Archive for EU

100 Days ‘til 1st Major EU CRA Deadline: a 24-Hour Reporting Clock 

Posted in Commentary on June 9, 2026 by itnerd

Cybersecurity experts, OEMs, software publishers and end user organizations have focused on the EU Cyber Resilience Act’s ultimate December 2027 compliance deadline for years. What’s gotten far less attention is the first major enforcement milestone on September 11, 2026, now less than 100 days away.

On that date, anyone selling connected products and applications into the EU must report actively exploited vulnerabilities and significant security incidents to regulators under strict timelines – within 24 hours.

Doc McConnell, Head of Policy and Compliance, Finite State, said

“For many companies, the challenge isn’t simply reporting, it’s determining within a few hours whether a vulnerability exists inside their products, whether it’s being actively exploited, and who might be affected. 

“The biggest obstacle isn’t paperwork, it’s visibility. Many companies lack accurate software inventories across their product lines, and have limited insight into third-party components embedded in products. Even more lack an in-place internal decision process to meet that 24-hour reporting mandate. The CRA readiness gap persists across sectors: ICS, automotive, medical devices, consumer electronics, IoT, IT gear, mobile applications distributed to EU end users, embedded software and more. And are their legal and compliance departments ready to assess cyber resilience?”

Ryan McCurdy, VP, Liquibase, added:

“The CRA turns cybersecurity from a best practice into a reporting obligation. That creates a simple test for software manufacturers: can you prove what changed, who changed it, when it changed, and whether the right controls were applied? For many organizations, the database layer is where that proof breaks down. Manual scripts, schema drift, and inconsistent approvals make it hard to show control when regulators, customers, or auditors ask. The companies that are ready for CRA will not just have security policies. They will have governance and proof of control across the full software lifecycle, including database change.”

The bottom line is that we’ll see if 100 days is an administrative nightmare, or a nothing burger. And it will be up to software vendors to decide which side of the fence this falls on.

Anthropic, EU cybersecurity agency have “productive” meetings regarding Mythos access

Posted in Commentary on June 1, 2026 by itnerd

Reuters is reporting that the European Commission has had several productive meetings with Anthropic on potential access for EU bodies to Anthropic’s Mythos.

The European Commission is in contact with Anthropic regarding Mythos and is assessing its possible implications, European Economic Commissioner Valdis Dombrovskis told reporters on Monday.

“The commission representatives met with Anthropic and was briefed on technical details around cyber capabilities and the risk of this Mythos preview, so we are currently assessing possible implications in light of the EU policies and legislation,” Dombrovskis said.

Uzair Gadit, CEO, Secure.com:

Giving a regulator like ENISA hands-on access to a frontier model is a smart move, particularly given that Anthropic has filed to go public. Defenders learn fastest when they can test these systems directly, not read about them secondhand. This is a well considered move, aligning with Anthropic’s filing to go public.

The real question isn’t whether AI belongs in cybersecurity. It’s where it helps and where it quietly creates new risk. A model can triage and investigate at a speed no human team matches, but judgment calls still need a person in the loop. 

Europe putting its own experts that close to the technology is how you build informed policy instead of guessing at it.

The threat landscape didn’t evolve — it massively accelerated. What used to require a skilled hacker and days of preparation now takes an AI tool and mere minutes.

Joshua Marpet, Senior product security consultant, Finite State:

Mythos, while reportedly equaled in capability by ChatGPT 5.5, among other frontier models, is still an incredibly powerful AI framework. The usage of Mythos by ENISA is fascinating. Will they use it to find vulnerabilities in EU RED and EU CRA Certified products? Or products coming up for certification? Are they going to try to use it to determine what exploits should be rated at what level? I have to assume that there are multiple questions that Mythos can and will answer for ENISA.

Importantly, will this change the initial certification or certification maintenance process? That’s a question to be answered in the fullness of time.

Steven Swift, Managing Director, Suzu Labs:

Anthropic continues to keep Mythos behind closed doors, primarily as a marketing stunt. New frontier models have an established pattern of incremental improvements despite exaggerated marketing claims. We should expect Mythos to perform similarly once released more widely. Anthropic has stated that they will be making a public release of Mythos in the not too distant future, though the public release is expected to contain additional safety guardrails which are not present on their internal builds.

