<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Chrysa Natsopoulou</title>
    <description>The latest articles on Forem by Chrysa Natsopoulou (@cnatsopoulou).</description>
    <link>https://forem.com/cnatsopoulou</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1246530%2F49161fa4-715d-4fa1-9030-834308621ad2.jpg</url>
      <title>Forem: Chrysa Natsopoulou</title>
      <link>https://forem.com/cnatsopoulou</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/cnatsopoulou"/>
    <language>en</language>
    <item>
      <title>Already ISO 27001 certified? Discover how easily you can achieve ISO 9001!</title>
      <dc:creator>Chrysa Natsopoulou</dc:creator>
      <pubDate>Mon, 16 Sep 2024 10:55:14 +0000</pubDate>
      <link>https://forem.com/cnatsopoulou/already-iso-27001-certified-discover-how-easily-you-can-achieve-iso-9001-5hbl</link>
      <guid>https://forem.com/cnatsopoulou/already-iso-27001-certified-discover-how-easily-you-can-achieve-iso-9001-5hbl</guid>
      <description>&lt;p&gt;Are you already ISO 27001 certified and considering ISO 9001 certification? Leveraging your existing management system can significantly simplify the process. Let's explore how to build on your ISO 27001 foundation to achieve ISO 9001 certification efficiently! &lt;/p&gt;

&lt;h2&gt;Understanding ISO 9001 and ISO 27001&lt;/h2&gt;

&lt;p&gt;ISO 27001 is centered on an Information Security Management System (ISMS), which aims to protect an organization's information assets.&lt;/p&gt;

&lt;p&gt;On the other hand, ISO 9001 is a globally recognized standard for Quality Management Systems (QMS). It helps organizations of all sizes and sectors improve their performance, meet customer expectations and demonstrate their commitment to quality. Its requirements define how to establish, implement, maintain, and continually improve a QMS. Within the ISO 9000 family, which defines 7 &lt;a href="https://www.iso.org/files/live/sites/isoorg/files/store/en/PUB100080.pdf" rel="noopener noreferrer"&gt;quality management principles&lt;/a&gt; including a strong customer focus and continual improvement, ISO 9001 is the only standard that can be certified to. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;But why should an organization pursue ISO 9001 certification?&lt;/em&gt;&lt;/strong&gt; 🤔&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphvsovod2vo3rwf5mxou.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphvsovod2vo3rwf5mxou.png" alt="Image description" width="581" height="405"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;▸ Customer Satisfaction&lt;/strong&gt;: Being compliant with ISO 9001 means that you understand your customers' needs and reduce errors. So you can increase customer confidence in your ability to deliver services.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;▸ Better Supplier Relationships&lt;/strong&gt;: Using best-practice processes contributes to more efficient supply chains, and better collaboration. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;▸ Winning Contracts&lt;/strong&gt;: As ISO 9001 is recognized globally and strengthens the organization's reputation, clients are more likely to stay.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;▸ Cost Savings&lt;/strong&gt;: You can reduce costs by following industry best practices and focusing on quality.&lt;/p&gt;

&lt;h2&gt;Common Elements between ISO 9001 and ISO 27001&lt;/h2&gt;

&lt;p&gt;While the focus areas of ISO 27001 &amp;amp; ISO 9001 differ, both standards share several common elements that can be leveraged to streamline the certification process. Many of these shared requirements can be implemented together.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;✓ Context of the Organization&lt;/strong&gt; - Both standards require organizations to identify and define the internal &amp;amp; external factors that impact them, including values, culture, resources and regulations. Additionally, organizations must recognize the interested parties, such as customers, suppliers, employees, and regulatory bodies. &lt;br&gt;
&lt;strong&gt;✓ Allocation Process&lt;/strong&gt; - Both standards require businesses to assign owners to execute different duties of the compliance process. Although the roles and responsibilities within the QMS and ISMS differ, they must both be clearly defined. &lt;br&gt;
&lt;strong&gt;✓ Competence, Awareness, Communication and Document Control&lt;/strong&gt; - These requirements are not only common to ISO 9001 and ISO 27001 but also to other standards. They can be addressed simultaneously and using similar approaches.&lt;br&gt;
&lt;strong&gt;✓ Measurement and Monitoring&lt;/strong&gt; - Both standards require organizations to continuously monitor their business systems to ensure that the desired levels of efficiency are consistently achieved. Also, organizations must follow a systematic process of assessing and quantifying various aspects to ensure that the requirements and objectives are met.&lt;br&gt;
&lt;strong&gt;✓ Internal Audits and Management Review&lt;/strong&gt; - While the audit requirements and the inputs &amp;amp; outputs of reviews differ, the process of conducting them remains the same. &lt;br&gt;
&lt;strong&gt;✓ Nonconformity and Corrective Action&lt;/strong&gt; - The process of managing nonconformities and corrective actions can be identical for both standards, so there is no need to distinguish between them.&lt;/p&gt;

