EuropeanAI Newsletter #76: Liability x AI Act
The EuropeanAI Newsletter
Covering Artificial Intelligence in Europe
Welcome to the EuropeanAI Newsletter covering the European AI and technology ecosystem. If you want to catch up on the archives, they're available here.
We put a lot of hard work and time into this freely available newsletter. Support us by sharing the subscription link with 3 people who would enjoy this newsletter.
Policy, Strategy and Regulation
Deep dive: draft Cyber Resilience Act
What is it?
The European Commission unveiled its proposal for a regulation on cybersecurity requirements for products with digital elements, the Cyber Resilience Act. It intends to streamline cybersecurity requirements to ensure robust cybersecurity throughout the EU’s digital supply chain.
The Act covers hardware and software that can be connected to another device or to a network, including the internet. It also applies to ancillary services for the operation or use of such hardware and software, such as sensors, smart cards, mobile or network devices, software embedded in hardware and non-embedded software, as well as remote data processing.
Overall, it introduces harmonized mandatory standards for the different product categories regarding their design, development and production. Those standards will build upon the standards developed by the European standardization organizations CEN and CENELEC with respect to radio equipment.
Moreover, it introduces a range of additional requirements: (i) conditions for placing products on the market; (ii) possible performance of a self-assessment or a third-party conformity assessment prior to market launch; (iii) handling of vulnerabilities throughout the entire life cycle of the products, including obligations for manufacturers and developers to provide security updates and support for a reasonable time period; (iv) obligations for manufacturers to report cyber incidents within 24 hours of becoming aware of them; and (v) market surveillance after the market launch of the product.
Software provided as part of a service is generally not covered by the Cyber Resilience Act, and certain types of software (e.g. SaaS cloud computing, online search engines and marketplaces) remain subject to the cybersecurity requirements under the Directive on the security of network and information systems (NIS) and its upcoming sequel, NIS2.
How does it connect to the AI Act?
The Cyber Resilience Act will interact with the AI Act predominantly on three points: ensuring cybersecurity compliance, conformity assessments and vulnerability handling processes. Among the AI Act’s legal obligations, Art 15 requires that high-risk AI systems be designed and developed in a way that achieves an appropriate level of cybersecurity.
Some of these high-risk AI systems might be integrated (e.g. as safety components) into hardware or represent non-embedded software within the meaning of the Cyber Resilience Act. With respect to them, the Cyber Resilience Act will set the baseline for cybersecurity compliance through its harmonized mandatory standards. If high-risk AI systems meet those standards, they will be considered compliant with the equivalent cybersecurity requirements under the AI Act. Of course, high-risk AI systems would still need to meet additional requirements under the AI Act within the relevant Article, such as for accuracy and robustness.
In general, the conformity assessment requirements under the AI Act apply instead of those under the Cyber Resilience Act. However, when a high-risk AI system qualifies also as a critical digital product (i.e. can pose severe cybersecurity risks) under the Cyber Resilience Act, then this system needs to undergo a conformity assessment under the Cyber Resilience Act even if the AI Act allows for self-assessment. Providers of high-risk AI systems that fall under the Cyber Resilience Act would draw up one single set of technical documentation that contains the information required under both the AI Act and the Cyber Resilience Act.
Enjoy learning about Europe? Share the subscription link with friends, colleagues, enemies...
Contact Charlotte Stix at:
www.charlottestix.com
@charlotte_stix
Dessislava Fessenko provided research and editorial support.
Interesting events, numbers or policy developments that should be included? Send an email!
Disclaimer: this newsletter is personal opinion only and does not represent the opinion of any organisation.
Copyright © Charlotte Stix, All rights reserved.