2022欧盟AI网络安全与标准化报告.docx

ensaE1.JRCPFAN,1NNAGENUY寸口每卡通供.南节O1.O1.OI1.1.O1.00101CYBERSECURITYOFAIANDSTANDARDISATIONMARCH2023ABBREVIATIONSAbbreviationDefinitionA1.Andkiia1.IrWIipenceCEN.CENeiECEuropeanCommitteeforS1.andafd1.sa1.kxi-EuropeanC<xwn*11eekxE1.ectfo<ncaStarKtefd1.sanonCIAConfidentia1.ity.IntegrityandAvai1.abi1.ityENEuropeanStanctefdESOEuropeanStandardisationOfQanISa1.METSIEuropoanTe1.oconvnunicationsStandardsInsthu1.oORGfO1.pReportICTInformaDonAndCommunicatkxisTechno1.ogyISGIndustrySpoci1.icationGroupISOMternationa1.OrganizationIofStandafdzabonITInformabonTechno1.ogyJTCJointTechnica1.CommineeM1.Machne1.earningNISTNationa1.InsbtuteofStandardsandTechno1.ogyR&DResearchAndDeetopfnen1.SAISecurityofArtifioa1.t11te1.rceSCSubcommitieeSDOStandards-Devdop<rOrganisationTRTechnica1.ReportTSTochnica1.Spocifica1.ionsW1.WorkItemABOUTENISATheEuropeanUnionAgencyforCybersecurity.EN1.SA.istheUnion'sagencydedicatedtoach>w>gahhco11wnonIevxHofcybersecurityacrossEurope.Estab1.ishedin2004andstrengthenedbytheEUCybcrsecurdyAct.theEuropeanUnionAgencyforCybersccurityCOCtrtbutostoEUcyberpo1.icy,enhancesthetrustworthinessc1.ICTproducts,servicesandprocessesW1.Ihcybersecuritycert1icatk)schemes,cooperatesMhKtemberStatesandEUbodies.andhe1.psEuropepreparetortecybercha1.1.engeso1.tomorrow.Throughknovedgesharing,capa1.ybui1.dingandawarenessraising.theAgencyworkstogetherW1.thitskeystakeho1.derstostrengthentrustinthennectedenomy,toboostresi1.ienceoftheUni,sGfraStrUCtUre.and.u1.timate1.y,tokeepEurope'ssoetyandcitizensdigda1.tysecure.MoreinformationaboutENISAanddsWOfkcanbefndhere:ww.enisa.europa.eu.CONTACTF<xcontactingtheauthorsp1.easeUSCteamemsa.eufopa.euFormediaenquiriesaboutthispaper.pieaseusepressemsaeuropaeu.AUTHORSP.Bezombes.S.Brunessaux.S.CadzowEDITOR(三)ENISA:E.MagoaaraS.GorniakP.MagnabOSOOE.Tsekmezog1.ouACKNOW1.EDGEMENTSWewou1.d1.iketothankIbCJointResearchCentreandtheEuropeanCommission1(xtheiractivecontributionandconsentsduringthedraftingstage.A1.so,wcWoUIC1.iketothanktheEN1.SAAdHocExportGrouponAnificia1.Inte1.1.igence(A1.)CytXHSOCUriWfortheva1.uab1.efcod-backandcommentsinva1.idatingthisreport1.EGA1.NOTICEThisP1.JbtoCa1.iOnrepresentstheviewsandinterpretationsofENISA,un1.essstatedotherwise,hdoesnotendorsearegu1.atoryob1.igationofENISAorofENISAbodiespursuanttotheRegu1.ation(EU)No2019'881.ENISAhastherhttoa1.ter,updateorremovethepub1.icationoranyoftscontents.Itismendedforinformationpurposeson1.yanditmustbeaccessib1.efreeofcharge.A1.1.referencestoitoritsuseasawho1.eorpartia1.Iymustntai11ENISAasitssource.Third-partysourcesarequotedasappropriate.ENISAisnotresponsib1.eor1.iab1.eforthecontentoftheexterna1.sourcesinc1.udingexterna1.websitesreferencedinthispub1.ication.Na1.herEN1.SAnoranypersonactingonitsbeha1.fisresponsib1.efortheusethatmightbemadeoftheinformationcontainedinthispubteation.ENISAmaintainsitsinte1.1.ectua1.propertyrightsinr<Hationtothispub1.ication.COPYRIGHTNOTICE©EuropeanUnionAgencyforCybersecurity(ENISA).2023TsPubfccationis1.icencedunderCCBY4OmU11cssotherwisenoted,thereuseofthisdocumentisauthorisedundertheCreativeConvnonsAttribution40Internationa1.