Exploring the Impact of Cybersecurity Regulations in the Digital World

Okay, so when you read this lines, I have to give some disclaimer. Law and regulation is just text, it's policy. So it could be really boring to some people and there will be a lot of text in this presentation as well and not too many pictures. So be warned, I'm linguist by my first education, so I like small caps and reading a lot of structured data like this. And what I did, I took five of the most important legislations that now either being launched as new ones or repealed meaning revised for on the European Union level. So that's the scope.

But of course from European level, it drills down to the member states in the eu and and to my understanding in a business as I worked in many banks and places, yeah you have corporate legal, but they don't talk to the IT people. So one example is when I was setting up a global identity system for a global bank, I did my own legal work and I showed to them, is this correct? And they said, Yeah, that's correct.

They could under, I could understand the law better than they could understand it, but my position is that I think IT and writers of policies should work together more often and well, I'm maybe one of those people who can help understand both parties a little bit because I can talk the two languages. So the clicker, the next one the EU was, is going to repeal to rewrite review a number of legislations. And why did they do that? Of course we had C meaning that everyone is working more online. Online platforms, A lot of files and data went up and down across every type of Zoom platform.

We just had it in plenary panel as well. Dependency on digital services is becoming a lot bigger. But also in general, digitization takes a broader perspective, not just data but also operational pro processes are linked to that like operation of infrastructure and so on. And especially after the war in Ukraine started.

Yeah, we don't need to explain why we want to be self sufficient, independent, stronger in our defense for cyber attacks and also the existing law that already was there. They, they review that at the European, they do stakeholder interviews, market consultations. If they make changes to a law, they talk to people from the market. If the anti-money laundering legislation is coming, they ask people from the banks like myself, Do you think your company can work with this? So they are really getting feeling with the market as well. But still it's, yeah, it's all on paper and practice and theory.

That's exactly what needs to come together. And every member state, normally these regulations are on a European level and they're quite generic because anything should fit. I can't prescribe when something is safe, I can prescribe it should be safe, but I can't measure that safety. So I can't be really operational in detail because then it would be a prescription and not a law. And this is a struggle.

So it means that European legislation can be implemented in a practical operational area by each member state in a different way because yeah, and that means that if you are working as a company across many European countries, you have to to comply to this one in one country and to that one and in other one.

And an example is that for becoming a customer of a bank, the bank has to identify you and they want to do it physically with a passport in Germany and in some other countries doing an interview through a camera with a video is counting as interpersonal interaction and it's not an online onboarding. In other countries it would be considered online onboarding and it would have a different impact on the risk for that customer or for the hand.

So you can see that if, if I have to find out about all the 26 local member states legislation because the European one is not clear enough, I have a ch I have a challenge. And that's what happens also why they repeal and change something, some legislation after this all talking to all these people and measuring the effectiveness of the law to harmonize across the member states. And that's very important. And of course we also have a lot of new technologies, automation, self-driving cars, artificial intelligence, you name it. And of course the EU wants to regulate that.

And we'll come across one incident in the Netherlands where for instance, AE had very bad impact on the fundamental rights of a large number of citizens. And of course, yeah, the exact, you have to update your law always and you'll always be late. Law is always running behind the actual practice. Look at the blockchain stuff and all that. That's it's, it's completely mind shift, which the law can't make so easily. But a lot of people are working on it.

And they also understand that the legal burden for companies to be compliant with all this, all these legislations and I'm only acting about five, I'm going to talk about five only. That's already a big burden. And let alone small businesses say, don't even have one legal guy to help them understand. And there are of course a lot of companies who want to help you and make you pay for that. But I think this is a, that's why I think this is a very important topic when you're in it, when you're a leader in it, you need friends in legal.

Otherwise sooner or later you run into big fines like the banks did for their customer onboarding processes. Okay, these are the topics I'm going to cover. And just quickly, each of them have 40 to 90 pages in small caps and a lot of ABCDs and so and so on. The first one, the Cyber Resilience Act, that's the shortest one of all of them. It's a review of a previous act and I'm going to explain later what it is all about. It's about, for instance, iisa and our certifications for software.

Then the NIS S two network and information security regulation number two, it repeals the number one that was starting in 2016. That was the first one. And they have now worked with it for a while. They've reviewed it and seen what was not so good, how to expand it. Then the artificial Intelligence Act act about definitions. What is ae?

