EU institutions are being overhauled following the June elections, but legacy files from the previous term continue to land. NIS2, the CRA and PLD2 are the latest legislative acronyms to take note of for cybersecurity and artificial intelligence liability.
Here is a brief overview of what they will change:
The NIS2 Directive sets a high common level of cybersecurity for critical and important entities operating in the EU. It builds on the original 2016 NIS Directive and applies to essential and important entities across sectors of high criticality ― for example, energy, digital infrastructure, health and banking ― and other critical sectors such as postal services, waste management and food. It imposes new security and incident reporting requirements and is meant to streamline cybersecurity measures for covered entities by focusing on risk management and supply-chain security ― including incident handling, vulnerability handling and disclosure, and encryption where appropriate. NIS2 entered into force in January 2023 and should have been transposed into national law by 17 Oct. Reportedly only two member states ― Belgium and Croatia ― met the deadline.
The Cyber Resilience Act aims to safeguard consumers and businesses buying or using products or software with a digital component. Its ambition is two-fold: to encourage a life-cycle approach to connected devices and to ensure they are placed on the market with fewer vulnerabilities, and to enable users to take cybersecurity into account when selecting and using connected devices. One of its biggest impacts on the ecosystem is that the CRA defines the chain of responsibility in the cybersecurity ecosystem. During a recent event hosted by the Centre for European Policy Studies, Christian D'Cunha, Head of the Cyber Coordination Task Force at the Directorate‑General for Communications Networks, Content and Technology, noted the significance of the CRA, saying, "For the first time in the world, we introduce a set of rules for strengthening supply chain security for all hardware and software made available in the EU," which he said includes provisions on how products need to be tested before they are released onto the market.
The revised Product Liability Directive was also adopted last week, after negotiations concluded before the summer. The PLD2 updates the rules on compensation for damage caused by a product defect ― now including digital products such as software and AI ― and sets a strict liability regime. The PLD2 expands the scope of products covered to include digital products such as software throughout its life cycle and AI (free and open-source software is excluded from the scope); expands the concept of damage; and changes the burden of proof and the liability regime in some cases. Organizations affected include manufacturers established both within and outside the EU, importers, their authorized representatives in the EU, fulfilment service providers and, under certain conditions, online platforms. The PLD2 will enter into force in the coming weeks and will need to be transposed into national legislation across the EU/European Economic Area.
Elsewhere:
During a recent Politico event on "AI & elections: Are democracies ready?," Krisztina Stump, European Commission Head of Unit, Media Convergence and Social Media, DG CONNECT, looked back at the European elections held in June from a mis- and disinformation perspective. Stump explained that the share of mis- and disinformation had increased from 5% to 15% of EU-related disinformation close to the elections, with narratives about the war in Ukraine as well as anti-LGBTQ, anti-migration and climate-change-skeptic narratives.
AI-generated disinformation raised a lot of concerns ahead of the elections, for instance surrounding the possible emergence of deepfakes about electoral candidates and political figures. Stump reassured the audience, noting that the European Commission had not detected any major disinformation incident. "This shows that deepfake fears did not materialize" around the European elections, she said, while adding that "AI-generated content had been used in the campaign to illustrate the disinformation narratives."
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.