A multilayer framework for good cybersecurity practices for AI June 2023

The operators of ICT infrastructures need to be aware of and comply with all EU legislation, recommendations and directives, from the EU cybersecurity strategy of 2013 to the NIS 2 directive and the Cyber Resilience Act proposed in 2022.

Figure 6: Cybersecurity legal/policy EU instruments

Several pieces of legislation and policies have been developed to ensure the most effective responses, and the ICT infrastructure needs to comply with these policies. NIS 2 [30] and the Cybersecurity Act (CSA) [31] are considered to be Europe's two most important and far-reaching pieces of cybersecurity legislation [32], and the general data protection regulation (GDPR) [33] is the key personal data protection act; they emphasise supply chain security and privacy respectively, both of which are also highly relevant across the life cycle of AI systems. The EU's common security and defence policy (CSDP) [34] is another important element, since it is the EU's main instrument for dealing with new and unconventional security threats and serves to prepare a possible common European defence. Since AI is considered a technology that will play a crucial role in defending the EU, this policy must also be taken into account.

The CSA [35] establishes a cybersecurity certification framework for products and services. This framework provides EU-wide certification schemes as a comprehensive set of rules, technical requirements, standards and procedures. In this way it is possible to ensure public trust in the cybersecurity of IT products and services: it is important to be able to see that a product has been checked and certified to conform to high cybersecurity standards. AI-related products will gain trustworthiness if they are certified and, in the years to come, various cybersecurity certification schemes are expected to be developed for AI products to specify their security requirements.

Another important initiative is the European Cybersecurity Competence Centre [36], which aims to increase Europe's cybersecurity capacities and competitiveness, working together with a Network of National Coordination Centres [37] to build a strong cybersecurity community.
Also, the establishment of national computer security incident response

Footnotes

[30] Revised Directive on Security of Network and Information Systems (NIS 2), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2020:823:FIN
[31] Regulation (EU) 2019/881 (Cybersecurity Act), https://eur-lex.europa.eu/eli/reg/2019/881/oj
[32] https://digital-strategy.ec.europa.eu/en/policies/nis-directive
[33] The GDPR applies to the processing of personal data regardless of the means by which the personal data is processed, and thus applies to AI systems that process personal data. However, a number of AI-related data protection issues are not explicitly answered in the GDPR and need to be specified. For additional information on this topic, see https://www.europarl.europa.eu/RegData/etudes/STUD/2020/641530/EPRS_STU(2020)641530_EN.pdf
[34] https://www.eeas.europa.eu/eeas/common-security-and-defence-policy_en
[35] Regulation (EU) 2019/881 (Cybersecurity Act), https://eur-lex.europa.eu/eli/reg/2019/881/oj
[36] https://cybersecurity-centre.europa.eu/index_en
[37] https://cybersecurity-centre.europa.eu/nccs_en
