In this article, we review the latest cybersecurity regulatory updates and the challenges they pose, and we propose two approaches to best manage the accumulation of regulations.

Current landscape: A continuing proliferation of cybersecurity regulations

In Europe, a strengthening of cybersecurity laws and an expansion of scope

In recent years, the European Union has continued its regulatory momentum in cybersecurity and resilience, following the implementation of structuring regulations such as DORA, NIS2, CRA, and the AI Act. These regulations also concern a larger number of actors, particularly with an extension of the regulated sectors.

The first is the DORA regulation. Entered into force in January 2025, it imposes obligations on financial entities to strengthen their digital resilience, focusing on four main areas: ICT risk management, incident management, operational resilience testing, and ICT service provider risk management.

The NIS2 directive, which came into force in October 2024, expands the objectives and scope of NIS1. It now applies to two types of entities:

• Essential Entities (EE) – previously known as Operators of Essential Services (OES) in NIS1. However, the list of applicable sectors has significantly expanded.
• Important Entities (IE) – this new category aims to support the development of digital uses in society. It includes, for example, the manufacturing sector of IT equipment. IEs are considered less critical than EEs, so the obligations imposed on them at the national level will be less stringent.

Meanwhile, the EU also adopted the Directive on the Resilience of Critical Entities (REC), also effective from October 2024. It requires critical infrastructure operators to implement measures to prevent, protect against, and manage risks, ensuring continuity of vital services essential to the Union’s economic and social stability.

The NIS2 and REC directives had to be transposed into national laws by 17 October 2024. As of now, only a few Member States have completed this process. In France, following a first vote in the Senate on 12 March 2025, the bill is now before the National Assembly, with a public session scheduled for mid-September.

To further address cybersecurity risks linked to digital products, the EU adopted the Cyber Resilience Act, effective since 10 December 2024. This regulation applies to both standard digital products (e.g. consumer devices, smart cities) and critical digital products (e.g. firewalls, industrial control systems). It requires these to be free of known vulnerabilities, properly documented, and subject to structured vulnerability management.

Outside the EU, the United Kingdom has also strengthened its regulatory framework. Faced with rising cyberattacks on critical sectors like the NHS and Ministry of Defence and recognizing a lag in legislative adaptation, the UK government presented the Cyber Security and Resilience Bill in April 2025. The bill draws inspiration from NIS2 and aims to boost national resilience against growing cyber threats.

A similar dynamic in Asia

Cybersecurity regulations have also been strengthened in Asia in recent years, particularly in China and Hong Kong.

In China, the Network Data Security Management Regulations came into effect on January 1^st, 2025. It complements, clarifies, and extends the obligations arising from previous regulations (CSL, DSL, PIPL). It covers all electronic data processed via networks, including non-personal data, and is structured around three main axes:

• The protection of personal data, with a focus on explicit consent, transferability, and transparency;
• The management of important data, requiring their identification, documentation, and security;
• The accountability of large digital platforms, subject to enhanced obligations in terms of governance, transparency, and algorithmic ethics.

In Hong Kong, a new measure aimed at strengthening the security of critical infrastructure was adopted on March 19^th, 2025, and is set to come into effect on January 1^st, 2026. The main requirements of the Computer Systems Bill are centered around four themes: an enhanced organizational structure (local presence, cybersecurity unit, change reporting), threat prevention (security plan, annual assessment, audit), incident management (rapid notification, response plan, written report), and reporting obligations to the authorities.

Divergent approaches between the European Union and the United States, complicating compliance management 

A. Weakening of the PCLOB: What future for data transfers between the EU and the United States? 

The agreements for the transfer of personal data between the EU and the United States have experienced several disruptions, marked by the Schrems I and Schrems II rulings, which successively invalidated the transatlantic agreements due to non-compliance with the requirements of the CJEU. Then, in 2023, the European Commission adopted the Data Privacy Framework (DPF), intended to re-establish a compliant legal framework, relying notably on the PCLOB, an independent body responsible for overseeing U.S. intelligence practices. 

However, on January 27^th, 2025, the Trump administration revoked several members of the PCLOB, rendering the body inoperative. This decision undermines the validity of the DPF, pushing companies to revert to Transfer Impact Assessments (TIA), which are complex, costly, and legally uncertain.

Historical Overview of EU-US Relations in Personal Data Transfers

An invalidation of the DPF would once again raise questions about the legal framework for personal data transfers between the EU and the United States. In this context of legal instability, a sustainable solution might emerge from technology rather than law. One such example could be homomorphic encryption, which, although not yet fully mature, represents a promising avenue for ensuring data security, provided that sovereign European solutions are developed.