&lt;h2&gt;Specific Requirements for ISO 9001&lt;/h2&gt;

&lt;p&gt;While there are several commonalities, ISO 9001 has specific requirements including a strong focus on customer satisfaction, and comprehensive risk management related to product and service quality. In contrast, ISO 27001 primarily focuses on managing information security risks.&lt;/p&gt;

&lt;h2&gt;Steps to Transition from ISO 27001 to ISO 9001&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;1️⃣ Gap analysis&lt;/strong&gt;&lt;br&gt;
Conduct a gap analysis to identify areas where your current ISO 27001 management system meets ISO 9001 requirements and where additional work is needed.&lt;br&gt;
&lt;strong&gt;2️⃣ Document the processes&lt;/strong&gt;&lt;br&gt;
Develop and document the necessary processes and procedures specific to ISO 9001. A process is a set of activities that uses resources to transform inputs into outputs. ISO 9001 is based on a process approach: each process must have defined objective(s), input(s), output(s), the tools or resources it requires, and ideally a flowchart. &lt;br&gt;
&lt;strong&gt;3️⃣ Training&lt;/strong&gt;&lt;br&gt;
Ensure your team is trained on the new requirements and understands their roles in the QMS.&lt;br&gt;
&lt;strong&gt;4️⃣ Implementation&lt;/strong&gt;&lt;br&gt;
Implement the new requirements, integrating them with your existing management system.&lt;br&gt;
&lt;strong&gt;5️⃣ Internal audits&lt;/strong&gt;&lt;br&gt;
Conduct internal audits to ensure compliance with the ISO 9001 standard.&lt;br&gt;
&lt;strong&gt;6️⃣ Management review&lt;/strong&gt;&lt;br&gt;
Perform a management review to assess the effectiveness of the QMS and make necessary adjustments.&lt;br&gt;
&lt;strong&gt;7️⃣ Certification audit&lt;/strong&gt;&lt;br&gt;
Engage with a certification body to conduct the ISO 9001 certification audit.&lt;/p&gt;

&lt;p&gt;Achieving ISO 9001 certification may seem daunting, but by leveraging your existing ISO 27001 management system, you can streamline the process. Focus on the specific requirements of ISO 9001, conduct thorough gap analysis, and ensure your team is well-prepared. With these steps, you'll be well on your way to enhancing your organization's quality management and customer satisfaction. &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"Quality is everyone's responsibility"&lt;br&gt;
 &lt;strong&gt;W. Edwards Deming&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>iso27001</category>
      <category>iso9001</category>
      <category>cybersecurity</category>
      <category>grc</category>
    </item>
    <item>
      <title>Celebrating Data Privacy International Day!</title>
      <dc:creator>Chrysa Natsopoulou</dc:creator>
      <pubDate>Sun, 28 Jan 2024 14:26:51 +0000</pubDate>
      <link>https://forem.com/cnatsopoulou/celebrating-data-privacy-international-day-11o5</link>
      <guid>https://forem.com/cnatsopoulou/celebrating-data-privacy-international-day-11o5</guid>
      <description>&lt;p&gt;&lt;em&gt;The &lt;a href="https://staysafeonline.org/"&gt;National Cybersecurity Alliance&lt;/a&gt; (NCA) has themed Data Privacy Day 2024 as "Take Control of Your Data".&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As we commemorate Data Privacy Day, a global initiative dedicated to raising awareness about the importance of safeguarding private information, we recognize the increasing need for individuals, not just professionals, to prioritize their online privacy. This private information, called sensitive data, includes things like your name, address, birthdate, race, gender, contact details, credit card number, ID card number, medical history, IP address, or location. In a world where technology intertwines with our daily lives, understanding and implementing data privacy measures is crucial for everyone. &lt;/p&gt;

&lt;p&gt;This blog post aims to empower users of all backgrounds with practical tips, ensuring that the protection of personal data becomes an accessible practice for everyone, regardless of their level of technical expertise. Let's explore simple yet effective strategies to fortify our online privacy in this digital age!&lt;/p&gt;

&lt;h2&gt;A brief reflection on this day 🗓️&lt;/h2&gt;

&lt;p&gt;Data Privacy Day, known in Europe as Data Protection Day, is an international event that occurs every year on 28 January. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices.&lt;br&gt;
So on 28 January, governments, parliaments, and organizations work together to spread awareness about the importance of protecting personal data and privacy rights. They might run campaigns for the public, organize educational projects for teachers and students, open their doors for visits to data protection agencies, and host conferences.&lt;br&gt;
The day was initiated by the Council of Europe to be first held in 2007 as the European Data Protection Day. Two years later, on 26 January 2009, the &lt;a href="https://en.wikipedia.org/wiki/United_States_House_of_Representatives"&gt;United States House of Representatives&lt;/a&gt; passed House Resolution HR 31 by a vote of 402-0, declaring 28 January National Data Privacy Day. On 28 January 2009, the &lt;a href="https://en.wikipedia.org/wiki/United_States_Senate"&gt;Senate&lt;/a&gt; passed Senate Resolution 25 also recognizing 28 January 2009 as National Data Privacy Day. The United States Senate also recognized Data Privacy Day in 2010 and 2011.&lt;/p&gt;