(CCBY4O)fccencehtts7crca!ivccommons.org.'bccnses.,by.,4,).Thsmeansthatreuseisa三owod,providedthatappropriatecrcd<tisgivenandanychangesareEicate(TCoverimageshuttrstock.m.Foranyuseorreproduction&photos(Xothermate11athatenotundertheENISAcopyright,permissionmustbesoughtdirect1.yfromthecopyrighthoWers.ISBN978-92-204-6163.DOI10.2824/277479.TP-03-23011-ENCTAB1.EOFCONTENTS1. INTRODUCTION81.1 DOCUMENTPURPOSEANDOBJECTIVES81.2 TARGETAUDIENCEANDPREREQUISITES81.3 STRUCTUREOFTHESTUDY82. SCOPEOFTHEREPORT:DEFINITIONOFA1.ANDCYBERSECURITYOFA1.92.1 ARTIFICIA1.INTE1.1.IGENCE92.2 CYBERSECURITYOFA1.103. STANDARDISATIONINSUPPORTOFCYBERSECURITYOFA1.123.1 RE1.EVANTACTIVITIESBYTHEMAJNSTANDARDS-DEVE1.OPINGORGANISATIONS123.1.1 CENCENE1.EC123.1.2 ETSI133.1.3 ISO-IEC143.1.4 Others144. ANA1.YSISOFCOVERAGE164.1 STANDARDISATIONINSUPPORTOFCYBERSECURITYOFA1.-NARROWSENSE164.2 STANDARDISATIONINSUPPORTOFTHECYBERSECURITYOFA1.-TRUSTWORTHINESS194.3 CYBERSECURITYANDSTANDARDISATIONINTHECONTEXTOFTHEDRAFTA1.ACT215. CONC1.USIONS245.1 WRAP-UP245.2 RECOMMENDATIONS255.2.1 Recommendationstoa1.1.organisations255.2.2 Recommendationstostandards-deveop>gorganisations255.2.3 RecommendationsinpreparationforIheimp1.ementationofthedraftA1.Act255.3 ANA1.OBSERVATIONS26AANNEX:2727A.1SE1.ECTIONOFISO27000SERIESSTANDARDSRE1.EVANTTOTHECYBERSECURITYOFA1.«.CYBERSECURITYOFA1.ANDSTANDARDISATION:en'saA.2RE1.EVANTISOIECSTANDARDSPUB1.ISHEDORP1.ANNEDIUNDERDEVE1.OPMENT29A.3CEN-CENE1.ECJOINTTECHNICA1.COMMITTEE21ANDDRAFTA1.ACTREQUIREMENTS31A.4ETSIACTIVITIESANDDRAFTAJACTREQUIREMENTS33EXECUTIVESUMMARYTheovera1.1.objectiveOI1.hCpresentdocumentistoprovideanoverviewo1.standar(fe(existing,beingdratted,underconsiderationandp1.anned)re1.atedtotheCybasecurityofa11ifk>a1.inte1.1.igence(A1.),assesstboircoverageandidcMygaps«nstandardisation.ItdeessobyconsideringtboSP(XXicibcsofA1.andinparticu1.armachine1.earning,andbyadoptingabroadVIewofcyt>ersecurit/,empassmgboththe,tfadtionaconfideta1.ity-itegrity-ayai1.abMyparaa«gmandthebroadercep<o1.A1.trustworthiness.Fina1.1.y,thereportexamineshowstandardisationcansupporttheimp1.ementationOfthecybersecurityaspectsembeddedintheproposedEUregu1.ation1.ayingdownharmontsedru1.esona11ificia1.inte1.1.igence(COM(2021)206fina1.)draftA1.Act).Thereportdescribesthestandardisation1.andscapecoveringA1.,bydepictingtheactivitiesofthemamStandardsDcvc1.opingOrganisations(SDOs)thatseemtobeguidedbyconcernaboutmsuff100ntkn<xeoftheappfccationdexitingtechniquestoCoUnkXthreatsandVuincrabiMiesarisingfromA1.Th<sresu1.tsintheongoingdev。