Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, whether her Department has made an assessment of levels of cyber preparedness among SMEs adopting AI-enabled tools and services; and whether she plans to publish guidance specifically for smaller businesses.

For the most advanced AI systems, our world-leading AI Security Institute is a centre of UK expertise, advancing our scientific understanding of their capabilities and the associated risks. AISI has already run a large study on backdoor data poisoning, and conducted the largest AI agent red-teaming study to date, identifying tens of thousands of vulnerabilities across sectors including finance, healthcare and customer support. AISI continues to work hand in hand with developers and with the National Cyber Security Centre to make AI protections stronger.

The government has already published a Code of Practice to set the baseline security requirements for AI models and systems, alongside working with the European Telecommunications Standards Institute (ETSI) to create a global standard (EN 304 223) that builds on the Code.

This standard is relevant to all organisations and sets out requirements for developers and deployers of AI alongside data custodians. To support organisations, we have contributed to the publication of an implementation guide (TR 104 128) and we are now working to produce a conformity assessment in ETSI (TS 104 216). The government has also recently completed some pilot training workshops with various professions, including small businesses and published the Cyber Security Breaches Survey 2025-2026 which examined adoption and security approaches by UK organisations to AI. The findings are being used to determine if additional guidance is needed. SMEs should consider this standard when adopting AI-enabled tools and services.