Reshaping the future
The relationship between law and technology is a complex one. While law plays a crucial role in safeguarding public interests and ensuring checks and balances, some in the tech industry perceive it as an impediment and a deterrent to innovation. Proponents of this view argue that the tech industry has thrived in part because of its ability to respond quickly to market demands. Nevertheless, discussions around law and technology tend to yield valuable insights, because they bring multiple stakeholders to the table and require concerted effort.
During my graduate studies in Estonia, I encountered a prevailing academic view that sees law as a constraint on technological progress. Although it is widely believed that law struggles to keep pace with the rapid technological advancements and innovations of our time, this characteristic should not necessarily be viewed as a drawback. Law, as a restraint in the midst of rapid technological change, provides fertile ground for nurturing new technological solutions and ideas, and it allows stakeholders to engage in meaningful debate and explore a wide range of possibilities.
In other words, law's ability to slow down or restrain technological development can have positive outcomes by creating opportunities for resistance, reconstruction, and resilience. By imposing limits and requirements, it encourages stakeholders to explore more thoughtful and adaptive solutions. This generates a dialectical process: the tech industry, responding to legal constraints (the thesis), presents its antithesis by seeking new solutions, ultimately leading to a synthesis that reconciles legal requirements with technological resilience, adaptability, and human agency.
Reinstating human agency
For example, the European Union's General Data Protection Regulation (GDPR) has set a global standard for data privacy and security. It has compelled tech companies operating in the EU to prioritize user data protection. In practice, this means that organizations constantly need to keep up to date on privacy and data protection regulations to ensure that their business operations remain in compliance. As a result, legal frameworks like GDPR can play a role in restoring human agency, or at least non-technical agency, in times of rapid technological change.
Human agency allows individuals to make ethical decisions regarding the development and application of certain technologies. It provides the capacity to consider the moral implications of technological choices, ensuring that technology aligns with our values and interests. Therefore, discussions about regulation and technology allow us to adapt to these changes and exert some control over the direction of our technological progress. These discussions are not meant to stifle progress but rather to ensure that technological advancements serve the greater good, safeguarding individual rights and societal values.
Regulations not only restore human agency, but also serve as valuable benchmarks and sources of guidance for other countries. By examining advanced and recently published regulations in forward-looking nations, individuals and organizations can proactively adopt practices and recommendations even before they are mandated as national standards in their own country. This approach promotes international collaboration and the harmonization of standards, culminating in improved cybersecurity and safety measures on a global scale.
While technology and law can be tricky companions, it's up to us to make the most of this complex relationship. Here's a brief overview of the latest EU regulations:
- Digital Operational Resilience Act (DORA)
DORA entered into force in January 2023 and applies from 17 January 2025. It requires financial entities in the European Union, together with their critical ICT third-party service providers, to ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The overall goal of the regulation is to strengthen the resilience and cybersecurity of EU financial entities by streamlining and improving previously existing rules, adding new requirements, and harmonizing cybersecurity regulatory requirements across the sector. Check out my colleague Warwick Ashford's excellent report on DORA for more info.
- EU Cyber Resilience Act (CRA)
The CRA is a proposed cybersecurity regulation for the EU, introduced on September 15, 2022, by the European Commission. Its primary aim is to enhance cybersecurity and cyber resilience within the EU by establishing common cybersecurity requirements for products with digital elements, that is, hardware and software products that connect to a device or network. By imposing these requirements on manufacturers rather than leaving security to the end user, the CRA would help protect consumers from new and emerging cyber threats. For example, it would guarantee "a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to be met at every stage of the value chain".
- NIS2 Directive
The NIS2 Directive is the EU-wide cybersecurity legislation that entered into force in January 2023, with member states required to transpose it into national law by 17 October 2024. It updates and modernizes the Directive on the security of Network and Information Systems (NIS), which was introduced in 2016, to address the challenges posed by increasing digitization and evolving cybersecurity threats. The directive aims to enhance the overall cybersecurity posture of critical infrastructure operators and digital service providers. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and incident notification requirements under the Directive. Check out this blog post for more information.
The EU's approach to regulation in cyberspace is driven by the need to protect the rights and security of its citizens in the digital age and create a level playing field in the digital market. It emphasizes the importance of cooperation, transparency, and accountability while addressing the challenges posed by emerging technologies. Furthermore, the relationship between law and technology is one of the focal points of KuppingerCole’s cyberevolution event in Frankfurt from 14-16 November.
As the regulatory landscape continues to evolve, organizations must proactively adapt their strategies and practices to meet these new standards. Stay up to date as we delve into the future of regulation and examine the far-reaching implications of recent regulatory developments, including NIS2, DORA, and the CRA. Compliance with these regulations is essential for organizations operating in the EU to protect critical infrastructure, safeguard against cyber threats, and maintain trust in digital services.