Cyber & IT Supervisory Forum - Additional Resources

A multilayer framework for good cybersecurity practices for AI June 2023

3. SURVEY ANALYSIS

The proposal for the AI Act [95] regulation contains various requirements for providers and operators of AI systems, including cybersecurity requirements for high-risk AI systems. The objective of the survey was to collect information from the EU NCAs about existing national cybersecurity requirements for AI, to determine how compliance with these requirements is monitored and enforced nationally and to evaluate whether certain practices/requirements established under the AI Act have already been implemented at the MS level. In this section of the report, the methodology used to develop the survey is described and the results of the survey are analysed. The complete questionnaire is available in Annex I.

3.1. METHODOLOGY

The questionnaire is based on the cybersecurity concepts described in the FAICP framework, on the main principles (related to cybersecurity) of the proposed AI Act and the Coordinated Plan on AI [96] and on the harmonised rules related to cybersecurity as reported in the explanatory memorandum.

Figure 11: Methodology to structure the questionnaire

Based on this, we identified and structured the survey according to five policy areas identified in the AI national strategies.

• Human capital (education, training and lifelong learning / labour market / intelligence and skills demand). This area targets all policies to foster the educational development of people. The focus of the survey is to identify whether and how AI security is being considered in all forms of education and existing awareness initiatives, and about hands-on skills and practical capabilities about AI.

• From the lab to the market (R&D / innovation / testing). This encompasses policy initiatives to encourage research and innovation in AI towards business growth in the private sector and increased efficiency of public services. The focus here is to understand national funding and research activities on the security of AI, along with sandboxes, cyber-ranges, simulation, testing environments and methodologies and tools.

• Networking (collaboration / dissemination and uptake). This includes policy initiatives related to AI collaborations across private and/or public sectors and directed to increasing the (inter)national attractiveness of the country. It also includes policies related to the dissemination and uptake of AI.

[95] See footnote 1.
[96] See footnote 4.
