
Cybersecurity in the European Union: What is being done?

"The Commission today presented a proposal for a new Cyber Resilience Act [to the European Parliament], to protect consumers and businesses from products with inadequate security features."

That was September 2022: we were coming out of the pandemic and facing levels of cybercrime never seen before. The annual cost of cybercrime was already considerable; today it is estimated at more than 5.5 billion euros a year.

The European Union was trying to react and proposed fines of up to 2.5% of annual turnover or up to 15 million euros (whichever is higher) for companies that sell products with digital elements, that is, products that can be connected directly or indirectly to another device or network. But...

Does the average citizen have any idea what the European Union is doing beyond this? How concerned is the European Parliament with ensuring the union's cyber security? Get ready because that's what we're going to find out in this article!

EU and European Commission responses on cybersecurity

We're going to look at the EU's main initiatives to combat cybercrime, and tell you what rules you need to be aware of to avoid fines for your company. First of all: what organizations are there to protect us?

ENISA - European Union Agency for Cybersecurity

It was founded in 2004 and seeks to strengthen the trustworthiness of products, services and processes involving information and communication technologies, notably through cybersecurity certification schemes. The agency collaborates with Member States and other bodies by sharing knowledge and strengthening their capacities.

- What is ENISA, the European Union Agency for Cybersecurity?

From a political point of view, this concern exists to strengthen confidence in a connected economy; from a social point of view, to maintain the digital security of European citizens. ENISA therefore contributes to regular updates of EU security policy and sends useful forecasts to legislators and policy-makers in the Member States.

But organizations aside: is there a legal framework that protects us from this new reality, marked by rampant cybercrime? What really happens to cybercriminals who commit illegal acts with the new digital tools?

EU Cybersecurity Regulation (the Cybersecurity Act)

The Cybersecurity Act (Regulation (EU) 2019/881) came into force in June 2019 and introduced a Europe-wide certification framework, as well as a permanent and strengthened mandate for ENISA. The latest version of the document can be viewed here, in 24 languages, including Portuguese. I'll summarize the main points of the document for you:

  1. It establishes the objectives, tasks and organizational aspects of the European Union Agency for Cybersecurity (ENISA) and a framework for the creation of European cybersecurity certification systems;

  2. Important terms are defined, such as "cybersecurity", "network and information system", "national strategy on the security of network and information systems", "operator of essential services", "digital service provider" and "incident handling";

  3. The sectors singled out as priorities for cybersecurity certification are connected and automated cars, electronic medical devices, industrial automation control systems and smart grids;

  4. It is stressed that companies and consumers must have accurate information about the assurance level of their certified ICT products, services and processes, and that basic rules of cyber hygiene and cybersecurity risk management should be promoted;

  5. It is made clear that companies must be aware of the sanctions that can be applied in the event of a breach of the obligations set out in the regulation.

- How will the new EU cybersecurity regulation affect Portuguese companies?

What about the EU-wide Cybersecurity Certification Scheme?

Still within the scope of the Cybersecurity Act, note the harmonization of the cybersecurity certification framework across the Union. I know: it sounds like a mouthful, but I'll explain what it means.

Certification is the main way of attesting that ICT products, services and processes meet cybersecurity standards. But the fact that different countries used different certification schemes was a weakness of the system: it created market fragmentation and regulatory barriers, and a certificate obtained in one Member State was not automatically recognized in another.

EU-wide Cybersecurity Certification Scheme: the problem of different countries using different certification systems

The new certification framework establishes a joint EU-wide system with rules, technical requirements, procedures and standards shared by all Member States. Each European certification scheme adopted under it must specify:

  1. The categories of products, services and processes covered;

  2. The cybersecurity requirements, for example by reference to standards or technical specifications;

  3. The type of evaluation (conformity assessment) to be performed;

  4. The intended assurance level, "basic", "substantial" or "high", which is used to inform users.

A certificate issued under a European scheme is recognized in all Member States and facilitates cross-border trade for businesses and consumers. The implementation of this framework is already underway and Member State authorities have already met several times on the matter.

