On March 4, 2024, the National Cybersecurity Standardization Technical Committee (SAC/TC260) officially unveiled a pivotal technical document: TC260-003 Basic Security Requirements for Generative Artificial Intelligence Services (hereinafter referred to as the Basic Requirements).

Background

The Basic Requirements outline security requirements that should be followed by generative AI service providers, including training data security, model security, and security measures. At the same time, the Basic Requirements can be seen as a supporting document for the Interim Measures for the Management of Generative Artificial Intelligence Services (hereinafter referred to as the “Interim Measures”), as they establish a clear standard for the security assessment stipulated in Article 17 of the Interim Measures. According to the Interim Measures, when generative AI service providers perform the algorithm filing procedures as required, they shall conduct a security assessment in accordance with the Basic Requirements and submit an assessment report to the competent authority.

Drafting organizations

Unlike for standardization projects, the drafting of technical documents does not require the stage of open call for drafting organization – which is instead mandatory for standardization projects. Considering the exigency of industrial needs in terms of compliance with the Interim Measures, SAC/TC260 adopted the form of technical document rather than standard on this matter. Additionally, it is noteworthy that none of the principal drafting organizations of the technical document are European enterprises, signaling the absence of European involvement in the drafting process. Yet they did convene several rounds of closed-door informational sessions prior to the official release, wherein domestic and foreign enterprises had the opportunity to pose inquiries regarding the draft, which were explained onsite by the main drafters. However, formal comments were not solicited or addressed during the session; instead, enterprises were encouraged to submit feedback via email. According to representatives offrom foreign enterprises who also participated in closed-door informational sessions, a few foreign enterprises raised objections or had strong second opinions.

With the intention of upgrading the technical document into an official standard, upon the release of Basic Requirements, TC260 issued a call for drafters to participate in the development of the official standard version of the document, which indicate opportunities for foreign stakeholders to participate in this process.