B. Divergent Approaches to Regulating Artificial Intelligence

In recent years, artificial intelligence has experienced rapid growth, bringing with it new cybersecurity risks and threats. To address these challenges, the European Union and the United States have adopted opposing regulatory approaches.

The European Union has chosen to implement regulations to govern the development of artificial intelligence. The AI Act was adopted in May 2024, imposing security measures to be implemented according to the risk levels of the systems.

The United States, on the other hand, is focusing on a strategy centered on technological competitiveness and industrial sovereignty, with minimal regulation. This approach was formalized with Executive Order 14179 on January 23^rd, 2025, titled “Removing Barriers to American Leadership in Artificial Intelligence” This order mandates the development of an action plan to strengthen the United States’ dominant position in artificial intelligence. It also repeals measures deemed restrictive to innovation and aims to eliminate any ideological bias or social agenda in the development of AI systems.

In this context of strengthening regulations, what approach should be adopted to manage the accumulation of regulations?

The dynamic of strengthening international regulations contributes to a layering of multiple regulations, complicating compliance management, especially for companies with a significant international footprint. Faced with this complexity, two main approaches can be considered, depending on the context, organization, and international footprint of the companies.

Centralized Approach 

The first approach is based on the development of a global framework of measures. This framework can be based on recognized international standards such as ISO/IEC 27001 or NIST CSF 2.0, or on a regulation deemed key and particularly comprehensive. All applicable regulations are then mapped to this framework, ensuring a cross-cutting coverage of obligations through a single standard.

The responsibility for implementing compliance measures is carried out by central or local teams, depending on the nature of the measures, with always strong control at the central level.

This approach is particularly suitable for companies with a centralized organization and information system, and with a limited international footprint.

Decentralized Approach 

The second approach favors a decentralized organization of compliance, relying on local teams. In this framework, a global regulatory framework is defined at the central level, which constitutes a minimum compliance base for all regions. It generally covers 85 to 90% of the requirements of all regulations that can be found at the local level.

However, in this approach, the aim is not to complete the global framework based on the analysis of all local regulations. The responsibility for adjusting to local or regional requirements lies with local CISOs, who ensure compliance with local measures, particularly the 10 to 15% of measures not covered in the global framework. This organization allows for differentiated implementation according to regions, while maintaining a central normative framework.

This model is particularly suited to decentralized structures, characterized by strong local autonomy and an extensive international footprint. It offers greater agility in the face of regulatory changes, relying on a fine understanding of national contexts, while reducing the central management burden.

Practical Case of Supporting a Client with a Strong International Presence 

A recently implemented cybersecurity program within an international group illustrates a decentralized approach with strong group control.

The compliance framework, defined by the headquarters, is based on security objectives founded on threat scenarios and relies on a common foundation integrating the main applicable regulations. This foundation is structured from a multi-framework matrix (DORA, NIS2, ISO 27001). Local entities ensure the operational deployment of the measures defined at the group level, as well as their internal control, under the coordination of a local CISO responsible for consolidating information and ensuring its reporting. The system also provides for local adjustment capabilities, allowing feedback on the central strategy, particularly to avoid potential contradictions with local regulations.

The group CISO plays a transversal supervisory role. They verify that the requirements defined at the central level are well taken into account by the local CISOs, even though the latter are responsible for their implementation. They also ensure that the deployed systems are aligned with both group requirements and local regulations. Their role is not to challenge local choices but to verify their coherence with the global framework.

In terms of control governance, each regulatory requirement, whether local or group-originated, is associated with a specific control. Clear governance between the group and local levels is therefore essential to manage a coherent control catalog, avoid redundancies, and ensure good articulation in the compliance system.

This model ensures a homogeneous security foundation while preserving the flexibility needed to adapt to local regulations. However, it also has certain limitations. Its centralized structure, while ensuring overall coherence, introduces some complexity in daily management, particularly when it comes to evolving the system or quickly integrating new regulatory requirements.

Possibility of Decoupling Information Systems 

Beyond these approaches, some companies choose to decouple their information systems. This decision is made in a context where geopolitical tensions increasingly influence cybersecurity strategies. In this context, the growing importance of sovereignty and protectionism in cybersecurity regulations creates contradictions between regulations, making it difficult, if not impossible, to ensure the compliance of a single information system with regulations from different geographic areas.

Decoupling addresses these issues by providing dedicated infrastructures, applications, and teams for different geographic areas, typically the US, EU, and Asia, with strict filtering between zones.

