The cultural revolution of cybersecurity


Following the splendid DigEat Festival, organised by Digitalaw Srl in Lecce on 27-29 November, we feel it is useful to take a closer look at some of the topics discussed during the event.

The idea that cybersecurity is exclusively a technical problem belongs to an old and obsolete vision. Anyone who has even leafed through an international standard will have realised the strategic importance of organisational and procedural aspects. On several occasions, it has been stressed that NIS 2 itself, in Article 24, speaks of procedures, strategies, policies as essential elements for the resilience of infrastructures, information and systems. The role that the CISO can play within organisations (be they public or private) is fundamental: being able to find the right harmony between various levels of cybersecurity and effective organisational models is a difficult task and requires skills and knowledge that cannot be delegated to a single hardware device or software product.

A change in regulatory technique

It was important to emphasise the change in regulatory technique that came with the GDPR: we moved from a ‘prescriptive regulatory technique’ to a ‘principle-based regulatory technique’. The most striking demonstration of this is the term ‘accountability’, which, readers will recall, has been the subject of huge debates about the correctness of its translation. This paradigm shift did not end with the GDPR but continued with texts such as NIS2 and the DORA Act, and will continue to be adopted precisely because it is considered more appropriate and effective. On the more technical side, it should be noted that many procedures that are considered well known are in fact applied in a largely inadequate manner; the case of backup & restore was discussed. This procedure, which companies believe they execute correctly, is often executed incorrectly because certain fundamental steps are disregarded. In particular, the orientation of the best-known standards (such as ISO 27001) was presented, which makes explicit how these operations must be performed. Another widely underestimated aspect is change management, which has a particular impact both on the control of the production chain and on contractual aspects. In relation to this last point, and with particular reference to the implementation of artificial intelligence models, the contractual implications of securing the infrastructure were analysed. It is not always easy to distinguish accurately the causes of an IT incident on the basis of events: responsibilities tend to be shifted from one actor to another, and in these cases, unfortunately, contractual arrangements are inadequate to manage any friction constructively and quickly.

A paradigm shift is possible

The Anglo-Saxon method of regulation changed everything: it changed the approach to regulation for a jurist, but it also changed the approach to fundamental rights for end users. It allowed a much-needed elasticity in the application of normative principles. However, this is not really new: ISO 27001:2013 already implemented aspects of supply chain auditing and monitoring. The National Cybersecurity and Data Protection Framework, an initiative that originated in 2015, already included many measures that were later taken up in the GDPR as well as in NIS 1 and 2. The Minimum ICT Security Measures for P.A. referred to in Circular 2/2017 descend from the Critical Security Controls 6 (June 2016) of the Center for Internet Security (CIS), which already integrated organisational procedures with implementation techniques. It is therefore possible to state without any hesitation that for more than 13 years Quality IT has been trying to promote an integrated approach based on procedures, strategies and policies, and not only on technique.

Cultural changes and resistance

Recent regulatory developments have made the end-user community more aware of its rights. Internationally, the GDPR has become the example of a new, possible and copyable regulatory paradigm (there are numerous cases worldwide). On the IT level, albeit with difficulty and often with delay, a new way of designing and implementing solutions and architectures is emerging. It started many years ago by putting data, rather than systems, at the centre of attention, and it is continuing by favouring an infocentric vision over a purely technical one. It is necessary to continue in this direction, and the way forward is anything but simple: the Digital Omnibus proposal aims at a cross-cutting regulatory simplification on several fronts (AI Act, NIS 2, GDPR) in search of an undoubtedly necessary harmony after a period of regulatory hypertrophy. However, this simplification is raising some doubts:

A second pillar is the revision of Section 4 of the AI Act concerning AI literacy. The general obligation for providers and deployers to ensure uniform training programmes is replaced by an obligation on the part of the Commission and the Member States to promote non-binding initiatives aimed at ensuring an adequate level of competence and technical awareness. The specific training obligations for users of high-risk systems, on the other hand, remain unchanged and continue to represent an essential prerequisite for the safe and responsible use of artificial intelligence. (Source: Altalex)

The essential point of this change is the promotion of the principle that training can be downgraded to ‘non-binding initiatives aimed at ensuring an adequate level of competence’. If this principle were accepted, it could be agreed to extend it to other areas in which, with difficulty, greater awareness has been achieved than in the past. Training should be, in the writer’s opinion, an essential obligation to prevent the inaccurate dissemination of knowledge or the unconscious use of systems, equipment and applications. It is therefore not a question of attributing to training a ‘notional’ value, but a value linked to ‘awareness’ regarding the use of systems and technologies.

US pressure

In recent days, US President Donald Trump and entrepreneur Elon Musk have made claims about the uselessness of the European Union. These assertions arose especially after the European Union took action to protect content posted on certain social platforms.

After almost two years, the European Commission has taken a non-compliance decision against X for violating its transparency obligations under the Digital Services Act (DSA): the company was fined EUR 120 million, in a decision that was also criticised by US Vice President JD Vance. (Source: Adnkronos)

One of the Adnkronos articles

It should be made clear immediately that this kind of comment is one of the knee-jerk reactions one should be used to by now. The US capitalist culture prevents the blossoming of a series of rights and privileges that undoubtedly make Europe slower in technological development but also more democratic in the balancing of rights. Certainly, for its part, Europe should consider developing solutions that make it less exposed to lock-in mechanisms by other countries.

The protection of institutions

This context was also disturbed by the affair involving the Data Protection Authority. This is not the place to discuss such a complex and unclear subject in its entirety, but it is certainly worth remembering that, while investigative journalism is sacrosanct, must be defended and is an expression of the democracy mentioned above, it is equally true that we must be careful about the process of demolishing institutions. The Garante della Protezione dei Dati Personali (Data Protection Authority) has played an essential role in the last 10 years in protecting data subjects: jurists understand very well how much this has meant. It would be good, therefore, to distinguish between personal and institutional responsibilities: it is never helpful to undermine the credibility of an institution.

Conclusions

A paradigm shift is possible and is taking place, but we should pay attention to what will happen in the immediate future: while on the one hand it is necessary to create harmony and coherence between norms, on the other hand it is important not to downplay the impact they can have in improving the use of technologies. We certainly need to develop Europe’s technological presence more in the global framework but, at the same time, we must avoid cultural tampering with the democratic mechanism that has made us better and more sensitive to our rights.