This post explains the forthcoming ETSI standard on the cyber security of AI (EN 304 223), and the process to develop the baseline through the European Norm Approval Procedure.
Why EN 304 223 matters
Organisations across sectors are adopting AI at pace. To foster trust and unlock benefits, security must be incorporated across the AI lifecycle. EN 304 223, under development by the European Telecommunications Standards Institute (ETSI), will provide a consensus baseline for the cyber security of AI models and systems. This is based on internationally agreed security principles that organisations can adopt consistently.
That journey began with the UK’s AI Cyber Security Code of Practice, developed by DSIT with input from the UK National Cyber Security Centre (NCSC) and international partners. It was grounded in the NCSC/CISA co-authored Guidelines for secure AI system development that were endorsed by cyber agencies around the world.
The EN builds on that work, translating secure-by-design principles into clear, testable requirements that are practical for developers, system operators (deployers) and data custodians. It also presents an opportunity to bring together and align the important work being undertaken internationally, including through standards bodies, on the cyber security of AI systems and models.
This is a deliberately collaborative effort: government, standards bodies, industry, and the research community each have a role in making AI systems and models secure-by-design. By grounding standards work in practical guidance and real threat intelligence, the tools for managing AI cyber risk can scale with the technology.
Where we are now: The European Norm Adoption Process in brief
Establishing a European baseline for AI cyber security is important to align policy, market practice and international best practice. The baseline will be developed using the European Norm Adoption Process (ENAP). The ENAP is the pathway for turning a Technical Specification into a European standard (a European Norm, or EN).
Technical Specification 104 223 – published earlier this year by ETSI – sets out baseline cyber security requirements for AI; the accompanying Technical Report (TR 104 128) offers implementation guidance. This technical package is the basis for EN 304 223, currently under consultation, so organisations already familiar with the TS/TR will recognise the security principles in the EN and be well-placed to incorporate the standard into their AI systems and models.
The process includes structured engagement and balloting through national standards organisations (such as the British Standards Institution (BSI) in the UK), with opportunities for stakeholders to review the text, share feedback, and prepare for adoption.
As part of the ENAP, DSIT and partners at BSI and the AI Standards Hub have been coordinating listening and briefing activities to gather views, answer questions, and understand adoption needs. The AI Standards Hub hosted an online consultation session on 6 November which included a range of industry participants.
What EN 304 223 will enable
For organisations
- A common baseline you can reference in internal policies, supplier requirements and procurement.
- Clarity of roles across the AI supply chain (developers, deployers/system operators, data custodians).
- Easier evidence generation for audits and due diligence, building on existing secure software and cyber security practices.
For the ecosystem
- International alignment with supporting documents to enable adoption.
- Support for market levers such as training, workshops and conformity assessment to help scale adoption without unnecessary burden.
How to engage now
- Review the Technical Specification: If you have not yet done so, read ETSI TS 104 223 (V1.1.1) and TR 104 128 to understand scope, terminology and role responsibilities that feed into EN 304 223.
- Prepare for EN 304 223: As the baseline European Norm matures, plan for adoption so you can evidence security across models and systems as part of your governance and reporting.
Alignment with UK work
The EN effort is consistent with the UK Government’s approach to securing AI, following DSIT’s AI Cyber Security Code of Practice and the NCSC–CISA secure AI development guidelines.
Next steps
- ENAP milestones: The AI Standards Hub draft consultation session facilitated commenting on the draft EN. The ENAP process concludes in December, and we will make sure to keep the AI Standards Hub updated throughout the process.
- Supporting materials: DSIT and partners will promote training, workshops and mappings to help organisations operationalise the EN when published.
- Community dialogue: Insights from the BSI listening session and other events will inform guidance and future comms through the AI Standards Hub.
Conclusion
EN 304 223 will provide a shared, practical baseline for the cyber security of AI. With ENAP underway, this is the moment for organisations to review the standard, test their readiness, and contribute feedback – so that the final EN is fit-for-purpose and implementable across sectors.