We publish our first detailed study of the AI Act and the provisions of the FRIAs

Homo Digitalis publishes today its first Study on the European Regulation on Artificial Intelligence entitled “Artificial Intelligence Act: Analysis and proposals for the incorporation of the provisions on fundamental rights impact assessment in Greece”.

The authors of this first Study are our member Sophia Antonopoulou and Homo Digitalis’ Director of Human Rights & Artificial Intelligence, Lamprini Gyftokosta.

The Study is the first of a series of analyses that we will be publishing in the near future on various important provisions of the AI Regulation, which aim both to inform decision makers in Greece about important provisions of the AI Act in order to assist in its successful implementation, and to frame the public debate on AI in Greece by providing specific arguments and proposals.

The focus of the first Homo Digitalis Study is to highlight some critical issues raised by the implementation of the provisions on AI in the Fundamental Rights (FRR), from the perspective of civil society. Besides, it aims to contribute constructively to the public debate by proposing concrete solutions for an effective impact assessment process with regard to high-risk AI systems.

In summary, the main conclusions of the Study include the following concerns:

  • The exclusion from the obligation to carry out NRAs of AI systems used exclusively by private services.
  • The complete lack of sanctions for those who violate the provisions on TDRs.
  • The ambiguities and interpretative gaps regarding how to carry out an ERA, the updating of data and the re-conducting of an ERA, the risk assessment and proposed measures, the notification of the market surveillance authority and the exemptions from such notification of the market surveillance authority; and
  • The lack of transparency in the use of AI systems and the preparation of SIAs in the areas of law enforcement, migration and asylum management and border control.

It also summarises the proposals for improvement in five key points that are crucial for the effective protection of fundamental rights against any violations of AI systems:

  • It is proposed to exercise discretion under Article 99(2) and to introduce sanctions for non-compliance with the provisions on AI practices. It is further proposed that the relevant sanctions should be on the same scale as those for non-compliance with the prohibition of AI practices under Article 99(3) of the Regulation.
  • It is proposed to establish detailed governance arrangements with clear procedures for handling complaints and appeals and to ensure stakeholder participation in the Greek law that will incorporate the Regulation.
  • Amend Law 4780/2021, the provisions of which govern the functioning of the National Human Rights Commission to assume the role under Article 77 of the Regulation under certain conditions.
  • In addition to the template for conducting a NCHR, it is necessary to develop guidelines, including an extensive analysis of Recital 96,Articles 6(2), 27, 43, 46, 49 and 77 of the AI Regulation.

You can read the Homo Digitalis Study in detail here.


Drones & Artificial Intelligence at Greece’s high-tech borders

By Alexandra Karaiskou

In recent years, Greece has been investing significant funds and effort to modernize its border and migration management policy as part of the digitalization of its public sector. This modernization comes in a techno-solutionist shape and form which entails, as the term reveals, an enormous trust in technological solutions for long-standing and complex problems. In the field of border and immigration control, this includes the development, testing and deployment of advanced surveillance systems at the Greek borders, its refugee camps, and beyond to monitor unauthorized mobility, detect threats, and alert authorities for rapid intervention. While these technologies can bring noteworthy benefits, such as more coordinated and rapid responses in emergency situations that could prove critical for saving someone’s life, they also come with significant human rights risks. They can be also used to conduct more frequent and ‘effective’ pushbacks further away from the borders in more invisible and indetectable ways. Significant risks also exist for the rights to privacy, data protection, non-discrimination, and due process, which are undoubtedly among the first to be adversely impacted by the rollout of such technologies.

Although this techno-solutionist trend is not solely a Greek but a global phenomenon, its concretization in the Greek geo-political sphere, a country which manages a considerable portion of Europe’s south-east external borders, is illustrative of the future of European and Member States’ digital border and migration management policies. Technology has “become the ‘servant mistress of politics’”, as Bonditti has eloquently put it, which raises serious concerns about how these systems will be used in practice once deployed, given the systemic pushback and other non-entrée practices documented in the Aegean and Mediterranean seas. And while these technologies are being tested and deployed in a regulatory vacuum, the stakes become even higher.

REACTION: Greece’s latest border surveillance R&D project

As a country traditionally faced with important migratory and refugee inflows due to its geographical location, Greece has gained interest in research and innovation (R&D) projects developing border surveillance technologies. In the past 6 years, it has participated in more than nine EU co-funded projects as a research partner and/or a testing ground, including in the famous ROBORDER, CERETAB and AIDERS projects. In brief, these projects aim at developing various technologies, such as drones and other autonomous robotic vehicles equipped with multimodal cameras; automated early warning systems and innovative information exchange platforms; as well as algorithms (software) that can analyse real-time data and convert it into actionable information for national authorities. Their overall objective is to improve situational awareness around the borders and states’ interception capabilities and preparedness for emergency responses.