&lt;h2&gt;Tips for Fortifying Your Privacy 🫵&lt;/h2&gt;

&lt;p&gt;Personal data is processed continuously—whether at work, in interactions with public authorities, in healthcare, during purchases of goods or services, while traveling, or while browsing the internet. Despite this, individuals are often unaware of the risks to their personal data and of their corresponding rights. &lt;br&gt;
On this day, let's commemorate by reflecting on some privacy reminders:&lt;/p&gt;

&lt;p&gt;✔ &lt;strong&gt;Do not get phished!&lt;/strong&gt; Phishing emails are one of the most common and effective methods cyber attackers use to gain access to secure information. To defend against these manipulative emails, you must:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Stay cautious about emails from unfamiliar senders.&lt;/li&gt;
&lt;li&gt;Refrain from clicking on links in unexpected emails, as they might lead to fake websites or download harmful software to your device.&lt;/li&gt;
&lt;li&gt;Never reply to emails requesting confidential or personal information. Legitimate organizations won't ask for such details via email.&lt;/li&gt;
&lt;li&gt;If something sounds too good to be true, it probably is, so ignore any emails proclaiming that you have won a prize or a special discount.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;✔ &lt;strong&gt;Guarding Against Deepfakes&lt;/strong&gt; Deepfake technology can create highly realistic videos that manipulate or replace the likeness and voice of individuals. In a malicious context, someone could create a deepfake video impersonating a trusted person, such as a friend, family member, or colleague, and use it to request sensitive information. Although identifying a fake video may be challenging, you can always:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Double-check the identity of the person making the request.&lt;/li&gt;
&lt;li&gt;Approach content with a healthy dose of skepticism, especially if it's unexpected or seems unusual.&lt;/li&gt;
&lt;li&gt;Stay informed about the latest developments in deepfake technology and understand the potential risks.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;✔ &lt;strong&gt;Watch out for vishing and smishing attempts&lt;/strong&gt; Emails are not the only medium cyber criminals use to try to obtain personal information. Fraudsters also use SMS and voice messages to trick users into giving up personal information. So never hand out personal data over the phone, and never click on links included in unsolicited SMS messages.&lt;/p&gt;

&lt;p&gt;✔ &lt;strong&gt;Avoid using public Wi-Fi&lt;/strong&gt; Browsing online using public Wi-Fi can be convenient. But it can put your information at risk, as hackers can snoop on data transmitted throughout the network. So:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You should refrain from transmitting your address and credit card information on public Wi-Fi.&lt;/li&gt;
&lt;li&gt;Public Wi-Fi is unsafe when no password is required for access, and even then, Wi-Fi hotspots can be used by nearby hackers to steal your data. Use a Virtual Private Network (VPN) if you have to connect to public Wi-Fi, to add a layer of protection to your data.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;✔ &lt;strong&gt;Confirm website security&lt;/strong&gt; If you are about to log in to a web platform, ensure that the site is legitimate. The first thing you should do is check the URL. Make sure it begins with "HTTPS", which shows that the communication between your browser and the website is encrypted.&lt;/p&gt;

&lt;p&gt;✔ &lt;strong&gt;Strengthening Your Passwords&lt;/strong&gt; You access most applications, which may contain personal data, and various online platforms by providing a password and a username. Therefore:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Create strong passwords on smartphones, laptops, tablets, email accounts, and any other device or account where personal information is stored. Weak passwords, like "12345", are the easiest way for hackers to access your data.&lt;/li&gt;
&lt;li&gt;Use Multi-Factor Authentication (MFA) wherever you can. MFA is an authentication method that requires the user to provide 2 or more verification factors to gain access to a resource such as an application, online account, or a VPN. One of the most common MFA factors that users encounter is the one-time password (OTP). OTPs are those 4-8 digit codes that you often receive via email or SMS. Other examples are fingerprints, facial recognition, answers to personal security questions, etc.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As we conclude this post on Data Privacy Day, let's use what we've learned to make online safety a habit. Following these easy tips for data privacy helps us feel more confident online. Every little effort to protect your info makes the internet safer for everyone. Let's keep caring about data privacy and work together for a future where our online experiences are safe and enjoyable!&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.”&lt;br&gt;
 – &lt;strong&gt;Tim Cook, Apple’s CEO&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>cybersecurity</category>
      <category>security</category>
      <category>data</category>
      <category>privacy</category>
    </item>
    <item>
      <title>2024 Unveiled: Top Cyber Trends in a Crystal Ball</title>
      <dc:creator>Chrysa Natsopoulou</dc:creator>
      <pubDate>Thu, 04 Jan 2024 10:30:03 +0000</pubDate>
      <link>https://forem.com/cnatsopoulou/2024-unveiled-top-cyber-trends-in-a-crystal-ball-5328</link>
      <guid>https://forem.com/cnatsopoulou/2024-unveiled-top-cyber-trends-in-a-crystal-ball-5328</guid>
      <description>&lt;p&gt;&lt;em&gt;According to &lt;a href="https://www.forbes.com/?sh=79404b432254"&gt;Forbes&lt;/a&gt;, by the end of the coming year, the cost of cyber attacks on the global economy is predicted to top $10.5 trillion.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As we step into the new year, fresh trends emerge on the cybersecurity horizon! &lt;/p&gt;

