The European AI Act, a proposed European law on artificial intelligence is the first law on AI by a major regulator. It lays down harmonised rules for the EU.

The European Commission unveiled this new proposal for an EU regulatory framework in April 2021. In this short text we sketch its relevance for supply chain cybersecurity.

The AI Act is getting mixed response from SME and Alliances for SME:

“As expected, the debate around this legislation has already started. On the positive side, this regulation may become the global standard, in the same way GDPR has become. It may also make AI systems more trustworthy and offer extra protections to the public. On the other side, it may stifle innovation, add more costs and red tape, which may hinder start-ups from entering the market. We will hear more on this around the world before it becomes law, currently expected in 2023.

With the rise of Industry 4.0 the approach to producing goods and services has triggered a trend in the current manufacturing industry that focuses on automation of processes and data exchange. The approach integrates the Internet of Things (IoT), cyber-enhanced systems and cloud computing and relies heavily on the timely availability of data about every aspect and stage of the production/creation process.

The IoT is not something you will experience as such itself. What you will see is that more and more objects become connected. If you are manufacturing products, you will be negotiating with providers of connectivity and in the very near future with any tiny part of the artefact that you are intending to build. It becomes very important to know the origin of these artefacts.

We are in the middle of a manufacturing revolution, a five-year cycle as we can see from what happened to the products itself in the supply chain. In the 2013 Introduction to the Springer book Enabling Things to Talk Prof. Dr. Michael ten Hompel, Managing Director at Fraunhofer-Institut for “Materialfluss und Logistik”, describes the consequences for something as “solid” as logistics:

“The logical consequence of the Internet of Things is not just a new philosophy of how we can control our production and logistics. It completely changes the paradigms of conventional supply chain management. Within the Internet of Things the supply chain will be created in real time: Entities, consisting of objects and a piece of (agent based) software, generates the resulting supply chain ‘on the move.’ Therefore, the sequences of operations are not predicted. This leads to a new understanding of how to handle our logistic management which won’t be a supply chain (!) anymore."

He was referring to what happened to the products, the ‘goods’, as an entity it makes the supply chain transparent, visible, and controllable, enabling intelligent communication between people and cargo. The manufacturing revolution that IoT enables and makes inevitable will start in earnest by enabling this kind of intelligent communication between all individual parts and a product that is forever in beta, as it exists in real-time, and as such can be updated and personalized to the task at hand or the preferences of an end user.

This shift is already happening. A PricewaterhouseCoopers (PwC) report in 2016, found electronic manufacturing services (EMS) companies offering new services moving into “new models of joint design manufacturing (JDM) and outsourced design manufacturing (ODM).
Source: Trey Hooper. The 7 Biggest Trends and Challenges in the Electronics Manufacturing Industry in 2017, Feb 14, 2017.

“What Is the Biggest Challenge Facing the Manufacturing Industry Today?” the 2017 Industry Week Salary Survey, asked. In the category of 21–29-year old’s a reply was “balancing the roles of machine and human interaction in intelligent manufacturing environments.”  In fact, among manufacturing leaders in 2021, “34% are investing in artificial Intelligence and 19% in machine learning-based initiatives to augment their workforce, solve critical challenges, and start their organizations on a long-term transformation. Even 16% CFOs view artificial Intelligence as playing a crucial role in business results, putting it in third place behind only cloud computing and the Internet of things (IoT)”.

In this supply chain on-the-move, created in real time provenance becomes a key aspect of your SCA, Software Component Analysis. Provenance means origin but also the validation of that origin.  According to IBM, in the world of supply chain, “provenance is the validated history of ownership, custody and origin of a specific product instance such as a lot, a batch, or a serial number. It also applies to a pallet which may contain more than one product as well.
“In the NIST Privacy Framework Version 1.0 Provenance is “Metadata pertaining to the origination or source of specified data.” NIST SP 800-37 Rev. 2 specifies “chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data.” It testifies to the dynamic nature of any ‘thing’ that you thought was solid up to a point or up to a certain moment in time in the old supply chain you could oversee, before it went on the move. This real time situation brings uncertainty and risk as so many things can go wrong. Alongside this growing risk Artificial Intelligence mitigates these uncertainties identifying, tracking, tracing, and forecasting in a way that human oversight is incapable of. AI thus becomes not a nice to have but a fundamental partner in setting the standard to secure the supply chain.