This is especially interesting for Mythos, which has been reported to have a heavy emphasis on its capabilities around vulnerability management and information security. These functions are both critical for defenders, in order to build more secure, robust systems. But they’re also the same functions that allow bad actors to leverage those same functions for malicious intent.

Anthropic is trying to walk a very tight line. If safety tuning is too restrictive, the model won’t be useful for defenders. If it’s too permissive, it’ll be too easy for bad actors to leverage.

Granting access to the EU ahead of a more general release gets some additional eyes on the model, and provides Anthropic a larger userbase from which to solicit feedback. It’s not clear to what extent the EU release will contain safety guardrails, or if they’re being granted access to the unrestricted model.


John Carberry, Solution Sleuth, Xcape Inc.

Expanding early access to Anthropic’s Claude Mythos Preview introduces an asymmetric shift in global risk management, forcing organizations to navigate an automated security arms race where defense must match the velocity of AI-driven exploitation. Because sophisticated adversaries are already utilizing advanced models to automate zero-day discoveries and craft complex exploit chains, restricting access to defensive entities guarantees systemic failure.

Project Glasswing’s integration of the European Union Agency for Cybersecurity, or ENISA, represents a critical geopolitical rebalancing, allowing international defenders to scan critical infrastructure before adversarial actors weaponize those same flaws. For security leaders, this transition means traditional, human-centric patching timelines are officially obsolete, shifting the enterprise bottleneck from vulnerability discovery to human remediation capacity. Organizations must proactively integrate automated code review, implement machine-speed patching workflows, and embed agentic AI safeguards directly into their development pipelines to survive an attack surface that now scales at the speed of computation. If you thought keeping up with patch Tuesday was difficult, wait until you are triaging ten thousand zero-days discovered by an AI before lunch.

Critical Takeaways

  • The defensive arms race is active: Granting ENISA access to Claude Mythos Preview acknowledges that sophisticated adversaries are already deploying autonomous toolkits, making defensive AI adoption an operational necessity.
  • Remediation is the primary bottleneck: With autonomous models surfacing thousands of zero-day vulnerabilities in weeks, the enterprise challenge pivots entirely from flaw discovery to human patching capacity.
  • Traditional vulnerability management is obsolete: Security leaders must transition toward automated triage and machine-speed mitigation to counter threats that scale at computational velocity.

Personally, the EU has to do less talking and more listening in order to get resolution rather than create more problems. But I suspect that the EU has to learn the hard way on this front.

The EU Gets Pwned By ShinyHunters

Posted in Commentary on March 30, 2026 by itnerd

Today is the day that I report on organizations and individuals getting pwned.

The European Commission has confirmed a cyberattack affecting its Europa.eu web platform, with early findings indicating that data was extracted from cloud infrastructure hosted on Amazon Web Services (AWS). The incident was discovered on March 24, 2026, and officials said the breach was contained while an investigation into the full scope remains ongoing.

Hackers linked to the ShinyHunters group have claimed responsibility, alleging they accessed and stole more than 350GB of data, including databases and internal documents. The European Commission has not verified the full extent of the stolen data but confirmed that some data was taken and that affected entities are being notified.

The Commission stated that its internal systems were not impacted, with the attack limited to externally hosted cloud services supporting its public-facing websites. Authorities continue to assess the incident and determine what information may have been accessed while implementing additional security measures.

Lydia Zhang, President & Co-Founder, Ridge Security Technology Inc. served up this comment:

   “Continuously exposed external digital assets, such as public websites and AWS S3 buckets, have become prime attack targets, especially with the rise of AI-driven automated threats. Organizations must strengthen their security posture; continuously scanning, testing, and remediating vulnerabilities across these interfaces is no longer optional, but essential.”

Noelle Murata, Sr. Security Engineer, Xcape, Inc. provided this comment:

   “The business impact has escalated from a simple web defacement to a massive Identity and Access Management (IAM) crisis, as the breach likely involves the theft of DKIM keys and SSO directories. This means the adversary can now generate perfectly authenticated emails that bypass DMARC checks, turning the Commission’s own reputation into a weapon for secondary spear-phishing campaigns across the EU.

   “The technical post-mortem indicates a failure of “Identity Hygiene” rather than a cloud security flaw; AWS has publicly cleared its own name, pointing to compromised credentials – likely harvested via the group’s signature vishing tactics against IT helpdesks. For defenders, the priority is no longer just “containing” the breach but an immediate, wholesale rotation of all cloud-based signing keys and a mandatory password reset for the entire SSO tenant. Furthermore, organizations interacting with the EC should treat all incoming “official” correspondence with extreme skepticism, even if it passes cryptographic validation.

