Cyber & IT Supervisory Forum - Additional Resources

A multilayer framework for good cybersecurity practices for AI June 2023

(21) Do you impose dynamic risk assessment to be conducted by the AI stakeholders? Please elaborate.

Nothing related to AI was mentioned.

(22) What kind of sanctions have you set up for non-compliance with integrity of data and models? Please elaborate.

One MS mentioned the creation of a legislative framework for ethical and credible AI, focusing also on cybersecurity requirements.

Conclusions

Figure 14 illustrates the number of AI-related networking questions, including two questions that did not receive any answers: ‘(19) Have you defined/developed/used specific cyber measurements/metrics at the national level that AI stakeholders are required to use?’ and ‘(21) Do you impose dynamic risk assessments to be conducted by the AI stakeholders?’. Incident handling, collaboration and threat intelligence regarding AI security are essentially expected to follow the same mechanisms as cybersecurity in general. Some MS mention progressing towards AI-specific frameworks and the strengthening of European collaboration under the Competent Authorities on AI working group, which already discusses ways to implement the AI Act. One of the MS reported on the establishment of a national committee for AI ethics and reliability, while another MS mentioned that all public sector organisations and all medium and large-sized enterprises that operate AI systems are obliged to maintain a register containing the measures taken to ensure the safe usage and operation of their AI systems.

Figure 14: Overview of AI-related ‘Networking’ answers

[Chart ‘Networking’: vertical axis 0 to 5; horizontal axis questions 14 (M), 15 (M), 16 (M), 17, 18, 19 (M), 20 (M), 21 (M), 22]

Infrastructure

In accordance with the AI Act, to ensure a level of cybersecurity appropriate to the risks, suitable measures would have to be taken by the providers of high-risk AI systems, also considering as appropriate the underlying ICT infrastructure (rule 51 in the explanatory memorandum).

(23) How do you monitor/audit the appropriateness of the controls undertaken by the AI stakeholders (developers, integrators, providers of critical infrastructure e.g. telecom operators) to adequately secure the underlying ICT infrastructure? Please elaborate. (M)
