As more enterprises rely on AI applications, cybersecurity becomes a top priority to ensure the safety and reliability of their daily operations.

Knowledge of both risks and solutions associated with cybersecurity is still rare in many SMEs.

European institutions need to take on a more active role on the matter, supporting SMEs in acquiring said knowledge and instruments.

This guest blog post was written by Mirza Silajdzic. 

In the DIGITAL SME Position Paper on the EU AI Act and the AI Act Open Letter, DIGITAL SME welcomes the upcoming regulation in the field of AI, but adds a few suggestions towards fostering a regulatory framework that promotes scalability for SMEs and all related stakeholders.

As it stands, the proposed AI Act risks placing a disproportionate burden on small and micro enterprises, making compliance extremely challenging for them. Thus, DIGITAL SME requests that such requirements remain “proportionate and realistic, and relative to the level of threat and vulnerability”. SME-friendliness also means including SME representatives in discussions regarding standard-setting, thus avoiding a “one-size-fits-all” approach.

An updated AI Act that takes into account the above conditions can help:

• Foster AI innovation
• Ensure healthy competition
• Bring investment to SME AI innovators
• Strengthen the European AI ecosystem at large
• Enhance the Union’s digital sovereignty
• Help SMEs participate in regulatory sandboxes
• Include SMEs as key stakeholders in all relevant discussions
• Adapt fines and penalties to the capabilities of small-scale companies
• Make sure the European AI Board is mindful of and supports SMEs
• Ensure the liability of large AI technology developers

How should AI innovators approach cybersecurity?

In its bid to secure a thriving AI ecosystem, the EU has to bear in mind the multitude of cybersecurity issues looming on the horizon. As AI solutions built by SMEs, such as business process automation (BPA), consumer behaviour prediction technologies, and advanced analytical solutions, become more common, AI-enhanced cybersecurity services and products will play a greater role in the economy.

Hence, the European Cyber Resilience Act highlights the need for:

• Cybersecure energy, given the continued disruptions to EU and US energy
• Digital skills and education
• Setting cybersecurity rules for digital products and services across the EU
• A unified approach to cybersecurity product and service benchmarks
• Boosted support for digital product and ancillary service security
• Including additional cybersecurity requirements in more EU regulatory frameworks such as the General Product Safety Directive and the Machinery Directive
• Focusing on addressing vulnerabilities in software products
• Defending against hybrid forms of cyber-attacks and cyber-attacks in general
• Bolstering the Union’s goal to become a leader in the cybersecurity space

All of the points above have proved crucial for the smooth functioning of the Digital Single Market. It will also be equally important for the EU to ensure that there is coordination and alignment between the upcoming Cyber Resilience Act, the NIS Directive, and any relevant cybersecurity certifications.

Everything that connects and transmits data is always at risk

For AI and other digital tools SMEs to diffuse, the entire ecosystem must be secured, from the entirety of the supply chain to the everyday operations by the end user. The cybersecurity sector should be a top legislative priority, if the Union seeks to ensure the continued growth of the digital economy.

As the European Commission President Ursula von der Leyen stated: “If everything is connected, everything can be hacked. Given that resources are scarce, we have to bundle our forces. This is why we need a European Cyber Defence Policy, including legislation setting common standards under a new European Cyber Resilience Act.”

When asked to elaborate on the cybersecurity-related risks of AI, David Janssen, founder of European cybersecurity and privacy portal VPNOverview.com had the following to say: “AI is here to stay and it has the potential to bring massive advancement in practically every field and discipline, thus it is best to stay informed and see how it can benefit SMEs.”

According to Mr. Janssen, there are two important pitfalls to consider. First, that AI has the potential to go rogue under certain circumstances. There have been multiple instances of AI programs being shut down for developing extremist, racist, or otherwise harmful tendencies. And secondly, that AI applications can also be used for malignant purposes when placed in the wrong hands. Policy making and programming must account for these scenarios as much as possible, hence why regulating AI seems crucial at this stage.

Despite these pitfalls, tapping into the potential of AI is key to advance best security practices. Mr. Janssen expects threat actors to increasingly apply and deploy AI for malicious goals and purposes, and sees a ‘battle of the AIs’ as a realistic

scenario along with the overarching threat of quantum attacks in the not-too-distant future.

In order to avoid these worst-case scenarios, all actors in the EU cybersecurity market, and most saliently SMEs, need to be supported in their ability to innovate and offer high-quality solutions to the European market. Several SMEs have shown commitment to the cause in their contributions to the draft of the Cyber Resilience Act, as is the case of DIGITAL SME’s Working Group Cyber and Data and Working Group Digitalisation. Taking stock from previous legislative initiatives, the Working Groups expressed support for a risk-based approach to ensure that low-risk products are only subject to minimal requirements and compliance checks, as well as for limiting the time for which the manufacturer has to provide security updates. Looking back at the consultative process, it shows that these proposals were successfully taken into account when drafting the final version of the Act. Therefore, the Cyber Resilience Act provides a new benchmark on how to successfully include SMEs in the key legislative proposals that will shape the present and future of the European digital market.

Author information

This guest post was written by Mirza Silajdzic, a communications specialist and researcher from Bosnia and Herzegovina working for VPNOverview. He is passionate about our technological future and global policy. You can follow him via his LinkedIn.

VPNOverview is a member of the European Digital Innovators Club – the DIGITAL SME’s network bringing together innovative SMEs, start-ups and research institutions wanting to be leaders of the European digital sector.

VPNOverview follows AI developments to the best of their capacities and encourages other companies to properly scrutinise the risks, pros, and cons of utilising AI applications.