Pub Date: 2023-03-09 DOI: 10.1365/s43439-023-00083-0
Sebastian Louven
{"title":"European information regulation in the Ukraine War","authors":"Sebastian Louven","doi":"10.1365/s43439-023-00083-0","DOIUrl":"https://doi.org/10.1365/s43439-023-00083-0","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"14 1","pages":"249-251"},"PeriodicalIF":0.0,"publicationDate":"2023-03-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74839667","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2023-01-30 DOI: 10.1365/s43439-023-00080-3
Sizwe Snail ka Mtuze
{"title":"Dr. Ifeoma Nwafor: Cybercrime and the law: issues and developments in Nigeria. (2022) CLDS Publishing. pp. 1–285","authors":"Sizwe Snail ka Mtuze","doi":"10.1365/s43439-023-00080-3","DOIUrl":"https://doi.org/10.1365/s43439-023-00080-3","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"8 1","pages":"253-254"},"PeriodicalIF":0.0,"publicationDate":"2023-01-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82723757","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2023-01-27 DOI: 10.1365/s43439-022-00078-3
P. Ashok
{"title":"The curious case of automated decision-making in India","authors":"P. Ashok","doi":"10.1365/s43439-022-00078-3","DOIUrl":"https://doi.org/10.1365/s43439-022-00078-3","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"28 13","pages":"235-248"},"PeriodicalIF":0.0,"publicationDate":"2023-01-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"72589586","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2023-01-16 DOI: 10.1365/s43439-022-00077-4
Valentin Vogel, Nicolas Ziegler
{"title":"Kritikalität: Von der BSI-KritisV zur NIS2-Richtlinie","authors":"Valentin Vogel, Nicolas Ziegler","doi":"10.1365/s43439-022-00077-4","DOIUrl":"https://doi.org/10.1365/s43439-022-00077-4","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"9 1","pages":"1-19"},"PeriodicalIF":0.0,"publicationDate":"2023-01-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83541302","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2023-01-01 DOI: 10.1365/s43439-022-00064-9
Roman Dickmann
The article outlines the European Union (EU) regulation of information technology (IT) security in Internet of Things products from a consumer and end user perspective. It starts with civil law and the necessity to address security requirements and specifications in individual contractual terms. Data and consumer protection laws have not helped much, mainly because of missing definitions and levels of applicable security. Two new EU directives reforming the law of obligations may improve the situation for consumers since security is now a named quality requirement, especially for the sale of (digital) goods. Also introduced is the provision of security updates as a contractual duty. But both rule sets address only the traders, not the producers. This is different with the activation of clauses in the radio equipment directive, which sets IT security measures as requirements to be compliant for CE labeling. An important element is the introduction of a vulnerability management system. Details can be found in the draft of technical standard ETSI/EN 303645. The work concludes with a look at the EU's efforts regarding certification schemes and the interaction of all regulation elements, with more liability for insecure products plus the hope for effectiveness.
{"title":"Vulnerability management as compliance requirement in product security regulation-a game changer for producers' liability and consequential improvement of the level of security in the Internet of Things?","authors":"Roman Dickmann","doi":"10.1365/s43439-022-00064-9","DOIUrl":"https://doi.org/10.1365/s43439-022-00064-9","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"4 1","pages":"21-37"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9483465/pdf/","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"10826774","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2023-01-01 DOI: 10.1365/s43439-023-00081-2
Gabrielle Bezerra Sales Sarlet, Daniel Piñeiro Rodriguez
This article aims to identify the necessary elements for the independent and democratic structuring of the National Data Protection Authority (ANPD) in its definitive legal profile, as an autarchy under a special regime, so that it can achieve the technical and decision-making autonomy that it was granted by the Brazilian Data Protection Law (LGPD). Drawing on documentary research and findings on similar foreign authorities, it is possible to point out, as a partial result of this analysis, the insufficiency of entrusting such a mission to its recent formal separation from the Direct Administration, being also possible to conclude that the success of the state modernization in the Digital Age will depend, to a large extent, on intertemporal choices able to direct the ANPD towards a structure attentive to technological innovations. To this end, the training and continuing education of the institution's staff, as well as possible agreements to be signed by the entity, such as the alternatives sought by the Courts of Accounts in the field of information and communications technology (ICT), emerge as a determining factor.