Towards a Phase of Consolidation and Rationalization? 

In this context, we seem to be heading towards a phase of regulatory consolidation, with the implementation of recently adopted texts and a slowdown in the publication of new regulations. However, developments could still occur to consider the emergence of new technologies, particularly quantum computing.

Moreover, in the face of increasing regulatory complexity in the EU, the European Commission seems to be initiating a new phase of rationalization, aiming to lighten certain obligations deemed unsuitable. This desire for rationalization is notably reflected in a targeted project to ease GDPR requirements for SMEs.

Another avenue for simplification involves the establishment of mutual recognition mechanisms between regulations in different countries. Regulatory compliance for companies could then be simplified, provided that states explicitly integrate this logic into their national regulations. France, for example, is considering integrating this mechanism into the bill on the resilience of critical infrastructures and the strengthening of cybersecurity. However, mutual recognition could lead to a risk of regulatory dumping: some companies might choose the least stringent frameworks to reduce the cost and complexity of compliance, to the detriment of security.

This principle is not entirely new: the GDPR already recognizes third countries as having an “adequate” level of protection (e.g., Japan, Canada, Argentina), thus facilitating data transfers with these countries.

[1] https://www.weforum.org/publications/global-cybersecurity-outlook-2025/

Cet article Navigating Cybersecurity Compliance: Managing the Complexity of Expanding Regulatory Layers est apparu en premier sur RiskInsight.

In the context where the digital transformation of the healthcare sector is accelerating, the protection of health data is an increasingly critical issue. In 2021, our article “Health Data Host Certification: Two Years Already!” by Laurent Guille and Alexandra Cuillerdier, provided a promising initial assessment of the HDS framework. Faced with growing concerns related to data sovereignty and cybersecurity, a redesign was necessary. This evolution towards HDS v2, which came into effect in 2024, marks a turning point in the approach to health data hosting in France, strengthening the protection and sovereignty of health data in an ever-evolving digital context. 

HDS v1: a first structuring but perfectible framework 

Since its introduction in 2018, the HDS framework has helped structure and professionalize the health data hosting sector. However, this first version of the framework had certain limitations. In particular, the initial framework presented gray areas regarding data sovereignty, especially concerning the location and control of health data. Additionally, the rapid evolution of cyber threats and technologies required a substantial update of security requirements to maintain a level of protection adapted to current risks. 

Overhaul of the Technical and Security Framework 

On the technical side, the new requirements of the ISO 27001:2023 standard are adopted within the new version of HDS. This update integrates security risk management adapted to new digital contexts, as well as new controls related to cybersecurity. The other normative references are rationalized. References to ISO 20000-1, ISO27017, and ISO27018 standards disappear in the HDS v2 framework, while 31 specific requirements are directly integrated into the framework, which also relies on the ISO/IEC-17021-1:2015 standard to govern conformity assessment. This new version also clarifies the articulation with the requirements of the SecNumCloud framework to facilitate obtaining HDS certification for hosts already qualified with SecNumCloud. 

A Major Strengthening of Digital Sovereignty 

One of the most significant developments in HDS v2 concerns the strengthening of digital sovereignty. The new framework now requires that the physical hosting of health data be carried out exclusively within the territory of the European Economic Area (EEA). This requirement reinforces guarantees in terms of data protection and contributes to the emergence of an ecosystem of European players in the field of digital health. 

This is complemented by enhanced transparency, which also becomes a central issue of the framework, with two major obligations: 

• Hosts must now publish on their website a map of any data transfers to countries outside the EEA, thus allowing data subjects and healthcare actors to have clear visibility on the journey of their data; 

• In the case of remote access to data from a third country or submission to non-European legislation that does not ensure an adequate level of protection within the meaning of Article 45 of the GDPR, the host must inform its clients in the contract. In particular, it must specify the associated risks and detail the technical and legal measures implemented to limit them. 

Strengthening of Contractual Requirements 

Subcontracting supervision receives particular attention in HDS v2. The associated measures are reinforced, and hosts must now: 

• Precisely detail the certified hosting activities in their contracts; 

• Maintain complete transparency regarding their subcontracting chain; 

• Ensure that their subcontractors comply with the same requirements for data security and location; 

• Implement mechanisms to control and audit their subcontractors. 

These new contractual obligations aim to ensure better control of the value chain and greater transparency for data controllers. 

