Licensing AI Engineers

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/03/licensing-ai-engineers.html

The debate over professionalizing software engineers is decades old. (The basic idea is that, like lawyers and architects, there should be some professional licensing requirement for software engineers.) Here’s a law journal article recommending the same idea for AI engineers.

This Article proposes another way: professionalizing AI engineering. Require AI engineers to obtain licenses to build commercial AI products, push them to collaborate on scientifically-supported, domain-specific technical standards, and charge them with policing themselves. This Article’s proposal addresses AI harms at their inception, influencing the very engineering decisions that give rise to them in the first place. By wresting control over information and system design away from companies and handing it to AI engineers, professionalization engenders trustworthy AI by design. Beyond recommending the specific policy solution of professionalization, this Article seeks to shift the discourse on AI away from an emphasis on light-touch, ex post solutions that address already-created products to a greater focus on ex ante controls that precede AI development. We’ve used this playbook before in fields requiring a high level of expertise where a duty to the public welfare must trump business motivations. What if, like doctors, AI engineers also vowed to do no harm?

I have mixed feelings about the idea. I can see the appeal, but it never seemed feasible. I’m not sure it’s feasible today.

Kernel prepatch 6.9-rc1

Post Syndicated from jake original https://lwn.net/Articles/966525/

The 6.9-rc1 kernel prepatch is out for testing. Linus Torvalds described some rather large updates to the core kernel code that are coming for 6.9:

The timer subsystem had a fairly big rewrite, to have per-cpu timer wheels to improve performance of timers, which can be a big deal particularly for networking. The other fairly notable core update is to the workqueue subsystem, where one notable addition is for BH workqueue support. That’s notable mainly because it means we finally have a way away from tasklets. The tasklet interface has basically been deprecated for a long while, but we’ve never really had any good alternatives (with threaded interrupt handlers being one suggested use-case, but not realistic in many cases).

DORA Regulation: Essential Requirements for Compliance

Post Syndicated from Editor original https://nebosystems.eu/dora-regulation-compliance-requirements/

What is DORA?

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is an EU regulation that entered into force on 16 January 2023 and applies from 17 January 2025. It is a regulatory framework established by the European Union to strengthen the digital operational resilience of the financial sector. Its aim is to ensure that all participants in the financial system have the safeguards and measures in place to withstand, respond to, and recover from ICT (Information and Communication Technology) related disruptions and threats.

Who is Affected?

DORA affects a wide range of entities within the EU financial sector, including:

  1. Credit Institutions and Banks: These are financial institutions that have the authority to accept deposits from the public and provide credit to individuals and businesses. Their services may include offering checking and savings accounts, loans, mortgages, and financial advice.
  2. Investment Firms: Firms that engage in various investment services such as portfolio management, investment advice, and trading in financial instruments on behalf of clients. They play a crucial role in securities markets and can range from brokerage firms to asset management companies.
  3. Insurance and Reinsurance Companies: Insurance companies provide risk management to individuals and entities by offering insurance policies. Reinsurance companies, in turn, provide insurance to other insurance companies, helping to manage and mitigate risks across the insurance industry.
  4. Payment and Electronic Money Institutions: These entities facilitate payment services and transactions, including transfers, direct debits, and credit transfers. Electronic money institutions issue electronic money, which is a digital alternative to cash used for making electronic transactions.
  5. Crypto-Asset Service Providers: These providers offer services related to cryptocurrencies and other digital assets, including exchange platforms, wallet services, and financial services involving digital tokens.
  6. Central Securities Depositories (CSDs): CSDs are institutions that hold financial instruments like stocks and bonds in electronic form and enable their transfer through book-entry. They play a pivotal role in the settlement and safekeeping of securities in financial markets.
  7. Central Counterparties (CCPs): CCPs are entities that act as intermediaries between buyers and sellers in derivative and securities markets, guaranteeing the terms of a trade even if one party defaults, thus reducing counterparty risk.
  8. Trading Venues: This term encompasses various platforms where financial instruments are traded, including regulated markets, Multilateral Trading Facilities (MTFs), and Organized Trading Facilities (OTFs).
  9. Managers of Alternative Investment Funds (AIFs) and UCITS (Undertakings for Collective Investment in Transferable Securities): These managers operate investment funds not covered by traditional banking regulations. Alternative Investment Funds (AIFs) include hedge funds, private equity, and real estate funds, while UCITS are mutual funds that are regulated at the European level, designed for retail investors.
  10. Data Reporting Service Providers: Entities that provide reporting and data services related to financial transactions, ensuring transparency and regulatory compliance in financial markets. This includes trade repositories and approved reporting mechanisms.
  11. Crowdfunding Service Providers: Platforms that connect individuals or businesses seeking to fund projects or ventures with people willing to contribute small amounts of money, typically via the internet.
  12. ICT Third-Party Service Providers to Financial Entities: These include providers offering critical ICT services such as cloud computing, data analytics, cybersecurity solutions, and software development, which are essential for the digital operations of financial entities.

