Five major technology regulations in 2024

The year 2024 brings a number of challenges. Commercial, geopolitical and technological. And also legal ones. What are the current regulations to pay attention to?

The legal environment is quite complex. For businesses, public administrations and individuals. In addition to EU regulations and directives, there are Czech laws, decrees and regulations, implementing regulations and decisions on EU regulations, methodologies, case law and interpretations of supervisory authorities.

Generally speaking, the regulatory burden is increasing. Comprehensive regulation is expanding into other areas, and more and more detailed cross-cutting rules are being adopted. And all this is usually accompanied by an increase in potential fines and other penalties. Even for larger companies, it is already quite difficult to keep track of it all. It is still the case that ignorance of the law is no excuse, so no area of law can be completely overlooked.

However, when planning priorities, strategy and usually budgets, it is advisable for companies to focus on these areas:

  • Cyber security
  • Supply chain control
  • New data regulation
  • Artificial Intelligence Regulation (AI Act)
  • ESG

Cyber security

A new law on cyber security, which will transpose the NIS2 Directive into Czech law, is expected to come into force in autumn this year.

The scope of obligations for ensuring information and cyber security will not change that much with the new law. What will be new, however, is the number of regulated entities. Under the current cybersecurity law, obligations are imposed on several hundred larger companies and public entities. The new law will impact thousands, if not tens of thousands, of organizations. Including many medium-sized and smaller entities. This is even in areas not previously covered by any regulation relating directly to information or cyber security, such as food processing, waste management, the provision of certain IT services, transport, etc.

The regulation on digital operational resilience in the financial sector, DORA, is also important for the financial market. It will become effective in just one year, in January 2025. DORA affects not only banks and insurers, but also many other players such as payment institutions, fintechs, cryptocurrency traders, investment firms and insurance intermediaries. It also applies to major IT vendors that provide services to financial institutions.

Unlike the NIS2 Directive, DORA is a regulation, i.e. directly binding legislation. It does not need to be transposed by Member States into their legal systems; from 17 January 2025 DORA will be directly binding on all newly regulated entities. If you operate in the financial market or provide IT services to financial institutions, it is high time to start preparing for the new requirements. And there will be many, whether legal, organisational or technical.

Supplier management

Supply chain control is a big topic. Many businesses are dependent on a large number of suppliers and their subcontractors that they often do not even know. However, a failure somewhere far down the supply chain could mean that a factory in the Czech Republic stops working, spare parts for cars or key components for medical devices are unavailable, or perhaps data storage facilities used by some financial institutions stop working.

However, the relationship between customer and supplier is also important in the context of the Czech Republic: many companies based in the Czech Republic also supply foreign markets, often to large customers. And they must guarantee compliance with a range of standards, regulations and internal procedures, often through ISO certification. In some cases, foreign buyers require this by choice, but in Germany, for example, a supply chain law has been in force since last year, which imposes the obligation to control suppliers on an increasing number of organisations. Germany is by far the most important trading partner of Czech companies, so this law will affect many Czech companies.

Rules regulating the liability of companies for their (sub)suppliers are also being prepared at the level of the European Union. A proposal for a directive on corporate sustainability due diligence has already been presented in 2022. The directive is currently in the European Parliament and we can expect it to move a step further in the legislative process later this year.

Data regulation

Data Act, DMA, DGA, DSA... And also PSD3, eIDAS2 or FIDA, or the Financial Data Access Framework Regulation. Do these acronyms make your head spin? You are not alone. The rapid development of data processing in virtually all sectors has led to the adoption of a number of new regulations. Often very complex and detailed, focusing on the use of different types of information, sharing, accountability for online content, clarification of rules on electronic identification, easier transition between providers of similar services, etc. All new obligations also need to respect the GDPR rules for processing personal data, copyright and ensure data security.

There are basically two ways to approach the new data regulation: make a checklist and evaluate which new regulation applies to the organization and which does not. And for the former, prepare to implement other processes and technical and organizational rules with a sigh of relief.