Practical Consequences for the Ecosystem 

For health data hosts, these evolutions of the framework imply an adaptation of their infrastructures to guarantee the location of data within the EEA. They also require an upgrade of their security measures to meet the requirements of the 2023 version of the ISO 27001 standard and the review of contracts, both with their clients and with their subcontractors. 

Perspectives and Implementation 

This new modernized version of the HDS framework addresses the growing challenges of security, sovereignty, and transparency. Its implementation is spread over approximately two years, with immediate application for new certifications from November 16, 2024, and a transition period until May 16, 2026, for hosts already certified under HDS v1. 

In the longer term, several questions arise regarding the evolution of the framework. At a time when the NIS 2 directive already includes healthcare providers and the pharmaceutical industry among its essential sectors of activity, while classifying the manufacturing of medical devices and in vitro diagnostics in its important sectors, the emergence of HDS 2 raises a question: could European cooperation lead to an even more integrated framework for health data protection and harmonize practices across the continent? 

Cet article Evolution of the HDS Framework – Towards Enhanced Security and Sovereignty  est apparu en premier sur RiskInsight.

To arrive at this favorable vote, the European Parliament had to face heavy opposition from lobbyists, in particular certain AI companies, which, until now, could benefit from a very large panel of training data, without worrying about Copyright. Some governments, like French, have also tried to block it the act. In the case of the French State, they feared that regulations could slow down the development of French Tech.

On December 9, 2023, the Parliament and the Council agreed on a text, after three days of “marathon talks” and months of negotiations. An almost record number of 771 amendments were integrated into the text of the law, this is more than required for the passing of GDPR, which displays the difficulties encountered in the adoption of the AI Act.

The regulation on artificial intelligence (AI Act) was approved on March 13, 2024 by the European Parliament, then on May 21, 2024 by the European Council. This is the final step in the decision-making process, paving the way for the implementation of the act. As it is a regulation, it is directly applicable to all EU member countries. The next deadlines are given in Figure 6, at the end of this article.

Figure 1: Timeline of adoption of the AI ​​Act

Who are the stakeholders and supervisory authorities?

The AI ​​Act essentially concerns five main types of actors: suppliers, integrators, importers, distributors, and organizations using AINaturally, suppliers, distributors, and user organizations are the most targeted by regulation.

Each EU state is responsible for “the application and implementation of the regulation” and must designate a national supervisory authority. In France, the CNIL could be a good candidate[1] which created, in January 2023, an “Artificial Intelligence Service”.

A new hierarchy of risks that brings cybersecurity requirements.

The AI ​​Act defines an AIS as an automated system that is designed to operate at different levels of autonomy and that, based on input data, infers recommendations or decisions that can influence physical or virtual environments.

AISs are classified into four levels according to the risk they represent: unacceptable risks, high risks, limited risks, and low risks.

Figure 2: Risk classification, requirements and sanctions

1. AISs at unacceptable risk are those generating risks that contravene EU values ​​and undermine fundamental rights. These AISs are quite simply prohibited; they cannot be marketed within the EU or exported. The various risks deemed unacceptable and therefore leading to an AIS being prohibited are cited in the figure below. Marketing this type of AIS is punishable by a fine of 7% of the company’s annual turnover or €35 million.

Figure 3: Use cases of unacceptable risks                 

2. High risk AISs present a risk of negative impact on security or fundamental rights. These include, for example, biometric identification or workforce management systems. They are the target of almost all of the requirements mentioned in the text of the AI Act. For these AISs, a declaration of conformity and their registration in the EU database are required. In addition, they are subject to cybersecurity requirements which are presented in Figure 4. Failure to comply with the given criteria is sanctioned at a maximum of 3% of the company’s annual turnover or €15 million in fine.
3. Limited risk AISs are AI systems interacting with natural persons and being neither at unacceptable risk nor at high risk. For example, we find deepfakes with artistic or educational purposes. In this case, users must be informed that the content was generated by AI. A lack of transparency can be penalized at €7.5M or 1% of turnover.
4. Low risk AISs are those that do not fall into the categories cited above. These include, for example, video game AI or spam filters. No sanctions are provided for these systems, they are subject to the voluntary application of codes of conduct and represent the majority of AIS currently used in the EU.

Cybersecurity requirements addressed to high-risk AISs.

Although the AI ​​Act Regulation is not solely focused on cybersecurity, it sets a number of requirements in this area:

Figure 4: The AI ​​Act’s cybersecurity requirements

We have identified seven main categories:

Risk Management: The text imposes, for high-risk AISs, a risk management system which takes place throughout the life cycle of the AIS. It must provide, among other things, for the identification and analysis of current and future risks and the control of residual risks.

