How the AIC4 Supports Cloud Service Providers in Implementing the EU AI Act
The EU AI Act, a significant piece of legislation regarding artificial intelligence (AI), partially came into force on 1 August 2024 and will be fully applicable by 2 August 2026. This regulation establishes a risk-based framework for AI systems across the EU, which is particularly crucial for cloud service providers offering machine learning services in high-risk sectors, such as healthcare.
What is the AIC4?
The Artificial Intelligence Cloud Service Compliance Criteria Catalogue (AIC4), developed by the Federal Office for Information Security (BSI), provides a structured assurance framework for cloud service providers. It helps demonstrate the security, robustness, and governance of their machine learning services in accordance with the regulatory requirements set forth by the EU AI Act.
The AIC4 consists of technical information security criteria aimed at assessing the security and robustness of AI cloud services, particularly those based on machine learning. It is an extension of the C5 cloud security criteria, incorporating AI-specific requirements. Compliance with AIC4 can only be achieved when a valid C5 attestation is in place.
Enhancing Compliance and Security
The synergy between AIC4 and the EU AI Act offers a highly effective combination of regulatory compliance and practical security measures. While the EU AI Act establishes a legal framework for AI systems, classifying them by risk and defining corresponding obligations, the AIC4 operates at the technical and security levels.
For high-risk AI systems, the EU AI Act mandates several requirements, including:
- Risk management
- Documentation
- Human oversight
- Data governance
- Conformity assessments
High-risk systems are subject to strict regulations, while low-risk systems face minimal oversight. The AIC4 provides concrete, verifiable criteria for security throughout the entire AI lifecycle, enabling cloud service providers to present independent security evidence. This is crucial for building customer trust and preparing for regulatory audits.
Next Steps for Cloud Service Providers
Cloud service providers operating in high-risk sectors, such as healthcare, that do not yet hold BSI C5 or AIC4 certification, are under significant pressure to act. Delaying compliance could limit market opportunities, potentially resulting in exclusion from tenders or jeopardising existing contracts where customers require proof of fully tested, secure, and compliant AI systems.
In conclusion, the EU AI Act defines the objectives that must be achieved, while the AIC4 outlines the methods to implement these requirements effectively, increasing confidence among customers and regulatory authorities alike.