AI and Cybersecurity: A Guide to Compliance with the EU Artificial Intelligence Regulation

The European Commission’s proposal for an artificial intelligence regulation (AI Act) is a pivotal moment in regulating artificial intelligence to establish a horizontal framework for reliable AI and mitigate risks related to health, safety, and fundamental rights associated with new AI technologies. Therefore, AI system providers must implement the necessary technical and organizational measures before placing a high-risk AI system on the EU market to ensure compliance with the requirements set forth in the Act. The purpose is to build trust in artificial intelligence while introducing innovative technology, ensuring a positive societal impact.

Standardization of cybersecurity standards will play a key role in achieving compliance. Specific tools that ensure cybersecurity for high-risk artificial intelligence systems are still not sufficiently researched and are lacking. Such research is just emerging, aiming to gather and combine knowledge and approaches from various fields such as AI research, adversarial machine learning, and general cybersecurity.

Guidelines for Stakeholders

This text aims to highlight the practical implications of cybersecurity prescribed by the Act and provide key guidelines for achieving compliance as published by the Joint Research Centre, which, as a scientific center of the European Commission, provides independent evidence-based knowledge and scientific research.

The provided guidelines offer crucial insights to all stakeholders navigating through the cybersecurity requirements set by the Act. Given the potential impact AI can have (both positive and negative), we can say that there is a wide range of stakeholders who need to consider cybersecurity requirements. We can categorize them into three groups: (1) individual stakeholders, (2) organizational stakeholders, and (3) national or international stakeholders involved in drafting laws and other regulations.

Key Elements

Article 15 of the AI Act stipulates that high-risk AI systems must achieve a certain level of accuracy, robustness, and cybersecurity. Recital 51 of the Act further elaborates on cybersecurity.

Cybersecurity requirements should include the following key elements: resilience to malicious alterations, application of technical and organizational solutions, cybersecurity risk assessment, and appropriate risk-based technical solutions.

According to the Act, high-risk AI systems must undergo a conformity assessment to meet the cybersecurity requirement before being used on the EU market. Recital 51 of the Act states: ‘High-risk artificial intelligence should be accompanied by security solutions and patches throughout the product’s lifecycle or, in the absence of dependency on a specific product, during a period specified by the manufacturer.’ This means that AI system providers must guarantee cybersecurity and its updates throughout the entire lifecycle of the AI system.

Standardized Standards

There are two options for ensuring compliance. The first option is the application of standardized standards mentioned in Chapter 5 of the Act. Recital 61 of the Act states: ‘Standardization should play a key role in providing technical solutions to suppliers to ensure compliance with this Regulation.’ The first requirement for AI standardization, published by the European Commission in May 2023, officially refers to the development of necessary standards to facilitate upcoming regulations on artificial intelligence. Since the application of standardized standards is voluntary, the second option is for AI system providers to demonstrate compliance with the Act independently of them.

By integrating established cybersecurity practices with AI-specific measures, high-risk AI systems can effectively mitigate cybersecurity risks and work towards compliance. Compliance with the AI Act plays a crucial role in developing the AI ecosystem, with technological advancements in cybersecurity being the next step towards greater security for users of AI systems.