Security by Design: The AI ​​Act requires high-risk AISs to take into account the level of risk. Risks must be reduced “as much as possible through appropriate design and development”. The regulation also mentions the control of feedback loops in the case of an AIS which continues its learning after being placed on the market.

Documentation: Each AIS must be accompanied by technical documentation which proves that the requirements indicated in Annex 4 of the law are respected. In addition to this technical documentation addressed to national authorities, the AI ​​Act requires the drafting of instructions for use that can be understood by users. It contains, for example, the measures put in place for system maintenance and log collection.

Data Governance: The AI ​​Act regulates the choice of training data[2] on the one hand and the security of user data on the other. Training data must be reviewed so that it does not contain any bias[3] or inadequacy that could lead to discrimination or affect the health and safety of individuals. This data must be representative of the environment in which the AIS will be used. For the protection of personal data, the resolution of problems linked to bias (presented earlier), to the extent that it cannot be handled otherwise, serves as the only exemption for access to sensitive data (origins, beliefs policies, biometric or health data, etc.). This access is subject to several confidentiality obligations and the deletion of this data once the bias is corrected.

Record Keeping: Automatic logging is part of the cyber requirements of the AI ​​Act. The latter must, throughout their life cycle, identify the relevant elements for the identification of risk situations and to enable the facilitation of post-market surveillance.

Resilience: The AI ​​Act requires high-risk AIS to be resistant to attempts by outsiders to alter their use or performance. The text emphasizes in particular the risk of “poisoning” of data[4]. Additionally, redundant technical solutions, such as backup plans or post-failure safety measures, must be integrated into the program to ensure the robustness of high-risk AI systems.

Human Monitoring: The AI ​​Act introduces an obligation for human monitoring of AIS. This begins with a design adapted to human surveillance and control. Then, it is required that the design of the model ensures that no action or decision is taken by the deployment manager without the approval of two competent individuals, with a few exceptions.

The new case for general-purpose AI: specific requirements.

Since the April 2021 bill, negotiations have led to the appearance of a new term in the regulation: that of Gen AI or “general purpose AI model”. The latter is defined in the text as an AI model that exhibits significant generality and is capable of competently performing a wide range of distinct tasks. These models form a very distinct category of AIS and must meet specific requirements. The new chapter V of the regulation is dedicated to them. There are mainly bonds of transparency towards the EU, suppliers and users as well as respect for copyright. Finally, suppliers must designate an agent responsible for compliance with these requirements. But the new version of the AI ​​Act also introduced a new concept: that of Gen AI with “systemic risk”, which are the most regulated.

What is systemic risk Gen AI?

The AI ​​Act defines “systemic risk” as “a high-impact risk of general-purpose AI models, having a significant impact on the European Union market due to their scope or negative effects on the public health, safety, public security, fundamental rights or society as a whole, which can be spread on a large scale.” Concretely, a Gen AI is considered to present a systemic risk if it has a high impact capacity according to the following criteria:

1. A quantity of calculation used for its training greater than 10^25 FLOPS[5] ;
2. A decision by the Commission based on various criteria defined in Annex XIII such as the complexity of the model parameters or its reach among businesses and consumers.

What measures should be implemented?

If the AIS falls into these categories, it will have to comply with numerous requirements, particularly in terms of cybersecurity. For example, Section 55(1a) requires providers of these AISs to implement adversarial testing of models with a view to identifying and mitigating systemic risk. In addition, systemic risk Gen AIs must present, in the same way as high-risk AISs, an appropriate level of cybersecurity protection and protection of the physical infrastructure of the model. Finally, like the GDPR with personal data breaches, the AI ​​Act requires, in the event of a serious incident, to contact the AI ​​Office[6] as well as the competent national authority. Corrective measures to resolve the incident must also be communicated.

The following diagram summarizes the different requirements based on the general-purpose AI model:

Figure 5: The requirements of the different GenIA models

Is it possible to ease certain requirements?

In the case of a general-purpose AI model that does not present systemic risk, it is possible to significantly reduce the obligations of the regulation by making it free to consult, modify and distribute (Open Source[7]). In this case, the provider is obliged to respect the copyrights and to make available to the public a sufficiently detailed summary of the content used to train the AI ​​model.

On the other hand, a Gen AI with systemic risk will necessarily have to respect the requirements set out above. However, it is possible to request a reassessment of your AI model by proving that it no longer presents a systemic risk in order to get rid of the additional requirements. This re-evaluation is possible twice a year and is validated by the European Commission on objective criteria (Annex XIII).