But does it all come down to the Cybersecurity Certification System?

Cyber Resilience Regulation (the Cyber Resilience Act)

The names sound alike, but the Cyber Resilience Act and the Cybersecurity Act are different things. The Cyber Resilience Act seeks to ensure that products with digital elements are secure before they are placed on the market. We're talking about things like:

  • Connected home cameras and fridges;
  • Televisions;
  • Or smart toys.

To this end, the Member States reached a common position on the legislation that lays down mandatory cybersecurity requirements for these products. It is this legislation, applicable across the whole Union, that is called the Cyber Resilience Act. The document, which has since been updated, can be viewed here.

Types of products affected by the cyber resilience regulation - Cybersecurity in the European Union

"The Internet of Things and other connected objects must have a minimum level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats."

- Carme Artigas Brugal, Secretary of State for Digitalization and AI, Spain

If you weren't aware of the existence of this regulation and especially if you have a product that falls into this bracket, these are the main changes you should be aware of:

  1. There are rules that shift responsibility for compliance with the requirements onto manufacturers. Pay attention to obligations such as cybersecurity risk assessment, declarations of conformity and cooperation with the competent authorities when required;

  2. There are essential requirements for the vulnerability handling processes that manufacturers must put in place, and there are new obligations for other economic operators, such as importers and distributors, in relation to these processes;

  3. There are measures to improve the transparency of hardware and software products in terms of cybersecurity, as well as a new market surveillance framework intended to enforce this legislation.

Attention entrepreneurs: there are new standards to be met in certain product categories

This regulation also details the specific categories of products that will have to comply with the new rules, as well as new obligations to report actively exploited vulnerabilities to the competent authorities.

Important: if your product falls into this bracket, remember to include information that allows the consumer to determine the product's expected support period! If you've already done so, don't abandon this article just yet. I still have to tell you about the famous NIS.

Network and Information Security Directive - NIS

In 2016, the first directive on the security of network and information systems, known as NIS (Directive (EU) 2016/1148), was adopted. The plan was not only to strengthen cooperation between Member States on cybersecurity issues, but also to establish security and incident-notification obligations for operators of essential services in critical sectors such as:

  1. Energy
  2. Transportation
  3. Health
  4. Finance

And for digital service providers such as:

  1. Online marketplaces
  2. Search engines
  3. Cloud computing services

In 2022, NIS 2 was adopted, seeking to raise and level out the degree of cybersecurity across the Union. It was a comprehensive response to the escalation of cybercrime brought on by the COVID-19 pandemic.

"There is no doubt that cybersecurity will continue to be one of the main challenges of the coming years. The risks to our economies and our citizens are enormous. Today, we have taken another step towards improving our ability to deal with this threat."

- Ivan Bartos, Deputy Prime Minister for Digitalization and Minister of Regional Development of Czechia

This new directive aims to harmonize cybersecurity requirements and the way measures are applied across the different Member States.

To achieve this goal, it:

  • Sets minimum rules for each country's regulatory framework;

  • Defines cooperation mechanisms between the authorities of each Member State;

  • Updates the list of sectors subject to cybersecurity obligations;

  • Provides for sanctions to ensure that the new measures are implemented.

Difference between NIS and NIS2

Among other new features, the new text also provides for:

  1. More proportionality in the application of sanctions and regulatory requirements;

  2. Stricter cybersecurity risk-management requirements;

  3. Precise criteria that allow national authorities to determine which entities are covered;

  4. The exclusion from its scope of entities active in the fields of national security, public security, defence or law enforcement.

The Council of the EU's website states that "in addition, the new directive has been aligned with sector-specific legislation, in particular the regulation on the digital operational resilience of the financial sector (DORA) and the directive on the resilience of critical entities (CER) (...)"

What about fraud in non-cash payments?

In the past, we've written on this blog about popular techniques for stealing credit card data. But the problem has worsened and, today, technologies such as MB WAY and tactics such as smishing have allowed criminals to broaden the range of possible attacks.