These entities encompass a broad spectrum of the financial sector within the EU, each playing a critical role in maintaining the stability and integrity of financial markets, and are thus subject to DORA’s regulatory framework aimed at enhancing their operational resilience against ICT risks.

Sanctions and Penalties:

DORA empowers competent authorities to impose administrative penalties and remedial measures for breaches of the regulation. These include ordering the responsible party to cease the breach and refrain from repeating it, requiring the cessation of practices contrary to DORA’s provisions, adopting measures to ensure continued compliance with legal requirements, requiring existing data traffic records held by a telecommunication operator where there is a reasonable suspicion of a breach, and issuing public notices or statements identifying the breach and the persons responsible. When setting penalties, authorities consider the materiality, gravity and duration of the breach, the degree of responsibility of the party, its financial strength, the profits gained or losses avoided through the breach, the losses caused to third parties, and the level of cooperation with the competent authority.

Key Requirements of DORA:

  1. ICT Risk Management: Entities must implement and maintain an effective and comprehensive ICT risk management framework, including policies, procedures and measures to identify ICT risks, protect against and prevent them, detect them, and respond to and recover from ICT-related incidents.
  2. Incident Reporting: Financial entities must establish and maintain mechanisms for the timely detection, management and reporting of major ICT-related incidents to the relevant competent authorities.
  3. Digital Operational Resilience Testing: Financial entities must regularly test their digital resilience capabilities, including, for entities designated by their authorities, threat-led penetration testing (TLPT), to identify weaknesses and address them proactively.
  4. ICT Third-Party Risk: Entities must manage and monitor the ICT risks stemming from their reliance on third-party service providers, including cloud computing services, ensuring that these relationships do not undermine their digital operational resilience.
  5. Information Sharing: The framework encourages financial entities to share information related to cyber threats and vulnerabilities to enhance collective defense mechanisms and resilience across the financial sector.
  6. Oversight of Critical ICT Third-Party Service Providers: DORA introduces a framework for the oversight of critical ICT third-party service providers to the financial sector, aiming to mitigate systemic risk and ensure the stability of the financial system.
  7. Compliance and Enforcement: DORA establishes mechanisms for supervisory oversight, compliance and enforcement, including the potential for sanctions in cases of non-compliance with the regulation’s requirements.

By adhering to these requirements, financial entities and their ICT third-party service providers will contribute to a more resilient and stable financial system capable of withstanding and responding effectively to digital disruptions and threats.

Navigating DORA’s requirements can be complex, but you don’t have to do it alone. Nebosystems offers tailored cybersecurity measures and consulting to ensure your compliance. Ready to secure your digital resilience? Contact us today.


Reference: Digital Operational Resilience Act (EU) 2022/2554. EUR-Lex.

Understanding GDPR: A Definitive Guide on Key Requirements and Compliance

Post Syndicated from Editor original https://nebosystems.eu/what-is-gdpr-key-requirements-guide/

In a digital landscape where data breaches and privacy concerns are increasingly common, understanding the General Data Protection Regulation (GDPR) is essential for businesses and individuals alike. Applicable since 25 May 2018, the GDPR represents a significant overhaul of data protection law, setting a new global benchmark for privacy rights, security, and compliance.

What is GDPR?

The GDPR is a comprehensive data protection law of the European Union (EU) and the wider European Economic Area (EEA) with far-reaching implications for companies worldwide. It represents a significant shift in the way the personal data of individuals in the EU and EEA is collected, stored, processed, and protected by organizations everywhere. It aims to give individuals more control over their personal data and to unify data protection rules across the EU, thereby simplifying the regulatory environment for international business.

Who is Affected?