How, how do we define it, what types of IE do we want? How do we regulate that? And that this is not really a law, but gdpr, generic data protection regulation, that's the privacy legislation. We already have this since 2000 and now 1994 was the first predecessor, but 2018 the new version of GDPR became widely known. And but how to work with that as a company And there is now a consortium of service providers together who have a seal as a company. You can ask them for being certified that your GDPR compliant. I think that's not really possible but still it's approved and it's there.

That helps companies instead of making it more difficult. And the AI does regulation on the digital identities across Europe. So the member state citizens can cross border work together and log in from one country to another one without having to register as a citizen everywhere, getting a local digital identity.

Okay, so this is the five ones I'm going to top and I'm starting with the Cyber Resilience Act. First of all, it describes very narrowly all the tasks that inad European network and SEC and information security agency, that's the nsa, like we know it in America, but we have one in Europe as well. It's called in isa, it's based in Athens. And they have a lot of export groups and their mandate is now larger and has been expanded and they're really leading a lot of things. Also the policy making facilitating all the European security activity being the secretary for a number of organizations.

And that's all described in a cyber resilience act. And the more important thing with the largest impact for companies is there is a certification framework for three things. ICT products that could be your laptop or maybe your software in your washing machine, embedded software, your smart light, any anything that contains software, but also real software, full software, standalone products, services by service providers or platforms or whatever. And also the I C T processes.

And with this, I think I have to interpret that as the processes of making all this stuff because if I have a very secure pro product, but in the making, they put a back door in it, the process was not good because yeah, it looks secure and the security is okay, but in the process there were inherent flaws and they tried to make some sort of common standards for products of software. So the users understand, oh this is highly riskful or this is not certified or this is, but how to do that.

As I said, you can't measure security, you can only describe the measures you are taking. Doesn't make them necessarily secure because the risk is changing. And to remain the same level of security, you have to become better at security 10% every year or more. So the risk is going up, meaning the security is going down.

So, but they did try to do that. You can be certified for your products or services EU wide. So if you're certified in one country, it means all the states should consider you certified as a software vendor and a role of of course helping and making all these policies and monitoring it. I wonder what the enforcement would look like cuz you need a lot of security people to check all that stuff and to certify it. And that's one question I have in the operations.

If you don't know how many software vendors and products there are, let alone processes and providers, that's, that's going to be requiring a lot of security just for the prevention of breaches happening. It's not saying it's secure, it's, it's just the fences that you're building, but at least there will be more standardization, which is also partly in this legislation less fragmentation comprehensive set across the whole EU specification of categories while anything to formalize stuff and make thing make the world look easier, at least from a theoretical point of view.

And the users, of course, they would have to know what their risk is if they use a certain product. And there are three levels of risk for scene basic. And it means that the really standard basic risks should be defended against, meaning that if you have something that is connected to the internet, that should be a password for instance. That's just basic. But there of course a lot of products and smart things that don't yet have that or don't have a capability to install it or cannot be made lose account function without connect being connected to the internet.

Although it's not the main function of that light bulb. It can also should be able to function even if I disconnect the internet, you know that type of more yeah, practical things. So the basic known incidents in cyber attacks should be ruled out and all the that that there should be technical documentation and that should also be reviewed. So there are two things. What type of risks do you defend against and how is it reviewed? What you are defend defending against?

And when you go to one level higher, the substantial level of certification, it means that you have real known big, not just the basic, but a real known cyber risk should be ruled out or at least mitigated. And they will evaluate if there is an absence of publicly known vulnerability. So all the standard weaknesses shouldn't be there and all the regular standards in security measures should be taken. And for the high level then we are talking about really skilled attacks that are also quite sophisticated attackers.

And then you need state of the art and more, a lot of more work to make your product secure against that. But that's probably also in more important targets of course.

Yeah, I mean for a light bulb, okay, yeah, that's very nasty. But if I'm a big platform or I'm, if I'm running the software for the pro rail infr rail structure for the gear to manage the rails, I think that's a different level. And then you also need a higher certification because the risk is higher. So this is all risk based and the stronger the certification, the stronger the review you need to do. Then this is the last part I have copied a part of the, the, the, the index. It's a very long low and it has a lot of comp things.

The the NIS two, that's the new, this is an upgrade from the firm previous NIS one, which was mainly talking about national security strategies in every member state you should have a national authority on that. You should have a national cybersecurity strategy, a national computer incident response team, all that. And also reports about that share vulnerability. So we have one big net as Europe to catch all the known vulnerabilities and all the attacks and work together.