   “The reality is that if your identity provider is compromised, your “secure” cloud is effectively an open book.

   “The EU is about to find out that “GDPR Compliance” is a lot harder to enforce when you’re the one filling out the self-report form.”

Phil Wylie, Senior Consultant & Evangelist, Suzu Labs adds this:

   “This attack shows that threat actors do not always need to penetrate core internal networks to create risk. Public-facing cloud environments often contain valuable operational data that can support reconnaissance, social engineering, and follow-on attacks.

   “Most cloud breaches are not failures of the provider but issues around identity security, access management, or configuration. The real lesson here is that organizations need stronger visibility into how cloud data is accessed and moved, not just whether malware is present.

   “Even if the affected systems were isolated, any confirmed data exfiltration should be treated as potential intelligence exposure that could enable future targeting.”

Rajeev Raghunarayan, Head of GTM, Averlon had this to say:

   “Cloud breaches are rarely contained to the system where the compromise started. The real question is what that system had access to, regardless of whether it was considered external or internal. Public-facing applications are often connected to backend services, databases, and storage, and a compromise can expose far more than the initial entry point suggests. The separation between external and internal systems can limit blast radius, but only if access across those layers is tightly controlled, whether through network paths, vulnerabilities, misconfigurations, or identity permissions.

   “The priority for organizations is understanding what data and systems were reachable from the compromised environment, not just what was directly affected. That potential blast radius is what determines the true impact and guides an effective response.”

It’s days like this that make me wonder if there’s no going back and that organizations getting pwned is now the new normal. But we cannot believe that is true. Instead more effort needs to be put into making sure that this starts to get addressed so that pwnage becomes an edge case as opposed to the new normal.

UPDATE: Gidi Cohen, CEO & Co-founder, Bonfy.AI had this to say:

“Modern incidents like the European Commission’s cloud breach are less about a single misconfigured account and more about sprawling unstructured content moving across websites, SaaS apps, storage buckets, AI systems, and agents without unified, context‑aware governance. Cloud security posture management and traditional DLP/DSPM remain necessary, but they are no longer sufficient on their own; without adaptive content controls that understand the people, customers, and citizens behind the data, organizations will continue to be surprised by where sensitive information surfaces when a breach hits.

What matters now is not just where data lives but how it flows: public platforms and “content systems” quietly accumulate regulated and entity‑specific data in logs, backups, CMSes, and object stores, while AI and automation continuously read from and write to those same stores, creating a dense web of human, system, and agent access paths that legacy tools do not see end to end. In that environment, a cloud compromise becomes a test of whether an organization can quickly answer the only questions regulators and boards truly care about, whose data was exposed, through which systems, and how far it has already propagated.”

Elon Musk Is Likely In Deep Trouble As Grok Is Under Investigation By The EU

Posted in Commentary on January 26, 2026 by itnerd

It sucks to be Elon Musk. He’s already been slapped by the EU for not adhering to the Digital Markets Act, and he’s been under fire for the fact that his AI chatbot Grok creates objectionable content. Here’s how that played out:

That takes us to today. The EU has clearly had enough of Elon’s antics and has opened an investigation into Grok and Twitter/X:

The European Commission has launched a new formal investigation against X under the Digital Services Act (DSA). In parallel, the Commission extended its ongoing investigation launched in December 2023 into X’s compliance with its recommender systems risk management obligations.

The new investigation will assess whether the company properly assessed and mitigated risks associated with the deployment of Grok’s functionalities into X in the EU. This includes risks related to the dissemination of illegal content in the EU, such as manipulated sexually explicit images, including content that may amount to child sexual abuse material.

These risks seem to have materialised, exposing citizens in the EU to serious harm. In light of this, the Commission will further investigate whether X complies with its DSA obligations to:

  • Diligently assess and mitigate systemic risks, including of the dissemination of illegal content, negative effects in relation to gender-based violence, and serious negative consequences to physical and mental well-being stemming from deployments of Grok’s functionalities into its platform.
  • Conduct and transmit to the Commission an ad hoc risk assessment report for Grok’s functionalities in the X service with a critical impact on X’s risk profile prior to their deployment.