How to prepare for AI Act compliance?

To prepare well, you should respect the risk-based approach which is imposed by the text. The first step is to do the inventory of its use cases, in other words, identify all AISs that the organization develops or employs. Secondly, it is about classifying your AISs by risk level (for example through a heat map). The applicable measures will then be identified according to the risk level of the AIS. The AI ​​Act also requires the implementation of a security integration process in AI projects which allows, as with any project, to assess the risks of the project in relation to the organization and to develop a relevant plan to remediate these risks.

To initiate compliance with applicable measures, it is appropriate to start by updating existing documentation and tools, in particular:

• Security Policies to define requirements specific to AI security;
• Evaluation questionnaire the sensitivity of projects targeting questions relevant to AI projects;
• Library of risk scenarios with attacks specific to AI;
• Library of security measures to be inserted into AI projects.

What are the next steps?

Figure 6: Implementation timeline of the AI ​​Act

 —

[1] The CNIL and its European equivalents could use their experience to contribute to more harmonized governance (between Member States and between the texts themselves).

[2] Training data: Large set of example data used to teach AI to make predictions or decisions.

[3] Bias: Algorithmic bias means that the result of an algorithm is not neutral, fair or equitable, whether unconsciously or deliberately.

[4] Data poisoning: Poisoning attacks aim to modify the AI system’s behavior by introducing corrupted data during the training (or learning) phase.

[5] FLOPS: Unit of measurement of the power of a computer corresponding to the number of floating point operations it performs per second, for example, GPT-4 was trained with a computing power of the order of 10^ 28 FLOPs compared to 10^22 for GPT-1.

[6] AI Office: European organization responsible for implementing the regulation. As such, he is entrusted with numerous tasks such as the development of tools or methodologies or even cooperation with the various actors involved in this regulation.

[7] Open Source: AI models that allow their free consultation, modification and distribution are considered under a free and open license (Open Source). Their parameters and information on the use of the model must be made public.

Cet article Cybersecurity at the Heart of the AI ​​Act: Key Elements for Compliance est apparu en premier sur RiskInsight.

The AI Act aims to ensure that artificial intelligence systems and models marketed within the European Union are used ethically, safely, and in compliance with EU fundamental rights. The Act has also been drafted to strengthen the competitiveness and innovation of AI companies. The AI Act will reduce the risk of abuses, reinforcing user confidence in its use and adoption.

France Digitale, Europe’s largest startup association, Gide, an international French business law firm, and Wavestone, have joined forces to co-author a white paper to help you understand and apply the European AI Act: AI Act: Keys to Understanding and Implementing the European Law on Artificial Intelligence.

In this publication, France Digitale, Gide, and Wavestone share their vision of the AI Act, from the types of systems affected to the major stages of compliance.

A few definitions to get you started

The AI Act makes a distinction between artificial intelligence systems and models, which it defines as follows:

• An Artificial Intelligence System (AIS) is an automated system designed to operate at different levels of autonomy and which can generate predictions, recommendations, or decisions that influence physical or virtual environments.
• A General-Purpose AI system (GPAI) is a versatile AI system capable of performing a wide range of distinct tasks. It can be integrated into a variety of systems or applications, demonstrating great flexibility and adaptability.

Players concerned

The AI Act concerns all suppliers, distributors, or deployers of AI systems and models, including legal entities (companies, foundations, associations, research laboratories, etc.), headquartered in the European Union or outside the European Union, who market their AI system or model within the European Union.

The level of regulation and associated obligations depend on the level of risk presented by the AI system or model.

Classification of AIS According to Risk Level

The AI Act introduces a classification of artificial intelligence systems. AIS must be analysed and prioritized according to the risk they present to users: minimal, low, high, and unacceptable. The different levels of risk imply more or less obligations.

Unacceptable-risk AIS are prohibited by the AI Act, while minimal-risk AIS are not subject to the Act. High-risk and low-risk AIS are therefore the focus of most of the measures set out in the regulations.

Specific obligations apply to generative AI and to the development of general-purpose AI models (e.g., Large Language Models or “LLMs”), depending on various factors: computing power, number of users, use of an open-source model, etc.

In order to meet the new challenges posed by the emergence of generative artificial intelligence, the AI Act includes specific cybersecurity measures aimed at reducing the risks generated by the development of generative artificial intelligence.

In a future publication, we’ll be taking a closer look at the cybersecurity aspects of the AI Act. In the meantime, you can find our latest publications on AI and cybersecurity: “Securing AI: The New Cybersecurity Challenges”, “The industrialization of AI by cybercriminals: should we really be worried?”, “Language as a sword: the risk of prompt injection on AI Generative”.