IOPmenIo1.adhocreportsandguidance,ando<adhocstandards.Tereportarguesthatexistinggenera1.purposetechnica1.andorganisationa1.standards(suchasISOIEC27001andISO-IEC9001)canContrtutetomitigatingsomeoftherisksfacedbyA1.withthehe1.pofspecificgukianceonhowtheycanbeapp1.iedinanA1.context.Thisconsiderationstemsfromthefactthat,inessence,A1.issoftwareandthere1.or©SOftwaresecuritymeasurescanbetransposedtotheA1.domain.Thereporta1.sospecifiesthatthisapproachisnotexhaustiveandthatithassome1.imitations.Forexamp1.e,whi1.ethereportfocusesonsoftv/areaspeds.thebo11ofA1.caninc1.udebothtechnica1.andorganisationa1.etementsbeyondSoftWare.scashardv/areorinfrastructure.Otherexampiesinc1.udethefactthatdeterminingappropriatesecuritymeasuresre1.iesonasystem-specificana1.ysis,andthefactthatsomeaspectsofcybersecurityaresti1.1.thesubjectofresearchanddeve1.opment,andthereforemightbenotmatureenoughtobexhaustive1.ystandardised.Inadd<1i.existingstandardsseemnottoaddressspecificaspectssuchasthetraceabi1.ityand1.ineageofbothdataandAponents,ormetricson.forexamp1.e,robustness.Therepo11ateo(×*sbeyondthemereprotectionofassets,ascybersecuritycanbeconsideredasinstrumenta1.tothecorrectimp1.ementationoftrustworthinessfeaturesofA1.and-11verse1.y-thecorrectmp1.ementationoftrustvor1.hi11essfeaturesiskeytoensuringcybersecurity.Inthiscontext,itisnotedthatthereisariskthattrustworthinessishand1.edseparate1.ywithinA1.specificandcybersecurity-specifk:standardisationinitiatives.Oneexamp1.eofanareawherethismighthappenisconformityassessment.1.astbutnot1.east,therepodcomp1.ementstheobservationsabovebyextendingtheana1.ysistoIhedra1.tA1.Act.Frsi1.y,thereportstressestheimportanceoftheinc1.usionofcyt>ersecurityaspectsintheriskassessmentofhigh-risksystemsinordertodeterminethecybersecurityrisksthatarespedfictotheintendeduseofeachsystem.Second1.y,thereporthighfeghtsthe1.ackofstandardscoveringthempetencesand100teoftheact<xsperformingconformityassessments.Third1.y,itnotesIha1.thegovernancesystemsdrawnupbythedraftA1.ActandtheCybersecurityAa(CSA)1shou1.dworkinharmonytoavoiddup1.icationofeffortsatnationa1.1.eve1.Fina1.1.y,thereportCOnC1.UdoSthatsomestandard<sationgapsmightbecomeapparenton1.yasIheA1.techno1.ogiesadvanceandwithfurtherstudyotbowstandardisationcansupportcybersecurity.,RogUAimnIEu1.20I&B81GtthoEuropeanPariamnntarc/1»Cunc4o1.17Apn1.2019onEN1.SAtfoEtroXanUmcnAj*511cyIorC>t*fMC11y1.adonGfBrnBgn8mmj但WCSWiEMycyg<5<u的s3and啖划gRubtcn<EUyZO52&2013(C,bersecurRAc1.1.(Mips:AQJHeX.eugauteireQ,201'B61,oi.Informationsecurity,cybersecurityandprivacyprotection-Guide1.inesforinformationsecuritymanagcmcn1.systemsauditingSQ,IEC27007:2020Informationtechno1.ogy-Securitytechniques-Requirementsfoebodiesprovidingauditandcertificationofinformationsecun1.ymanagementsystems-Amendment1Sa,IEC27006:2015AMD1:2020Informationtechno1.ogy-Securitytechniques-Requirementsforbodiesprovidingauditandcertrfcationofintormationsecuritymanagementsystems1.S,IEC27006:2015Requirementsforbodiesprovingauditandcertificationofinformationsecuritymanagementsysems-Part2:PrivacyinformationmanagementsystemsISOIECTS27006-2021Informationtechno1.ogy-Securitytechniques-InformationsecurityriskmanagementISQIEC27005:2018Informationtechno1.ogy-Securitytechniques-In1.OrmauOnSeCUEymanagement-Monitoring,measurement,ana1.ysisandeva1.uationISOIEC27004:2016Informationtechno1.ogy-Securitytechniques-InformationSecurHymanagementsystems-GuidanceISQ,IEC27003:2017Informationsecurity,Cytwrsecurityandprivacyprotection-Informationsecuritycontro1.sISQIEC27002:2022Informationtechno1.ogy-Securitytechniques-Informationsecuritymanagementsystems-Requirements-Technica1.Corrigendum2ISd1.EC27001:2013Cf2:2015Informationtechno1.ogy-Secuntytechniques-InformationSeCUEymanagementsystems-Requirements-Technica1.Corrigendum1ISOIEC270012013Cor1:2014Informationtechno1.ogy-Securitytechniques-InformationSeCUritymanagementsystems-RequirementsIS,IEC27001:2013A.2RE1.EVANTISO/IECSTANDARDSPUB1.ISHEDORP1.ANNED/UNDERDEVE1.OPMENTNameExpectedpub1.icationdate(atthetimeofwriting)DocumentReferenceArtificia1.Inte1.1.igence(AJ)Aworks-Part1:OverviewSQ1CTR24029-1.2021Pubii5h(jAssessmentofmachine1.earningC1.assrticationperformanceISQIECTS4213Pub1.ishedBigdata-Overviewandvocabu1.arySQ1C20546019Pub1.ishedInformationtechno1.ogy-Artificia1.Inte1.1.igenceOverviewo1.ethica1.andsoc>c<a1.concernsIsa1.ECTR24368.2022PuWishedInformationtechno1.ogyArtificia1.imd1.igenccOverviewoftfustwortht11essInart1.t1.cia1.1.nte<1.enceSQ'1ECTR240282020PuWishedInformationtechno1.ogy-Artificia1.Inte1.1.igenceProcessmanagementframeworkforbigdataana1.yticsIsa1.eC24668022PuWishedInformationtechno1.ogy-Artificia1.inte1.1.igence(AI)BqsinA1.systemsandA1.aideddecisionmakingISQ1.ECTR240272021Pub1.ishedInformationtechno1.ogyArtftida1.inte1.1.igence(AI)Overviewofcomputationa1.approachesforA1.systemsscTR24372:2021PuWishedInformationtechno1.ogy-Bigdatareferencearchitecture-Part1:Frameworkandapp1.icationprocessISQIECTR205471:2020PuWisbedInformationtechno1.ogy-Bigdatare1.erencearchitecture-Part2:UsecasesandderivedrequirementsISQ1.ECTR20547-2:2018Pub1.ishedInformationtechno1.ogy-Bigdatareferencearchitecture-Part3:RoferencearchitectureIS0iC20547-3:2020PuWisbedIn1.ormattontechno1.ogyBigdatare1.erencearchitecture-Part4:Securityandprivacysic20547-4:2020PuWishedInformationtechno1.ogy-Bigdatareferencearchitecture-Part5:StandardsroadmapISQ1.ECTR205475:2018Pub1.ishedInformationtechno1.ogyGovernanceofIT-GovernanceImp1.icationsoftheuseofartificia1.inte1.1.igencebyorganizationsISaIeC3a5072022Pub1.ishedSafetyofmachinery-Re1.ationshipwrthISO12100-Part5:Imp1.icationsofembeddedartificia1.inte1.1.igencemachineIetamingJSTR2210052021PuWishedArt1.1.1.c1.a1.Inte1.1.igence(AJ)UsecasessaiECTR24030:2021PuMished(tobervisodnewversionexpectedinMay2023)Artificia1.inte1.1.igence-Functiona1.safetyandA1.systemsISa1.ECCDTR5469Apf-23SoftwareengineeringSystemsandsoftwareQua1.ityRequirementsandEva1.uation(SQuaRE)Qua1.itymode1.forA1.systemssaecots25059May-23Artificia1.inte1.1.igence-Dataqua1.itytorana1.yticsandmachine1.earning(M1.)