It’s a safe bet that this will not end well for Elon because when you mess with the EU, the EU tends to make life miserable for you. And it will also be a safe bet that Elon will whine and moan about how unfair this is. But let’s face facts. Elon created this situation by his cavalier attitude towards common decency. And as a result, this very troubled man is likely now in the “find out” phase.

Like I said at the start of this, it sucks to be Elon Musk.

UK and China establish “Cyber Dialogue”, while EU targets “high-risk” foreign tech suppliers

Posted in Commentary on January 21, 2026 by itnerd

British and Chinese security officials are seeking to establish a “Cyber Dialogue” to discuss cyberattacks amidst hacking accusations by both sides, according to Bloomberg.

The forum is supposedly designed for security officials to manage threats to each other’s national security, by improving communication, allowing, for the first time, private discussion of deterrence measures, and avoiding and preventing escalation, as communicated by people familiar with the matter who spoke on condition of anonymity.

The collaboration comes after China’s top diplomat Wang Yi and British National Security Adviser Jonathan Powell met in Beijing in November agreeing to “confront and resolve issues” and “further enhance regular dialogues” after British officials said a month earlier that they believed Chinese hackers had spied on UK government computer systems for over a decade, and Chinese state-backed actors had compromised its critical infrastructure.

Meanwhile, the European Commission unveiled an updated cybersecurity framework that would tighten protections for critical infrastructure by targeting “high-risk” foreign suppliers of digital equipment and services. 

The proposed legislation marks a shift from previous voluntary guidelines toward mandatory rules giving the Commission the authority to require removal of these high-risk vendors from key sectors such as telecommunications and other infrastructure essential to the EU’s economy and security. 

Although the proposal doesn’t explicitly name specific companies, officials have previously singled out concerns over equipment from Chinese technology firms like Huawei and ZTE.

The overhaul also includes a revised Cybersecurity Act designed to secure information and communications technology supply chains, streamline certification processes, and improve incident reporting and threat alerts.

The updated law would also empower the EU Agency for Cybersecurity (ENISA) to issue early warnings and support collaboration with Europol and national response teams.

Michael Bell, Founder & CEO, Suzu Labs had this comment:

“The Cyber Dialogue is a pragmatic move, not a naive one.

   “In March 2024, the UK publicly accused China of breaching the Electoral Commission and targeting parliamentarians’ email accounts. They sanctioned individuals linked to APT31. They summoned China’s ambassador. Beijing called the accusations “fabricated and malicious slanders.”

   “Eight months later, Wang Yi and Jonathan Powell met in Beijing and agreed to establish a Cyber Dialogue. That looks like whiplash, but there’s logic to it.

   “Cyber operations exist in a gray zone. They’re not acts of war, but they’re not peacetime activity either. Without communication channels, an incident response could be misread as aggression. Escalation becomes more likely when neither side understands the other’s red lines.

   “There’s precedent. In 2015, Obama and Xi established a cyber agreement with hotlines and joint dialogue mechanisms. US officials reported a drop in certain Chinese intrusions afterward. It wasn’t perfect. The US later accused China of violations. But it created a framework for managing the problem.

   “The UK is trying something similar. They’re not pretending the threat doesn’t exist. They publicly attributed attacks, imposed sanctions, and issued warnings about Volt Typhoon pre-positioning in critical infrastructure. Now they’re opening a channel to discuss deterrence and prevent miscalculation.

   “Whether it works depends on whether both sides actually use it. The 2015 US-China agreement produced results until it didn’t. The UK-China dialogue could follow the same trajectory. But having the channel is better than not having it.

   “The alternative, pure confrontation without communication, creates its own risks. In cyberspace, those risks are harder to see until they materialize.

   “In regards to the EU targeting “high-risk” tech suppliers, honestly, it sounds like Brussels ran out of patience.

   “The 5G Security Toolbox has been voluntary guidance since January 2020. It recommended that member states assess high-risk vendors and impose restrictions where necessary. Six years later, only 10 of 27 member states actually did anything meaningful about Huawei and ZTE. The patchwork approach created exactly the security gaps the Toolbox was supposed to prevent.

   “The new legislation fixes that by making removal mandatory. High-risk suppliers must be phased out within three years of the law taking effect. The scope expands beyond mobile networks to fixed and satellite infrastructure across 18 critical sectors: water, electricity, cloud services, semiconductors, medical devices.

   “The Commission will conduct EU-wide risk assessments based on country of origin and national security implications. ENISA gets real authority: early threat alerts, centralized incident reporting, coordination with Europol. A formal catalogue of high-risk suppliers will follow via implementing act. Huawei and ZTE are expected to be on it.