Having followed these developments closely from the outset, it came as no surprise when we saw yet another border surveillance project uploaded on the Greek Migration Ministry’s website last fall. This time it is REACTION, a project building on the findings of all the above projects, and co-funded by Greece, Cyprus, and the EU Integrated Border Management Fund. It aims at developing a next generation platform for border surveillance which can provide situational awareness at remote frontier locations as an efficient tool for rapid response to critical situations. Responding to irregular immigration, smuggling, human trafficking and, overall, transnational organised crime is described as the main driver behind the development of REACTION. The system will consist of several components, such as drones that can be used in swarm or solo formations, computer vision (via deep learning techniques), object recognition, identification and characterisation of events, early warning systems, as well as big data analytics. In simpler terms, software trained on machine learning techniques will analyse instantly the vast amounts of data collected by the drones and other sensors connected to the system and produce an alert identifying the type of incident and its coordinates. Depending on its design features, it may also offer additional tools to the authorities, such as the possibility to follow an unidentified object or person, zoom in and potentially cross-reference their distinctive features (ex. a person’s facial image) with data stored in existing databases. It is worth noting that REACTION will be interoperable with the servers of the Greek law enforcement authorities, and Reception and Identification Centres (RICs, i.e. refugee camps, analysed below), as well as EUROSUR, the EU border surveillance system operated by the EU Border and Coast Guard Agency, thereby drawing a wealth of information from various national and European sources.

Such systems come with the hope of revolutionising border management by elevating authorities’ detection and intervention capabilities to the next level. To what end, whether to save lives or let die, remains to be seen. Unfortunately, the country’s recent track record in emergency responses at the border, as evidenced by the recent shipwreck off Pylos and numerous other pushback incidents, leaves little room for optimism. Moreover, the deployment of such a tool might also undermine the right to privacy and data protection, among others, to the extent that anyone approaching the border could become a potential target of surveillance, whose sensitive biometric data could be unknowingly processed. It may still be soon to tell how this system will be implemented in the future, but the widening of power asymmetries between state authorities and vulnerable individuals along with the current state of practice paint a very alarming picture.

Hyperion & Centaur: the new surveillance systems at Greece’s refugee camps

Another area where new surveillance technologies are being piloted is Greece’s refugee camps. The Greek Ministry of Migration currently develops seven projects for the digitalisation of the asylum procedure and the camps’ management. One of them, Hyperion, which is expected to be deployed soon, will be the new management system of all the RICs, closed centres, and shelters. It will register asylum seekers’ personal data, both biographic (ex. full name, date and country of birth, nationality, etc.) and biometric (fingerprints), and will be the primary tool for controlling their entry in and exit from the camp by scanning their asylum seeker’s card and a fingerprint. It will also store information about most services provided to them, such as food, clothing, etc., and their transfers from one camp to another. In the near future, asylum seekers’ moves will be closely and continuously scrutinized by this system, as if they were inmates in high security prisons, which leads to highly intrusive practices that are difficult to justify. Besides surveillance, another objective of Hyperion is to enforce strict discipline to the state’s power: if someone, for instance, leaves the camp and does not return within the authorised time period, they could lose their access to the camp and to the rest of the services provided to them, leaving them homeless and without the most basic living conditions. Noteworthily, Hyperion will also be interoperable with an asylum seeker’s digital case file at the Asylum Service, which means that any alert in the system about a breach of the camp’s rules may have negative implications on their asylum claim. In the example above, unjustified absence from the camp could lead to the rejection of their asylum application, exposing them to the risk of detention and deportation.

In addition, Centaur is the new high-tech security management system of the camps that will automatically detect security breaches and alert the authorities. It consists of drones, optical and thermal cameras, microphones, metal detectors, and advanced motion detectors based on AI-powered behavioural analytics that monitor the internal and surrounding area of the camp. It is connected to a centralised control room in the Ministry’s headquarters in Athens and produces red flags whenever a security threat is detected, such as fights, unauthorized objects, fires, etc. From there, Ministry employees can zoom in and assess the risk, and instruct personnel on the ground on where and how to intervene. It has already been piloted at several camps and works complementarily to Hyperion by surveilling whatever move has been left unmonitored. In practice, the only places where people can enjoy some privacy is the bathrooms and to a certain extent the insides of their rooms. In the words of the 25-year-old refugee living in Samos camp: “there’s not a lot of difference between this camp and a prison”.

Although these systems have been promoted by the Greek authorities as efficient tools to ensure asylum seekers’ safety, this certainly comes at a high cost for privacy and fundamental rights. Besides their right to privacy, which is obviously seriously restricted, their right to non-discrimination or due process could be adversely affected, if the use of these systems leads to biased decisions or summary rejections of asylum applications. Moreover, their right to data protection is also severely compromised. Importantly, no Data Protection Impact Assessment seems to have been conducted, although required by the GDPR; and no regulatory framework has been adopted yet to govern the use (and potential misuse) of these systems, and mitigate these and other human rights risks. While the Ministry’s radio silence on these issues echoes loudly, we look forward to the findings of the Greek DPA’s investigation and trust them to ensure the protection of all persons’ rights in the digital era, regardless of where they are coming from.