But that was reviewed and it's that need really really an upgrade because again, you could see that every silo of a member state did their own thing and and more operation makes stronger defense. Of course with big net you catch more achieves than with 26 small nets. And also the Harmon harmonization of the implementation, the actual operational impact and the, I fi that's the word coin by Karina Dow, but it means physical and digital are interoperable with each other. And you can't just cut off the digital security from the physical security.

Often physical security like infrastructure could be endangered by digital security. If that's not good enough, then you have a physical problem on safety when you, your digital infrastructure is not well protected. And of course the old requirements in the old legislation are still remaining valuable. But also they have now defined, which was not so strong in the previous version of NI, that there are essential entities and there are important entities, an essential entity.

Now what, what's being bombed in Ukraine, Those are the essential entities like the gas, the water supply, the electricity, transport, railways, healthcare, you mentioned it, just look at Ukraine and you have a glimpse of what could be essential, but also internet exchange, which is for the communications, telecommunications stuff, but also things that are working for the government to rule and for law enforcement and banking and financial market of course that's really quite essential.

They have added other services too, and they call them the important entities and that could also be service providers to other services that deliver essential if, if the mail to the important to the essential provider of electricity, if they can't receive their post pulses, they're snail mail, they, they get services from third parties. They are not essential in themselves, but they, they are essential for one of these essential. So anyone in that service change should also be captured in under the same requirements. And why do we make this legislation? Why do we categorize these?

Because, or does the EU categorize them? Because for all of those we'll be strong reporting and and security requirements. And in some member states, some of the essential parts were not part of this requirements and duties and others were, so the electricity from Germany was or wasn't and he from the Netherlands was or wasn't included in this legislation. So the coverage was having gaps per country that would be very disparate.

And again, that's not good for the equal competition and the open markets and transparency and it gives a lot of burden if you have to to be compliant in multiple countries. And of course it gives gaps in the security. So then there is the artificial intelligence act. Now there are many types of definitions for artificial intelligence and they put that in the annex because that may change because the, the software or the technology will change. So they didn't put it in law because law is chiseled for the next X years. So that type of things you put in the annex.

And they wanted to make a uniform framework also for the use of artificial intelligence. And they have made two categories for or three categories some. The first category is forbidden use of artificial intelligence. In certain cases you are not allowed to use solely artificial intelligence. For instance, if you are scoring people for certain physical real rights, fundamental rights that you're excluding them because you have your, your your algorithm or your algorithm defining that you're not part, you're not eligible.

And you do that only based on artificial intelligent measures and patent recognitions and so on. You can't make big life impacting decisions that to select or deselect people. And some of those are forbidden and some of those are not forbidden, but are marked as high risk. If you do that, there should be ultimate transparency, security, large line of duties you have to fulfill in order to do that. And one of those is done in the Netherlands. That's the bottom. We had the childcare subsidies.

People got get, could get subsidies for childcare and they could, they had to pay it back because the algorithm thought, oh this is fraudulent. And there were certain parts of the populations that came out more often than other ones. And really, well the numbers I think 26,000 parents and 16 hundreds or yeah, 6,000 children and they went bankrupt. They had to pay back the subsidies, they had to sell their house.

They were, children were taken out of their families because there was sort of criminal crimes and fraud. And it was, it's still years after they haven't compensated and really devastated people lost their business, lost their homes, lost their children. Children are missing, are still not bought back to their parents are still somewhere in institutions and the government had to step down.

Okay, so this was used due to, yeah, perceived fraud detection, but the algorithm was inducing a lot of discrimination and it's still going on, eh, we have still still not solved. And that's why, that's for instance one of the types of high risk, if you want to read all the details, you have to come back to the presentation because we're running out of time. The A does regulation, we've seen last year in eic I've presented on that every digital wallet, digital identity wallet for every European person.

It is also before we had a, it was this generic identity federation schedule, but now it's really with distributed identity and at the stations you have with you in your device. Well self-sovereign identity is in other word decentralized identity. The private sector and the public sector will work together on that. We'll use it together and ledgers for the archiving ledger based stuff. So every wallet has to be notified also to the other countries.

So it's, if it's notified and is it certified, it's it, it is mandatory for other countries to accept it. So that has a big wallet, a big impact on the identification and at a station for citizens in different areas. And then of course the Euro privacy certification, I already touched on this, that's for businesses hopefully a bit helpful in making sure they are certified and it's an official label. And of course there are many legal companies who want to help you get certified or not certified, but at least do do do your interviews and the PIA and the privacy impact assessments and all that.