&lt;p&gt;Today, we'll delve into the anticipated trends of 2024. Given that many of these trends are projections rooted in the developments of 2023 or earlier, it's essential to take a moment to look back and examine the challenges encountered by cyber experts in the past year. This retrospective glance will provide us with valuable insights to navigate the evolving landscape of cybersecurity in the upcoming year. &lt;/p&gt;

&lt;h2&gt;2023: A Year in Review&lt;/h2&gt;

&lt;p&gt;In 2023, several major companies experienced &lt;strong&gt;data breaches&lt;/strong&gt;. &lt;a href="https://www.okta.com/"&gt;Okta&lt;/a&gt;, for instance, fell victim to a breach linked to a compromised personal Gmail account. The hacker used it to sneak into the support case management system, and swiped customer session tokens that could be used to break into the networks of Okta customers. Another affected entity was &lt;a href="https://www.23andme.com/en-int/"&gt;23andMe&lt;/a&gt;, a consumer genetics and research company headquartered in California US, which encountered a credential stuffing attack, exposing the information of over 5 million users. &lt;a href="https://www.ups.com/us/en/Home.page"&gt;UPS&lt;/a&gt; faced a security incident involving attackers using obtained information to conduct SMS phishing attempts, falsely claiming to provide delivery details. Lastly, the &lt;a href="https://www.mgm.com/"&gt;MGM&lt;/a&gt; Ransomware attack targeted the company's employee password reset workflow.&lt;/p&gt;

&lt;p&gt;Certainly, ransomware attacks were among the negative trends of the previous year. In 2023, we observed some of the most notable instances of &lt;strong&gt;ransomware attacks&lt;/strong&gt;. This surge of digital attacks centered on exploiting a vulnerability in a managed file transfer product called &lt;a href="https://www.progress.com/moveit"&gt;MOVEit&lt;/a&gt;. The vulnerability, targeted by the Russia-linked Clop ransomware group, was used for data theft, particularly of personally identifiable information (PII) from customer databases. Moreover, one of the largest US dental health insurers, &lt;a href="https://www.mcna.net/en/home"&gt;Managed Care of North America&lt;/a&gt; (MCNA) Dental, was targeted by a ransomware attack that compromised the personal data of about 9 million individuals.&lt;/p&gt;

&lt;p&gt;Nevertheless, 2023 also ushered in positive trends that enhanced global security. &lt;strong&gt;Multi-factor Authentication&lt;/strong&gt; (MFA) emerged as a key player in this landscape. It requires individuals to authenticate not only with something they know, like a password, but also with something they are or something they have. This extra layer of verification significantly bolsters security by adding multiple checkpoints, making unauthorized access more difficult. MFA's widespread adoption marks a crucial step forward in fortifying digital defenses against evolving threats.&lt;/p&gt;

&lt;p&gt;Furthermore, let's delve into the realm of &lt;strong&gt;quantum computers&lt;/strong&gt;. This trend carries both positive and negative implications. On the positive side, their remarkable speed enables the swift resolution of problems, such as optimization problems or machine learning optimization, that would traditionally take years. However, on the flip side, this very capability raises concerns about the potential to break current encryption. If that happens, our existing ways of keeping data safe would be outdated, and we would need new methods to guard against these powerful computers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Artificial Intelligence&lt;/strong&gt; (AI), too, emerges as a trend with dual implications, encompassing both positive and negative aspects. On one hand, AI in the hands of ethical practitioners enables robust analysis and investigation. On the other hand, malicious actors utilizing AI can devise sophisticated attacks. This dual nature underscores the need for responsible development and deployment of AI technologies, as they wield the power to both enhance and potentially undermine various aspects of our digital landscape.&lt;/p&gt;

&lt;h2&gt;10 Top Cyber Trends in 2024&lt;/h2&gt;

&lt;p&gt;And now let's turn our attention to what's happening in 2024. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Moving from passwords to passkeys.&lt;/strong&gt; Remembering passwords can be a hassle and poses a risk if they fall into the wrong hands. That's why there's a shift towards using passkeys, a new technology, based on FIDO2 authentication, for secure logins. With passkeys, you don't need to remember a traditional password; instead, you can use a simpler, more user-friendly, and secure method. Passkeys enable users to access apps and websites employing features like fingerprint recognition, facial scans, or screen lock PINs. Unlike passwords, passkeys offer resistance against online threats such as phishing, enhancing security compared to methods like SMS one-time codes.&lt;/p&gt;

