The European Telecommunications Standards Institute (ETSI) has unveiled a new standard, EN 304 223, establishing baseline security requirements for artificial intelligence that organizations must embed within their governance frameworks. This move marks a significant step in formalizing the cybersecurity landscape for AI as businesses increasingly integrate machine learning into their core operations.
EN 304 223 stands as the inaugural globally applicable European Standard for AI cybersecurity. Its formal approval by National Standards Organizations lends it substantial authority across international markets, positioning it as a crucial complement to regulatory frameworks like the EU AI Act. The standard directly addresses the unique risks inherent in AI systems, such as susceptibility to data poisoning, model obfuscation, and indirect prompt injection – threats that traditional software security often overlooks. Its scope encompasses a wide range of AI technologies, from deep neural networks and generative AI to simpler predictive systems, with the exclusion of those solely used for academic research.
### ETSI Standard Clarifies the Chain of Responsibility for AI Security
A persistent challenge in enterprise AI adoption has been the ambiguous ownership of risk. ETSI EN 304 223 tackles this by defining three primary technical roles: Developers, System Operators, and Data Custodians.
For many organizations, these roles are not clearly delineated. Consider a financial services firm that fine-tunes an open-source model for fraud detection. Such an entity would function as both a Developer and a System Operator, triggering stringent obligations. This dual status necessitates securing the deployment infrastructure while meticulously documenting the provenance of training data and maintaining auditable records of the model’s design.
The explicit inclusion of ‘Data Custodians’ as a distinct stakeholder group directly impacts Chief Data and Analytics Officers (CDAOs). These individuals are responsible for data permissions and integrity, a role that now carries explicit security mandates. Data Custodians must ensure that a system’s intended use aligns with the sensitivity of the training data, effectively embedding a security checkpoint within the data management workflow.
ETSI’s AI standard emphasizes that security cannot be an afterthought tacked on at the deployment stage. During the design phase, organizations are mandated to conduct threat modeling that specifically addresses AI-native attacks, including membership inference and model obfuscation.
One key provision requires developers to restrict functionality to minimize the attack surface. For instance, if a system utilizes a multi-modal model but only requires text processing capabilities, the unused modalities (such as image or audio processing) represent an inherent risk that must be actively managed. This directive compels technical leaders to re-evaluate the common practice of deploying expansive, general-purpose foundation models when a more specialized, smaller model would suffice.
The document also enforces rigorous asset management. Developers and System Operators must maintain a comprehensive inventory of all AI assets, including their interdependencies and connectivity. This practice is vital for discovering “shadow AI” – systems that operate outside of IT’s awareness and therefore cannot be secured. The standard further mandates the creation of specific disaster recovery plans tailored to AI-related attacks, ensuring that a “known good state” can be rapidly restored in the event of a model compromise.
Supply chain security emerges as an immediate friction point for enterprises that rely on third-party vendors or open-source repositories. The ETSI standard stipulates that if a System Operator opts to utilize AI models or components with inadequate documentation, they must provide a clear justification for this decision and meticulously document the associated security risks.
Practically, this means procurement teams can no longer accept opaque, “black box” solutions. Developers are required to furnish cryptographic hashes for model components to verify their authenticity. When training data is sourced publicly, a common practice for Large Language Models, developers must document the source URL and the timestamp of acquisition. This audit trail is indispensable for post-incident investigations, particularly when trying to determine if a model was subjected to data poisoning during its training phase.
Furthermore, if an enterprise exposes an API to external customers, robust controls must be implemented to mitigate AI-specific attacks. This includes measures like rate limiting to prevent adversaries from attempting to reverse-engineer the model or overwhelm defenses with data poisoning attempts.
The lifecycle approach extends into the maintenance phase, where the standard treats significant updates, such as retraining on new data, as the deployment of a new version. Under the ETSI AI standard, this triggers a requirement for renewed security testing and evaluation.
Continuous monitoring is also formalized. System Operators are obligated to analyze logs not merely for system uptime but also to detect “data drift” – gradual shifts in model behavior that could signal a security breach. This elevates AI monitoring from a performance metric to a critical security discipline.
The standard also addresses the “End of Life” phase for AI models. When a model is decommissioned or transferred, organizations must involve Data Custodians to ensure the secure disposal of all associated data and configuration details. This provision is critical for preventing the leakage of sensitive intellectual property or training data through discarded hardware or forgotten cloud instances.
### Executive Oversight and Governance
Compliance with ETSI EN 304 223 necessitates a review of existing cybersecurity training programs. The standard mandates that training be role-specific, ensuring that developers gain expertise in secure AI coding practices, while general staff are educated on threats such as AI-driven social engineering.
“ETSI EN 304 223 represents an important step forward in establishing a common, rigorous foundation for securing AI systems,” stated Scott Cadzow, Chair of ETSI’s Technical Committee for Securing Artificial Intelligence. “At a time when AI is being increasingly integrated into critical services and infrastructure, the availability of clear, practical guidance that reflects both the complexity of these technologies and the realities of deployment cannot be underestimated. The work that went into delivering this framework is the result of extensive collaboration and it means that organizations can have full confidence in AI systems that are resilient, trustworthy, and secure by design.”
Implementing these baseline security measures within ETSI’s AI standard provides a structured pathway for safer innovation. By enforcing documented audit trails, clearly defined roles, and transparency throughout the supply chain, enterprises can effectively mitigate the risks associated with AI adoption while establishing a defensible posture for future regulatory scrutiny.
An upcoming Technical Report, ETSI TR 104 159, is expected to apply these principles specifically to generative AI, addressing emerging challenges such as deepfakes and disinformation.
Original article, Author: Samuel Thompson. If you wish to reprint this article, please indicate the source:https://aicnbc.com/15780.html
