References of "Chiara, Pier Giorgio 50038876"
Full Text
Peer Reviewed
The Cyber Resilience Act: the EU Commission’s proposal for a horizontal regulation on cybersecurity for products with digital elements. An introduction
Chiara, Pier Giorgio UL

in International Cybersecurity Law Review (2022)

The EU Commission presented on 15 September 2022 the proposal for a ‘Regulation on horizontal cybersecurity requirements for products with digital elements amending Regulation (EU) 2019/1020’ (Cyber Resilience Act, CRA). This long-awaited piece of legislation would complement the EU cybersecurity acquis by laying down horizontal cybersecurity requirements for all products with digital elements. This article sheds light on the ‘horizontal’ character of the CRA proposal by highlighting its main pillars. In particular, the contribution takes into account the new set of obligations placed on economic operators, the conformity assessment procedures, the market surveillance framework, and the interplay with other legislative initiatives, both within and outside EU cybersecurity law. Against the backdrop of the sectoral regulatory approach adopted thus far by the Commission vis-à-vis cybersecurity requirements for products, horizontal intervention is needed to ensure legal certainty, avoiding duplicative obligations and further market fragmentation.

Full Text
Peer Reviewed
One step ahead: mapping the Italian and German cybersecurity laws against the proposal for a NIS2 directive
Schmitz, Sandra UL; Chiara, Pier Giorgio UL

in International Cybersecurity Law Review (2022)

With the COVID-19 pandemic accelerating the digital transformation of the Single Market, the European Commission also sped up the review of the first piece of European Union (EU)-wide cybersecurity legislation, the NIS Directive. Originally foreseen for May 2021, the Commission presented the review as early as December 2020 together with a Proposal for a NIS2 Directive. Almost in parallel, some Member States strengthened (or adopted) national laws beyond the scope of the NIS Directive to respond adequately to the fast-paced digital threat landscape. Against this backdrop, the article investigates the national interventions in the field of cybersecurity recently adopted by Italy and Germany. In order to identify similarities and divergences of the Italian and German national frameworks with the European Commission’s Proposal for a NIS2 Directive, the analysis focuses on selected aspects extrapolated from the Commission Proposal, namely: i) the enlarged scope; ii) detailed cybersecurity risk-management measures; iii) more stringent supervisory measures; and iv) stricter enforcement requirements, including harmonised sanctions across the EU. The article concludes that the national cybersecurity legal frameworks under scrutiny already match the core of the proposed changes envisaged by the NIS2 Proposal.

Full Text
Peer Reviewed
The IoT and the new EU cybersecurity regulatory landscape
Chiara, Pier Giorgio UL

in International Review of Law, Computers and Technology (2022), 36(2),

This article aims to cast light on how the fast-evolving European cybersecurity regulatory framework would impact the Internet of Things (IoT) domain. The legal analysis investigates whether and to what extent existing and proposed sectoral EU legislation addresses the manifold challenges in securing IoT and its supply chain. It firstly takes into account the Cybersecurity Act, being the most recent and relevant EU legal act covering ICT products and cybersecurity services. Then, EU product legislation is scrutinised. The analysis focuses on the delegated act recently adopted by the Commission under the Radio Equipment Directive (RED), strengthening wireless devices’ cybersecurity, the Medical Devices Regulation, the Proposal for a General Product Safety Regulation and the Proposal for a Machinery Regulation. Lastly, the proposal for a revised Network and Information Systems Directive (NIS2) is assessed in terms of its potential impact on the field of IoT cybersecurity. Against this backdrop, the article concludes by advocating the need for separate horizontal legislation on cybersecurity for connected products. To avoid fragmentation of the EU’s Single Market, a horizontal legal act should be based on the principles of the New Legislative Framework, with ex-ante and ex-post cybersecurity requirements for all IoT sectors and product categories.

Full Text
Peer Reviewed
Commission Delegated Regulation (EU) 2022/30 Supplementing Directive 2014/53/EU on Radio Equipment: Strengthening Cybersecurity, Privacy and Personal Data Protection of Wireless Devices
Chiara, Pier Giorgio UL

in European Data Protection Law Review (2022), 8(1), 103-107

This contribution highlights how the Delegated Regulation (EU) 2022/30, activating the essential requirements of Article 3(3)(d), (e) and (f) of Directive 2014/53/EU on radio equipment (RED), will enhance and complement the existing EU legal frameworks on cybersecurity and on privacy and data protection, while strengthening the (cyber)security of wireless (IoT) devices.