&lt;p&gt;According to Blair Cohen, founder and president of AuthenticID, &lt;em&gt;"I applaud it and think it's great for everyday consumer use, but don't think FIDO2 will be the choice of enterprises, large-scale banks, etc. There are just too many vulnerabilities,"&lt;/em&gt; he said, specifically highlighting its vulnerability to first-party fraud. &lt;br&gt;
Jack Poller, analyst at TechTarget's Enterprise Strategy Group (ESG), disagreed, saying "&lt;em&gt;FIDO2 is going to win in the consumer marketplace since many enterprise organizations, such as Google, Amazon and Apple, currently support it because it's phishing-resistant.&lt;/em&gt;"&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Increase of IoT attacks.&lt;/strong&gt; Today an increasing number of individuals opt for smart devices that seamlessly communicate with each other and connect to the internet. These devices are designed for ease of use and convenience rather than secure operation, and home consumer IoT devices may be at risk due to weak security protocols and passwords. This growing reliance on interconnected devices therefore presents additional opportunities for cyber attackers to infiltrate and exploit potential vulnerabilities. Additionally, with the ongoing work-from-home revolution, the risks associated with employees connecting or sharing data over inadequately secured devices persist as a significant threat in 2024.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;In the realm of IoT, every device transforms into a computer, and as we understand, every computer is susceptible to hacking. Thus, each smart device holds the potential vulnerability to hacking.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;3. Increased focus on AI.&lt;/strong&gt; 2024 will be AI-heavy.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;AI phishing:&lt;/em&gt; People have become educated and can often identify phishing emails by their poor grammar and spelling mistakes. With AI phishing, bad actors can use Large Language Models (LLMs) to remove these idiosyncrasies and sound more like a native speaker, luring victims into a false sense of security. So, organizations will need more advanced tools to effectively prevent fraud: tools that examine additional factors about the fraudster, like their IP address, location, and user ID, rather than just focusing on the content they generate.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Increase of deepfake social engineering attempts:&lt;/em&gt; This kind of attack, where someone's voice and face are faked to make others believe and trust a misleading video, is on the rise. These deepfakes can be used for social engineering attacks, impersonation, and spreading false information. It's crucial for people to establish security measures that don't rely solely on the information in the deepfake itself. In 2024, deepfake technology, creating realistic yet fake audio and video, is becoming a more significant concern. As the threat of deepfakes grows, organizations need to invest in tools and strategies to detect deepfakes and protect their reputation and data integrity. Raising awareness and providing education are vital in addressing this emerging threat.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;AI Hallucination threat:&lt;/em&gt; This is a phenomenon wherein an LLM, often a generative AI chatbot, provides people with information that is not always right and contributes to the spread of misinformation. AI models can also be vulnerable to adversarial attacks, wherein bad actors manipulate the output of an AI model by subtly tweaking the input data. The best way to mitigate the impact of AI hallucinations is to train the AI models on diverse, balanced and well-structured data, to test the system continually, and to make sure a human being is validating and reviewing AI outputs.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;If cyber attack and defense in 2024 is a game of chess, then AI is the queen – with the ability to create powerful strategic advantages for whoever plays it best.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;4. Ransomware attacks.&lt;/strong&gt; In 2024, ransomware attacks are anticipated to evolve into more sophisticated threats, impacting both individuals and organizations. A strong defense against such attacks lies in having a resilient backup and recovery plan. Consistently backing up data, educating staff about phishing risks, and deploying effective security measures are crucial components of this strategy. The ongoing battle against ransomware remains a paramount focus within the realm of cybersecurity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Regulatory Compliance and Privacy.&lt;/strong&gt; As organizations increasingly leverage data, there is a growing emphasis on ensuring data privacy and protection. Consequently, regulatory frameworks are constantly evolving. In 2024, organizations will prioritize compliance with rigorous data protection regulations, including acts such as the &lt;a href="https://dev.to/cnatsopoulou/decoding-data-compliance-a-dive-into-the-data-act-data-governance-act-3a75"&gt;Data Act and Data Governance Act&lt;/a&gt;. The emphasis will be on transparent data practices, the implementation of robust security measures, and the demonstration of accountability in the handling of sensitive information.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;6. Less than Zero trust.&lt;/strong&gt; In 2024, Zero Trust cybersecurity will continue to grow as a priority for many organizations amid intensifying cyberthreats, and many organizations will continue implementing a cybersecurity strategy based on zero trust principles as they did the previous year. Expect more widespread adoption of Zero Trust principles, which means that trust is never assumed: there will be more ways to verify that users really are who they claim to be, and added measures to ensure malicious actors won’t get far even if they thwart initial defenses.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;7. Explosion of BYOD and mobile devices.&lt;/strong&gt; In 2024, we can expect a sustained surge in the prevalence of BYOD (Bring Your Own Device) and increased reliance on mobile devices. To keep important company information safe on these devices, organizations will have to use strong Mobile Device Management (MDM) solutions and make sure strict security rules are followed. Balancing the need for employees to be productive with making sure all data is protected will be a big challenge for companies in this changing environment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;8. Cybersecurity skills gap and education.&lt;/strong&gt; The demand for skilled cybersecurity professionals is higher than ever. There’s a growing gap between the demand and the available talent. According to Forbes, research indicates that a majority (54%) of cyber security professionals believe that the impact of the skills shortage on their organization has worsened over the past two years. In 2024, this IT skills gap will persist, making it challenging for organizations to find qualified experts to manage their cybersecurity needs. Organizations will need to invest in training and development programs to upskill their existing staff and attract new talent. The shortage of cybersecurity experts is a pressing issue that can’t be ignored.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;9. Quantum cryptography.&lt;/strong&gt; As previously noted, the emergence of quantum computing presents a challenge to traditional cryptography and this year we are closer to this threat. That's why in 2024, there will be a substantial uptick in the use of cryptographic algorithms designed to resist quantum attacks. Businesses will prioritize the enhancement of their cryptographic techniques to protect sensitive data from potential threats posed by quantum computing. This dynamic landscape offers a considerable growth opportunity within the realm of security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;10. Platform engineering&lt;/strong&gt;. This trend holds significance in 2024 as it marks a pivotal evolution in the development of software and applications. In the early stages of organizational growth, a single development team typically handles all responsibilities. However, as the organization expands, it becomes common to have separate security and development teams. In this scenario, cybersecurity plays a crucial role in orchestrating effective collaboration between these two teams to enhance productivity and ensure seamless operations.&lt;/p&gt;