Four steps to compliance today

Although the deadlines are further down the line, affected organizations do not have to sit and wait. Time (and money) is precious when preparing to achieve compliance with the NIS2 and DORA requirements. Organizations must assess and identify actions they can take to prepare for the new rules.

The following recommendations are a good starting point:

Governance and risk management: Understand the new requirements and evaluate the current governance and risk management processes. Additionally, consider increasing funding for programs that help detect threats and incidents and strengthening enterprise-wide cybersecurity awareness training initiatives.

Incident reporting: Evaluate the maturity of incident management and reporting to understand current state capabilities and gauge awareness of the various cybersecurity incident reporting standards relevant to your industry. You should also check your ability to recognize near-miss situations.

Resilience testing: Recognize the talents needed to design and carry out resilience testing, including board member training sessions on the techniques used and their implications for repair.


The Hellenic Data Protection Authority is investigating the Greek Coast Guard for its social media monitoring software following Homo Digitalis request

In February 2022, the organizations Homo Digitalis, Privacy International, Hellenic League for Human Rights, and HIAS Greece, together with researcher Phoebus Simeonidis, had submitted a request to the President of the Hellenic Data Protection Authority (HPA) for the Authority to exercise its investigative powers regarding the supply of social media monitoring software and messaging application by the Coast Guard (more here).

Now, the DPA has officially informed us that it has long since launched the relevant investigative actions, has collected evidence from the Coast Guard Headquarters and is examining it in order to complete its assessment.

We recall that, as it appears from the DIAYGEIA portal already from the summer of 2022 the companies “BYTE S.A. – GRIVAS S.A.” have probably undertaken the delivery of the relevant project.

This is of course another important success for Civil Society organizations in Greece!

We would like to thank the scientific staff of the Hellenic Civil Society Foundation, which despite the challenges it faces with its intense workload and reduced financial and human resources, manages to continue its difficult mission.


The Challenge of Complying with New EU Legislative Security Requirements

Γράφουν οι Αναστάσιος Αραμπατζής και Λευτέρης Χελιουδάκης

Τα τελευταία χρόνια, ο αριθμός των πρωτοβουλιών ψηφιακής πολιτικής σε επίπεδο ΕΕ έχει διευρυνθεί. Έχουν ήδη υιοθετηθεί πολλές νομοθετικές προτάσεις που καλύπτουν τις τεχνολογίες πληροφοριών και επικοινωνιών (ΤΠΕ) και επηρεάζουν τα δικαιώματα και τις ελευθερίες των ανθρώπων στην ΕΕ, ενώ άλλες παραμένουν υπό διαπραγμάτευση. Οι περισσότερες από αυτές τις νομοθετικές πράξεις είναι καίριας σημασίας και αφορούν ένα ευρύ φάσμα πολύπλοκων θεμάτων, όπως η τεχνητή νοημοσύνη, η διακυβέρνηση δεδομένων, η προστασία της ιδιωτικής ζωής και η ελευθερία της έκφρασης στο διαδίκτυο, η πρόσβαση των αρχών επιβολής του νόμου σε ψηφιακά δεδομένα, η ηλεκτρονική υγεία και η κυβερνοασφάλεια.

Οι φορείς της κοινωνίας των πολιτών χρειάζονται συχνά βοήθεια για να παρακολουθήσουν αυτές τις πολιτικές πρωτοβουλίες της ΕΕ, ενώ οι επιχειρήσεις αντιμετωπίζουν σοβαρές προκλήσεις στην κατανόηση της πολύπλοκης νομικής γλώσσας των νομοθετικών απαιτήσεων. Το παρόν άρθρο αποσκοπεί στην ευαισθητοποίηση σχετικά με δύο πρόσφατα εκδοθείσες νομοθεσίες της ΕΕ για την ασφάλεια στον κυβερνοχώρο, και συγκεκριμένα την Πράξη για την Ψηφιακή Επιχειρησιακή Ανθεκτικότητα (DORA) και την αναθεωρημένη έκδοση της Οδηγίας για την Ασφάλεια Δικτύων και Πληροφοριών (NIS2).

NIS2

Η NIS2 αποτελεί την αναγκαία απάντηση στο διευρυμένο τοπίο που απειλεί τις κρίσιμες ευρωπαϊκές υποδομές.

Η αρχική έκδοση της Oδηγίας εισήγαγε διάφορες υποχρεώσεις για την εθνική εποπτεία των φορέων εκμετάλλευσης βασικών υπηρεσιών (ΦΕΒΥ) και των παρόχων ψηφιακών υπηρεσιών (ΠΨΥ). Για παράδειγμα, τα κράτη μέλη της ΕΕ πρέπει να εποπτεύουν το επίπεδο κυβερνοασφάλειας των φορέων εκμετάλλευσης σε κρίσιμους τομείς, όπως η ενέργεια, οι μεταφορές, το νερό, η υγειονομική περίθαλψη, οι ψηφιακές υποδομές, οι τράπεζες και οι υποδομές της χρηματοπιστωτικής αγοράς. Επιπλέον, τα κράτη μέλη πρέπει να εποπτεύουν τους παρόχους κρίσιμων ψηφιακών υπηρεσιών, συμπεριλαμβανομένων των διαδικτυακών αγορών, των υπηρεσιών υπολογιστικού νέφους και των μηχανών αναζήτησης.

