Evaluation of the Impact of the AI Act on Transmission System Operators

Abstract

The AI Act is the first comprehensive legal framework that regulates the development and use of AI systems. It introduces a tiered categorization of AI systems, based on risk profiles. Because the safety components of high-risk AI systems operating in critical infrastructure fall into the highest tier, Transmission System Operators (TSOs) must achieve full compliance, covering both technical and organizational measures, and extensive documentation obligations.However, the Regulation leaves ambiguities regarding how compliance should be operationalized in the context of grid operations.This thesis addresses that problem. First, the entire legal text of the AI Act was systematically reviewed, with a focus on the typical TSO operational context. The result is a set of checklists covering (i) mandatory requirements for high-risk AI systems, (ii) obligations for providers, and (iii) obligations for deployers. Subsequently, key interpretative uncertainties were identified,specifically which operations qualify as management and operation of critical infrastructure,how safety components should be defined, and how AI-risk self-assessment can be performed in the absence of relevant guidelines.Building on TSO and ENTSO-E practice, OECD framework for classification of AI systems and principles from functional safety, a two-pillar classification framework was developed, which enables:1) a risk rating of operations (high / medium / low) supporting the identification of processes falling under the management and operation of critical infrastructure, and2) an assessment of the safety-criticality of the AI systems embedded in those processes.In the next step, a draft effective compliance process was created, based on theISO/IEC 42001 AI Management System. In that way, the legal requirements not covered bythe standard were identified. New controls were then written for these requirements and integrated with the existing ISO/IEC 42001 controls. Using this combined approach, a model compliance process was built. Finally, a RACI matrix was applied to divide responsibilities between subject-matter experts and IT experts, aligning each role with the actions from the process andthe phases of the AI system life cycle.The thesis also presents a case study of Austrian Power Grid AG, illustrating the organizational measures and risk mitigation strategies already in place to meet obligations of the AI Act. Supported by this real-world example, the work proposes actionable, practical steps that align with TSO operational reality and existing structures and that enable facilitating compliance without IVimposing unnecessary operational burden. Ultimately, the thesis proposes a structured compliance model in the context where harmonized standards are not yet available. It also provides an evaluation of the AI Act’s practical implications for TSOs.