   “This is expensive. Germany alone faces an estimated €2.5 billion to replace Huawei equipment across Deutsche Telekom, Vodafone, and Telefónica. EU-wide, operators are looking at roughly €3 billion annually in higher infrastructure costs. That’s not a rounding error. It’s why voluntary guidelines failed. Member states and operators kept finding reasons to delay.

   “The legislation removes the option to delay. It’s regulatory coercion, and it’s probably necessary. Security through voluntary compliance only works when everyone complies. When half the member states ignore the guidance, you get exploitable gaps.

   “For enterprises operating in the EU, this means vendor audits, procurement changes, and certification requirements through ENISA. The three-year timeline sounds manageable until you account for supply chain constraints and the reality that everyone will be competing for the same alternative equipment.

   “Both approaches respond to the same underlying reality: Chinese state-affiliated actors have demonstrated capability and intent to compromise Western infrastructure. The UK and EU are choosing different tools to manage that risk.

   “The UK is betting that communication reduces the chance of catastrophic miscalculation. The EU is betting that removing the attack surface is more reliable than trusting dialogue.

   “Neither approach is wrong. They’re addressing different aspects of the same problem. The UK approach manages the state-to-state relationship. The EU approach manages the technical supply chain risk.

   “For enterprises, the implication is clear: you can’t rely on a single approach. You need security architecture that accounts for both diplomatic uncertainty and regulatory mandates. The technology landscape is fragmenting, and your vendor strategy needs to fragment with it.”

John Carberry, Solution Sleuth, Xcape, Inc. follows with this comment:

   “The UK-China cyber dialogue signals a shared understanding that unchecked cyber tensions pose serious escalation risks for global powers. Creating forums for discussing deterrence and intentions could minimize miscalculations, even if persistent accusations of espionage between the two nations remain unresolved.

   “Concurrently, Europe’s implementation of mandatory restrictions on “high-risk” suppliers demonstrates that dialogue doesn’t automatically equate to trust. The EU’s framework signifies a stricter stance on supply-chain security, transitioning from voluntary recommendations to legally binding regulations with tangible economic impacts. This shift from voluntary guidelines to mandatory exclusions for companies like Huawei and ZTE suggests that while the UK pursues dialogue, the wider Western approach is leaning towards complete technological decoupling.

   “ENISA’s augmented responsibilities for early warnings, incident reporting, and cross-border responses further underscore Europe’s focus on cybersecurity as a matter of technological sovereignty rather than mere IT best practices. By granting ENISA and Europol enhanced early-warning capabilities, the EU is fortifying itself against the very state-sponsored actors the UK is now engaging with diplomatically.

   “Collectively, these trends illustrate a two-pronged strategy: diplomatic efforts to influence state conduct, combined with structural defenses to mitigate systemic vulnerabilities. Cybersecurity policy is increasingly serving as both a diplomatic instrument and a component of industrial strategy.

   “You can’t build a bridge of trust with diplomacy while simultaneously bricking up the windows to keep the “partners” out of the house.”

Trust isn’t built overnight, which I suspect means that any real traction on this will take a while to materialize. Which is fine as long as everyone sticks to it.

Elon Musk’s Twitter/X Hit With $140 Million Fine

Posted in Commentary on December 5, 2025 by itnerd

Elon Musk is likely less of a fan of the European Union today versus yesterday. I say that because he, or more accurately Twitter/X, has been fined $140 million by them. Here’s why:

Elon Musk’s social media company X was fined 120 million euros ($140 million) by EU tech regulators on Friday for breaching EU online content rules, the first sanction under landmark legislation which will likely draw the U.S. government’s ire.

And:

EU regulators said X’s DSA violations included the deceptive design of its blue checkmark for verified accounts, the lack of transparency of its advertising repository and its failure to provide researchers access to public data.

Well, this is going to get interesting as I am sure that Elon will have something…. perhaps something stupid to say about this. I did check his Twitter account and there’s nothing so far. But you know that he’s going to say something. In the meantime, it’s clear that the EU is making the point that tech companies will bend to its will and not the other way around.

EU’s ‘Cyber Solidarity Act’ creates a cooperative mechanism for effective defenses

Posted in Commentary on March 7, 2024 by itnerd

On Tuesday, the EU agreed to the Cyber Solidarity Act, a new set of rules intending to make the EU more resilient and reactive to cyber threats via cooperation mechanisms.