Για το λόγο αυτό, τα κράτη μέλη της ΕΕ έπρεπε να δημιουργήσουν αρμόδιες εθνικές αρχές που θα είναι επιφορτισμένες με αυτά τα εποπτικά καθήκοντα. Επιπλέον, η NIS εισήγαγε διαύλους για τη διασυνοριακή συνεργασία και ανταλλαγή πληροφοριών μεταξύ των κρατών μελών της ΕΕ.

Ωστόσο, η ψηφιοποίηση των υπηρεσιών και το αυξημένο επίπεδο των κυβερνοεπιθέσεων σε ολόκληρη την ΕΕ οδήγησαν την Ευρωπαϊκή Επιτροπή το 2020 να προτείνει μια αναθεωρημένη έκδοση της NIS, δηλαδή τη NIS2. Η νέα οδηγία τέθηκε σε ισχύ στις 16 Ιανουαρίου 2023 και τα κράτη μέλη έχουν πλέον 21 μήνες, έως τις 17 Οκτωβρίου 2024, για να μεταφέρουν τα μέτρα της στο εθνικό τους δίκαιο.

Οι νέες διατάξεις έχουν διευρύνει το πεδίο εφαρμογής της NIS με σκοπό την ενίσχυση των απαιτήσεων ασφαλείας που επιβάλλονται στα κράτη μέλη της ΕΕ, τον εξορθολογισμό των υποχρεώσεων αναφοράς περιστατικών ασφαλείας και τη θέσπιση ισχυρότερων εποπτικών μέτρων και αυστηρότερων απαιτήσεων τήρησης της νομοθεσίας, όπως για παράδειγμα ένα εναρμονισμένο καθεστώς κυρώσεων για όλα τα κράτη μέλη της ΕΕ.

Η NIS2 εισάγει τα ακόλουθα στοιχεία:

  • Διευρυμένη εφαρμογή: Η NIS2 αυξάνει τον αριθμό των τομέων που καλύπτουν οι διατάξεις της, συμπεριλαμβανομένων των ταχυδρομικών υπηρεσιών, των κατασκευαστών αυτοκινήτων, των πλατφορμών των μέσων κοινωνικής δικτύωσης, της διαχείρισης αποβλήτων, της παραγωγής χημικών προϊόντων και αγροτικών προϊόντων διατροφής. Οι νέοι κανόνες ταξινομούν τις οντότητες σε “βασικές οντότητες” και “σημαντικές οντότητες” και ισχύουν για τους υπεργολάβους και τους παρόχους υπηρεσιών που δραστηριοποιούνται στους καλυπτόμενους τομείς.
  • Αυξημένη ετοιμότητα για τις παγκόσμιες απειλές στον κυβερνοχώρο: Η NIS2 επιδιώκει να ενισχύσει τη συλλογική επίγνωση της κατάστασης μεταξύ των βασικών οντοτήτων για τον εντοπισμό και την κοινοποίηση σχετικών απειλών πριν αυτές επεκταθούν σε όλα τα κράτη μέλη. Για παράδειγμα, το δίκτυο EU-CyCLONe θα βοηθήσει στον συντονισμό και τη διαχείριση περιστατικών μεγάλης κλίμακας, ενώ θα δημιουργηθεί ένας εθελοντικός μηχανισμός αμοιβαίας μάθησης για την ενίσχυση της ευαισθητοποίησης.
  • Εξορθολογισμένα πρότυπα ανθεκτικότητας με αυστηρότερες κυρώσεις. Σε αντίθεση με τη NIS, η NIS2 προβλέπει υψηλότατες κυρώσεις και ισχυρά μέτρα ασφαλείας. Για παράδειγμα, οι παραβάσεις της νομοθεσίας από βασικές οντότητες θα υπόκεινται σε διοικητικά πρόστιμα μέγιστου ύψους τουλάχιστον 10 εκατ. ευρώ ή 2% του συνολικού παγκόσμιου ετήσιου κύκλου εργασιών τους, ενώ οι σημαντικές οντότητες θα υπόκεινται σε πρόστιμα μέγιστου ύψους τουλάχιστον 7 εκατ. ευρώ ή 1,4 % του συνολικού παγκόσμιου ετήσιου κύκλου εργασιών τους.
  • Εξορθολογισμένες διαδικασίες αναφορών. Η NIS2 εξορθολογίζει τις υποχρεώσεις υποβολής αναφορών ώστε να αποφευχθεί η πρόκληση υπερβολικής υποβολής και η δημιουργία υπερβολικού φόρτου για τις καλυπτόμενες οντότητες.
  • Διευρυμένο εδαφικό πεδίο εφαρμογής: Σύμφωνα με τους νέους κανόνες, συγκεκριμένες κατηγορίες οντοτήτων που δεν είναι εγκατεστημένες στην Ευρωπαϊκή Ένωση αλλά προσφέρουν υπηρεσίες εντός αυτής θα υποχρεούνται να ορίζουν αντιπρόσωπο στην ΕΕ.