This democratization of machine learning aims to enable business users to use complex machine learning solutions puts forward a European approach to Artificial Intelligence and Robotics to boost EU’s research and industrial capacity and to put AI at the service of European citizens and economy. Amid concerns that Europe is losing ground to US and China, the European Council asked the EC to develop a European approach to AI. This led to the 2018 Communication *Artificial intelligence for Europe and its focus on: i) being ahead of technological developments and encouraging uptake by the public and private sectors; ii) prepare for socio-economic changes brought about by AI; and iii) ensure an appropriate ethical and legal framework.

The 2019 Digital Single market Policy document on Artificial Intelligence states that machine learning is the ability of software to learn from its environment or from a very large set of representative data, so that systems can adapt their organisation to changing circumstances. In order to do this robustly, models have to be built and “high-quality data is a key factor to improve performances.” The theme of a September 2019 EU Commission workshop expanded on this by setting up common European data space to ensure enhanced access to privately held data, via industrial and personal data platforms.

These policy documents have foreshadowed the new AI Act which comes in the form of a regulation, which means, according to DOGITAL SME that the new law will be directly and uniformly applicable in 27 EU member states. This harmonised approach they say is good news for small companies, as it will avoid different rules in different countries.

Currently European firms comprise 25% AI players, the highest rate globally following the US (28%). The 2018 ITRE study European Artificial Intelligence (AI) leadership, the path for an integrated vision names Small and medium-sized enterprises (SMEs) as the backbone of Europe’s economy representing 99% of all businesses in the EU and creating around 85% of new jobs. SMEs represent more than 88% of all EU enterprises exporting goods. The 2019 report EU policy framework on SMEs: state of play and challenges states that two third of the SMEs are operating in sectors which have either low knowledge or intense technology. In 2019 will be 89% and 67% of the manufacturing and services sectors. The number of knowledge intensive services, however, is increasing much faster, especially high-tech, with cumulative growth for 2008-2019 of almost 58%.

Given the huge number of SME doing nearly all production in Europe it is frustrating that such a small amount of SME is active in participation in feedback and insights into the way the AI Act works and will influence them. It is as if for most SME AI is still something of the future, science fiction. It is important to raise awareness not only among the domain specific but also the infrastructural players.  Daniel Kern, Senior Manager of Digitalisation and Innovation, BDI, states that in Germany machine building and ICT are SME-driven industries. “According to BDI, only 15% of SMEs are AI active users, which means that 85% are not. They barely employ AI stuff for different reasons and that’s where there is a need to increase the ability of SMEs to cooperate with IT service companies and to link them up with the relevant partners externally.” Although there is an opinion that claims that the role of standards is not very practical as the development of standards is dominated by larger companies, and representation of SMEs is generally low, SME in the cybersecurity such as welcome standards. In Combatting Cyber Threats with Artificial Intelligence (“AI”) – Will the New EU AI Regulation Help? Matheson writes:

“Considering the speed and agile process that technology is developed today, companies and innovators should consider how might the future AI Regulation affect such technology development. Cybersecurity AI systems play a crucial role in ensuring IT systems are resilient against malicious actors. The new AI Regulations will undoubtedly affect these systems. Exactly how these systems will be affected will depend on the system (e.g. for law enforcement use of biometrics, facial recognition) which may lead to conformity assessments, explainability testing, registration, and more.”

Mirko Ross, founder of (providing a toolbox to manage cyberthreats and the lifecycle of Internet of Things devices) had his breakthrough moment conceiving of the main idea in an EC meeting on the Cybersecurity Act. Doing business, anticipating, and taking part of regulatory processes, as well as broader policy objectives on a large scale, it is part of the same flow of information in a world that is real time, on the move and dynamic. As it overturns all old logic of timing, admin and procedure ideas can come from the periphery and small players and be taking up rapidly.

About Rob van Kranenburg 

As the Founder of the Internet of Things Council (2009) and IoT Day (2010) Rob has acquired the expertise to co- explore new innovation pathways with the team of asvin GmbH and enlarge the already impressive ecosystem. His long standing experience and publications in the field of Internet of Things, Industry 4.0 and‚total‘ connectivity in the space of flowsoffers him the perfect background to develop innovation strategies for the use cases ofour technology and to co-create with the team quick wins and long term gains. Rob lives in Gent, Belgium. In his free time, he is an avid reader of (German) poetry.
He is interested in the sovereign identity debate and the concept of disposable identities. Rob joined asvin 2022 as Chief Innovation Officer (CIO).