&lt;p&gt;In summary, there has been a concerning increase in data breaches up to the present moment. The looming threat of ransomware attacks remains persistent. MFA is now being provided as an option by numerous websites. Additionally, there has been a staggering 400% rise in IoT threats. As we navigate these challenges, it is crucial for organizations to prioritize cybersecurity measures, adapt to evolving threats, and stay proactive in safeguarding sensitive data and systems this year as well.&lt;/p&gt;

&lt;p&gt;And, as always, let's wrap up with a few quotes...&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” &lt;br&gt;
&lt;strong&gt;Stephane Nappo, Vice President. Global CISO, Groupe SEB&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”&lt;br&gt;
&lt;strong&gt;Dr. Larry Ponemon, Chairman, Ponemon Institute, at SecureWorld Boston&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

</description>
    </item>
    <item>
      <title>Decoding Data Compliance: A Dive into the Data Act &amp; Data Governance Act</title>
      <dc:creator>Chrysa Natsopoulou</dc:creator>
      <pubDate>Tue, 02 Jan 2024 13:27:50 +0000</pubDate>
      <link>https://forem.com/cnatsopoulou/decoding-data-compliance-a-dive-into-the-data-act-data-governance-act-3a75</link>
      <guid>https://forem.com/cnatsopoulou/decoding-data-compliance-a-dive-into-the-data-act-data-governance-act-3a75</guid>
      <description>&lt;p&gt;Welcome to our blog journey into the world of data rules! &lt;/p&gt;

&lt;p&gt;Today, we're talking about two important game-changers—the Data Act and the Data Governance Act (DGA). Think of them as guideposts in the digital world, showing us how to handle data smarter. Let's dive in together to understand what these rules mean, how they shape our data future, and why it matters in our ever-evolving digital world.&lt;/p&gt;

&lt;p&gt;The Data Act and the DGA are two regulations that form part of the European Data Strategy, which aims to build a single market for data in which data can flow freely within Europe. The strategy comprises four key components, each addressing a distinct facet of the overall goal:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Data Governance Act&lt;/em&gt;&lt;br&gt;
Ensure TRUST in data sharing.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Data Act&lt;/em&gt;&lt;br&gt;
Ensure FAIRNESS in the allocation of data value among the actors of the data economy.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Implementing Act under Open Data Directive&lt;/em&gt;&lt;br&gt;
Unleash the socio-economic potential of data as material for INNOVATION in particular Small and Medium-sized Enterprises (SMEs).&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Digital Markets Act&lt;/em&gt;&lt;br&gt;
Regulate MARKET POWER based on data.&lt;/p&gt;

&lt;h2&gt;
  
  
  Data Governance Act
&lt;/h2&gt;

&lt;p&gt;Let's start with why the DGA exists. The spread of digital technologies and the growing value of data prompted its creation: as people share and use more data, new problems about its safety and responsible handling have come up.&lt;/p&gt;

