Aside from the AI Act’s final blessing by the European Parliament earlier in March (extensively covered by our previous Monthly Notes), the past month was dominated by legislative activities across the globe in the field of cyber security, system resilience, and digital trust.
On 12 March, the European Parliament adopted the Cyber Resilience Act, setting out essential cybersecurity requirements for digital, interconnected devices in the EU. On 18 March, the European Council approved the Regulation on the European Health Data Space to establish an infrastructure for sharing electronic patient files and other health data in a trustworthy manner. In addition, a provisional agreement was reached on the content of a European Media Freedom Act, which lays down rules for the functioning of the market for media services and for safeguarding editorial independence and media pluralism. On the other side of the Atlantic, the U.S. Department of the Treasury released a strategic report on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence in the financial sector, outlining best practices to help financial institutions navigate the welter of cybersecurity risks surrounding generative AI.
The new EU Cyber Resilience Act (the Act) as now adopted by the European Parliament mainly deals with the security of communication between digital devices. It is therefore a major contribution to the functionality of the Internet of Things, as well as all other forms of device-bound communication. It introduces comprehensive obligations for manufacturers, importers, and distributors of products that may be interconnected with one another or in the context of a bigger network.
The key obligations set out in this new piece of legislation comprise (1) the application of mandatory CE markings; (2) the adherence to certain safety standards during product development, as well as (3) the notification of security vulnerabilities and incidents during the products’ entire lifespan. In a bit more detail:
Overall, this is a highly complex piece of legislation set out to bolster Europe's institutional mechanisms of defense against cybersecurity threats that might find their way into the European common market via products with digital elements. More information about the Cyber Resilience Act has been published on HL Engage by Christian Tinnefeld, Henrik Hanssen, Michael Thiesen, and Joke Bodewits.
Now that the Act has been adopted, it will enter into force on the 20th day following its publication in the Official Journal of the European Union. However, economic operators will have 36 months to adapt to the new rules, with the exception of the reporting obligation, which will apply after only 21 months. To facilitate compliance with these provisions, ENISA and the European Commission’s Joint Research Centre have published a thorough mapping of the new law.
Only a few days later, on 18 March, the European Council approved the compromise text of the European Health Data Space Regulation resulting from the final ‘trilogue’ held by MEPs the week before. This Regulation:
More information on the European Health Data Space and its significance for electronic health records has been published by Giulia Mariuz, Juan Ramón Robles, and Helene Boland.
And finally, the European Parliament has passed the European Media Freedom Act with an overwhelming majority. This is set to introduce a new legal framework to prevent political interference in editorial decisions and ensure transparency of media ownership.
One of the main triggers for this legislation was the ‘Rule of Law Report’ released by the European Commission in 2022, which foregrounds the perils of an intrusive spyware known as ‘Pegasus’. The spyware targeted journalists, lawyers, national politicians, and MEPs in the EU in July 2021.
The new law therefore introduces key terms such as the legal definition of ‘intrusive surveillance software’ and imposes new obligations on the so-called providers of very large online platforms (platforms with an average number of monthly active users in the EU equal to or higher than 45 million). These providers shall be required, for example, to provide a functionality allowing recipients of their services to declare that they do not provide content generated by artificial intelligence systems without subjecting it to human review or editorial control.
Meanwhile, in the U.S., the Department of the Treasury has released a report that provides further guidance for the finance sector in the U.S. on how to navigate the perils of cybersecurity threats.
In line with the U.S. President’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, the report provides an overview of the state of AI use in the financial sector for cybersecurity purposes and addresses its key implications for the sector based on 42 interviews with industry stakeholders.
While generative AI continues to advance in leaps and bounds, there is reportedly little sharing of fraud information across the sector, which limits the ability of financial institutions to aggregate fraud data and train their models to prevent falling prey to fraud schemes. Efforts are now afoot to collect fraud data from industry and government alike and put in place a 'data lake of fraud data' with the aim of training AI models used by financial institutions with the appropriate and necessary safeguards.
The Treasury expects to roll out the study of the impact of AI on the sector over the coming years, so this report is not meant to be definitive. Still, the significant step forward is that the report also charts the main categories of cyber risks that industry players need to prepare for:
We will follow these and other regulatory activities, and keep you posted.
Authored by Leo von Gerlach and Julio Calvalho