An EU-wide cybersecurity alert system will be established to rapidly share information and will comprise national cyber hubs, which will be responsible for detecting and acting on cyber threats, helping authorities respond more effectively to major incidents.

The new regulation will allow for the creation of a cybersecurity emergency mechanism that will support:

  • Preparedness actions, including testing entities in highly critical sectors, such as healthcare, transportation and energy.
  • Shared financial assistance for impacted entities.
  • A ‘cybersecurity reserve’ made up of incident response services from the private sector as well as associated partnering countries that are ready to intervene during a large-scale cybersecurity incident.

The EU Council and Parliament have also agreed to amend the 2019 Cybersecurity Act in order to establish European certification schemes for managed security services. This aims to boost the quality and comparability of these service providers and avoid fragmentation of the internal market.

Formal adoption of the provisional agreements will come once they have been endorsed by the Council and Parliament. 

Emily Phelps, VP, Cyware had this comment:

   “The Cyber Solidarity Act recognizes and addresses the critical nature for the EU to more effectively prepare, detect, and respond to cyber threats. Threat actors often work together, increasing the challenges nations and organizations face to defend against adversaries. These collaborative efforts to improve resiliency are an important step to protecting critical infrastructure, national security, and economic continuity.”

Dave Ratner, CEO, HYAS follows with this comment:

   “Sharing information the way that the EU Cyber Solidarity Act does is a great start and a good initiative — too many times the right information is not shared quickly enough. However, if the goal is to make everyone, especially critical infrastructure, truly proactive and cyber resilient then they need to do more than just share information about ‘what’s happened in the past’ and ‘what’s happening now’.  They need to endorse the use of proactive threat intelligence capable of identifying what is going to happen, and mandate the implementation of cyber resiliency solutions like Protective DNS — which other governments are already recommending — that are capable of automatically identifying attacks in real-time and shutting them down.”

George McGregor, VP, Approov had this comment:

   “The EU continues to flesh out the EU Cybersecurity Strategy laid out 4 years ago.

   “The newly announced Cyber Solidarity Act is intended to drive readiness and cooperation and includes infrastructure investments and financial incentives. Because of this it will certainly prove less controversial than the Cyber Resiliency Act of 2023 which imposed strict breach reporting requirements on companies operating in the EU.

   “Key, however, will be the effective execution of the work needed to implement this Act. For example, the creation of a “state-of-the-art” European Cybersecurity Alert System is certainly aspirational but could prove quite challenging to implement. Further information and regular updates on the status of the various projects required to implement the Act will be welcome as a next stage.”

By making sure that everyone shares info and plays nice in the metaphorical sandbox, it ensures that everyone is a lot safer. Thus I see this as a very good move by the EU and one that should be copied far and wide.

EU Passes Landmark AI Bill

Posted in Commentary on December 9, 2023 by itnerd

Yesterday, the EU reached a deal on its landmark AI bill. In the process, they’re racing ahead of the US:

The European approach to trustworthy AI

The new rules will be applied directly in the same way across all Member States, based on a future-proof definition of AI. They follow a risk-based approach:

Minimal risk: The vast majority of AI systems fall into the category of minimal risk. Minimal risk applications such as AI-enabled recommender systems or spam filters will benefit from a free-pass and absence of obligations, as these systems present only minimal or no risk for citizens’ rights or safety. On a voluntary basis, companies may nevertheless commit to additional codes of conduct for these AI systems.

High-risk: AI systems identified as high-risk will be required to comply with strict requirements, including risk-mitigation systems, high quality of data sets, logging of activity, detailed documentation, clear user information, human oversight, and a high level of robustness, accuracy and cybersecurity. Regulatory sandboxes will facilitate responsible innovation and the development of compliant AI systems.

Examples of such high-risk AI systems include certain critical infrastructures for instance in the fields of water, gas and electricity; medical devices; systems to determine access to educational institutions or for recruiting people; or certain systems used in the fields of law enforcement, border control, administration of justice and democratic processes. Moreover, biometric identification, categorisation and emotion recognition systems are also considered high-risk. 

