Cyber & IT Supervisory Forum - Additional Resources

A multilayer framework for good cybersecurity practices for AI June 2023

2. FRAMEWORK FOR GOOD CYBERSECURITY PRACTICES FOR AI

OVERVIEW OF THE FRAMEWORK The proposed FAICP framework is a simple approach to guide NCAs, individual AI stakeholders and the research community on how they can use the existing cybersecurity practices, what additional cybersecurity activities are needed to address the specificities of AI and the additional practices required when AI systems are employed in specific sectors (e.g., health, energy, telecom).

The framework was developed using the following principles. • Inclusive. Uses past experience and builds upon it. •

Holistic. Considers the AI systems within the ICT infrastructure and embraces all cybersecurity practices needed around and within the AI systems and their individual components. • Expandable. Its generic and yet embracing structure can include future developments in all three layers. • Multi-use. Useful to AI stakeholders independently of the sector. • International. Includes European and international efforts, standards and recommendations.

The FAICP is a scalable 3-layered framework:

Figure 1: FAICP – A scalable framework for AI-related cybersecurity good practices

• Layer I (cybersecurity foundations). The basic cybersecurity knowledge and practices that need to be applied to all ICT environments that host/operate/develop/integrate/maintain/supply/provide AI systems. Existing cybersecurity good practices presented in this layer can be used to ensure the security of the ICT environment that hosts the AI systems.

6