Cloud compliance 2023: what did last year bring and what will and (probably) will not pass this year?
The year 2022 is behind us. Awards are being handed out for everything and accounts are being settled, so let's also attempt a short recap. What was 2022 like in terms of compliance? And what will the current year bring? Should we expect surprises, or do we already know what to prepare for?
Dana Yussupova
What 2022 brought in cloud compliance
At the beginning of the year the after-effects of covid were still visible and everyone was looking forward to things returning to normal. It did not last long. Just as we were about to catch our breath, the war in Ukraine began. Europe was plunged into an energy crisis, there were endless discussions about its causes and solutions, and the spectre of recession began to hang over economic development.
Amid all the changes of 2022, at least one thing remained the same: the EU's digital direction. The EU is holding the line and implementing its digital strategy as planned. Along the way, a few events important from a compliance perspective happened last year.
Data handling
Crucial, long-awaited regulations for Europe's digital journey have been approved and published, and prudent handling of data remains a priority:
- Data Governance Act
It sets out the conditions for the re-use and sharing of data held by the public sector.
- Digital Services Act
It introduces new conditions and obligations for businesses providing intermediary services; in 2023 the individual Member States must designate their Digital Services Coordinators, while the European Commission will gradually issue guidelines and implementing rules.
- Digital Markets Act
It sets the rules for the world's biggest players (the so-called gatekeepers), for digital market entry and for competition.
- Adequacy decision for the EU-US Data Privacy Framework
The European Commission has started the process of adopting a transatlantic data-flow solution that addresses the CJEU's concerns from the July 2020 Schrems II judgment. For more details on this topic, see this Cloud Encyclopedia article or our LinkedIn profile.
Cybersecurity
In this area of EU interest, the following have been approved:
- DORA
Regulation on digital operational resilience for the financial sector. Because it is a regulation, it is directly applicable and no national legislation is needed; what remains to be issued are the so-called Regulatory Technical Standards (RTS).
- NIS2
Directive on measures for a high common level of cybersecurity across the Union. Because it is a directive, we will have to wait a while for national transposition.
- CER
Directive on the resilience of critical entities in sectors such as energy, transport, health, water and space. Some of its provisions also apply to public authorities. Critical entities will have to identify the relevant risks that could significantly disrupt the provision of essential services, apply measures to ensure their resilience, and report disruptive incidents to the competent authorities.
Important cooperation
Interesting and important collaborations have begun, such as:
- ENISA & European Data Protection Supervisor (EDPS)
The two institutions will join forces on cybersecurity and data protection (with the support of the other EU institutions). The plan aims, among other things, to promote a common approach to data protection, introduce privacy-enhancing technologies, and strengthen capacities and skills within the EU institutions.
- Czech National Bank (CNB) & NÚKIB (the Czech National Cyber and Information Security Agency)
The two institutions will cooperate in supervising financial institutions, in identifying critical infrastructure elements, in methodology and in cyber-resilience testing, and will provide each other with consultation and training.
- Czech Banking Association (CBA) & NÚKIB
Closer cooperation will focus primarily on the prevention of cyber threats, the exchange of information on detected threats, and on cyber attacks directly.
What's ahead in cloud compliance in 2023
We expect the following regulations:
- Adequacy decision for the EU-US Data Privacy Framework
Once the European Data Protection Board (EDPB) has issued its opinion on the draft decision and the committee of Member States' representatives has given its green light, the decision goes to the Commission for adoption.
- Completion of the Artificial Intelligence Act, together with the proposed AI Liability Directive
The aim is to underpin the responsibilities of manufacturers and providers of AI products. The proposed AI Liability Directive introduces a presumption of causation where damage may be linked to AI systems, in particular high-risk ones, and creates a right of access to information about the technology to help victims obtain evidence of the manufacturer's liability. It may have implications for class actions, compensation, the protection of trade secrets and so on.
- Legal framework for health data (the proposed European Health Data Space)
The regulation targets digital health providers and will require them to comply with a number of new legal requirements applicable to systems used to process health data. It applies to the exchange of health data between patients and healthcare professionals and across EU countries, and it also targets the secondary use of this data for scientific purposes, innovation and development.
- eIDAS
The revision of Regulation (EU) No 910/2014 (the eIDAS Regulation) is expected to move forward in 2023, with the aim of extending its benefits to the private sector and promoting digital identity. The reform should include, among other things:
  - establishing a European Digital Identity
  - electronic identification schemes
  - a qualified archiving service for qualified electronic signatures
  - a qualified electronic archiving service for electronic documents
  - electronic attestation of attributes
  - qualified trust services.
What makes sense to prepare for now
- DORA
The Regulatory Technical Standards (RTS) are still to be issued. The best approach is therefore to carry out due diligence on the current state until they are published, and then implement measures in the areas the RTS affect.
- NIS2
One key step worth taking now, before national transposition (due by 17 October 2024 at the latest), is to review contractual relations with suppliers. If a company is negotiating new supplier contracts, it is advisable to keep NIS2 in mind and incorporate its requirements now. Otherwise it is better to wait for national transposition. In the Czech Republic this can be expected to be quick, as NÚKIB has already prepared the draft; all that is needed is for the Chamber of Deputies to work as it should.
Digital transformation remains a priority for our government, and the CNB and NÚKIB have confirmed their cooperation. Given the need to implement the regulations above, we can therefore expect digitalisation to develop at all levels. Seen from 30 years ago, what digitalisation has already brought us would look like science fiction, and this is just the beginning. We have opened the door; what comes next is up to us.