Security in Digital World

6/2023 22.12.2023

Security means many things. For babies, security means being in proximity of one’s parents and being regularly fed and nursed. For bigger kids, security can relate to traffic safety on their way to school and to a safe school environment. For elderly people, security relates to managing life at home and to health security. But for most of us, security is probably associated with aspects such as personal safety and securing one’s assets, and of course, in these days, with the most important of all: the nation’s independence and military security.

Much of our ordinary life nowadays takes place in the digital world. Our living rooms are no longer furnished with bookshelves and record collections, as books and music have moved to the digital, intangible world. Our letter boxes no longer need to be emptied on a daily basis, as magazines, mail and invoices have also been transferred into electronic form. Devices in our homes that still remain physical are now for the most part connected to the internet (IoT, Internet of Things), which is why they are called smart devices. Even our cars are nowadays computers connected to the web, and in future autonomous vehicles will be so even more.

In addition to our material assets being transferred to digital form, a lot of our data is also currently stored digitally. We no longer have paper cards listing all our vaccinations; instead our health data reside in digital health records in digital databases. The same applies to our personal data, e.g. as taxpayers, employees, loyalty programme customers etc. Transactions have also gone digital: we can order things, even our groceries, from the web. We pay our bills online, without having to go to an ATM or a bank, as we used to. Going forward, our wallets and the cards and certificates therein will be transferred to our digital identity wallet, about which I wrote an article when the legal framework was not yet ready: https://iprinfo.fi/artikkeli/matrix-of-digital-identity/.

All this means that security is no longer an issue related merely to our physical security. When securing our material, tangible assets and property such as our home and cars, we ourselves are mainly responsible for the actions that prevent outsiders from getting access to them. We keep the doors to our house and car locked, and do not provide “back doors” for malicious parties to get in. With our digital assets, however, we have to trust service providers to provide sufficient technical security measures to prevent access by unauthorized parties. Be it a bank storing our financial documents, a health care company possessing our sensitive health data or a digital identity wallet provider securing our digital assets and certificates, they too base their information security on the software programs and technologies they use in storing and transferring the data and digital assets. They have exercised judgement in selecting the technology partners that offer them cloud services, other storage space and software. The technology providers, on the other hand, have made their own choices of encryption algorithms (whether post-quantum safe or not), code (open source or proprietary), transfer protocols etc. when developing their own solutions. Thus, ultimately it is the technology that we have to trust when digitalizing our assets and interacting in the digital world. “In technology we trust.” Do we?

Technologies continuously evolve, and so do the means for hacking digital systems and passwords. With quantum computing it becomes easier to brute force, that is, attack and break, many encryption algorithms that were previously considered secure. Hacking in general has evolved, so stronger protection is needed to ensure the security and continuity of the digital systems of companies and critical infrastructure in the case of major cyber incidents. The EU has tried to tackle this harmful development by initiating, during recent years, a fair amount of legislation related to data and digitalization. I myself have written about some of the latest EU regulations related to the digitalization of data in one of my earlier articles (https://iprinfo.fi/artikkeli/when-law-meets-the-digital-world/), but mainly from the Data Acts’ point of view. However, there are also new EU directives and regulations in the digital field, namely cyber security. In essence, these regulations guide and urge companies to strengthen the protection of their technical systems against potential cyber attacks.

In 2020 the EU Commission proposed a significant upgrade to the EU rules on the resilience of critical entities and the security of network and information systems. In January 2023, two key directives on critical and digital infrastructure entered into force with the purpose of strengthening the EU’s resilience against online and offline threats, from cyberattacks to crime, and against risks to public health or natural disasters:

NIS2, namely the Directive on measures for a high common level of cybersecurity across the Union, replaces the earlier Directive (NIS1) and extends the scope of application from traditional digital businesses to new areas such as energy, waste water and food production. The rationale behind this is naturally to safeguard the necessary infrastructure and production in case of a potential cyber attack. The NIS2 directive came into force in January 2023, and in Finland the national law is anticipated to enter into force as early as autumn 2024. This means that companies falling within the scope of NIS2 shall evaluate their practices and processes in terms of digital security, and notably not only their own but also those of their supply chains.[i]

CER, the Directive on the Resilience of Critical Entities, aims to strengthen the resilience of essential entities (listed by the Commission) and infrastructure across Europe and of businesses operating in the EU.[ii] Member states shall take specific measures to ensure that essential services for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market. A steering group is currently being established by the Finnish Government for the national implementation of CER.

In addition to directives that require national implementation by the Member States, the EU has also enacted several Acts related to cyber security and resilience that apply directly in the EU states without national implementation:

The Cyber Security Act establishes an EU-wide cybersecurity certification framework for ICT products, services and processes, and it has been in force since June 2021.[iii] However, a targeted amendment was proposed on 18 April 2023, one that enables the future adoption of European certification schemes for “managed security services”.[iv] The proposal is complementary to the proposed Cyber Solidarity Act (CSA).

CSA, the Cyber Solidarity Act, once enacted, will aim to create a “European Cybersecurity Shield” to improve preparedness for, and the detection of and response to, cybersecurity incidents across the EU.[v] The Act also proposes the creation of a Cyber Emergency Mechanism, which will help, as the name of the Act might already suggest, to facilitate mutual assistance between Member States in the event of a cyber attack.

CRA, namely the Cyber Resilience Act, introduces mandatory cybersecurity requirements for products with digital elements, ensuring more secure hardware and software products on the market.[vi] The act will provide a framework of cybersecurity rules governing the whole life-cycle of such products, from planning, design and development to maintenance, with obligations to be met at every stage of the value chain. The CRA had its EU trilogue on 30 November, where a provisional agreement was reached.[vii]

DORA, the Digital Operational Resilience Act, together with the DORA Amending Directive, entered into force on 16 January 2023 and will apply from 17 January 2025.[viii] With the DORA regulation, a new regulatory risk-management framework is created for the financial sector. In practice, financial institutions’ risk management before DORA was focused on the firms having enough capital to cover operational risks. However, general ICT and security risk management regulations did not apply to financial institutions, and DORA will fix this.

The listed legislation forms only a part of the legal cybersecurity framework within which companies need to operate. Notably, many of the requirements do not apply merely to companies designing digital products and services but also to other types of industry that use digital processes in their production, procurement etc. However overwhelming the amount of regulation seems to be, many of the requirements are such that any company would be wise to apply them anyway in these times of cyber attacks and even cyber war.

Cybersecurity – that is what security in the digital world is currently called. In general, the same rules as in the physical world should also apply in the digital environment. Indeed, in a recent webinar I attended on corporate responsibility in digital security, Finnish Member of the European Parliament Henna Virkkunen said in her speech that in future we might not talk about separate cybersecurity anymore, but just “security”.


[i] https://digital-strategy.ec.europa.eu/en/policies/nis2-directive; https://eur-lex.europa.eu/eli/dir/2022/2555

[ii] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3992; https://eur-lex.europa.eu/eli/dir/2022/2557/oj

[iii] https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act; https://eur-lex.europa.eu/eli/reg/2019/881/oj

[iv] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52023PC0208

[v] https://digital-strategy.ec.europa.eu/en/policies/cyber-solidarity

[vi] https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454

[vii] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_6168

[viii] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52020PC0595

Photo: iStock / burcu demir

Topics: data
