CyberSANE is a peer-to-peer solution which aims to enhance the cybersecurity of Critical Infrastructures’ information systems through the collection, correlation and sharing of information coming from multiple sources. The end-users who will implement the CyberSANE system must comply with several legal obligations which are relevant to this type of systems, concerning in particular data protection, privacy and security-related aspects.
The design of the CyberSANE system has therefore been preceded by the analysis and identification – led by KU Leuven as part of its work on the “Basis of Legal and Ethical Requirements” (Task 2.2) – of the legal and regulatory frameworks which will apply to the end-users.
The relevant legal instruments and obligations are outlined in Deliverable D2.2 “Legal and Ethical Requirements”, which represents the basis for the legal and ethical implementation, oversight and evaluation to be carried out in the final phases of the project.Where possible, the discussion of the various legal and regulatory frameworks is accompanied by a flowchart or a table of use cases and requirements.
In order to ensure that CyberSANE aligns with the fundamental rights to privacy and data protection, the design of the architecture builds upon a thorough analysis of the legal framework applicable to the processing of personal data, as set out in particular in the General Data Protection Regulation (GDPR). With a view to enable and facilitate compliance by the end-users with GDPR obligations, such obligations have been considered by the CyberSANE consortium since the early stages of design, following an authentic “data protection by design” approach.
In addition, the exploration of the EU Framework on Data Protection has also included the Directive on the processing of personal data for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and the Regulation on the free flow of non-personal data.
Another essential set of requirements for CyberSANE is the one stemming from the recent legislative initiatives undertaken at the level of the EU cybersecurity strategy: in particular, the Network and Information Systems (NIS) Directive and the Cybersecurity Act.
The CyberSANE system is primarily addressed to Critical Infrastructures which are likely to be identified by the Member States under one of the two categories of entities to which the NIS Directive applies: the operators of essential services and the digital service providers. Special attention has been dedicated to the interplay between the NIS Directive and GDPR. In this regard, it is important to note that – to the extent that personal data are processed through network and information systems – both the GDPR and NIS Directive legal frameworks will apply at the same time.
Another important piece of legislation aimed at strengthening the security of the EU cyber-space was passed in June 2019: Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the “Cybersecurity Act”. Besides expanding the role of ENISA, the Cybersecurity Act establishes a framework for the introduction of the first EU-wide harmonized cybersecurity certification framework for the ICT products, services and processes identified in the EU rolling work programme. Hence, CyberSANE will monitor the normative developments concerning the EU cybersecurity certification scheme, in order to ensure compliance with such rules, and possibly achieve a certification.
In light of the goal of CyberSANE – which is to enhance the cyber-resilience of Critical Information Infrastructures (CIIs) – due consideration has been given to the EU legal framework on Critical Infrastructures, including with regard to the sharing of information among Critical Infrastructures and between these and the public authorities.
Furthermore, the legal analysis carried out in the early phases of the project addressed the international and European rules applicable to the formation and handling of evidences in the aftermath of a cyber-attack, including the recent proposal for an EU framework on e-Evidence. The ShareNet (Intelligence and Information Sharing and Dissemination) component of CyberSANE aims precisely at facilitating the process of sharing potential digital evidences with other CIIs, law enforcement and investigatory authorities, allowing them to determine the trustworthiness of each information sources, and to also timely identify attacks, as soon as the data is received.
Moreover, Task 2.2 looked at the ethics-related aspects which must be taken into account when integrating AI components in a technology such as CyberSANE. In particular, the analysis focused on the “Ethics Guidelines for Trustworthy Artificial Intelligence (AI)”, published in April 2019 by the High-Level Expert Group on AI appointed by the European Commission. The Guidelines list four ethical principles:
respect for human autonomy
prevention of harm; fairness
to be adhered to in the development of any AI technology.
These principles are translated into a series of seven interrelated requirements: human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, non-discrimination and fairness; societal and environmental wellbeing; and accountability, which must be implemented through a combination of technical and non-technical measures.
The development of CyberSANE has taken into consideration the (non-exhaustive) assessment checklist included in the Guidelines. In any case, the specifics of the AI system at issue will have to be regularly checked against the principles and values (discussed in the Guidelines) as underpinning a fully Trustworthy AI.