But they have now also standardized it. But these are the big five and the big consultancy companies behind it who are executing this. That's about the gdp. Now the conclusion, of course, what we see is in general that there, the scope of what is being regulated is growing and growing and growing, but it always stays high level and you need details implementing acts on a European or a national level to really work out other details because there's a lot of interpretation and a lot of things happen to be in Anis. So they can all the time be this changed and updated.

And for businesses it means that the burden of compliance is becoming bigger, although small to medium enterprise are excluded for a number of those legislations because they can't expect everyone to have a legal eye. For instance. Certification can help, but because it, it implies that there should be standardization also, otherwise you cannot certify. You have a standard set of rules but also a lot more complexity because there are more rules at the same time. And potentially the EU policy makers, they try to harmonize these rules.

So they take out something from one law and put it in a better law in a better place reorganizing stuff. But still there's a lot of tracks going on at the same time. And these are only five but are a lot more on specific industries who are also describing the same topics but for that industry. And I see a tendency that they try now to look at that harmonization so it's better in sync. And a lot of this is in draft has not already yet.

So there's still a lot of market consultation and then the European commission has to debate about it and then of course later on it will be on the national level and debate it. And it could take one to three years before something is really practical in a member state. And the question of course is always will this only be paper tigers or they will really, really, really become more secure. But one thing it does, it makes everyone more aware of cybersecurity.

Like we saw with the GDPR all at once, everybody was talking about GDPR when it was launched, the new version, let's hope it works the same for these legislations as well. I think that's the end.

Yeah, time for questions. Not much, but No. Well that's great. While you think of a question in the room, I have a question. The one thing that you brought across quite strongly was the need for good communication relations between IT and legal. Now your vast experience, what would you say are the biggest inhibitors to that? And then on the other side, what have you seen fosters good relations between these two sides?

So organizations particularly, Oh I know that's Anisa is doing every year that ipen the internet privacy and security workshop where they invite engineers and legal people and they are explicitly brought together, but these are mostly people from the academic area, which is not always the practical I used to be.

I've been there two times, so it's always at a university and it's a very, but I want to see more of that because I, I, in my banks where I worked, I gave presentations really it presentations to the board on cybersecurity and maybe they should have buddies in it or making them work together or because, and that's I think a good final statement in society you see that everything is mixed and shared services are mixed. Digital and physical are mixed. Industries are mixed. In digital world, everything can come together, but organizations are still organized in silos.

And I think that should be a solution, not just the legal people in the cybersecurity and IT people, but also the compliance, the risk, the, the business who build apps there should, there should be these type of mixed and shared setups as well in organizations and they're often old fashionably shaped into silos of experts that don't talk. So thanks very much. Well that you've heard it.

Again, the silos are bad. Just a message to our online participants, if you do have questions, please put them into the platform, but try and get them in as soon as possible because I have noticed a couple have been coming through a little bit too late for me to ask to presenters. So please don't leave it to the very, very, very end. And then they've moved on and you can't ask the questions. Equi covered a great deal in a very short time. Very expertly I must say. Are there any questions in the room?

Oh yes, here. So thank you very much.

First, it was a very interesting presentation. So the friend in it and in legal, does he need a friend at the regulator side actually because even in multinational countries I've seen that the local regulator I interpretate and audits the countries differently and it's, for example, between Netherlands and Germany, I see typically huge differences in financial services, how the auditors are looking at it. Correct. That's the enforcement of the law that's always based in interpretation.

I can say the banks that I worked for, the three CSOs we're talking together, went to the national bank, talked to the regulators or the enforcers and that's I think also, so not just cross their divisions or silos of knowledge and expertise or scope, but also about the the regulator, the enforcer. And they should, and I know it works very well when you have a problem in your cybersecurity, you don't get the budget, blah blah blah. Go to the auditor, ask them, This is red, I can't get the budget. Tell my boss it's a problem. It works.

So, but yeah, still you need to be secure about what the rule is and what should be done and the burden of compliance and the cost of compliance is going up, up, up. I know that's, yeah, apart from the risk. So once again, we've been caught by by time I'm afraid. But another well earned networking break coming up. If you've got any burning questions, I'm sure your quiver would be pleased to follow up with them in the networking break. And I will see you the other side in the main session at 20 past. Thanks very much.