[1] France agrees to ratify the EU Artificial Intelligence Act after seven months of resistance (lemonde.fr).

Cet article The AI Act: The Keys to Understanding the World’s First Legislation on Artificial Intelligence. est apparu en premier sur RiskInsight.

A denser and more complex cybersecurity regulatory landscape

The first attempts to regulate personal data protection and cybersecurity remained partial until the early 2000s, being driven mainly by the United States and the European Union.  Initially, they focused on the protection of personal data, in France with the Loi Informatique et Libertés (1978) and in the United States with sector-specific regulations: the Privacy Act (1974) for the public sector, the Health Insurance Portability and Accountability Act for the healthcare sector (1996) and the Gramm-Leach-Bliley Act (1999) for the financial sector.

The first cybersecurity regulations were introduced in the financial sector in the early 2000s, with the aim of improving the security of the services provided. Notable regulations include the Sarbanes-Oxley Act (2002), in the USA, reinforcing corporate transparency in terms of internal control, and the Payment Services Directive (2007) in the European Union, regulating the security of online payments and transactions.

Since the early 2010s, more structuring regulations have emerged to form an initial cyber regulatory base in the same regions. These regulations are mainly focused on critical infrastructure protection, with France’s Loi de Programmation Militaire de 2013-2018 (2013), the USA’s National Cyber Security and Critical Infrastructure Protection Act (2014), but also the Network and Information Security 1 Directive (2016) enacted by the European Union.

It wasn’t until the late 2010s that the desire to regulate the cyber space became more global. As many countries followed in the footsteps of the United States and the European Union, stricter cyber regulations began to emerge, with far-reaching impacts on information systems. This can be seen in the arrival of major personal data protection regulations around the world: the General Data Protection Regulation (GDPR, 2018) in Europe, the California Consumer Privacy Act (CCPA, 2020) in California, the Personal Data Protection Law (PDPL, 2020) in Brazil, the Personal Information Protection Law (PIPL, 2021) in China, or the Personal Data Law (2022) in Russia.

Other regulations aimed at protecting information systems are multiplying, with the Cybersecurity Law in China (2017), the NYCRR 500 Cybersecurity Regulations for the State of New York (2017), or the new iteration of the NIS Directive (2023) and DORA in Europe.

Evolution of cybersecurity regulatory landscape[2]

Added to this complex cybersecurity regulatory landscape is a vast ecosystem of cybersecurity requirements and standards, with different levels of constraint: regulatory requirements stemming from cyber or other regulations, mandatory requirements, recommendations or even requirements with contractual value. In this context, it is essential to identify all applicable requirements and the level of constraint they impose.

Types of cybersecurity requirements and standards, beyond cyber regulations

A cybersecurity regulatory compliance strategy adapted to the new paradigm

With the global cybersecurity regulatory landscape becoming increasingly complex, compliance cannot be thought of solely as total compliance with all applicable regulatory requirements. Faced with detailed, costly and sometimes contradictory requirements, it is becoming necessary to implement risk-based cyber compliance strategies. The definition of these strategies will be based on a study of the existing level of regulatory compliance, an assessment of the effort and complexity of the measures required to comply with each regulation, and a consideration of the risks associated with potential non-compliance, both in terms of sanctions and IS protection. This analysis, far from seeking to escape the law, aims to identify the benefit/risk of activities, and may lead to redirecting activities, limiting their scope, or acting in concert with the ecosystem to evolve requirements.

To implement such a strategy, it is first essential to identify all applicable regulations, and to set up a regulatory watch to keep alongside regulatory developments and related news. A two-tiered organisation must then be set up to manage cyber regulatory compliance.

A first level of overall management aimed at providing a high-level overview: a global analysis of the level of cyber compliance must be carried out. This can be based on a recognised cybersecurity standard such as NIST or ISO 27001 for security requirements. For requirements relating to the protection of personal data, GDPR is a good foundation, since most international regulations on this topic are derived from it. The NIST privacy and ISO privacy standards are also solid references in this field. These benchmarks can be mapped onto the main applicable regulations, and advantage can be taken of existing synergies between regulations, as illustrated by the two examples below.

To complete this analysis, an audit plan should be drawn up to assess compliance with key local regulations in greater detail.

