China: Closed consultation TC260 draft standard Basic Requirements for Security of Generative Artificial Intelligence Services of Cybersecurity Technology including cybersecurity regulation

On 22 July 2024, the National Information Security Standardisation Technical Committee of China (TC260) closes the public consultation on the draft national standard "Basic Requirements for Security of Generative Artificial Intelligence Services of Cybersecurity Technology". The draft outlines the requirements that providers of generative artificial intelligence (AI) services are required to implement during the development process regarding the security of training data sources, training data content security, data annotation security, and model security. In addition, it outlines the security obligations after the system was released for public use. Before system launch, providers must conduct security assessments of data sources, ensuring harmful content does not exceed 5%, and ensure data diversity, including when combining domestic and overseas data. During model training, providers must evaluate content security, conduct regular audits, and implement measures for accurate and reliable outputs. They must monitor outputs to prevent attacks, optimise models, manage emergencies, and secure updates. Providers also need to assess software and hardware security for training environments. The draft also requires providers to demonstrate applicability, ensure security for critical scenarios, and establish public reporting channels and backup mechanisms for service stability and continuity.