DORA

Η πράξη για τη Ψηφιακή Επιχειρησιακή Ανθεκτικότητα (DORA) αντιμετωπίζει ένα θεμελιώδες πρόβλημα στο χρηματοπιστωτικό οικοσύστημα της ΕΕ: πώς ο τομέας μπορεί να παραμείνει ανθεκτικός κατά τη διάρκεια σοβαρών επιχειρησιακών διαταραχών. Πριν από την DORA, τα χρηματοπιστωτικά ιδρύματα χρησιμοποιούσαν την κατανομή κεφαλαίου για τη διαχείριση των σημαντικών κατηγοριών λειτουργικού κινδύνου. Ωστόσο, πρέπει να αντιμετωπίσουν καλύτερα τις προκλήσεις που ανακύπτουν για την ενίσχυση της κυβερνοσφασάλειας τους και να ενσωματώσουν πρακτικές που θα ενισχύσουν την ανθεκτικότητα τους έναντι ενός εξελισσόμενου τοπίου απειλών στο ευρύτερο επιχειρησιακό πλαίσιο τους.

Το δελτίο τύπου του Ευρωπαϊκού Συμβουλίου παρέχει μια περιεκτική δήλωση του σκοπού της Πράξης για την ψηφιακή επιχειρησιακή ανθεκτικότητα:

«Η πράξη DORA καθορίζει ενιαίες απαιτήσεις για την ασφάλεια των συστημάτων δικτύου και πληροφοριών των εταιρειών και οργανισμών που δραστηριοποιούνται στον χρηματοπιστωτικό τομέα, καθώς και των κρίσιμων τρίτων παρόχων υπηρεσιών ΤΠΕ (τεχνολογίες πληροφοριών και επικοινωνιών), όπως πλατφόρμες υπολογιστικού νέφους ή υπηρεσίες ανάλυσης δεδομένων».

Με άλλα λόγια, η DORA δημιουργεί ένα ομοιογενές κανονιστικό πλαίσιο για την ψηφιακή επιχειρησιακή ανθεκτικότητα, ώστε να διασφαλιστεί ότι όλες οι χρηματοπιστωτικές οντότητες μπορούν να προλαμβάνουν και να μετριάζουν τις απειλές στον κυβερνοχώρο.

Σύμφωνα με το άρθρο 2 του κανονισμού, η DORA εφαρμόζεται σε χρηματοπιστωτικές οντότητες, συμπεριλαμβανομένων τραπεζών, ασφαλιστικών επιχειρήσεων, επιχειρήσεων επενδύσεων και παρόχων υπηρεσιών κρυπτοστοιχείων. Ο κανονισμός καλύπτει επίσης κρίσιμα τρίτα μέρη που προσφέρουν σε χρηματοπιστωτικές εταιρείες υπηρεσίες ΤΠΕ και κυβερνοασφάλειας.

Επειδή η DORA είναι κανονισμός και όχι οδηγία, είναι εκτελεστή και ισχύει άμεσα σε όλα τα κράτη μέλη της ΕΕ από την ημερομηνία εφαρμογή της. H DORA συμπληρώνει την Oδηγία NIS2 και αντιμετωπίζει πιθανές επικαλύψεις ως ειδικό δίκαιο (“lex specialis”).

Η συμμόρφωση με τη DORA αναλύεται σε πέντε πυλώνες που καλύπτουν ποικίλες πτυχές της πληροφορικής και της κυβερνοασφάλειας, παρέχοντας στις χρηματοπιστωτικές επιχειρήσεις μια εμπεριστατωμένη βάση για την ψηφιακή ανθεκτικότητα.

  • Διαχείριση κινδύνων ΤΠΕ: Οι διαδικασίες εσωτερικής διακυβέρνησης και ελέγχου διασφαλίζουν την αποτελεσματική και συνετή διαχείριση κινδύνων ΤΠΕ.
  • Διαχείριση, ταξινόμηση και αναφορά περιστατικών που σχετίζονται με τις ΤΠΕ: Ανίχνευση, διαχείριση και προειδοποίηση περιστατικών που σχετίζονται με ΤΠΕ, με τον καθορισμό, την καθιέρωση και την εφαρμογή μιας διαδικασίας αντιμετώπισης και διαχείρισης περιστατικών κυβερνοασφάλειας.
  • Έλεγχος ψηφιακής επιχειρησιακής ανθεκτικότητας: Αξιολόγηση της ετοιμότητας για τη διαχείριση περιστατικών κυβερνοασφάλειας, εντοπισμός ατελειών, ελλείψεων και κενών στην ψηφιακή επιχειρησιακή ανθεκτικότητα και ταχεία εφαρμογή διορθωτικών μέτρων.
  • Διαχείριση του κινδύνου ΤΠΕ από τρίτους: Πρόκειται για αναπόσπαστο στοιχείο του κινδύνου κυβερνοασφάλειας εντός του πλαισίου διαχείρισης κινδύνου ΤΠΕ.
  • Ανταλλαγή πληροφοριών: Ανταλλαγή πληροφοριών σχετικά με απειλές στον κυβερνοχώρο, συμπεριλαμβανομένων δεικτών συμβιβασμού, τακτικών, τεχνικών και διαδικασιών (TTP) και ειδοποιήσεων για την κυβερνοασφάλεια, για την ενίσχυση της ανθεκτικότητας των χρηματοπιστωτικών οντοτήτων.

