30 July 2024

Technol-AG: 2 new tech law guides and some recent tech law news

To The Point
(5 min read)

In this edition, we have strayed slightly from our usual format to give you not only some recent tech law updates but also to introduce you to our two recently launched tech law guides: Guide to DORA and the UK Critical Third Party Regime and Harnessing Generative AI: A Practical Legal Guide.  Links to download each are set out below.  

For our more usual tech law updates, we take a look at NIS2 and give a recent update regarding its implementation, as well as a recent update on AI and the financial services sector.  

2 new tech law guides and some recent tech law news:

  1. It's 7am, and a critical tech system goes down...
  2. NIS2: What is it, how does it compare with DORA and what's the latest?
  3. A Practical Legal Guide to Harnessing Generative AI and some recent AI news


It's 7am, and a critical tech system goes down...

Our guide to preparing your firm for critical service incidents, which provides some key information on the Digital Operational Resilience Act (DORA) and the UK Critical Third Party Regime is now available. If you would like to download a copy, please click here.


NIS2: What is it, how does it compare with DORA and what's the latest?

Another key piece of cybersecurity legislation to be aware of is the NIS2 Directive (NIS2).  

What is NIS2?

NIS2 (with the "NIS" standing for "network and information systems") is an EU directive which provides legal measures for a high common level of cybersecurity across the EU.  It replaced NIS (the first piece of EU-wide legislation on cybersecurity), aiming to address the considerable changes to the cyber threat landscape since NIS was adopted in 2016.

Is it already in force?

NIS2 entered into force in January 2023 on the same day as DORA, and Member States have until 17 October 2024 to transpose its measures into national law. 

What are some of its key elements?

Some of the key elements of NIS2 are:

  • Security and reporting requirements: NIS2 imposes a risk management approach, which provides a list of basic security elements which must be applied
  • Incident reporting: NIS2 includes precise provisions on the process for incident reporting, content of reports and timelines  
  • Security of supply chains and supplier relationships: NIS2 requires companies to address cybersecurity risks in the supply chain and supplier relationships
  • Governance and accountability: NIS2 imposes governance and accountability obligations on management boards

How does it differ from DORA?

As you will see in our guide, DORA is applicable to 21 different types of financial entities as well as ICT third-party service providers.  

NIS2 is broader in scope, applying to entities which operate in a broad range of sectors and offer services in the EU.  In particular, to "large" (at least 250 employees and €50 million turnover) and "medium" (at least 50 employees and a turnover of €10-50 million) entities which operate in "essential" or "important" sectors.  This includes, for example, transport, energy, healthcare, banking, digital infrastructure, water supply, manufacturing of critical products and production, processing and distribution of food.

Some of the other key ways in which NIS2 differs from DORA are:

  • it is a directive, rather than a regulation – it is not directly applicable and needs to be implemented by local legislation (but it provides specificity and minimum standards to avoid too much divergence);
  • it goes beyond operational resilience and offers a broader cross-sector approach to cybersecurity, whereas DORA is tailored to the needs and challenges of the financial industry; and
  • it provides high and defined penalties for non-compliance, whereas DORA leaves sanctions up to the Member States.

Recent update on implementation

On 27 June 2024 the European Commission launched a four-week consultation on a draft act to update NIS2 in order to align the rules at EU level, given the cross-border nature of some operators in the digital sectors, and to specify the cases in which an incident must be considered significant.

Draft acts are a way of updating an EU law, once passed, to reflect developments in a particular sector or to ensure it is implemented properly.  In order to adopt such an act, the European Commission must usually consult a committee in which every EU country is represented.  An overview of the feedback from this consultation will be presented to the committee for discussion.  

Practical Takeaways

Even if you are not in scope for DORA, you may find that you are in scope for NIS2.  With the consequences of not complying including fines of up to €10 million or 2% of global turnover, it is important to determine whether or not you are.  If you would like help with this, please get in touch.  


A Practical Legal Guide to Harnessing Generative AI and some recent AI news

Harnessing Generative AI: A Practical Legal Guide

Generative AI (GenAI) solutions have the power to supercharge an enterprise.  After the recent confirmation that the EU AI Act will come into force on 1 August and the further indication given in the King's Speech that the new UK government will be introducing AI legislation, it is more important than ever to understand how to safely deploy this technology.
Our new practical legal guide to harnessing GenAI solutions is now available.  It identifies some key topics for you to be thinking about now, the key areas of risk and how to mitigate them and provides an overview of the current GenAI regulatory landscape.  If you would like to download a copy, please click here.

Targeted consultation on AI in the financial sector

Among the many pieces of AI news since our last edition, was the launch of a consultation and workshop series by the European Commission.

What is the consultation?

Launched on 18 June 2024, this is a targeted consultation and workshop series focused on AI in the financial sector.  

Who is the European Commission consulting?

The European Commission is seeking input from all stakeholders developing or planning to develop or use AI applications in financial services, including companies and consumer associations.

Why is the European Commission consulting?

The purpose of the consultation is to provide the Commission services with insights into how AI is being applied in, and its impact on, the financial services sector.

Feedback from stakeholders will support the Commission services in the implementation of the EU AI Act, which is due to come into force on 1 August 2024, and in its evaluation of market developments and risks related to AI.

How is the consultation being run?

The consultation takes the form of a three-part questionnaire, including:

  • a section on specific use cases in the banking and payments, market infrastructure, securities, insurance and pensions, and asset management sectors; and
  • a section which poses questions designed to help the Commission understand the specific requirements of stakeholders to allow it to offer relevant advice on effectively adopting the upcoming AI framework.

Depending on the progress made, the Commission will publish a report on the findings and an analysis of the main trends and issues arising with the use of AI applications in financial services.

When does the consultation end?

Stakeholders are invited to respond to the consultation by 13 September 2024.

Practical Takeaways

For those in the financial services sector, this consultation is likely to inform the guidance issued by the European Commission for the implementation of the EU AI Act.