Full Text
Peer Reviewed
L'IA applicata all'analisi dei metadati: un'alternativa alla rottura della crittografia per le autorità di contrasto alla criminalità (AI applied to metadata analysis: an alternative to breaking encryption for law enforcement authorities)
Neroni Rezende, Isadora; Chiara, Pier Giorgio UL

in Brighi, Raffaella (Ed.) Nuove Questioni di Informatica Forense (2022)

This paper explores the normative challenges of digital security technologies, i.e., end-to-end (E2E) encryption and metadata analysis, in particular in the context of law enforcement activities. Internet of Things (IoT) devices embedded in smart environments (e.g., smart cities) increasingly rely on E2E encryption in order to safeguard the confidentiality of information and uphold individuals’ fundamental rights, such as privacy and data protection. In November 2020, the Council of the EU published a resolution titled “Encryption – Security through encryption and security despite encryption”. The resolution seeks to ensure the ability of security and criminal justice authorities to access data in a lawful and targeted manner. Nonetheless, in the context of pre-emptive surveillance and criminal investigations, E2E encryption renders the analysis of the content of communications extremely challenging or practically impossible, even when access to data could be lawful. Here, two different layers of complexity seem to emerge. They concern: (i) whether a balance between the values protected by E2E encryption and the aims of law enforcement can be attained; (ii) whether state-of-the-art AI models can preserve the advantages of E2E encryption while allowing inferences of valuable information from communication traffic, with the aim of detecting possible threats or illicit content. Against this backdrop, we firstly examine whether AI algorithms, such as Machine Learning and Deep Learning, might be part of the solution, especially when it comes to data-driven and statistical methods for classifying encrypted communication traffic so as to infer sensitive information about individuals. Secondly, we consider the possible uses of AI tools in the analysis of IoT-generated data in smart city scenarios, focusing on metadata analysis.
We explore whether AI-based classification of encrypted traffic can circumscribe the scope of law enforcement monitoring operations, in compliance with the European surveillance case-law. Finally, as far as our research focus is concerned, we discuss how the use of AI bears the potential of smoothing traditional trade-offs between security and fundamental rights, allowing for encrypted traffic analysis without breaking encryption.

Full Text
Peer Reviewed
La cybersecurity come bene pubblico: alcune riflessioni normative a partire dai recenti sviluppi nel diritto UE (Cybersecurity as a public good: some normative reflections starting from recent developments in EU law)
Brighi, Raffaella; Chiara, Pier Giorgio UL

in Federalismi.it (2021), 21

The article casts light on how and to what extent recent EU legislative developments can uphold the thesis that identifies cybersecurity as a public good, in particular taking into account systems’ robustness. The doctrine of the public good, which is typically an economic concept, in its normative dimension reveals a framework of shared responsibilities, in view of the common interest in having a satisfactory level of security of the information systems at the basis of our societies. Improving cybersecurity is essential, on the one hand, to trust and benefit from innovation, connectivity and automation; on the other hand, for safeguarding fundamental rights and freedoms, including the rights to privacy and to the protection of personal data, and the freedom of expression and information. Against this background, the new strategy of the European Commission on cybersecurity, the proposal for a NIS 2.0 Directive and, at a lower level of abstraction, the inclusion of minimum cybersecurity requirements for connected devices in the Directives and Regulations of the “New Legislative Framework” (NLF), testify to the firm will of the Commission to outline a clear, coherent and inclusive regulatory framework, in order to increase the overall level of security within the Union.