Σύμφωνα με το άρθρο 64, ο κανονισμός τέθηκε σε ισχύ στις 17 Ιανουαρίου 2023 και εφαρμόζεται από τις 17 Ιανουαρίου 2025. Είναι επίσης σημαντικό να σημειωθεί ότι το άρθρο 58 ορίζει ότι έως τις 17 Ιανουαρίου 2026, η Ευρωπαϊκή Επιτροπή θα επανεξετάσει “την καταλληλότητα των ενισχυμένων απαιτήσεων για τους νόμιμους ελεγκτές και τα ελεγκτικά γραφεία όσον αφορά την ψηφιακή επιχειρησιακή ανθεκτικότητα”.

Τέσσερα βήματα για τη συμμόρφωση σήμερα

Παρόλο που οι προθεσμίες είναι πιο μακριά, οι επηρεαζόμενοι οργανισμοί δεν χρειάζεται να κάθονται και να περιμένουν. Ο χρόνος (και το χρήμα) είναι πολύτιμος όταν προετοιμάζεστε για την συμμόρφωση με τις απαιτήσεις των NIS2 και DORA. Οι οργανισμοί πρέπει να αξιολογήσουν και να προσδιορίσουν τις ενέργειες που μπορούν να προβούν για να προετοιμαστούν για τους νέους κανόνες.

Οι ακόλουθες συστάσεις αποτελούν ένα καλό σημείο εκκίνησης:

  • Διακυβέρνηση και διαχείριση κινδύνων: Κατανοήστε τις νέες απαιτήσεις και αξιολογήστε τις τρέχουσες διαδικασίες διακυβέρνησης και διαχείρισης κινδύνων. Επιπλέον, εξετάστε το ενδεχόμενο να αυξήσετε τη χρηματοδότηση για προγράμματα που βοηθούν στον εντοπισμό απειλών και περιστατικών κυβερνοεπιθέσεων και να ενισχύσετε τις πρωτοβουλίες εκπαίδευσης για την ευαισθητοποίηση σε θέματα κυβερνοασφάλειας σε επίπεδο επιχείρησης.
  • Αναφορά περιστατικών: Αξιολογήστε την ωριμότητα της διαχείρισης συμβάντων και της υποβολής εκθέσεων για να κατανοήσετε τις τρέχουσες δυνατότητες και να μετρήσετε την ευαισθητοποίηση σχετικά με τα διάφορα πρότυπα υποβολής εκθέσεων συμβάντων κυβερνοασφάλειας που αφορούν τον κλάδο σας. Θα πρέπει επίσης να ελέγξετε την ικανότητά σας να αναγνωρίζετε καταστάσεις ατυχημάτων που αποφεύγονται την τελευταία στιγμή.
  • Δοκιμή ανθεκτικότητας: Αναγνώριση των ταλέντων που απαιτούνται για το σχεδιασμό και τη διεξαγωγή δοκιμών ανθεκτικότητας, συμπεριλαμβανομένων εκπαιδευτικών συνεδρίων για τα μέλη του διοικητικού συμβουλίου σχετικά με τις τεχνικές που χρησιμοποιούνται και τις επιπτώσεις τους.
  • Διαχείριση κινδύνων από τρίτους: Για να βοηθήσετε στη δημιουργία ενός σχεδίου περιορισμού των κινδύνων, επικεντρωθείτε στην ενίσχυση της χαρτογράφησης των συμβάσεων και στην αξιολόγηση των τρωτών σημείων τρίτων μερών. Αναγνωρίστε τις υπηρεσίες που είναι απαραίτητες για τη φιλοξενία θεμελιωδών επιχειρηματικών διαδικασιών. Ελέγξτε αν έχει εφαρμοστεί μια αρχιτεκτονική ανοχής σε σφάλματα για να μειωθούν οι επιπτώσεις της διακοπής λειτουργίας κρίσιμων παρόχων.

Το άρθρο αυτό εκπονήθηκε στο πλαίσιο του έργου “Increasing Civic Engagement in the Digital Agenda — ICEDA” με την υποστήριξη της Ευρωπαϊκής Ένωσης και του South East Europe (SEE) Digital Rights Network. Το περιεχόμενο αυτού του άρθρου δεν θα πρέπει να θεωρείται ότι αποτελεί επίσημη θέση της Ευρωπαϊκής Ένωσης ή του SEΕ.

