Regulatory Alert – Broad-Spectrum AI and Cybersecurity Laws in European Union Could Disrupt Businesses
In recent years the European Union has developed several regulations and directives that will, or do, impact innovations in the semiconductor industry related to artificial intelligence (AI) and data aggregation and transmission.
AI technology is spreading into all aspects of the semiconductor business and appears almost weekly in our industry’s headlines. AI can be incorporated in the functioning of manufacturing equipment such as for process yield optimization. AI can have an equipment-related support role through predictive maintenance or optimizing energy efficient sub-fab equipment operations. AI can also be used in a company’s technical operations assisting designers, manufacturing workflow or logistics. AI can even be present in more general business operations such as selecting job candidates or improving employee satisfaction and retention. There are likely many other areas where AI is, or will soon be, used.
The proposed EU recast of the Machinery Directive into the Machinery Products Regulation introduces criteria for AI used in machinery safety components, but alongside that, the EU is working on a separate Artificial Intelligence Regulation (AIR) proposal that has any AI software in scope – whether it resides in a machine or in a desktop computer. The regulation is also structured as ‘CE Marking’ legislation, which, until now, has only been applied to hardware products.
What is particularly unclear at this time is whether the core of the AI system must be in the EU to be in scope, or will the scope also extend to software accessed through client devices internal to the EU which connect to an AI core system external to the EU.
Of course, AI, general machinery operations, and non-machinery business operations depend on the exchange of massive amounts of data from a broad spectrum of devices and terminals. In parallel with the AI Regulation, Europe is developing an extensive net of Cybersecurity legislation that will impact nearly all software and channels of data transmission. For example:
- The proposed Machinery Products Regulation (MPR) mentioned above also contains daunting cybersecurity criteria that the SEMI EU Machinery Directive (EUMD) working group has been focusing on in its advocacy – aiming to bring it to a more practicable level.
- A Cybersecurity Certification Act (CCA) came into force in June of 2021. It establishes a European Cybersecurity Certification Group, national cybersecurity authorities, and ENISA – the European Union Agency for Cybersecurity; and provides a cybersecurity certification framework that can be reference by other regulations (such as the MPR) as mandatory or voluntary.
- A proposed “Digital Product Passport” regulation repeals and replaces the Energy Related Product Directive and expands on its concepts to include, among many new ecodesign criteria, a requirement that all products travel with a ‘data carrier’ which holds certain ‘product passport’ information. Information which must be available to any interested party and remain available even for a period of time “after an insolvency, a liquidation or a cessation of activity”. This regulation is heavily burdened with administrative requirements for passport information registration, and facility and operator identifiers.
These radical changes in the EU regulatory landscape extend beyond the expertise of the EHS professionals in the SEMI EUMD working group. They can impact any company with products entering, or business operations in, Europe from remote access maintenance support systems in equipment to parts inventory management systems. The EUMD working group aims to cover the topics as they relate to actual semiconductor manufacturing and related equipment hardware design, but the working group sees a coverage gap for other aspects of these regulations and directives.
SEMI members are encouraged to coordinate with SEMI EHS Division to develop additional working groups and learning and advocacy plans for the not-machine-hardware topics. To propose working groups focused on business operation systems, software, data communication, etc. please email firstname.lastname@example.org.