Whitepaper "Towards Auditable AI Systems"
Every day, criminal hackers attack the networks of companies, authorities and other organisations - far too often with success. Cyberattacks are a real, omnipresent threat. This is why cybersecurity is becoming more and more important: it offers protection against online attacks.
Management and IT security officers are responsible for ensuring this kind of protection in organisations. To do so, they need clear legal requirements - which is what policymakers are called upon to establish. The TÜV Association and its members therefore use their expertise to contribute to the discussions in the relevant forums in order to create the necessary standards with sufficiently high security requirements.
Businesses demand stricter rules
The need for action is growing - for companies as well as in politics. 47 percent of German companies are calling for higher legal IT security requirements. This is a result of a representative Ipsos survey commissioned by the TÜV Association. 59 percent of the respondents consider legal regulation important, since it contributes to better IT security for their company.
According to the "TÜV Cybersecurity Study", three out of four companies state that the importance of IT security has increased in the past five years. 78 percent of the respondents said that this is due to the progressing digitalisation, while 29 percent attributed this to a cyberattack in their own company.
Standards do help
According to the survey, standards such as ISO 27001 play an important role in the IT security of businesses. They provide rules and processes on how organisations can ensure security in practice. Independent bodies can confirm through a certificate that a company complies with a certain standard. By doing so, companies can document - for instance vis-à-vis their clients or suppliers - that their IT systems are as secure as possible. According to the TÜV Cybersecurity Study, two out of three companies are already oriented towards standards or even comply with them fully.
In addition, the TÜV Association considers legal requirements as a decisive factor in improving the protection of businesses and private users against cyberattacks. Therefore, the TÜV Association has issued two main recommendations for further action:
Recommendations of the TÜV Association
- Implement the Cybersecurity Act
In addition to functional safety, security aspects have to become an integral part of product development in the future. In the European Union, the Cybersecurity Act offers a suitable legal framework for this objective. The TÜV Association recommends applying the Cybersecurity Act extensively to stipulate security requirements for products, services and processes. The sector-specific directives for specific product categories must consistently refer to the Cybersecurity Act and make use of its schemes.
- Assess artificial intelligence according to risk levels
The functions of self-learning algorithms must be assessable by external bodies. Different requirements for safety/security and assessment procedures should be set up depending on the risk level.
The Cybersecurity Act
The Cybersecurity Act has been in place since 2019. In order to make the digital world a bit safer, it has since been important to put it into practice. As part of the Cybersecurity Strategy, the European Commission is considering submitting a legislative proposal for cybersecurity requirements for connectable products. Therefore, the TÜV Association has commissioned expert opinions to make a legally sound contribution to the discussion on European cybersecurity regulation.