Aside from the AI Act’s final blessing by the European Parliament earlier in March (extensively covered by our previous Monthly Notes), the past month was dominated by legislative activities across the globe in the field of cyber security, system resilience, and digital trust.

On 12 March, the European Parliament adopted the Cyber Resilience Act, setting out essential cybersecurity requirements for digital, interconnected devices in the EU. On 18 March, the European Council approved the Regulation on the European Health Data Space to establish an infrastructure for sharing electronic patient files and other health data in a trustworthy manner. In addition, a provisional agreement was reached on the content of a European Media Freedom Act, which lays down rules for the functioning of the market for media services, editorial independence, and media pluralism. On the other side of the Atlantic, the U.S. Department of the Treasury released a strategic report on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence in the financial sector, outlining best practices to help financial institutions navigate the welter of cybersecurity risks surrounding generative AI.

EU Cyber Resilience Act

The new EU Cyber Resilience Act (the Act) as now adopted by the European Parliament mainly deals with the security of communication between digital devices. It is therefore a major contribution to the functionality of the Internet of Things, as well as all other forms of device-bound communication. It introduces comprehensive obligations for manufacturers, importers, and distributors of products that may be interconnected with one another or in the context of a bigger network.

The key obligations set out in this new piece of legislation comprise (1) the application of mandatory CE markings; (2) the adherence to certain safety standards during product development, as well as (3) the notification of security vulnerabilities and incidents during the products’ entire lifespan. In a bit more detail:

  • The Act requires firms to mark all products with (interconnected) digital elements with a CE conformity label. To obtain a CE mark, the product must pass a mandatory conformity assessment against the requirements established by this Act. This conformity assessment can be carried out internally for non-critical products as well as most products with a lower risk profile. For products with a higher risk profile (listed in the Annexes to the Act), an external conformity assessment by an independent, notified body is required. It is currently expected that most products (~90%) will fall into the non-critical category and will thus require an internal conformity assessment only. The Act also makes a reference to the EU’s newly adopted AI Act so that conformity assessments under both Acts are aligned with one another.
  • The security requirements established by the Act apply strictly at all stages of product development (“security by default”). This includes ongoing risk assessments and management of product vulnerabilities – all to be well documented. The Act also introduces a cybersecurity support period during which the manufacturer has to handle vulnerabilities of the product effectively. This includes, for example, security updates, ongoing monitoring of the product's compliance, and maintaining a single point of contact for customers for the reporting of vulnerabilities.
  • There are also strict reporting obligations for any security-related incidents concerning the product. Depending on the specifics of the product and its application, reports need to be submitted to either the European Union Agency for Cybersecurity ("ENISA"), the national Computer Security Incident Response Teams ("CSIRTs"), or even both. Depending on the circumstances, the notification periods can be extremely short; entities must take action within 24 hours of becoming aware of the incident.

Overall, this is a highly complex piece of legislation set out to bolster Europe's institutional mechanisms of defense against cybersecurity threats that might find their way into the European common market via products with digital elements. More information about the Cyber Resilience Act has been published on HL Engage by Christian Tinnefeld, Henrik Hanssen, Michael Thiesen, and Joke Bodewits.

Now that the Act has been adopted, it will enter into force on the 20th day following its publication in the Official Journal of the European Union. However, economic operators will have 36 months to adapt to the new rules, with the exception of the reporting obligation, which will apply after only 21 months. To facilitate compliance with these provisions, ENISA and the European Commission’s Joint Research Centre have published a thorough mapping of the new law.

European Health Data Space Regulation

Only a few days later, on 18 March, the European Council approved the compromise text of the European Health Data Space Regulation resulting from the final ‘trilogue’ held by MEPs the week before. This Regulation:

  • empowers individuals through increased digital access to, and control of, their electronic personal health data – including through data portability rights – at national level and EU-wide, and lays the foundation for a genuine European single market for electronic health record systems involving relevant medical devices and high-risk AI systems;
  • supports the use of health data for better healthcare delivery, better research, innovation and policy-making; and,
  • enables the EU to fully harness the potential offered by a health-specific ecosystem of rules, common standards, practices, infrastructures and governance frameworks that enable safe and secure exchange, use, and reuse of health data.

More information on the European Health Data Space and its significance for electronic health records has been published by Giulia Mariuz, Juan Ramón Robles, and Helene Boland.

European Media Freedom Act

And finally, the European Parliament has passed the European Media Freedom Act with an overwhelming majority. This is set to introduce a new legal framework to prevent political interference in editorial decisions and ensure transparency of media ownership.

One of the main triggers for this legislation was the ‘Rule of Law Report’ released by the European Commission in 2022, which foregrounds the perils of an intrusive spyware known as ‘Pegasus’. The spyware targeted journalists, lawyers, national politicians, and MEPs in the EU in July 2021.

The new law therefore introduces key terms such as a legal definition of ‘intrusive surveillance software’ and imposes new obligations on providers of so-called very large online platforms (platforms with an average number of monthly active users in the EU equal to or higher than 45 million). Such providers shall be required, for example, to provide a functionality allowing recipients of their services to declare that they do not provide content generated by artificial intelligence systems without subjecting it to human review or editorial control.

Guidance for the finance sector from the U.S. Department of the Treasury

Meanwhile, in the U.S., the Department of the Treasury has released a report that provides further guidance for the finance sector in the U.S. on how to navigate the perils of cybersecurity threats.

In line with the U.S. President’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, the report provides an overview of the state of AI use in the financial sector for cybersecurity purposes and addresses its key implications for the sector based on 42 interviews with industry stakeholders.

While generative AI continues to advance in leaps and bounds, there is reportedly little sharing of fraud information across the sector, which limits the ability of financial institutions to aggregate fraud data and train their models to prevent falling prey to fraud schemes. Efforts are now afoot to collect fraud data from industry and government alike and put in place a 'data lake of fraud data' with the aim of training AI models used by financial institutions with the appropriate and necessary safeguards.

The Treasury expects to roll out the study of the impact of AI on the sector over the coming years, so this report is not meant to be definitive. Still, the significant step forward is that the report also charts the main categories of cyber risks that industry players need to prepare for:

  • social-engineering techniques (e.g., threat actors drawing on social media posts or messages to make their impersonations more convincing);
  • malware & code generation (e.g., threat actors using generative AI to create a false copy of a financial institution's website and harvest customers' credentials);
  • vulnerability discovery (e.g., threat actors using advanced AI-based tools that are typically used for cyber defense by developers and testers to discover vulnerabilities and identify weaknesses in an institution's IT network and application security measures); and,
  • disinformation (e.g., threat actors incorporating various synthetic content to boost their disinformation campaigns).

We will follow these and other regulatory activities, and keep you posted.

Authored by Leo von Gerlach and Julio Calvalho

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.