In-depth reporting and analytical commentary on artificial intelligence regulation. No legal advice.

ETSI to transpose cybersecurity standard for AI systems into European Norm

Context: Artificial Intelligence (AI)-powered cybersecurity threats are on the rise, with 78% of chief information security officers saying such threats are already having a significant impact on their organizations (March 11, 2025 Darktrace report). Such threats come in a variety of forms, including data poisoning, model obfuscation, indirect prompt injection, and vulnerabilities tied to complex data management. As the European Telecommunications Standards Institute (ETSI) continues to expand its focus in innovative areas such as AI and quantum technologies (June 6, 2025 ip fray article) – the organization developed a standard for quantum key distribution over 17 years ago (July 2008 ETSI QKD information page) – it unveiled its latest specification TS 104 223 in April, aiming to raise the security level of all AI systems against the backdrop of rising cybersecurity threats (April 23, 2025 ETSI press release). The specification covers a set of 13 core principles, expanding to a total of 72 trackable principles, and is defined across five lifecycle phases, providing stakeholders in the AI supply chain (from developers and vendors to integrators and operators) with a “robust” set of baseline security requirements, ETSI has stated. The specification was a “global first” in setting a clear baseline for securing AI, according to Scott Cadzow, Chair of ETSI’s Technical Committee for Securing Artificial Intelligence.

What’s new: ETSI will now transpose TS 104 223 into a European Norm (EN) to support international alignment on AI security requirements. The specification will be submitted later this year to a public enquiry with European standards organizations through the EN approval process, seeking comments from those bodies on the specification’s text.

Direct impact: This new specification confirms that ETSI keeps expanding its focus beyond just telecommunications standards, which is something director-general Jan Ellsberger set out to do when first elected to his role early last year.

Wider ramifications: This new technical standard was announced the same day ETSI welcomed the European Commission’s (EC’s) “International Digital Strategy for the European Union” (June 5, 2025 EC press release), emphasizing the key role of Europe’s standards system in increasing the EU’s influence on key digital technologies (June 12, 2025 ETSI response to EC International Digital Strategy (PDF)). ETSI plans to bring together diverse global expertise to greatly enhance the cybersecurity and privacy of European citizens, Mr. Ellsberger has stated.

The EC’s recently published Cyber Resilience Act (CRA) introduces mandatory security requirements for hardware and software throughout their entire lifecycles (November 20, 2024 EU proposed Cyber Resilience Act). ETSI is helping implement that regulation by developing uniform, harmonized European standards for several different product families, including items that are exposed to greater risk of compromise, such as password managers, anti-virus software, smart home assistants, connected toys, and wearables (June 12, 2025 ETSI press release).

According to ETSI, the CRA will offer several benefits:

  • Streamlined, EU-wide standards that simplify compliance and create a more consistent regulatory environment across member states;
  • Particularly for SMEs and Micro-SMEs, it will lower the legal costs associated with entry into diverse markets and facilitate global trade;
  • Level the playing field in terms of market credibility, as this will now be perceived through the presumption of conformity provided by these Harmonised Standards instead of solely through branding power;
  • For consumers, enhance trust by requiring stronger built-in security and better protection of personal data and privacy; and
  • Promote a secure-by-design approach, driving the development of safer, more resilient technologies and strengthening the global competitiveness of EU products with digital elements.

Mr. Ellsberger said in a statement last week:

“As digital transformation accelerates across every facet of commerce and society, ETSI’s ability to bring together diverse global expertise will greatly enhance the cybersecurity and privacy of European citizens.”

The new specification was developed by ETSI’s Technical Committee on Securing AI (SAI), which includes representatives from international organisations, government bodies, and cybersecurity experts.

Commenting on that new specification, Mr. Cadzow said:

“In an era where cyber threats are growing in both volume and sophistication and negatively impacting organizations of every kind, it is vital that the design, development, deployment, and operation and maintenance of AI models [are] protected from malicious and unwanted inference. Security must be a core requirement, not just in the development phase, but throughout the lifecycle of the system. This new specification will help do just that—not only in Europe but around the world.”

ETSI’s AI cybersecurity efforts come a couple of weeks after the European Commission released its Joint Communication on “An International Digital Strategy for the European Union” in response to a call by the European Council to steer the EU’s external digital policy.

ETSI has said it welcomes the document but notes that even the EC’s Competitiveness Compass has stressed the need for improvement regarding the agility, inclusiveness and global impact of European standardization:

“The current system lacks responsiveness to faster innovation cycles in emerging technologies. Engaging systematically in global standard-setting processes is very important to influence outcomes aligned with EU interests, helping industry to maintain competitive positions in key technology markets, such as 5G and 6G telecommunications, AI and the Internet of Things.”

But digital standardization is “not an end in itself”, ETSI said, adding:

“It must enable industry to fulfil market expectations, export EU values and secure the competitiveness and autonomy of European industries, ensuring that any resulting standards and technical specifications are fit for purpose.”

These are some of ETSI’s key recommendations:

  • Develop more and deeper digital partnerships;
  • Strengthen existing assets in Europe to play a central role in international cooperation;
  • Enhance European private-sector participation in global standardization efforts;
  • Prioritise standardization over the use of implementation acts or common specifications for European requirements; and
  • Ensure that the concept of an “EU Tech Business Offer” reflects to the best extent possible the technical elements being standardized in Europe.