Photo by FLY:D on Unsplash


Raising Awareness Is Critical for Privacy and Data Protection

By Anastasios Arampatzis

Many believe cybersecurity and privacy are about emerging technologies, processes, hackers, and laws. Partially this is true. Technology is pervasive and has changed drastically how we live, work and communicate. High-profile data breaches make the news headlines more frequently than not, and businesses are fined enormous penalties for breaking security and privacy laws.

However, they must remember the most important pillar of data protection and privacy; the human element. Hymans create and use technology, and it is humans who even develop the regulations that govern a respectful and ethical use of technology. What is more, humans mostly feel the impact of data breaches. The human element is also responsible for the majority of data breaches. The Verizon Data Breach Investigations Report highlights that humans are responsible for 82% of successful data breaches.

If this percentage seems high, imagine that many security professionals argue that it is instead closer to 100%. Flawed applications, for example, are the artifact of humans. People manufacture insecure Internet of Things (IoT) devices. And it is humans that choose weak passwords or reuse passwords across multiple applications and platforms.

This is not to imply that we should accuse people of being “the weakest link” in cybersecurity and privacy. On the contrary, these thoughts underline the importance of individuals in preserving a solid security and privacy posture. This demonstrates how essential it is to create a security and privacy culture. Raising awareness about threats and best practices becomes the foundation of a safer digital future.

Data Threats Awareness

Our data is collected daily — your computer, smartphone, and almost every internet-connected device gather data. When you download a new app, create a new account, or join a new social media platform, you will often be asked to provide access to your personal information before you can even use it! This data might include your geographic location, contacts, and photos.

For these businesses, this personal information about you is of tremendous value. Companies use this data to understand their prospects better and launch targeted marketing campaigns. When used properly, the data helps companies better understand the needs of their customers. It serves as the basis for personalization, improving customer service, and creating customer value. They help to understand what works and what doesn’t. They also form the basis for automated and repeatable marketing processes that help companies evolve their operations.

In an article from May 2017, The Economist defined the data industry as the new oil industry. According to LSE Business Review, advertisements accounted for 92% of Facebook’s revenue and above 90% of Google’s revenue. This revenue is equal to approximately 60 billion $.

This is the point where things derail. Businesses store personal data indefinably. They use data to make inferences about your socioeconomic status, demographic information, and preferences. The Cambridge Analytica scandal was a great manifestation of how companies can manipulate our beliefs based on the psychographic profiles created by harvesting vast amounts of “innocent” personal data. Companies do not always use your data to your interest or according to your consent. Google, Apple, Facebook, Amazon, and Microsoft generate value by exploiting them, selling them (for example, via a data broker), or exchanging them for other data.

Besides the threats originating from the misuse of our data by legitimate businesses, there is always the danger coming from malicious actors who actively seek to spot gaps in data protection measures. The same Verizon report indicates that personal data are the target in 76% of data breach incidents. The truth is that data is valuable to criminals as well.

According to Keeper Security, criminals sell your stolen data in the dark web market, doing a profitable business. A Spotify account costs $2.75, a Netflix account up to $3.00, a driver’s license $20.00, a credit card up to $22.00, and a complete medical record $1.000! Now multiply these prices per unit by the million records compromised yearly, and you have a sense of the booming cybercrime economy.

Privacy Best Practices Awareness

If this reality is sending chills down your spine, don’t fret! You can take steps to control how your data is shared. You can’t lock down all your data — even if you stop using the internet, credit card companies and banks record your purchases. But you can take simple steps to manage it and take more control of whom you share it with.

First, it is best to understand the tradeoff between privacy and convenience. Consider what you get in return for handing over your data, even if the service is free. You can make informed decisions about sharing your data with businesses or services. Here are a few considerations:

-Is the service, app, or game worth your personal data?

-Can you control your privacy and still use the service?

-Is the data requested relevant to the app or service?

-If you last used an app several months ago, is it worth keeping it, knowing that it might be collecting and sharing your data?

You can adjust the privacy settings to your comfort level based on these considerations. Check the privacy and security settings for every app, account, or device. These should be easy to find in the Settings section and usually require a few minutes to change. Set them to your comfort level for personal information sharing; generally, it’s wise to lean on sharing less data, not more. You don’t have to adjust the privacy settings for every account at once; start with some apps, which will become a habit over time.

Another helpful habit is to clear your cookies. We’ve all clicked “accept cookies” and have yet to learn what it means. Regularly clearing cookies from your browser will remove certain information placed on your device, often for advertising purposes. However, cookies can pose a security risk, as hackers can easily hijack these files.

Finally, you can try privacy-protecting browsers. Looking after your online privacy can feel complicated, but specific internet browsers make the task easier. Many browsers depreciate third-party cookies and have strong privacy settings by default. Changing browsers is simple but can be very effective for protecting your privacy.

