Explaining ETSI EN 304 223 

WHAT ETSI EN 304 223 IS (AND ISN’T)

ETSI EN 304 223 focuses specifically on AI security, not general application or infrastructure security. It addresses risks that are either unique to AI systems or significantly amplified by them, including:

• data poisoning and training data integrity

• prompt injection and indirect misuse

• opaque third-party model dependencies

• lack of visibility once AI systems are live

• unclear ownership across design, build, and operations

The standard is explicitly intended for real-world, deployed AI systems, including those using deep neural networks and generative AI. It is not aimed at purely academic or experimental research.

Rather than prescribing specific technologies, EN 304 223 establishes a baseline set of lifecycle security expectations that organisations can apply proportionately.

​

HOW THE STANDARD IS STRUCTURED

EN 304 223 organises its requirements around five lifecycle phases:

• Secure design

• Secure development

• Secure deployment

• Secure maintenance

• Secure end-of-life

Within these phases, the standard defines principles covering areas such as supply-chain security, documentation of data and models, testing and evaluation, monitoring of AI behaviour, incident management, and secure disposal.

A key strength of the standard is its emphasis on stakeholder responsibility. Many AI security failures occur between teams — for example, between product, engineering, security, and suppliers. EN 304 223 explicitly addresses this by clarifying who is expected to do what at each stage of the lifecycle.