Dec 7, 2023

Ready or not - EU legislation will challenge you

A tsunami of EU legislation

A tsunami of EU legislation is on the horizon for organizations. How are you preparing for it?

  1. Bring it on - we're actively preparing
  2. We're aware, but believe there's ample time
  3. What regulation?

If you chose (1), congratulations are in order. You likely have a vigilant compliance team keeping the organization up to date with upcoming requirements.

For those who chose (2), I strongly recommend an immediate evaluation. New regulation is a 'grey rhino' risk - large, apparent, and approaching, yet often disregarded as distant and non-urgent. 

This post specifically addresses response (3). I'll provide a high-level overview of what's coming to motivate you to start preparing. Read on to understand the implications of these categories and how they might affect your organization.

EU legislation schedule

Below, you'll find a snapshot of new or impending EU legislation. I've categorized it into three groups: Security & Safety; Data, Digitalization & Privacy; and Artificial Intelligence. While I've grouped these based on each law's primary focus, it's important to note that most of these laws intersect across several areas.



(regulation map updated 12th Jan 2024)

Take note of the distinction between regulations and directives. A regulation is a binding legislative act that must be implemented in full across the EU. In contrast, a directive is a legislative act that establishes a goal for EU countries to achieve. However, the method of achieving these goals is left to the individual countries, which can craft their own laws accordingly.

Below, you'll find a very brief explanation of each regulation and directive mentioned in the above image. For comprehensive details, visit the EUR-Lex site, which is a database of European Union law available in all EU languages.

Selected legislation in brief

NIS2: EU directive 2022/2555 on measures for a high common level of cybersecurity across the Union 

The Network and Information Systems 2 Directive is an update to NIS1 focused on improving cybersecurity. It introduces tougher rules to tackle emerging cyber threats and digital challenges. The directive now covers additional sectors, demanding that organizations report major incidents and follow stricter risk management and reporting guidelines. This aims to boost cyber defenses, especially in key sectors.

CER: EU directive 2022/2557 on the resilience of critical entities 

The Critical Entities Resilience Directive is designed to strengthen the protection of vital infrastructure in the EU against threats like natural disasters, terrorism, internal threats, and sabotage. It requires EU countries to pinpoint crucial organizations that deliver key services vital for society and the economy.

DORA: EU regulation 2022/2554 on digital operational resilience for the financial sector

The Digital Operational Resilience Act focuses on increasing the digital robustness of the EU's financial sector. It establishes a detailed set of rules for handling digital risks in financial markets. DORA applies to many financial entities like banks, payment services, investment firms, and insurance companies. Its purpose is to make sure these organizations can manage and endure different types of digital threats effectively.

eEvidence: EU regulation 2018/0108 on electronic evidence in criminal proceedings

The eEvidence Regulation simplifies how law enforcement agencies in the EU can access electronic evidence for criminal probes. It introduces new tools for quicker and more efficient access to digital data (like emails and texts) across borders. The regulation also sets out clear guidelines for member states on managing data access requests, especially those involving private companies, during investigations.

RED: EU delegated regulation 2022/30 to increase cybersecurity and privacy for wireless devices

The Radio Equipment Directive provides a regulatory framework for the marketing of radio equipment. It aims to create a single market for radio equipment by setting essential requirements for safety, health, electromagnetic compatibility, and efficient radio spectrum use. RED was revised to include Article 3.3, which now addresses the security of radio interfaces. This revision mandates that all radio equipment placed on the EU market must comply with this updated regulation to achieve CE marking, signifying conformity with health, safety, and environmental protection standards.

GPSR: EU regulation 2021/0170 on general product safety

The General Product Safety Regulation is set to become a significant component of the EU's product safety legal framework, replacing the current General Product Safety Directive and the Food Imitating Product Directive. Its goal is to improve the internal market's functioning while ensuring a high level of health, safety, and consumer protection. This is achieved by setting fundamental safety standards for consumer products sold in the EU market.

CRA: EU regulation on horizontal cybersecurity requirements for products with digital elements

The Cyber Resilience Act focuses on establishing uniform cybersecurity standards for products with digital components. Its main objective is to safeguard cyber and data security throughout the entire lifespan of such products. This applies to any product designed for use with a data connection, either physical or logical, to a device or network. The Act mandates that manufacturers must offer security support and software updates to fix known vulnerabilities. 

CSA: EU regulation to strengthen preparedness to cybersecurity threats and incidents

The EU Cyber Solidarity Act is designed to improve the EU's preparedness, detection, and response to cybersecurity incidents. This Act aims to create a "European cybersecurity shield" and comes with a significant budget to strengthen EU-wide efforts against cybersecurity threats. The Act focuses on improving threat detection, increasing awareness of cybersecurity situations, and strengthening the preparedness and response strategies for major and large-scale cyber threats and attacks. 

Data Act: EU regulation on harmonized rules on fair access to and use of data

The Data Act is aimed at creating harmonized rules for fair access to and use of data generated within the EU. Its primary objectives are to promote fairness, enhance competition, and encourage data-driven innovation. This Act includes regulations on data sharing, access, reuse, and portability. It also encompasses guidelines for data sharing agreements, provisions for accessing data during public emergencies, and obligations for transitioning between cloud services.

DMA: EU regulation 2022/1925 on contestable and fair markets in the digital sector 

The Digital Markets Act is designed to promote a fairer and more contestable digital economy. The DMA targets the regulation of activities of companies, particularly large platforms, in the digital sector, introducing specific prohibitions and obligations for these 'big tech' companies to ensure competition and fairness. This regulation is part of the EU's effort to address and manage the dominance of large tech companies and to create a level playing field in the digital market.

DGA: EU regulation 2022/868 on European data governance

The Data Governance Act sets out regulations for the re-use of public sector data. It aims to create a unified market in the EU for data mediation services and the processing of data for altruistic reasons. The DGA's main focus is on easing the sharing of data within the EU and across various sectors.

DSA: EU regulation 2022/2065 on a single market for digital services 

The Digital Services Act updates the Electronic Commerce Directive of 2000 and focuses on illegal content, transparent advertising, and disinformation. It establishes a framework for regulating digital services within the EU, amending previous directives to address the current digital market. It outlines the responsibilities of digital services, particularly those acting as intermediaries connecting consumers with goods, services, and content, aiming to create a safer and more accountable online environment.

CSRD: EU directive 2022/2464 regarding corporate sustainability reporting

The Corporate Sustainability Reporting Directive (CSRD) requires more companies to provide detailed reports on their environmental and social impact. It aims to make businesses more transparent about how they affect society and the environment.

ePrivacy: EU regulation on privacy and electronic communications

The ePrivacy Regulation will succeed the ePrivacy Directive of 2002. This regulation is an extension of the GDPR and is specifically focused on cookies and other tracking technologies, with a promise of even more stringent protection of internet users' privacy. Aimed at companies in the digital economy, the ePrivacy Regulation imposes additional requirements related to the processing of personal data.

AI Act: EU regulation on laying down harmonised rules on artificial intelligence

The EU Artificial Intelligence Act is designed to strengthen rules concerning data quality, transparency, human oversight, and accountability. It also addresses ethical questions and implementation challenges across various sectors. The AI Act would classify AI systems according to their risk level and establish specific development and usage requirements for these systems. 

AI Liability: EU directive on adapting non-contractual civil liability rules to artificial intelligence

The AI Liability Directive seeks to establish uniform rules for non-contractual civil liability regarding damage caused by AI systems. It introduces a 'presumption of causality' that would make it easier for victims to prove damages inflicted by AI-powered software or products. This directive would enable victims to hold providers, developers, or users of AI technology accountable for harm to health, property, or fundamental rights, such as privacy. The directive aligns with the AI Act. 

Be compliant out there!

As you can see, there's a substantial amount to review. It's crucial to assess your current situation and plan for compliance accordingly. The recurring themes in these regulations appear to be thorough risk management, the responsibility of leadership, and significant sanctions in the event of non-compliance.

I strongly recommend that you begin assessing the impact of these upcoming regulations on your organization.

Dec 28, 2022

The quest for the truth in cybersecurity data



(Photo by Chris Liverani on Unsplash)

As the saying goes, "if you torture the data long enough, it will confess." Interpreting cybersecurity statistics can be challenging, especially those that receive media attention. It is important to approach these statistics with a critical eye and consider the context in which they were collected, the potential biases of the data sources, and other factors that could impact their accuracy and relevance.

For example, it was recently reported that ransomware attacks in Finland had increased significantly in 2022. However, upon further investigation, I found out that while there were 3 ransomware attacks on essential service providers in 2021, there were 11 such attacks in 2022. This is a whopping 300% increase!

To understand if the increase is really significant, let's consider the total number of essential service providers in Finland, which is estimated to be between 1000 and 2000. Using the conservative number 1000, this means that in 2021, ransomware attacks targeted 0.3% of essential service providers, while in 2022, the number rose to 1.1%. Alternatively, the increase could be described as a 0.8 percentage point increase.

Four times more ransomware attacks this year, a 300% increase, a 0.8 percentage point increase, or just saying that there were 8 more attacks than last year? Your pick, depending on what message you want to deliver.
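As an added example (not part of the original post), the Python below computes every framing discussed above from the post's own counts (3 attacks in 2021, 11 in 2022) for both ends of the quoted 1000-2000 range of essential service providers. It returns exact values rather than the rounded headline figures, so the reader can see how much the chosen denominator moves the percentage-point framing while the absolute and relative framings stay fixed. The function and class names are my own.

```python
"""Four ways to frame the same year-over-year change in attack counts.

Added example, not code from the original post. The counts (3 in 2021,
11 in 2022) and the denominator range (1000-2000 essential service
providers) are the figures quoted in the text; the names are mine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeFramings:
    absolute_increase: int             # attacks more than last year
    multiplier: float                  # this year / last year
    relative_increase_pct: float       # (this - last) / last, in percent
    rate_last_pct: float               # last year's attacks as % of population
    rate_this_pct: float               # this year's attacks as % of population
    percentage_point_increase: float   # rate_this_pct - rate_last_pct


def frame_change(last: int, this: int, population: int) -> ChangeFramings:
    """Compute all framings of the change from `last` to `this` attacks.

    `population` is the size of the group the attacks are measured
    against (here: number of essential service providers).
    """
    if last <= 0 or population <= 0:
        raise ValueError("last-year count and population must be positive")
    rate_last = 100.0 * last / population
    rate_this = 100.0 * this / population
    return ChangeFramings(
        absolute_increase=this - last,
        multiplier=this / last,
        relative_increase_pct=100.0 * (this - last) / last,
        rate_last_pct=rate_last,
        rate_this_pct=rate_this,
        percentage_point_increase=rate_this - rate_last,
    )


def headline_options(last: int, this: int, population: int) -> list[str]:
    """Render the same change as four different one-line headlines."""
    f = frame_change(last, this, population)
    return [
        f"{f.absolute_increase} more attacks than last year",
        f"{f.multiplier:.1f} times as many attacks as last year",
        f"{f.relative_increase_pct:.0f}% increase in attacks",
        f"{f.percentage_point_increase:.2f} percentage point increase "
        f"({f.rate_last_pct:.2f}% -> {f.rate_this_pct:.2f}% of providers)",
    ]


if __name__ == "__main__":
    # Both ends of the 1000-2000 range quoted in the post.
    for population in (1000, 2000):
        print(f"Assuming {population} essential service providers:")
        for line in headline_options(3, 11, population):
            print("  ", line)
```

Note that only the percentage-point framing depends on the assumed population; the absolute, multiplier and relative framings are the same whichever denominator you believe, which is exactly why a reader needs to know which one a headline is using.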

Analysing the trustworthiness of cybersecurity statistics or survey results can be hard work. My tips for a quick and dirty analysis are:
  • Do you believe that the source of the information is objective?
  • Is the tone of the message matter-of-fact rather than attention-seeking?
  • Is the method of data collection and analysis described?
  • Do the conclusions make sense based on your own view of the situation?
I would be much more inclined to believe the results if I got a Yes to all four questions.

If you want to dig deeper, you may consider the following factors:
  • The context in which the statistics were collected and reported
  • Any potential biases of the data sources
  • Whether the study covers only successful breaches or also blocked attacks
  • The possibility of cherry-picking or random variation in the results
  • The source and size of the data and how it was sampled, as well as any explanation of uncertainty levels
  • The clarity of terminology, such as the use of terms like "breach," "incident," and "hack"
  • The understanding that correlation does not equal causation
  • The consideration of absolute risk, not just relative risk
  • The presence of other studies that support the results
Going back to that ransomware attack increase example: it's one thing to understand what has happened and another thing to understand why. My example just showed that conclusions can be delivered differently depending on an agenda. Reasons for the increase in ransomware attacks could be, for example, activity related to the Russian-Ukrainian war, criminal activity, an increase in zero-day vulnerabilities, changes to organizations' infrastructure because of remote work, or a combination of many. The why would be important to know in order to understand the risk and decide about possible actions.

Surveys and statistics can be useful in understanding the state of cybersecurity and trends in the field. However, it is important to approach these statistics with caution and consider all of the factors that could impact their accuracy and relevance.

With cybersecurity statistics and surveys, it also applies that if the results sound too good or too bad, they are probably not true.


May 23, 2021

Predicting cybersecurity events in Finland


(Photo by Dollar Gill on Unsplash)

During March-April 2021 I've been speaking at and chairing a few cybersecurity events and courses. Since it has all been remote because of the pandemic, I've spiced up the events with online surveys. One survey was about predicting the likelihood of certain cybersecurity events happening in Finland. It was interesting to see and discuss the results.

I asked participants to estimate the likelihood of the following events happening before the end of 2022.
  1. Finland enforces legislation to require ISO 27001 certifications from the largest essential service providers
  2. Cyber security accountability / leadership will be centralized in Finnish government (e.g. Cyber Ministry)
  3. Finland will be among the top three countries in the Estonian national cyber security index (2020: #1 Greece, #2 Czech, #3 Estonia - #8 Finland)
  4. A Finnish cyber security company (Revenue >10M€) will be acquired by a foreign company.
  5. A major cloud provider will have an interruption of service lasting 8 or more hours impacting many Finnish organizations
  6. A Finnish company (other than Vastaamo) with over 100 employees will go out of business due to a cyber-attack
  7. Cyber-attack causes physical damage which leads to death(s)
  8. A Finnish company gets over 1 million EUR GDPR sanction
All 86 participants were experienced security and/or cybersecurity professionals and answers were given anonymously. 

Cybersecurity predictions results

A Finnish cyber security company being acquired (4), a major cloud service interruption (5) and a cyber-attack forcing a company out of business (6) were predicted to be the most probable. The average likelihood of all three events was between 60 and 70%. The least probable event was a cyber-attack causing fatal physical damage. Mean and median results did not differ much.

Interestingly, almost all events got estimates from 0% to 100%. The only exceptions were the Estonian national cyber security index result (3), whose highest estimate was 90% likelihood, and a cyber-attack forcing a company out of business (6), whose lowest estimate was 10% likelihood. In short, security and cybersecurity estimates were all over the scale. Standard deviation was large - between 25 and 30.

This was not intended to be any serious study, but a fun survey of how Finnish security and cybersecurity professionals see the probability of some events within a timeframe of almost two years.

Apr 12, 2020

COVID-19: Making sense of cybersecurity for home workers

(Photo by Ali Yahya on Unsplash)

Countermeasures against COVID-19 infection have changed the way we work and communicate. Everyone who can work from home is advised or forced to do so. Some are experienced remote workers, but many are working out of the office for weeks or months in a row for the first time.

Many (if not all) cybersecurity companies and authorities are publishing remote working security guidelines. Despite good advice and intentions, in my opinion many are missing the point, at least from the large organization's point of view, where employees use company-managed devices.

The advice I've seen typically has a mix of several target audiences: IT departments, remote workers in general, remote workers stuck at home and even individuals using personal devices. It may be difficult to figure out what is the home worker's responsibility.

Here's what is special about remote working currently:
  • People are working at home - not at cafes, libraries or other public spaces.
  • The whole family is working at home, kids included.
  • Everyone is worried about bigger issues than cybersecurity: health of their family, job security, money, etc.
  • Everyone is extra stressed because of social distancing and lockdowns.
The following advice is given from typical large organization's point of view, where remote workers use company provided devices and software, and have professional IT team supporting them.

Do NOT worry:
  • Security of your company-provided devices. It's the responsibility of the IT team to make sure that devices, network connections and access to applications are secure: encrypted hard disk, VPN access to the company network, strong authentication, anti-malware software in place and all software up to date.
  • How the security of your home network may affect remote work. It's good to change the default password of your home wifi access point and check the device configuration in order to protect your home. However, your company devices should be protected regardless of your home network. They are configured to allow access also from random cafes, after all.
  • Absolute confidentiality of work related matters. In reality there may be several family members at home working around the same kitchen table. Do your best and try to find a private corner for the most confidential discussions, but don't stress too much about it.
What you CAN do to protect work related confidential information and company network:
  • Follow the company guidelines. Each company may have some special requirements depending on the work and selected tools. Make sure to follow internal communications and act accordingly.
  • Use and protect the company device. Keep your company device to yourself and lock the screen when not in use. Sorry, but you need to get personal devices for your own and your family's leisure use. 
  • Keep the data at company network or device. Use only your company provided device and file/document storage to store data. If you must handle printed material, make sure to destroy them later in accordance with your company guidelines.
  • Keep your passwords to yourself. Nobody - and I mean nobody - should ask and get your password. Not even your trusted IT team or service desk. Do not reuse company password in services which are not work related.
  • Think (extra carefully) before you click. Use your common sense when receiving surprising or suspicious emails or other messages. Do not open attachments or links without checking their authenticity. Criminals are busy trying to profit from fear and uncertainty. Phishing and scams are now more common. 
  • Ask for help. If you are unsure what to do, see something suspicious or accidentally click a phishing link, contact your organization's service desk or IT support. Better safe than sorry.
In these extraordinary times organizations should take as much of the cybersecurity burden off employees as they can. Following the simple advice above, the users are one strong link of security, while the other strong link must be your IT, which takes care of technical protection.

Note, that if the use of employees' own devices is allowed to access company network and confidential data, then a totally new can of worms is opened. Don't want to go there now. Good luck.

Take care and stay safe!


Jul 19, 2019

Book recommendations for CSOs and CISOs


I read 20-30 books per year. I've been keeping track of my readings on my website since I started experimenting with HTML (I needed some reason to update the content regularly). Lately I've been using Goodreads as well. I read to keep myself up to date professionally. That means topics from security, risk management, business and leadership. When I need something more relaxing, I turn mostly to sci-fi, fantasy or crime.

I went through my list and decided to give some book recommendations for Chief Security Officers and Chief Information Security Officers. We all need more to read, right? I first tried to keep the list short with 10 books, but quickly realized that it's too hard and settled on 15 recommendations.

So, here you are, 15 great books I recommend.

🌟Security Engineering by Ross Anderson 

Probably the best security book ever, and it should be found on every security professional's bookshelf. The book covers security topics broadly, including not only technical security but also topics like psychology and economics. The first and second editions are available online and Anderson is currently writing the third edition.

🌟Thinking, Fast and Slow by Daniel Kahneman 

Nowadays it's more and more understood that good security solutions must take human behavior into account. Unusable security guidelines are disregarded and bad solutions are circumvented. Kahneman's book explains human biases and behavior thoroughly. It also helps a CSO/CISO to understand what may affect their own decision making and how to better influence others. If Kahneman feels a bit too heavy, try first Dan Ariely's Predictably Irrational, The Upside of Irrationality and The (Honest) Truth About Dishonesty.

🌟Unsecurity by Evan Francen 

After working a couple of decades as a security professional, one starts to wonder why the same problems exist year after year and the general information security level seems to decrease instead of getting better. The increasing complexity of the digital world is of course one reason, but the security industry and profession have also failed in many areas. Francen's book nicely summarizes what's wrong with information security.


We are choking on information, data, statistics and infographics. All this can be presented - accidentally or on purpose - in a misleading way. Skills to navigate through all the figures, tables and graphics are critical, as is the ability to evaluate their trustworthiness. As Levitin says in his book: There are not two sides to a story when one side is a lie.

🌟Geekonomics, The Real Cost of Insecure Software by David Rice 

Software is running the world, and code is law, as Lawrence Lessig has famously said. We tend to concentrate too much on devices and networks when protecting the digital world. We must focus more on software, applications, code. Rice's book is about the software industry and the reasons why we have so much bad software. It's also good to check Gary McGraw's classic Software Security: Building Security In.


An excellent and rare inside look at how the board of a large, global company works. Useful for CSOs and CISOs who are working with executive teams and boards - and interesting to everyone. Siilasmaa coined the term paranoid optimism, which means combining vigilance and a healthy dose of realistic fear with a positive, forward-looking outlook expressed via scenario-based thinking.

🌟Team of Teams: New Rules of Engagement for a Complex World by Stanley McChrystal

Organizations want to be agile and move from hierarchical organizations to networked models where employees and teams get more autonomy. Modern communication tools, networks and data enable that, but not without a leader's deliberate efforts to allow and nurture decision making at all levels. McChrystal writes about his experiences of how a traditional, hierarchical military organization was changed into a network of empowered individuals and teams.

🌟Factfulness: Ten Reasons We're Wrong About The World - And Why Things Are Better Than You Think by Hans Rosling

Rosling explains why our world view is mostly wrong and how to avoid common misconceptions. When thinking of poverty, education, population growth, income, life expectancy, etc., the world is a much better place than generally thought. Even highly educated people, business leaders and decision makers often don't understand what the world is like today - neither did I.


A startup can be defined as a human institution designed to create a new product or service under conditions of extreme uncertainty. A startup can also be a part of a large organization, not only a new, small company. The book explains the Build → Measure → Learn loop and how to minimize the total time through this feedback loop. Today almost everything imaginable is possible to build (with enough time, money and other resources), so the question today is not whether it can be done, but whether it should be done. There's also the bestseller This Is Lean by Modig & Åhlström.

🌟Homo Deus: A Brief History of Tomorrow by Yuval Noah Harari

Homo Deus is an amazing look at human history and predictions of the future of human evolution with algorithms, robotics and artificial intelligence. I would also recommend reading Harari's Sapiens to put the current state of the world in perspective and 21 Lessons for the 21st Century for today's challenges.

Most of Schneier's books are good. Here I picked Outliers, since it gives a thorough look at trust and what makes us trustworthy. The role of trust is increasingly important in our digital environment - organizations, products, applications and services can't succeed without employees, customers and citizens trusting them. An interesting claim in the book was that some level of rule-breaking is needed in society; without it, innovation and social progress become impossible. Schneier's latest, Click Here to Kill Everybody, is a good read about Internet of Things challenges.

🌟How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen

It's a common argument that security cannot be measured properly, hence we have lots of qualitative metrics instead of quantitative ones. Hubbard argues that anything can be measured, including security and cybersecurity. Good reading to understand how statistical models can help in measuring security status with raw data. The Failure of Risk Management is another of Hubbard's books worth reading.



So much is written about US NSA surveillance methods that it's refreshing to have a look at what Russia is doing. The book documents the history of the development of Russia's surveillance system. It starts from the pre-Internet era, explains how the SORM system was developed, describes Russia's attempts to change Internet governance via the ITU and ICANN, documents the Sochi Olympics surveillance efforts and doesn't forget the story of Snowden getting asylum in Russia.


If you have been in the business long enough, you may remember CarderPlanet and the Russian Business Network. It's useful to read a bit about criminals and the law enforcement officers trying to catch them, especially because Menn tells the story from the perspective of the good guys.

🌟The Adventures of an IT Leader by Robert D. Austin, Shannon O'Donnell and Richard L. Nolan

This is a fictional story where a business manager is appointed as the new CIO of a company. Since he doesn't have any ICT background, he needs to learn how everything works and how he can keep track of ICT functionality and business requirements. It's useful from a security management point of view to read how the new CIO gradually finds ways to improve communication and metrics. Also, the biggest challenge the fresh CIO faces is a serious security incident.

Many great books were left out, so you had better check my site or Goodreads, where I have more books with ratings. My ratings are of course time-bound: how I've rated a book depended on my knowledge, skills and interests at the time of reading. Goodreads also creates nice yearly statistics.

Happy reading and let me know what I should read (or nowadays also listen) next.