Or the checklist could be different: in data regulation, try to find opportunities to develop and improve your own operations, processes, product and customer service. Does the new regulation allow for more efficient data processing, does it make it easier for clients to access information about their products, does it facilitate the transition between service providers? So let's leverage the data and enable clients to see and do more. I'm sure they'll appreciate it.

AI Act

Artificial intelligence, often under the "code name" of AI, is all around us. Not so much in devices, programs and applications yet, but it is being written and talked about all the more.

AI as a threat, AI as an opportunity, AI in marketing, in data analytics, in HR. Artificial intelligence draws pictures and sues major US publishers over whether it could train on their copyrighted works. AI is programming, AI is cheating, AI is defending companies, AI is being used to phish, to produce fake videos...

Perhaps it's not a bad idea to pause and look at the topic of artificial intelligence with a cool head.

Yes, algorithms with elements that could be described as machine learning, sometimes perhaps with a hint of something artificial or something intelligent, are developing quite rapidly. The freely available tools that many of us like to play with pose some risks. For personal data, internal information, copyrighted works. But perhaps also for the environment, because processing a single image request in the popular Midjourney consumes as much electricity as charging a mobile phone.

The rapid development of various AI and "AI" tools and applications has given European standard setters a bit of a scare. Until recently, the quite calmly discussed AI Act, the new EU regulation governing the basic rules for the development, marketing and use of AI tools in the European Union, has become the subject of fierce debates, efforts to tighten and tighten the screws. By the turn of the year, the major players in the EU appear to have reached an agreement and the regulation is moving further through the legislative process.

For those who are trying to move with the times and already use AI elements, or even develop and build them into their products, the AI Act will bring a number of new responsibilities. These range from organisational measures (risk management, certification, assessment of the impact of AI on the rights of affected persons), to administrative measures (documentation, information obligations), to technical and security measures. The use of AI in some areas is likely to be completely prohibited (e.g. biometric identification of people, creation of so-called social credit), while in other areas it will be assessed according to the level of risk to the persons concerned. For the more risky areas, such as selecting new employees, deciding whether to enrol in an educational institution, assessing creditworthiness or setting insurance premiums, a number of additional obligations will be required.

Are you investing in AI? Then, in addition to the risks associated with information protection, data confidentiality, or the introduction of operational errors, you should also take into account the new regulation. The AI Act can easily make the use of AI more difficult, more expensive, or even in some places, banned altogether.

ESG

We've probably all heard the acronym ESG before.

Just to be clear, the individual letters indicate these types of risks and impacts:

  • E for environmental
  • S for social
  • G for governance (internal governance)

ESG regulation is quite convoluted. Some larger companies are already required, or will soon be required, to measure and report on the ESG impacts of their operations. ESG risk management in other areas, such as supplier selection, does not yet have uniform regulation.

All this does not mean that a typical Czech company will not face demands to prove how it addresses its carbon footprint or social responsibility. It is enough to supply a larger, more regulated or multinational company. The latter usually addresses ESG comprehensively and enforces this on its suppliers as well.

However, a company may also encounter ESG questions when it wants a loan (for example, for operating financing), insurance or is interested in a subsidy. In these situations, information is often requested on internal ESG strategies and policies, reducing the negative environmental impacts of operations, processes for ensuring compliance with legal requirements, preventing discrimination, etc.

The first area, the environmental impact of business, is particularly resonant at the moment. However, ESG as such also has implications for a number of other areas, such as supplier management and accountability. The letter G (internal corporate governance) in turn requires a degree of internal management and controls to prevent breaches. In other words, a functional compliance system.

How do we get out of all this?

The regulatory wave is not letting up. How to manage it and not drown?

The important thing is:

  • Look for opportunities in new regulation. Opportunities to improve your processes, save money, find new business models...
  • Efficiency. A cleverly implemented system for checking and verifying suppliers will meet the requirements of a wide range of legislation.
  • Reasonableness. Implement only what is really necessary, according to your own conditions, organisational structure and needs. Do not buy overpriced and unnecessary solutions.
  • Be inspired. Look to related areas, to implementations of similar requirements, and to examples of good practice summarized in international standards and norms.
  • Keep calm and don't be intimidated (and invoiced) by various quick-fix experts.

Source: František Nonnemann, GDPR.cz