{"title":"Alternatives for an adequate structuring of the national data protection authority (ANPD) in its independent profile: proposals to overcome the technological challenges in the age of digital governance.","authors":"Gabrielle Bezerra Sales Sarlet, Daniel Piñeiro Rodriguez","doi":"10.1365/s43439-023-00081-2","DOIUrl":"https://doi.org/10.1365/s43439-023-00081-2","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"4 2","pages":"197-211"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9924887/pdf/","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"9428864","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2023-01-01 DOI: 10.1365/s43439-023-00082-1
Matt Malone, Russell Walton
This article examines the Canadian federal government's proposed Critical Cyber Systems Protection Act (CCSPA), compares it with existing and proposed cybersecurity legal requirements in the European Union (EU), and sets out recommendations to address shortcomings of the proposed Canadian legislation. One of the cornerstone components of Bill C‑26, the CCSPA seeks to regulate critical cyber systems in federally regulated private sectors. It represents a significant overhaul of Canadian cybersecurity regulation. However, the current proposed legislation exhibits many flaws, including a commitment to, and entrenchment of, a patchwork approach to regulation that focuses on formal registration; a lack of oversight of its confidentiality provisions; a weak penalty scheme that focuses solely on compliance, not deterrence; and diluted conduct, reporting, and mitigation obligations. To repair these flaws, this article reviews the provisions of the proposed law and compares them with the EU's Directive Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union, the first EU-wide cybersecurity legislation, as well as its proposed successor, the NIS2 Directive. Where relevant, various other cybersecurity regulations in peer states are discussed. Specific recommendations are put forward.
{"title":"Comparing Canada's proposed Critical Cyber Systems Protection Act with cybersecurity legal requirements in the EU.","authors":"Matt Malone, Russell Walton","doi":"10.1365/s43439-023-00082-1","DOIUrl":"https://doi.org/10.1365/s43439-023-00082-1","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"4 2","pages":"165-196"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9975875/pdf/","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"9433082","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2023-01-01 DOI: 10.1365/s43439-022-00070-x
Pauline Meyer, Sylvain Métille
Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs) are an integral part of incident handling capabilities and are increasingly demanded by organizations such as critical infrastructures. They can hold many different skills and are of great interest to organizations in terms of cyber security and, more concretely, cyber incident management. This contribution seeks to analyze the extent to which their activity is regulated under Swiss law, considering that private CSIRTs are not regulated in the same way as governmental and national CSIRTs such as the Computer Emergency Response Team of the Swiss government and official national CERT of Switzerland (GovCERT).
{"title":"Computer security incident response teams: are they legally regulated? The Swiss example.","authors":"Pauline Meyer, Sylvain Métille","doi":"10.1365/s43439-022-00070-x","DOIUrl":"https://doi.org/10.1365/s43439-022-00070-x","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"4 1","pages":"39-60"},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9923885/pdf/","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"10795862","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2022-12-09 DOI: 10.1365/s43439-022-00075-6
Ole Ziegler
{"title":"Anforderungen an die Cybersicherheit bei der Erbringung von IT-Dienstleistungen für Arztpraxen sowie Krankenhäuser und Möglichkeiten der Vertragsgestaltung","authors":"Ole Ziegler","doi":"10.1365/s43439-022-00075-6","DOIUrl":"https://doi.org/10.1365/s43439-022-00075-6","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"60 1","pages":"61-77"},"PeriodicalIF":0.0,"publicationDate":"2022-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90713237","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2022-12-02 DOI: 10.1365/s43439-022-00074-7
Veljko Turanjanin
{"title":"When does bulk interception of communications violate the right to privacy? The limits of the state’s power and the European Court of Human Rights Approach","authors":"Veljko Turanjanin","doi":"10.1365/s43439-022-00074-7","DOIUrl":"https://doi.org/10.1365/s43439-022-00074-7","url":null,"abstract":"","PeriodicalId":73412,"journal":{"name":"International cybersecurity law review","volume":"52 1","pages":"115-136"},"PeriodicalIF":0.0,"publicationDate":"2022-12-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88518048","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}