&lt;p&gt;So, let's imagine the DGA as a rulebook for how data, whether personal or non-personal, should be handled. Of course, it works alongside other rules like the GDPR. The goal is to let data move freely within the EU while keeping everything related to data sharing trustworthy and safe.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;So what does the DGA actually do?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;1. Reusing certain types of data held by public bodies in the EU&lt;/em&gt;&lt;br&gt;
 The law lets individuals and businesses reuse certain protected data held by public sector bodies (for example data covered by commercial confidentiality or intellectual property rights) for purposes such as research or new projects, under conditions that keep that data protected.&lt;br&gt;
&lt;em&gt;2. Setting up a system to notify and oversee services that help with sharing data&lt;/em&gt;&lt;br&gt;
 The DGA establishes a notification and supervision mechanism for data intermediation services, the companies that connect data holders with data users, ensuring that they follow the regulatory requirements.&lt;br&gt;
&lt;em&gt;3. Creating a way for groups collecting and using data for good causes to register voluntarily&lt;/em&gt;&lt;br&gt;
 Under the DGA, organizations that collect data for the common good (so-called data altruism organizations) can opt to register and demonstrate that they follow proper practices. Consider a neighborhood watch group gathering information on local incidents to bolster community safety: by registering and following the established rules, it affirms its commitment to using the data for constructive purposes.&lt;br&gt;
&lt;em&gt;4. Establishing a board to promote innovative uses of data in Europe&lt;/em&gt;&lt;br&gt;
 The DGA sets up the European Data Innovation Board, which encourages new and useful ways to use data for the benefit of Europe. For example, researchers might analyze healthcare data to improve medical treatments.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;But how does the DGA affect cybersecurity?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Organizations that adhere to this regulation improve their &lt;strong&gt;data management&lt;/strong&gt; by establishing robust procedures for handling information. Compliance with the DGA also pushes them to invest in &lt;strong&gt;cybersecurity tools and practices&lt;/strong&gt;, including encryption and Multi-Factor Authentication (MFA). The DGA also promotes &lt;strong&gt;educating staff&lt;/strong&gt; on responsible data practices and cybersecurity. Last but not least, companies need an &lt;strong&gt;incident response plan&lt;/strong&gt; so that cybersecurity incidents are handled effectively.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;What do companies need to comply with the law?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The DGA holds significant importance as it compels businesses to transform their approach to data management, evolving from mere protection to a more comprehensive framework. Here are some of the requirements expected from organizations and EU countries under the DGA:&lt;br&gt;
First, organizations are required to implement robust measures for the &lt;strong&gt;secure handling of data&lt;/strong&gt;. This entails enforcing strict &lt;strong&gt;access controls&lt;/strong&gt; so that only authorized individuals can access and use the data, and employing &lt;strong&gt;encryption&lt;/strong&gt; to safeguard data both in transit and at rest. More broadly, organizations must establish a comprehensive &lt;strong&gt;data governance framework&lt;/strong&gt; that sets out rules and procedures for effective data management and fosters transparency and accountability. Furthermore, organizations are expected to &lt;strong&gt;collaborate with competent bodies&lt;/strong&gt; so that the DGA's requirements are implemented consistently across the public sector. For instance, a government agency tasked with enforcing cybersecurity measures under the DGA may need to work with a cybersecurity expert organization to ensure policies are interpreted and applied correctly.&lt;/p&gt;

&lt;p&gt;To ensure the effective implementation of the plan for reusing data, each EU country must:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Select qualified individuals to spearhead the execution of this plan within their public offices.&lt;/li&gt;
&lt;li&gt;Establish a centralized platform where individuals can pose questions or submit requests for data reuse.&lt;/li&gt;
&lt;li&gt;Develop a streamlined process for handling data reuse requests within a specified timeframe following the receipt of each request.&lt;/li&gt;
&lt;/ol&gt;

&lt;blockquote&gt;
&lt;p&gt;The DGA entered into force on 23 June 2022 and is applicable since 24 September 2023.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  DATA ACT
&lt;/h2&gt;