-Part1:Overview,termino1.ogy,andexamp1.esSQ1ECCO52591M23Artificia1.inte1.1.igence-Dataqua1.ityforana1.yticsandmachine1.earning(M1.)-Part3:DaIaqua1.itymanagementrequirementsandgu<>einesIsaIeCco5259-3Ju1.-23Artmcia1.Inte1.1.if1.ence-Dataqua1.itytorana1.yticsandmachine1.earning(M1.)-Part4:Dataqua1.ityprocessframeworkISaiECCD5259-4Ju1.23Informationtechno1.ogy-Ar1.ificui1.inte1.1.igence-Contro1.kibt1.ityofautomatedartificia1.mte1.1.igencesystemsISQIECAW1.TS8200JM23Informationtechno1.ogy-Artificia1.Inte1.1.igence-A1.systemHfecyc1.eprocessesISQIECDIS5338Aug23Informationtechno1.ogyArtificia1.inte1.1.igence-GuidanceforAJapp1.icationsISQIECDIS5339Aug23Informationtechno1.ogy-Artificia1.Inte1.1.igenceOverviewofmachine1.earningcomputingdevicesISQIECAWITR17903Nv23Artificia1.inte1.1.igence-Dataqua1.ityforana1.yticsandmachine1.earning(M1.)-Part2:Dataqua1.itymeasuresISQIECCD52592Jan24Informationtechno1.ogy-Art1.ticto1.InieHkjence-Objectivesandapproachesfoeexp1.ainabi1.ityofM1.mode1.sandA1.systemsS0,1.CAW1.TS6254Fb-24Informationtechno1.ogy-Ar1.ifkia1.inte1.1.igence-TreatmentofunwantedbiasInc1.assificationandregressionmacine1.earningtasksISQIECAW1.TS12791Fet>-24SoftwareandsystemsengineeringSoftwaretestingPart11:TestingofA1.systems,cAWTS29119-111JFt>24Artificia1.inte1.1.igence-Dataqua1.ityforana1.yticsandmachine1.earning(M1.)Part5:Dataqua1.itygovernanceISQIECAW1.5255Fet>-25Informationtechno1.ogy-Ar1.1.tcia1.Inte1.IHienceTransparencytaxonomyo1.AJsystemsISQIECAW1.127%Feb-25Qua1.ityeva1.uationguide1.inesforA1.systemsISOIECAWITSM71UnderConsidorabonInformationtechno1.ogy-AHificioIinte1.1.igence-Rc1.crcnccarchitectureofknow1.edgeengineeringISQIECDIS5392Underdeve1.opmerrtA.3CEN-CENE1.ECJOINTTECHNICA1.COMMITTEE21ANDDRAFTA1.ACTREQUIREMENTSNameTR,s.ENActk>n:a<k>ta<top<(ISO-IEC)-deve1.op(ESOa)TargetddtcISO1EC22989:2022Artificia1.inte1.1.igenceconceptsandtermino1.ogyISAdop(Ju1.y2022ISIEC2308:2022Frameworkforartificia1.inte1.1.igence(AJ)systemsusingmachine1.earning(M1.)ISAdop(Ju1.y2022ISoIECCD5259-1Dataqua1.ityforana1.yticsandmachine1.earning(M1.)-Part1:Overview,termino1.ogy,andexamp1.estsAdDPeDecember2023IS,IEC9001:2015Qua1.itymanagementsystems-RequirementsIS2015ISOIEC42001Artificia1.inte1.1.igence-FianagementsystemISAdopcDecember2023ISeXIEC27001:2022Informationsecuritymanagementsystems-RequirementsIS2022ISdIEC23994GuidanceonriskmanagementISAdoptDecember2023TransparcfxzyandprovisionofinformationtousersHumanoversightQua1.itymanagementsys<emConformityassessmentAccuracyHIcCybersecurityBBDDf1.f1.D1D