ENISA: 2023 AI and Standardized Cybersecurity Report

ENISA has published the "Cybersecurity Report on AI and Standardization 2023", with the overall goal of providing an overview of standards related to cybersecurity for artificial intelligence (AI), assessing their coverage and identifying gaps in standardization. It does this by taking into account the particularities of AI, in particular machine learning, and by adopting a broad cybersecurity perspective, including the "traditional" confidentiality (integrity) availability paradigm and the broader concept of trustworthiness of AI. Finally, the report explores how standardization can support the implementation of cybersecurity embedded in the proposed EU Regulation that sets out harmonized rules for AI.

The report describes the activities of major standards development organizations (SDOs) covering the standardization landscape for AI.

The report argues that existing general technical and organizational standards can help mitigate some of the risks facing AI by providing specific guidance on their application in AI environments. This consideration stems from the fact that, at its core, AI is software, so software security measures can be transferred to the AI ​​domain.

Finally, the report complements the above observations by extending the analysis to the draft AI Bill. First, the report highlights the importance of incorporating cybersecurity into the assessment of high-risk systems to determine the cybersecurity risks of each system’s specific use. Second, the report highlights the lack of standards covering the capabilities and tools of actors performing conformity assessments. Third, the governance systems established by the draft AI Bill and the Cybersecurity Act (CSA) should be coordinated to avoid duplication of efforts at the national level.

Finally, the report concludes that some standardization gaps will only become apparent as AI technology advances and further research is conducted on how standardization can support cybersecurity.