ETSI EN 304 223: Europe’s New Baseline Standard Redefines AI Security for Enterprises

As artificial intelligence becomes embedded in everyday business operations, questions around security are moving to the forefront. Addressing this shift, the European Telecommunications Standards Institute (ETSI) has introduced EN 304 223, a new European Standard that sets baseline cybersecurity requirements specifically designed for AI systems.

The standard arrives at a pivotal moment. While many organisations already apply traditional software security practices to AI, those measures often fail to address risks unique to machine learning models. EN 304 223 closes that gap, establishing concrete expectations for how AI systems should be designed, deployed, and maintained securely. Notably, it is the first globally applicable European Standard focused exclusively on AI cybersecurity, having received formal approval from national standards bodies, which gives it weight beyond the EU.

Designed to complement the EU AI Act, the standard recognises that AI systems face threats such as data poisoning, model obfuscation, membership inference, and indirect prompt injection. These risks apply across a wide range of technologies, from deep neural networks and generative AI to more traditional predictive models. Only systems used strictly for academic research fall outside its scope.

Clear accountability for AI security

One of the most practical contributions of EN 304 223 is how it defines responsibility. The standard identifies three core technical roles: Developers, System Operators, and Data Custodians. By doing so, it aims to resolve a common challenge in enterprise AI adoption, where ownership of security risk is often unclear.

In many real-world scenarios, organisations may occupy more than one role. A financial institution that fine-tunes an open-source model for fraud detection, for example, may act as both Developer and System Operator. Under the standard, this dual role comes with expanded obligations, including securing deployment infrastructure and documenting training data sources, model design, and audit processes.

The introduction of Data Custodians as a distinct role has particular implications for Chief Data and Analytics Officers. These custodians control access to and integrity of data, and the standard assigns them explicit security responsibilities. They must ensure that how an AI system is used aligns with the sensitivity of its training data, effectively embedding security checks directly into data governance workflows.

Security built in from the start

ETSI’s guidance makes clear that AI security cannot be bolted on at deployment. During the design phase, organisations are required to conduct threat modelling that considers AI-specific attack methods. Developers must also actively reduce attack surfaces by limiting system functionality to what is strictly necessary.

This has practical consequences. If a multi-modal model includes image or audio processing capabilities that are not required for its intended use, those unused features become potential vulnerabilities that must be managed or removed. The standard encourages teams to consider smaller, more specialised models instead of defaulting to large, general-purpose foundation models.

Asset management is another core requirement. Developers and System Operators must maintain detailed inventories of AI assets, their interdependencies, and connectivity. This supports the detection of “shadow AI” and ensures organisations are aware of all models in operation. The standard also mandates AI-specific disaster recovery plans, enabling teams to restore systems to a known safe state after a compromise.

Supply chain transparency and lifecycle controls

For organisations relying on third-party vendors or open-source components, supply chain security is a key focus. EN 304 223 requires System Operators to justify and document the risks of using poorly documented AI models or components. Procurement teams are no longer able to rely on opaque, black-box solutions without scrutiny.

Developers must provide cryptographic hashes to verify model authenticity, and when public datasets are used for training, the source URLs and acquisition timestamps must be recorded. This audit trail is essential for investigating incidents such as suspected data poisoning.
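One way to produce and check such a record, as an added example that is not taken from the standard or from ETSI: the manifest layout, the field names, the function names and the example.org URL are all assumptions, and the sample files are constructed.

```python
import hashlib, hmac, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte model weights never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_dataset(source_url, local_path):
    """Call at download time: keeps source URL, UTC acquisition time and content hash."""
    return {"source_url": source_url,
            "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": sha256_file(local_path)}

def build_manifest(model_path, dataset_records):
    """Hypothetical manifest layout: one model entry plus its dataset records."""
    return {"model": {"file": os.path.basename(model_path),
                      "sha256": sha256_file(model_path)},
            "datasets": dataset_records}

def verify_model(model_path, manifest):
    """True only if the artefact on disk matches the hash in the manifest."""
    return hmac.compare_digest(sha256_file(model_path), manifest["model"]["sha256"])

def demo():
    # Constructed sample files standing in for real weights and a public dataset.
    with tempfile.TemporaryDirectory() as d:
        model, data = os.path.join(d, "model.bin"), os.path.join(d, "train.csv")
        with open(model, "wb") as f:
            f.write(b"constructed-weights" * 1000)
        with open(data, "wb") as f:
            f.write(b"id,label\n1,0\n2,1\n")
        manifest = build_manifest(
            model, [record_dataset("https://example.org/public/train.csv", data)])
        intact = verify_model(model, manifest)
        with open(model, "ab") as f:
            f.write(b"\x00")  # simulate an artefact modified after the manifest was issued
        tampered = verify_model(model, manifest)
        return manifest, intact, tampered

if __name__ == "__main__":
    manifest, intact, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("intact verifies:", intact, "| modified verifies:", tampered)
```

A matching hash shows the file is the one the manifest describes; it says nothing about who issued the manifest, so the manifest itself has to arrive over a trusted channel or carry a signature.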

If AI systems are exposed externally through APIs, the standard requires safeguards such as rate limiting to prevent reverse engineering or malicious data injection. Major changes, including retraining models on new data, are treated as new deployments, triggering renewed security testing.

Continuous monitoring is also formalised. Logs are no longer just about system uptime; they must be analysed for data drift or behavioural changes that could signal a security issue. Even at the end of a model’s lifecycle, security obligations remain. When systems are retired or transferred, Data Custodians must ensure that sensitive data and configurations are securely disposed of to prevent leakage.

Governance and executive oversight

Compliance with EN 304 223 extends beyond technical teams. Organisations are required to review and adapt cybersecurity training programmes so that they are role-specific. Developers must understand secure AI development practices, while non-technical staff should be aware of risks such as social engineering through AI-generated outputs.

Scott Cadzow, Chair of ETSI’s Technical Committee for Securing Artificial Intelligence, described the standard as a major step forward. He noted that clear, practical guidance is essential as AI becomes part of critical services and infrastructure, adding that the framework reflects both technical complexity and real-world deployment challenges.

Looking ahead, ETSI plans to build on this foundation with an upcoming technical report focused specifically on generative AI. That work will address emerging risks such as deepfakes and AI-driven disinformation.
