Data as Main Priority
Recently, Commissioner Breton stated the following:
‘As a European Commissioner, the question I’ve been probably asked the most in the last few weeks is: what is your priority?
Is it 5G? Is it artificial intelligence? Is it industry? Services? Audiovisual? Tourism? Space? Defence? Obviously, all these topics are priorities.
But for me, their foundation, their common denominator, what runs through all their activities from end to end, is data.’
The Commissioner of Internal Market (DG GROW), Digital Single Market (DG CNECT) and DG Defense & Aerospace could not be clearer. Data is the main priority, as it is the dynamic and all-present dimension that is relevant everywhere in this Digital Age. It can bring huge opportunities, benefits and gains. It is therefore high time that people, society and organizations in any sector start to organize themselves to grab this potential, in an European and collaborative way.
No surprise that the Commission published an ambitious Data Strategy  last month.
Common European Data Spaces
In the Data Strategy, the Commission mentions it will support the establishment of common European data spaces in nine (9) strategic sectors & domains of public interest:
- Industrial (manufacturing) data space;
- Green Deal data space;
- Mobility data space;
- Health data space;
- Financial data space;
- Energy data space;
- Agriculture data space;
- Data spaces for public administration, and;
- Skills data space.
The fact that the Commission already indicates these are strategic sectors and domains of public interest implies that cybersecurity is fully in scope and on the radar:
‘The data spaces will be developed in full compliance with data protection rules and according to the highest available cyber-security standards.’
However, the Commission also has the vision of openness:
‘The vision of a common European data space implies an open, but assertive approach to international data flows, based on European values.’
Let’s zoom in to these relationships between data and cybersecurity, while aiming for an open society as envisioned.
Cybersecurity in Data Context
Data protection, whether personal data or non-personal data, is one of the main principles in this Digital Age. Data control, access, use, sharing, management and other functionalities all need the non-functionals that are data protection and cybersecurity.
When done right and therefore in an transparent and accountable way, cybersecurity can greatly contribute to the appropriate levels of data processing and protection. Therefore, cybersecurity is a prerequisite part of the solution to demonstrate trustworthiness and build and sustain trust.
Data in Cybersecurity Context
Data is a great asset to enable, facilitate and optimize cybersecurity. In all technical layers and dimensions as well as cross-layer and cross-dimensions. It can give everything and everybody a ‘contextual digital pulse’. With data and related attributes one can also identify anomalies, fraud and other risk.
Furthermore, one can add attributes in a chain of trust in order to obtain the appropriate impact-based level of trust necessary with the then relevant context. For instance for digital identity, authorization, relational or transactional purposes.
Data-centric security is not yet that much on the radar but is a prerequisite to support human-centric, secure, safe, trustworthy and beneficial digital ecosystems – either cyber or cyber-physical –. More and more data-centricity is recognized and deployed as such. Data is part of cybersecurity, and vice versa.
The digital and data domains are highly regulated nowadays. In the last years numerous new regulations respectively updated regulations have come into force. Does this mean one cannot act and maneuver in this Digital Age without the need of continuous legal assistance? We believe the answer is no, and even better: it is up to you to help out! Here is why.
Generally, all these regulations that concern data, cybersecurity or both are principle-based frameworks. Each leave room for you to design, build and deploy your own dynamic architectures and systems within such regulatory frameworks, as long as one explains and documents it well and keep those up to date. The main ingredients that one needs to take into account? These four (4) main principles, all By Design and By Default:
- Data Processing
- Data Protection
- Data Management
The regulations mentioned in the landscape visual below provide meta-frameworks in domains such as finance (PSD2), critical infrastructure, vital systems and essential servives (NIS), personal data processing, protection and management (GDPR), identity (eIDAS), non-personal data processing and management (FFDR), open data (Open Data Directive), cybersecurity (CSA) and so on.
Each of these regulations has three to four of the main principles incorporated. Based on these, one can further detail and balance out various layers of subprinciples until some rule-based parts and related governance emerge to organize and balance the appropriate organisational and technical measures you look for, provide, procure, implement or monitor. It’s all about using your own and others’ inter-disciplinary common sense.
Cybersecurity is mentioned almost 20 times in the Data Strategy. The Commission also mentions that the new data paradigm where less data will be stored in data centers and more data will be spread in a pervasive way closer to the user ‘at the edge’. This brings new challenges for cybersecurity. However, it also brings massive opportunities, for all.
So, do not wait for a regulator, authority or court to come with ‘further rules’, as they will generally not. It is up to you to help load these regulatory frameworks, and make the most benefit out of the capabilities, data and other assets available in this Digital Age, while observing continuous appropriate dynamic accountability on the main and related (sub)principles and rule-sets. With this, we can build, deploy, use, enjoy and even export the most trustworthy products, (eco)systems and services in the world. As Commissioner Breton formulates:
‘Europe has everything it takes to lead the technology race.’
In our own words: Europe has great capabilities.
Arthur van der Wees, Arthur’s Legal, Strategies & Systems