The GDPR affects:

  • Organizations within the EU: All entities operating within the EU, regardless of their size, that process personal data are subject to the GDPR.
  • Organizations outside the EU: Non-EU organizations that offer goods or services to individuals in the EU or monitor the behavior of individuals within the EU are also subject to the GDPR.
  • Individuals within the EU: The GDPR strengthens the rights of individuals in the EU (whatever their nationality or residence status), giving them greater control over their personal data.

Key Requirements of GDPR

The GDPR is built around several key principles that dictate how personal data should be handled, processed, and protected. Understanding these requirements is crucial for any organization striving for compliance:

  1. Lawfulness, Fairness, and Transparency: Processing must be lawful, fair and transparent to the data subject.
  2. Purpose Limitation: Data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
  3. Data Minimization: The collection of data should be limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.
  5. Storage Limitation: Data should be retained only as long as necessary for the purposes for which they are processed.
  6. Integrity and Confidentiality (Security): Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.
  7. Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with all the principles mentioned above.

Rights of Data Subjects

The GDPR enhances and introduces new rights for data subjects, including:

  • The right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
  • The right of access: Individuals can access their data and ask how their data is being used.
  • The right to rectification: Individuals have the right to have inaccurate data corrected.
  • The right to erasure (Right to be Forgotten): Individuals can request the deletion of their data under certain conditions.
  • The right to restrict processing: Individuals can request the restriction of processing of their personal data.
  • The right to data portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format.
  • The right to object: Individuals can object to the processing of their personal data in certain circumstances, including for direct marketing.

Additional Requirements:

  • Consent: When processing is based on consent, it must be freely given, specific, informed, and unambiguous, with a clear affirmative action by the data subject.
  • Data Protection by Design and by Default: Organizations must implement appropriate technical and organizational measures to meet the principles of data protection effectively and safeguard individual rights. Integrating privacy considerations into the design of systems and processes, known as ‘Privacy by Design,’ is a GDPR principle that emphasizes proactive privacy measures from the outset of any project or process involving personal data.
  • Data Protection Impact Assessments (DPIAs): DPIAs are required where data processing is likely to result in high risk to the rights and freedoms of individuals, particularly with the use of new technologies.
  • Data Breach Notification: Organizations must notify the competent data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Affected individuals must also be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Data Protection Officers (DPOs): Organizations must appoint a DPO if they are a public authority, their core activities require large scale, regular and systematic monitoring of individuals, or their core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
  • One-Stop-Shop: The GDPR introduces a one-stop-shop mechanism for organizations that process data across multiple EU countries: a single lead supervisory authority, in the member state of the organization’s main establishment, acts as their primary point of contact for cross-border processing.
  • Cross-Border Data Transfers: The GDPR restricts transfers of personal data outside the EU and EEA, allowing them only to countries recognized as providing an adequate level of protection or where appropriate safeguards (such as standard contractual clauses or binding corporate rules) or a specific derogation apply.
  • Processor Obligations: Processors are directly responsible for processing personal data in accordance with the GDPR’s mandates, including processing data only on the controller’s documented instructions, ensuring the confidentiality of the processed data, and assisting controllers in meeting their GDPR obligations.
  • Record Keeping: Controllers and processors must keep detailed records of processing activities.
  • Security of Processing: Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Cooperation Among Supervisory Authorities: Supervisory authorities must cooperate with each other to ensure consistent application of the GDPR across the EU.
  • Certification Mechanisms, Seals, and Marks: The GDPR encourages the use of certification mechanisms, seals, and marks as evidence of compliance with its provisions; they may also be used by controllers or processors outside the EU, which are not directly subject to the regulation, to demonstrate appropriate safeguards for data transfers.

By adhering to these requirements, organizations can ensure compliance with the GDPR, thereby enhancing the protection of personal data and potentially avoiding significant penalties for non-compliance. Non-compliance with the GDPR can result in hefty fines, with penalties reaching up to €20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, for the most serious infringements.

The GDPR’s impact extends beyond the borders of the EU and EEA, affecting any organization worldwide that processes the personal data of individuals within these regions. Its implementation marks a significant step towards enhancing individuals’ privacy rights and setting a new global standard for data protection.

For organizations seeking to fortify their data protection measures in line with GDPR standards, our Comprehensive GDPR Compliance Cybersecurity Solutions provide a robust framework tailored to meet the unique challenges of your business.

Whether you’re looking to enhance your cybersecurity measures or seeking expert consulting to navigate GDPR compliance, reach out to Nebosystems today. Let us help you transform GDPR compliance from a daunting obligation into an opportunity for enhanced data security and trust building.