Full Text
Peer Reviewed
Disentangling encryption from the personalization debate: On the advisability of endorsing the “relativist approach” underpinning the identifiability criterion
Chiara, Pier Giorgio UL

in University of Vienna Law Review (2021), 4(2), 168-188

The great confusion about encryption, a cornerstone concept of data security, may jeopardise a proper taxonomy for legally qualifying data. Through a technical and legal literature review, this paper firstly aims to shed light on the nature of encryption. Having set the context, the study investigates whether and to what extent the so-called relativist understanding of Recital 26 GDPR is desirable. It considers the effort required to identify the data subject only by the data controller: in the context of cryptography, the GDPR regime would be applicable if a data controller is able to decrypt a data set or, at least, has reasonable possibilities of doing so. The legal analysis, integrated with technical aspects, addresses the case of polymorphic encryption as an argument in favour of the relativist approach in the post-Breyer era: if cryptographic means are strong enough that identification is no longer reasonably likely, such data would effectively be non-personal data. The advisability of such an outcome is critically discussed in the light of recent business trends, where big corporations are increasingly investing in business models aimed at removing personal data from the equation.

Full Text
Peer Reviewed
The Balance Between Security, Privacy and Data Protection in IoT Data Sharing: a Critique to Traditional "Security&Privacy" Surveys
Chiara, Pier Giorgio UL

in European Data Protection Law Review (2021), 7(1), 18-30

The paper examines the normative challenges of the Internet of Things (IoT), in particular taking into account today’s debate on the privacy, data protection, and security issues brought about by IoT. Three different layers of complexity are under scrutiny. They regard (i) moral and political theories on the concept of ‘security’; (ii) whether and to what extent information security technologies, in the context of IoT, may affect fundamental rights, such as privacy and data protection; and (iii) new legal challenges for individual and group privacy and data protection. The overall aim of the paper is, on the one hand, to stress basic differences between privacy and data protection and why the distinction matters vis-à-vis the flow of information and data sharing in IoT. On the other hand, the intent is to stress the different meanings security has in this context, since the word is often used interchangeably to address information security, cybersecurity, or safety issues. We should hold these distinctions firm when striking balances between privacy, data protection, and ‘security’ in IoT.

Full Text
Peer Reviewed
The Unsecure Side of (Meta)Data in IoT Systems
Chiara, Pier Giorgio UL

in Ambient Intelligence and Smart Environments (2020, July), 28

The exponential spread and deployment of emerging digital technologies such as the Internet of Things (IoT) has been remarkable: the IoT market is expected to at least triple, from USD 170.57 billion in 2017 to USD 561.04 billion by 2022. IoT technologies collect, generate and communicate a huge amount of different data and metadata, through an increasing number of interconnected devices and sensors. Current EU legislation on data protection classifies data into personal and non-personal. The paper aims at charting the resulting entanglements from an interdisciplinary perspective. The legal analysis, integrated with a technical perspective, will firstly address the content of IoT communications, i.e. “data”, and the underlying distinction between personal and non-personal. Secondly, the focus will shift to the metadata related to communications. Through a technical analysis of the highly sensitive nature of metadata, even when the content is encrypted, I will argue that metadata are likely to further undermine the ontological and sharp division between personal and non-personal data upon which the European legal frameworks for privacy and data protection have been built. The incoming ePrivacy Regulation shall provide metadata, which should always be considered personal data, the same level of protection as “content” data. This interpretation might broaden too much the scope of application of the GDPR and the connected obligations and responsibilities of data controllers and data processors.

Full Text
Peer Reviewed
Security and Privacy in Resource-Constrained Devices
Chiara, Pier Giorgio UL

in CEUR Workshop Proceedings (2020), 2598

Recent adversarial attacks have exposed the weaknesses of IoT devices due to their limited computing power. Given also their ubiquitous presence, lower costs and limitations in keeping security measures up-to-date, resource-constrained devices represent a growing risk for the security of IT infrastructure. The scope of the research is to investigate the weaknesses of resource-constrained IoT devices. The methodology for the investigation is the legal analysis of existing legal frameworks regulating IoT cybersecurity and data security; afterwards, a critical evaluation of the existing best practices will be carried out. This critical analysis should face the twofold challenge of increasing transparency and trust in resource-constrained systems. Users and companies are two faces of the same coin: accountability of data collectors and user awareness are crucial in the security and data protection debate. Thus, a comprehensive overview of the relevant legal frameworks and guidelines would increase users’ understanding of the risks, whilst data controllers (especially small and medium enterprises) would have an instrument to properly implement security measures.