I talked about this, more specifically the risks of card payments in retail, in a video, and you can find out all about it in this article.

The European Union is aware of the fraud and counterfeiting that plague the sector, not least because they are a significant source of revenue for organized crime and undermine consumer confidence in the European economic area.

For this reason, in April 2019, the EU adopted a directive on combating fraud and counterfeiting of non-cash means of payment, to be applied by Member States from 2021. In short:

  1. Operational obstacles that hindered investigation and prosecution were reduced;

  2. Measures are planned to increase public awareness of fraudulent techniques;

  3. Penalties for natural persons were harmonized: the directive sets minimum levels for the maximum prison sentence that national law must provide, between 3 and 5 years for the most serious offences, depending on the offence.

New EU directives against payment fraud

Note that the directive only lays down a set of minimum rules: Member States are free to go further and apply stricter rules. If you're curious to see it in full, you can view the directive here.

Now that you know the regulatory landscape you need to be aware of, let's look at how it's applied. How are these laws enforced? Are they to be taken seriously or are they of no practical consequence? Read on to find out.

Sanctions against cyberattacks: justice and law enforcement

We opened this article with a lead from Diário de Notícias that talked about sanctions, remember? That's right: this new family of rules and policies, if they are to be confirmed in practice, also affect the sphere of justice and the application of the law.

Let's take a quick look at what you should know.

Access to electronic evidence

Electronic evidence is essential for police and judicial authorities today, in a context where criminals increasingly use technology to commit illegal acts.

According to the European Commission, 85% of criminal investigations involve digital data.

When we talk about electronic evidence for criminal investigations and prosecution, we are talking about:

  1. Text messages
  2. Email
  3. Messaging applications
  4. Audiovisual content
  5. Information on users' online accounts

One of the novelties to note is that access to electronic evidence no longer stops at each Member State's border. Previously, in more than 50% of criminal investigations, a cross-border request had to be made between the competent authorities...

...but in 2018 the Commission proposed rules to streamline access to this evidence, which were adopted in 2023. The new rules allow the judicial authorities of a Member State to order the production or preservation of data directly from any service provider offering services in the Union, wherever that provider is established.

What about countries outside the EU?

  1. There is a directive that obliges service providers that are not established in the Union but offer services in it to designate a legal representative, who must receive, comply with and execute decisions and orders on this matter;

  2. The European Commission is negotiating, on behalf of the EU, an agreement with the United States of America on cross-border access to electronic evidence.

This comes on top of the Second Additional Protocol to the Budapest Convention on Cybercrime, which covers cross-border access to electronic evidence between countries on a global scale.

Budapest Convention on Cybercrime

Encryption

The cybersecurity strategy drawn up by the European Commission also addresses the search for a balance between the use of encryption by service providers and lawful access to encrypted information by law enforcement.

From the point of view of fundamental rights, we all agree that data should be protected with strong encryption that cannot be circumvented, right? But at the same time, we want the police to be able to access cybercriminals' data when we are the target of a crime...

This is the problem. 

The paradox of too much vs. too little encryption

Against this backdrop, in December 2020 the Council adopted a resolution on "security through encryption and security despite encryption". I don't think it's exactly reformist: it seems to me to be a declaration of intent. But if you're curious, you can find out about it here.

Until further notice, I'd say that private entities will come out on top and cybercriminals will remain protected, if they know how to use the right mechanisms for illicit practices. Let me know if you agree with me in the comments section of this article!

Data retention

This issue is also controversial, in the sense that the retention of data by service providers interferes with the right to privacy and the protection of personal data. The problem?

This data is necessary to combat cybercrime effectively.

For this reason, the new rules on electronic evidence provide for preservation orders: a service provider can be ordered to keep specific data so that it is not deleted while a production order is being processed.

- Which companies are obliged to retain data under EU law?

Conclusion

We'll come back to this topic as soon as news is published that is of interest to you, the person responsible for running your company. It's important that you keep up to date with the law to avoid fines and ensure that your products meet the expectations of the competent authorities and consumers.
See you soon!