Reference: General Data Protection Regulation (2016/679). EUR-Lex.

The Week (18–23 March)

Post Syndicated from Nadezhda Radulova (Надежда Радулова) original https://www.toest.bg/sedmitsata-18-23-mart/


“It was Monday, a fine rain was falling. Tuesday left, damp, up the chimney.” That is how, as in a children’s rhyme, the week after Sirni Zagovezni (Forgiveness Sunday) began: with GERB’s Sunday stunt, which at moments looked like a dud, but gradually gathered speed and ended in a big bang. Whereupon the long-rickety “assembly” (the sglobka, as the governing arrangement is nicknamed) fell apart into rusty screws and nuts, with slim chances of being put back together.

Against the backdrop of this boom and crash came a great plastering-over with the GERB trowel we know so well. There was no end of ritual walks with folders to the Presidency, back and forth, come here, go there, and give me back my dolls, they’re mine! There was no end of sulking and insults: do you respect me, scratch me here, tickle me there, now apologize, and you really have to apologize, tag, you’re it, and so on. A political circus that all of us have been sentenced to watch from the front row for six days now… Meanwhile the rotation is becoming an ever greater mirage. Along with all the mirages derived from it.

At such moments nothing remains for us but to say, like Voltaire’s Candide: “… but we must cultivate our garden.” That is what we continue to do in our new issue… Even though we are fully convinced that we are not living, again per Voltaire, in “the best of all possible worlds”.

This political week, laid out before our eyes and not yet dried from the rain and the spittle of negotiations, is the subject of Emilia Milcheva’s analysis “Will They Reassemble? Whose Move Is It?” („Ще се сглобяват ли? Кой е на ход?“). A text that traces the illogical thread linking the actions of the negotiating political “men” and the peculiar status of the folder-carrying women.

Svetla Encheva continues the “migrant theme” from the previous issue with her article “How the Word ‘Migrant’ Became Dehumanizing” („Как думата „мигрант“ стана дехуманизираща“). This time Svetla presents not a specific case but rather discusses the legal parameters of concepts such as “migrant”, “refugee”, “asylum seeker” and so on, including the social and political stuffing with which we inflate and distort their meanings in Bulgaria. A truly educational text; it is worth reading carefully before we formulate our position on a topic that has been hot in recent weeks.

We stay with the problems of education in Nadezhda Tsekulova’s latest interview, “From Changing the School Environment to Changing Society” („От промяна в училищната среда към промяна в обществената“). This time we meet Maria Staynova and Violetka Slavova of the architecture studio Lusio („Лусио“), who design contemporary educational spaces within the context of school buildings. A key process in reforming the whole system, impossible without the active participation of pupils and teachers.

After reading the latest dose of “science news” from Mihail Angelov, as usual, we feel a little smarter and more hopeful about the future. This time that is thanks to data from Voyager 1, according to which there is a chance that communication with the probe can be restored; to the possibility of producing human insulin from cows; to innovations in solar panels; and to other constructive news from the bright side of human activity.

One more continuation this week: “Malaysia on the Walls” („Малайзия по стените“) by Petya Kokudeva. The journey continues among urban wall paintings, through colorful Buddhist temples, night markets, splendid woodcarvings, and local customs and legends. It stirs a spontaneous urge to set off there at once!

“Madam, You Seem to Have Been Troubled by the Polite Form” („Госпожо, Вие май сте били затруднена от учтивата форма“) is the new article by Pavlina Varbanova, served up in her column “A Portion of Language” („Порция език“). Capitalization and agreement sometimes turn out to be a stumbling block even for the most literate, especially when the codifier’s decisions are unsystematic and devoid of logic.

“Will Bulgaria Fly into Space?” („Ще полети ли България в Космоса?“) asks Alexander Nutsov, as if the country had nothing else to worry about. There is reason in his question, though, given that worldwide the high-tech space industry forms an ever-growing share of business. One of the first steps in this direction is the creation of a space agency in Bulgaria; there is a chance this will happen by the end of the year. A master’s program in space research is also planned at at least three universities in the country.

In the end it turns out that the study of space often solves entirely earthly problems, connected with that same garden Candide urges us to cultivate. And who knows, one day the garden may turn out to be part of an entirely different landscape: Martian or lunar?

Happy reading!


P.S. At the end of this week spring arrived, and the great writer Alek Popov passed away. We will remember him. Our language will remember him. Bright road and eternal memory!