Robustness and Cybersecurity in the EU Artificial Intelligence Act

TL;DR

This paper analyzes the EU Artificial Intelligence Act's provisions on robustness and cybersecurity, highlighting legal challenges and proposing ways to align legal standards with recent ML research to improve high-risk AI systems.

Contribution

It identifies legal shortcomings in the AIA related to robustness and cybersecurity and offers insights to harmonize standards with current ML advancements.

Findings

Legal challenges in implementing robustness provisions

Assessment of cybersecurity requirements for high-risk AI

Recommendations for aligning ML research with legal standards

Abstract

The EU Artificial Intelligence Act (AIA) establishes different legal principles for different types of AI systems. While prior work has sought to clarify some of these principles, little attention has been paid to robustness and cybersecurity. This paper aims to fill this gap. We identify legal challenges and shortcomings in provisions related to robustness and cybersecurity for high-risk AI systems(Art. 15 AIA) and general-purpose AI models (Art. 55 AIA). We show that robustness and cybersecurity demand resilience against performance disruptions. Furthermore, we assess potential challenges in implementing these provisions in light of recent advancements in the machine learning (ML) literature. Our analysis informs efforts to develop harmonized standards, guidelines by the European Commission, as well as benchmarks and measurement methodologies under Art. 15(2) AIA. With this, we seek to bridge the gap between legal terminology and ML research, fostering a better alignment between research and implementation efforts.