Unacceptable risk: AI systems considered a clear threat to the fundamental rights of people will be banned. This includes AI systems or applications that manipulate human behaviour to circumvent users’ free will, such as toys using voice assistance encouraging dangerous behaviour of minors or systems that allow ‘social scoring’ by governments or companies, and certain applications of predictive policing. In addition, some uses of biometric systems will be prohibited, for example emotion recognition systems used at the workplace and some systems for categorising people or real time remote biometric identification for law enforcement purposes in publicly accessible spaces (with narrow exceptions).

Specific transparency risk: When employing AI systems such as chatbots, users should be aware that they are interacting with a machine. Deep fakes and other AI generated content will have to be labelled as such, and users need to be informed when biometric categorisation or emotion recognition systems are being used. In addition, providers will have to design systems in a way that synthetic audio, video, text and images content is marked in a machine-readable format, and detectable as artificially generated or manipulated.

Companies not complying with the rules will be fined.

I’ll give my commentary in a moment. But I’ll serve up the comments of Anurag Gurtu, CPO, StrikeReady:

The regulation paves the way for what could become a global standard to classify risk, enforce transparency and financially penalize tech companies for noncompliance.

The European Union’s deal on the landmark AI bill marks a significant moment in the global conversation about the regulation of artificial intelligence. This ambitious legislation, which seeks to classify AI risks, enforce transparency, and penalize noncompliance, demonstrates the EU’s proactive stance in addressing the complexities of AI technologies.

The Act’s focus on monitoring and oversight, especially for high-risk applications, could set a new global standard for AI regulation. While it aims to balance protection and innovation, the Act will require tech companies operating in the EU to adapt significantly, potentially reshaping global AI development and deployment strategies.

This legislation also raises critical discussions about the balance between innovation and ethical considerations in AI. While Europe is taking a lead, it will be interesting to see how other regions, particularly the U.S., respond to this development. Will they follow suit with similar regulations, or will they take a different path?

Moreover, the Act’s implications on open-source AI models, which are exempt from certain restrictions, could stimulate interesting shifts in the AI industry, potentially favoring open-source approaches.

However, there are concerns about the potential impact on innovation and the competitive edge of European AI companies. While the Act aims to ensure safety and ethical standards, it’s crucial that it doesn’t stifle the innovative potential of AI.

This development is a significant step in the global dialogue on AI governance and sets the stage for further international discussions on how best to manage this rapidly evolving technology.

The combination of classifying risk and knowing that the EU will not be afraid to drop the ban hammer on any company that tries to skirt the rules is sure to be an effective combination. Other countries need to copy this so that AI is sufficiently regulated and risk is minimized.

EU’s Cyber Resilience Act would require a ONE day breach notice

Posted in Commentary with tags on October 4, 2023 by itnerd

A group of leading tech companies and security researchers have written an open letter about how the vulnerability disclosure requirements proposed for the EU’s Cyber Resilience Act don’t make sense and are flat out dangerous.

Basically, the requirements would ask vendors to disclose that they know about a vulnerability in ONE day. The industry argues that’s not enough time and would open the doors to hackers to jump on the vulnerabilities without giving everyone enough time to actually do the patches.  “Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation.”

George McGregor, VP, Approov Mobile Security had this comment:

“These vulnerability requirements, if enforced, will be of critical importance to US companies which operate in the EU.  The EU Cyber Resilience Act makes no distinction about where vulnerabilities are discovered so the obligation will be worldwide in scope.

“This is clearly understood by the number of US based individuals who have signed the request to modify the CRA in order to remove the requirement to report unpatched vulnerabilities within 24 hours.

“The letter also requests that vulnerabilities uncovered during testing should not be included in the reporting requirement.

“With this level of industry reaction, the CRA requirements should certainly be relaxed.”

I am completely in favour of this as it makes vendors completely accountable for the quality of their products. But it has to be done in a way that makes sense and is sustainable. This doesn’t meet that standard. A rethink is absolutely in order.

The EU Passes Draft Legislation To Govern AI

Posted in Commentary with tags on June 14, 2023 by itnerd

The news is out today that the EU Parliament has moved one step closer to putting legislation into force to govern AI:

The European parliament approved rules aimed at setting a global standard for the technology, which encompasses everything from automated medical diagnoses to some types of drone, AI-generated videos known as deepfakes, and bots such as ChatGPT.

MEPs will now thrash out details with EU countries before the draft rules – known as the AI act – become legislation.

“AI raises a lot of questions socially, ethically, economically. But now is not the time to hit any ‘pause button’. On the contrary, it is about acting fast and taking responsibility,” said Thierry Breton, the European commissioner for the internal market.