A second level of “local” management, on a geographical or business line scale, aimed at ensuring local regulatory compliance in each of the regions where the Group is present. This requires first of all the implementation of a local watch to identify and know precisely the regulations and associated news. This is followed by a detailed analysis of the level of compliance with local regulations, the identification of specifics needed to ensure the right level of compliance, and the feedback of these elements to the Group to ensure the overall management of compliance actions.

Protection regulations call into question the need to separate information systems

Complying with a multitude of cybersecurity regulations is becoming a real challenge for companies with an international presence and centralised information systems. This is due to the stacking up of these regulations, sometimes with incompatible or contradictory provisions, but also to the emergence of requirements with far-reaching impacts on information systems.

This is the case, for example, with China’s PIPL regulations, and in particular Article 40, which stipulates that the transfer of data outside China will only be authorized if processing complies with the security assessment established by the Chinese authorities. This regulation will apply above a certain volume of personal data (not yet specified by the Chinese authorities).

Incompatibilities between regulations have also arisen between the United States and the European Union. This is illustrated by the invalidation of the U.S. Privacy Shield[3] by the European Court of Justice, its Schrems rulings calling into question the ability of U.S. Cloud hosts to process the personal data of their European customers in line with European requirements.

Against this backdrop of heightened cybersecurity and personal data protection requirements, emphasised by the protection intentions of certain countries, it may become necessary to study the need to separate globalised and centralised information systems by considering separation into several geographical zones, which could be:

• A zone comprising the USA and the UK
• A second zone centered on China
• A third zone made up of the European Union and GDPR-relevant[4]

Depending on their regulatory reality and potential developments, other countries or regions could be attached to one or other of these three zones.

In the future, the information systems of these different zones could rely more heavily on the sovereign clouds that are currently being developed.

Constraints that can even lead to the closure of a region’s operations

We’re even seeing a number of companies halting or postponing the launch of activities in certain countries where the regulatory constraints and associated risks of sanctions are too great in relation to the business challenges and strategy of the company. This is particularly the case in certain US states, and in Europe, where some major players are putting the brakes on their development because of the RGPD (e.g. Google’s open AI/ Bard, or Meta’s launch of Thread).

What’s next for 2023 and beyond?

The complex regulatory landscape will continue to expand in the months and years ahead. Both in new areas (AI, product security) and in existing areas, such as critical infrastructure.

On the “critical infrastructure” front, after the first phases of regulations focused on personal data protection, the authorities have been looking at critical infrastructure protection, which continues with the NIS2 directive in particular. Adopted on November 10, 2022 and soon to be implemented into French law, it aims to reduce disparities between member states, strengthen cybersecurity in a context of increasing digitalisation, and establish security measures to improve the level of security of critical infrastructures within EU member states.

A new phase is now taking shape, during which regulations will focus on the safety of digital products, with in particular:

• The AI Act, a European regulation aimed at defining a common frame of reference for the development and use of Artificial Intelligence (AI). Against a backdrop of lightning acceleration in the uses of AI, new regulations are also set to emerge around the world, and particularly in China, where measures have already been taken and led to the closure of 55 applications and 4,200 sites between January and March 2023[5].
• The Cyber Resilience Act (C.R.A), another European regulation, which aims to strengthen the security of digital products by imposing measures to be respected by manufacturers right from the product design stage. Not to mention the recent announcement by the White House of the “Cyber trust mark” initiative, which targets the same objective but with a different approach[6].

The regulatory stakes are not about to diminish, and cyber teams need to be prepared. At the very least, it will be necessary to strengthen links with the business lines concerned, as well as with legal teams. The most mature companies in this field have set up legal departments within their cyber teams, to exchange information with the various legal departments. This may not necessarily be necessary, depending on the organization of each structure, but it can also be a guarantee of strong mobilization.

In all cases, the challenge for companies will be to transform these often mandatory regulatory requirements into a competitive advantage for their business, not by punitive, minimal compliance, but rather by taking ownership of the subject and transforming these practices in a way that can be leveraged externally.

[1] https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/

[2] Non-exhaustive list of cybersecurity regulations

[3] https://www.cnil.fr/fr/invalidation-du-privacy-shield-les-suites-de-larret-de-la-cjue

[4] Countries complying with the level of protection required by the EU https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde

[5] https://www.01net.com/actualites/comment-les-lois-chinoises-tres-strictes-risquent-de-nuire-a-lia-made-in-china.html  

[6] https://arstechnica.com/information-technology/2023/07/the-cyber-trust-mark-is-a-voluntary-iot-label-coming-in-2024-what-does-it-mean/

Cet article Cyber regulatory landscape: challenges and prospects est apparu en premier sur RiskInsight.