the UK. These requirements focus mainly on the risks posed to users and to others outside the organisation providing the AI agent. This differs from the enterprise-level security that CISOs are used to handling, where the focus is on protecting the organisation itself. Compliance with the legal requirements around cybersecurity of AI agents is therefore likely to become a collaboration between product engineers, in-house lawyers and in-house CISO teams.

EU AI Act

If the AI agent is used in the EU, it could be subject to the EU AI Act depending on the agent's intended purpose and foreseeable use. AI agents classified as 'high-risk' must meet strict cybersecurity requirements before they can be used in the EU, to ensure safety, robustness and resilience against attacks throughout their lifecycle (Article 15). More specifically, providers must:

  • Prevent data manipulation and data vulnerabilities
  • Maintain logging
  • Ensure resilience against adversarial attacks

For general-purpose AI models that enable agents, Article 55 of the EU AI Act creates obligations where systemic risk is present, i.e. for models whose computational capabilities are capable of producing harm at a societal level. These obligations include model evaluation, adversarial testing, incident reporting to the AI Office, and cybersecurity measures.

Key milestones: rules for high-risk AI apply from 2 August 2026 (this could potentially be moved to 2 December 2027 under the proposed EU Digital Omnibus, as discussed in our recent article: EU AI Act simplified? Unpacking the AI Omnibus Agreement of May 2026).

EU Cyber Resilience Act (CRA)

The CRA covers products with digital elements, including standalone software placed on the market with network connectivity, which means most AI agents fall within its scope. The CRA's essential requirements focus on cybersecurity: protecting against unauthorised access, manipulation, and disruption.

The CRA and the AI Act apply in parallel; however, where an AI agent is classified as a high-risk AI system, a provider that complies with the requirements of the CRA is deemed compliant with Article 15 of the EU AI Act.

Key milestones: vulnerability reporting obligations under the CRA apply from September 2026; full CRA conformity is required by December 2027.

Other laws that may also apply

Additionally, there may be security obligations under other laws that apply depending on what the AI agent touches or the entity using it. A useful diagnostic (not exhaustive):

If the agent processes personal data (names, emails, financial records, health information), then consider:

  • GDPR (both UK and EU) – a near-universal obligation, including the obligation to implement technical and organisational measures to ensure the security of personal data processing (confidentiality, integrity, availability, and resilience of processing systems and services – Article 32)

If the agent is a smart device or a connected product, then consider:

  • Revised Product Liability Directive (EU) – safety-relevant cybersecurity requirements apply to manufacturers or distributors
  • The Product Security and Telecommunications Infrastructure Act 2022 (UK) – the obligation to apply minimum security requirements applies to manufacturers of connectable (or 'smart') products

If the agent is used by an entity providing essential or important services, then consider:

  • NIS2 Directive (EU) – obligation to apply cybersecurity measures to prevent any significant disruptions to services
  • Updates to the NIS Regulations 2018 (UK) are expected to follow NIS2 in late 2026 or early 2027

If the agent is used by a regulated financial entity for credit or trading, then consider:

  • DORA (EU) – obligation to protect ICT systems that support critical or important functions from security vulnerabilities and risks
  • OpRes rules (UK rules similar to DORA) – obligation to maintain systems that support important business services so that they withstand the impact of disruption caused by cyber security failures

How do you comply with these requirements?

The European Commission has mandated the development of technical standards to support compliance with the EU AI Act and the CRA. There is no legal obligation to apply these standards but they have been specifically created to help businesses comply with the requirements of European legislation. As such, companies that apply them are 'presumed to be compliant with the legal requirements'.

The key standards are:

'prEN 18282 – Quality management system for EU AI Act Regulatory Purposes' is a standard designed for providers of high-risk AI systems.

M/606 technical standard supporting compliance with the CRA (products with digital elements, e.g. software).

Unfortunately, these are still in draft form. There are other international guidance documents that the EU Agency for Cybersecurity (ENISA) encourages providers to use to demonstrate compliance with EU legislation, such as EN ISO/IEC 27002 (information security controls), which ENISA identified as relevant and as covering six of the 13 cybersecurity requirements under the CRA.

Currently, according to ENISA's CRA Requirements Standards Mapping report, there is no single international standard that would cover all the EU legal requirements around cybersecurity. ISO/IEC FDIS 27090 is cybersecurity guidance specific to AI systems and addresses AI-specific threat categories including prompt injection (see description below), privilege escalation through tool chains, and adversarial manipulation. However, it too is still in draft form. An AI agent provider will therefore struggle to identify which technical standard to follow to demonstrate compliance. The available draft standards can and should be used to demonstrate compliance; however, those standards either do not fully address agentic systems or are not yet finalised.

What cybersecurity risks are unique to agentic AI systems?

The security community has been studying agentic systems closely, and the findings are insightful. Agents introduce a fundamentally different risk surface from conventional applications because they take autonomous actions across systems.

In one reported study, agents with shell access, email access, and persistent memory executed destructive system-level actions, complied with requests from non-authorised users, and enabled partial system takeover. This is of concern on many levels, but it also demonstrates the threats posed by AI agents.

The principal cybersecurity risks that are distinct to agentic AI systems can be summarised as follows:

  • Prompt injection: an attacker embeds malicious instructions within content the agent processes — such as a web page, email, or tool output — causing the agent to act against the user's intentions while using its own legitimate permissions
  • Excessive agency and over-broad permissions: agents are routinely granted access to systems far wider than any individual task requires, creating an unnecessarily large attack surface that amplifies the impact of any compromise
  • Privilege escalation through tool chains: as an agent moves between connected tools and systems, it may acquire or exploit permissions beyond those it was originally granted, allowing it to reach sensitive resources outside its intended scope
  • Oversight evasion: agents trained on goal-directed objectives can develop strategies to circumvent monitoring systems or misreport their own operational status, making detection of anomalous behaviour significantly harder

What this means in practice

For in-house lawyers and CISOs, several practical conclusions follow. These practical mitigations are unglamorous and familiar:

  • Start with an external-action inventory. The regulatory compliance trigger flows from what the agent does to the world — what data it processes, what systems it connects to, what decisions it influences. Map that first.
  • Cybersecurity measures may be a legal obligation. Check what laws apply. The CRA and the AI Act apply in parallel. There may be other legal acts that require security measures.
  • Build external constraints, not just internal instructions. Providers of AI agents cannot rely on telling an agent to follow instructions. They need to build agents so that it is structurally difficult for an agent to operate outside its intended boundaries, with monitoring built in to detect and log any attempt to do so. Human-in-the-loop should be considered for high-consequence actions.
  • Design using existing standards but plan to adapt. Use available draft standards — M/606, M/613 drafts, ISO/IEC 27090. Document your decisions clearly. There may still be gaps, but demonstrating good-faith engagement with the available guidance is both prudent and legally defensible.
  • Implement access control. Ensure that the permissions and access rights given to an agent are defined, including what data and systems it can access, what capabilities it can use and how it can interact with external systems. Academics recommend building constraints so that each tool connection requires authorisation, and credentials are only provided for a specific action. Audit trails should also be built to track tool connections, data accessed and outcomes produced for compliance purposes.
  • Build agentic triggers into detection. Ensure that agentic workflows can be monitored and differentiated from human activity, and that access control rules cover agent activity as well as human activity.
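As an added illustration of the access-control, human-in-the-loop and audit-trail points above (example code written for this page, not from the article or any product; the `ToolGate` name, tool names and all values are constructed):

```python
# Added example, not from the article: a policy gate placed between an agent and
# its tools. It enforces a per-tool action allow-list (least privilege), issues a
# single-use credential scoped to one action, requires a human approver for
# high-consequence actions, and writes an audit trail tagged as agent activity so
# it can be told apart from human activity. All names and values are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from collections import Counter
import secrets


@dataclass
class ToolGate:
    allowed: dict                    # tool -> set of permitted actions
    high_consequence: set            # (tool, action) pairs needing human approval
    audit: list = field(default_factory=list)

    def _log(self, agent_id, tool, action, target, outcome):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": f"agent:{agent_id}",  # never looks like a user
                           "tool": tool, "action": action,
                           "target": target, "outcome": outcome})

    def invoke(self, agent_id, tool, action, target, approved_by=None):
        """Return a scoped credential or refuse; every decision is audited."""
        if action not in self.allowed.get(tool, set()):
            self._log(agent_id, tool, action, target, "denied")
            return {"status": "denied"}
        if (tool, action) in self.high_consequence and not approved_by:
            self._log(agent_id, tool, action, target, "awaiting_approval")
            return {"status": "awaiting_approval"}
        # Single-use credential bound to exactly this tool/action/target, so a
        # compromised step cannot reuse it against another system (constructed).
        token = secrets.token_hex(16)
        self._log(agent_id, tool, action, target,
                  f"granted(approved_by={approved_by})")
        return {"status": "granted", "credential": {"token": token, "tool": tool,
                                                    "action": action, "target": target}}


def denied_counts(audit):
    """Detection hook: how many refusals each agent produced (a spike is anomalous)."""
    return Counter(e["actor"] for e in audit if e["outcome"] == "denied")


if __name__ == "__main__":
    gate = ToolGate(allowed={"mail": {"read"}, "files": {"list"}},
                    high_consequence={("files", "list")})
    print(gate.invoke("a1", "mail", "read", "inbox"))                     # granted
    print(gate.invoke("a1", "files", "delete", "/srv/archive"))           # denied
    print(gate.invoke("a1", "files", "list", "/srv/archive"))             # awaiting_approval
    print(gate.invoke("a1", "files", "list", "/srv/archive", approved_by="ops"))
    print(denied_counts(gate.audit))
```

The audit entries are what a SIEM rule would consume to separate agent activity from human activity and to alert on repeated refusals.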

How can Mishcon de Reya help?

We advise providers, deployers, and users of AI agents on the full range of regulatory and cybersecurity compliance obligations arising under the EU AI Act, the Cyber Resilience Act, and intersecting UK and EU legislation. Please get in touch with a member of our Data team to discuss how we can help.