A rebellion by centre-right MEPs in the EPP political grouping over an outright ban on real-time facial recognition on the streets of Europe failed to materialise, with a number of politicians attending Silvio Berlusconi’s funeral in Italy.

The final vote was 499 in favour and 28 against with 93 abstentions.

Craig Burland, CISO, Inversion6 had this comment in relation to this news:

Let the debate begin! Similar to data privacy years ago, the EU has just taken a position at the far end of the spectrum to frame the parameters of the discussion. Putting aside the many challenges of enforcement as well as the ubiquitous use of AI in modern technology projects, the EU has documented intriguing concepts centered on ensuring the validity of the content and proper use cases. Contrast this with Google’s pronouncement last week that focused primarily on protecting the technology itself.  What was announced today will shift and transition as the debate plays out in the media and behind closed doors. But, in planting this flag, the EU has started what will be a fascinating dialog that affects businesses and individuals alike.

I’m honestly not sure how this will shake out. But based on the fact that the EU has come out with regulations like GDPR, this draft legislation is likely to shape the discussion about AI and how it should be used. Thus everyone needs to pay attention to this.

UPDATE: Eduardo Azanza, CEO, Veridas adds this:

     “The passing of the Artificial Intelligence Act is a significant moment and should not be underestimated at all. For technologies such as AI and biometrics to ever be successful, it is essential that there is trust from businesses and the wider public.

It’s critical that we have established agreed standards and deliverables to ensure that AI and collected biometric data are used responsibly and ethically. There must be clearly defined responsibilities and chains of accountability for all parties, as well as a high degree of transparency for the processes involved. 

As the UK and US look to introduce their own Artificial Intelligence Act, it is essential they work with the EU to define minimum global standards – only then can we guarantee the ethical use of AI and biometrics.

Ultimately, it’s businesses’ duty to responsibly and ethically use AI technology, as its capability to replicate human abilities raises huge concerns. Organizations need to be conducting periodic diagnoses on the ethical principles of AI. Confidence in AI security technology must be based on transparency and compliance with legal, technical, and ethical standards.”

UPDATE #2: Ani Chaudhuri, CEO, Dasera had this comment:

European Union lawmakers have taken a decisive step in shaping the future of artificial intelligence by adopting the E.U. AI Act. This landmark legislation challenges the power of American tech giants and sets unprecedented restrictions on AI usage. This move is long overdue as it prioritizes data security and protects individuals from potential harm caused by unchecked AI systems.

The E.U. AI Act introduces essential guardrails to prevent deploying AI systems that pose an “unacceptable level of risk.” By banning tools like predictive policing and social scoring systems, the legislation safeguards against intrusive and discriminatory practices. Furthermore, it limits high-risk AI applications, such as those that could influence elections or jeopardize people’s health.

One significant aspect of the legislation is its focus on generative AI, including systems like ChatGPT. Requiring content generated by such systems to be labeled and mandating the publication of summaries of copyrighted data used for training promotes transparency and protects intellectual property rights. These measures address growing concerns and ensure responsible AI development.

While some voices express concern over the potential impact on AI development and adoption, the European Parliament’s determination to lead the global dialogue on responsible AI should be applauded.  European lawmakers have proactively developed comprehensive AI legislation that accounts for evolving technologies and potential risks.

The E.U.’s commitment to data privacy, tech competition, and social media regulation aligns with its ambitious AI regulations. This cohesive framework ensures that European companies adhere to high standards, promoting consumer trust and privacy. It also strengthens Europe’s position as the global tech regulator, setting precedents that will shape international tech policies.

As Europe leads in establishing AI standards, the United States must step up its efforts to keep pace. Congress must pass comprehensive legislation addressing AI and online privacy. Falling behind Europe risks hindering innovation and surrendering the opportunity to lead the global debate on AI governance.

We believe that responsible AI development should be a global endeavor. As Europe sets the bar, it is incumbent upon the United States to catch up and play an active role in shaping AI policies. We can strike the right balance and ensure AI benefits society by fostering innovation while safeguarding individual rights.

While concerns and challenges exist, the E.U. AI Act represents a significant step toward building a responsible and secure AI ecosystem. Europe’s commitment to protecting individuals and upholding data security sets an example for the world. As the AI landscape continues to evolve, we must embrace robust regulations that foster trust, innovation, and global cooperation.