&lt;p&gt;The DGA needs a companion. Today, the Internet of Things (IoT) revolution fuels exponential growth, with data volumes projected to skyrocket in the coming years. Considering that around 80% of industrial data is never used, partly because of trust barriers, the Data Act was the next logical step: it brings new rules for data sharing.&lt;br&gt;
The Data Act aims to boost the EU's data economy by unlocking industrial data, optimizing its accessibility and use, and fostering a competitive and reliable European cloud market. It seeks to ensure that the benefits of the digital revolution are shared by everyone.&lt;br&gt;
This regulation specifically addresses data generated by connected products. It empowers users of connected devices, from smart household appliances to intelligent industrial machines, to access the data generated through their use, data that is frequently held exclusively by manufacturers.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;What are the objectives of the Data Act?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;1. Empower Consumers and Companies using Connected Products&lt;/em&gt;&lt;br&gt;
 The primary objective is to empower individuals and businesses that use smart devices. With a smart thermostat, for instance, the Data Act aims to give you access to the data it generates and a clearer picture of how that data is used, offering greater transparency and control.&lt;br&gt;
&lt;em&gt;2. Increase Availability of Data for Commercial Use and Innovation Between Businesses&lt;/em&gt;&lt;br&gt;
 With more data accessible to businesses, they can build new products on it. For example, if a weather station collects data, the Data Act could enable a company to use that data to develop a new app tailored for farmers.&lt;br&gt;
&lt;em&gt;3. Introduce New Mechanisms for Re-use by Public Sector Bodies of Data in Exceptional Situations&lt;/em&gt;&lt;br&gt;
 The next objective is to allow public bodies to obtain data from businesses in emergencies, so that information collected for one purpose can contribute to disaster response.&lt;br&gt;
&lt;em&gt;4. Increase the Fluidity of the Cloud/Edge Market and Raise Trust in the Integrity of Cloud and Edge Services&lt;/em&gt;&lt;br&gt;
 The Data Act also covers cloud and edge services, making it easier to switch between providers and raising trust in how they handle data. For instance, if you store your photos with one cloud service, the Data Act's switching rules mean you can move them to another provider without the old one putting obstacles in your way.&lt;br&gt;
&lt;em&gt;5. Establish a Framework for Efficient Data Interoperability&lt;/em&gt;&lt;br&gt;
 The final objective is to set up a framework so that different types of data and services can work together smoothly. If you have health data in a fitness app and want to use it in another app, the Data Act can set interoperability rules that make the transfer simple and efficient.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;How can someone comply with the Data Act?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As the Data Act centers on connected products, one essential requirement is that products with an internet connection must be designed and manufactured so that users can access the data they generate easily, by default and without a formal data access request. Where direct access is not feasible, the data holder, typically the provider of the connected product or related service, must make the data available to the user promptly upon request. The next requirement concerns data holders and users, who may stop access, use or sharing where it would conflict with EU or national security rules. The final point concerns the GDPR: the Data Act does not affect rights and obligations under the GDPR, nor does it create any new legal basis for processing personal data.&lt;/p&gt;

&lt;p&gt;The Data Act also has implications for cybersecurity, since it changes how companies manage data and address security concerns. While it pushes for more data sharing, it also poses challenges, such as preventing unauthorized access, mitigating insider and malware risks, and implementing robust encryption to keep shared data secure:&lt;br&gt;
&lt;strong&gt;Increased Data Sharing&lt;/strong&gt;&lt;br&gt;
Organizations are now encouraged to share more data for various purposes, so they must also share it securely: verifying who is requesting it, disclosing only what was requested, and protecting it in transit.&lt;br&gt;
&lt;strong&gt;Data Intermediation Services&lt;/strong&gt; &lt;br&gt;
The rules for services that manage data on behalf of others, such as a provider handling data sharing for its clients, come from the DGA (see above); the Data Act builds on them by regulating the cloud and edge services that store and process that data.&lt;br&gt;
&lt;strong&gt;Competition and Security Balance&lt;/strong&gt; &lt;br&gt;
The Act aims to ensure fair competition among companies in the data market. While encouraging healthy competition, it emphasizes that the safety and security of the data must not be compromised.&lt;br&gt;
&lt;strong&gt;Standardization and Security Measures&lt;/strong&gt; &lt;br&gt;
The Act may establish standards for data sharing and interoperability, ensuring that organizations adhere to robust cybersecurity measures.&lt;br&gt;
&lt;strong&gt;Data Innovation and Security&lt;/strong&gt; &lt;br&gt;
The European Data Innovation Board, established by the DGA, also plays a role under the Data Act. While promoting new ideas is commendable, cautious consideration is essential for cybersecurity: the objective is to mitigate security risks that may emerge from experimenting with innovative approaches to data usage.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;In June 2023, the Council and the European Parliament reached a provisional agreement on the Data Act. The regulation was published in the Official Journal on 22 December 2023, enters into force on 11 January 2024 and will apply from 12 September 2025.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;And let's conclude with two quotes...&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This is a significant milestone in the journey towards a single market for data. The Data Act will optimise data use by improving data accessibility for individuals and businesses. This is very good news for our digital transformation.&lt;br&gt;
&lt;strong&gt;&lt;em&gt;Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age - 28/06/2023&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Following the adoption of the Digital Services, Digital Markets and Data Governance Acts, today’s agreement forms another milestone in our efforts to re-shape the digital space. The Data Act will ensure that industrial data is shared, stored and processed in full respect of European rules. It will create a thriving data economy that is innovative and open, but on our European conditions.&lt;br&gt;
&lt;strong&gt;&lt;em&gt;Thierry Breton, Commissioner for Internal Market - 28/06/2023&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>learning</category>
      <category>cybersecurity</category>
      <category>data</category>
      <category>regulation</category>
    </item>
  </channel>
</rss>