Data Protection Best Practices Awareness

Data privacy and data protection are closely related. Besides managing your data privacy settings, follow some simple cybersecurity tips to keep it safe. The following four steps are fundamental for creating a solid data protection posture.

-Create long (at least 12 characters) unique passwords for each account and device. Use a password manager to store all your passwords. Maintaining dozens of passwords securely is easier than ever, and you only need to remember one password.

-Turn on multifactor authentication (MFA) wherever permitted, even on apps that are about football or music. MFA can help prevent a data breach even if your password is compromised.

-Do not deactivate the automatic updates that come as a default with many software and apps. If you choose to do it manually, make sure you install these updates as soon as they are available.

-Do not click on links or attachments included in phishing messages. You can learn how to spot these emails or SMS by looking closely at the content and the sender’s address. If they promote urgency and fear or seem too good to be true, they are probably trying to trick you. Better safe than sorry.

This article was prepared as part of the project “Increasing Civic Engagement in the Digital Agenda — ICEDA” with the support of the European Union and South East Europe (SEE) Digital Rights Network. The content of this article in no way reflects the views of the European Union or the SEE Digital Rights Network.


We open our first vacancies

Following the successful application of its Board of Directors, Homo Digitalis is one of the 14 organisations that the European AI Fund has chosen to support with funding!

We are very, very happy about this huge success, as the application process and its two stages took more than 4 months with more than 140 organisations from all over Europe having applied.

You can find out more information specifically about Homo Digitalis funding here, and more information about the European AI Fund can be found here.

Homo Digitalis since its inception in 2018 and until today has been working out its activities on a voluntary basis. It is now transitioning to a new era in which it seeks to become an organisation with full and part-time staff that will reinforce its strategic and leading role, always in collaboration with its strong network of volunteers.

As part of this funding, Homo Digitalis today announces two open calls for the positions of “Manager in AI & Human Rights” and “Fundraising Manager / Charity Expert”. You can find all the information about these positions, as well as the deadlines for expressing interest, in the links below.

Manager in AI & Human Rights
Fundraising Manager / Charity Expert


Submission of Comments to the Draft Law on the procedure for lifting confidentiality of communications

Today, Homo Digitalis’ Legal & Policy Team submitted its comments in the context of the Ministry of Justice’s open consultation on the draft law entitled “Procedure for the lifting of the confidentiality of communications, cybersecurity and protection of citizens’ personal data”

Homo Digitalis welcomes the submission of the present draft of the Draft Law on the Protection of Privacy and Security of Personal Data. Law to regulate the procedure for lifting the confidentiality of communications, including the restructuring of the National Intelligence Service (NIS) and the criminalization of the trade, possession and use of prohibited surveillance software in Chapters B to E of the old draft law. The issues of lifting the confidentiality of communications need clarification to ensure the validity of the procedure and to guarantee the constitutionally guaranteed right to confidentiality of communications (see Article 19 of the Constitution). Although the Bill presents a limited number of positive elements, it is rife with a number of problematic provisions, which we highlight in our comments, and the institutional omission of the inclusion of the DPAA in the legislative process poses significant challenges. Homo Digitalis urges the Ministry of Justice to take seriously the relevant comments of the DPAA on the provisions of this Sect. Law, as posted on its website and in this public consultation. Homo Digitalis drafts these comments in their entirety.

Homo Digitalis also welcomes the amendment of the national regulations for the transposition of Directive 2016/680 in Law 4624/2019 in Chapter F of this Law, which is a consequence of the submission of a relevant complaint before the European Commission by Homo Digitalis in October 2019, and the relevant consultations initiated by the Commission with the Greek State. This revision, although after the expiry of the compliance date set by the European Commission for the Greek State (June 2022), ensures compliance with European Law and safeguards the constitutionally guaranteed right to the protection of personal data (see Article 9A of the Constitution).

You can read all our comments in detail on the Public Consultation website or here.


We bring The Glass Room exhibition to Greece

“The Glass Room Misinformation Edition” exhibition is coming to Greece on 21-27 November at the National Library of Greece to help us acquire a more critical thinking towards technology and its different aspects, to get to know better the devices we use every day, but also to discover what information we share online and with whom.

What happens when we increasingly rely on social media to seek information?
How do we recognise that the information we receive is real?
What data does social media and other applications know about us?
Who has access to this data and how can they use it?
How do we protect our security and privacy?
How does the technology industry and the business models behind it influence our decisions?
In a simple and interactive way we learn how to take back control of our data to protect our privacy and security. The exhibits help us better understand our relationship with technology, critically evaluate the information we share daily through the devices we use, and become more familiar with our apps and devices.

The Glassroom exhibition has travelled to 61 countries around the world, counting 471 award-winning events and more than 350,000 visitors worldwide.

The Glassroom Misinformation Edition

21-27 November

Daily 09.00 – 20.00
National Library of Greece, ground floor
(Stavros Niarchos Foundation Cultural Centre, 364 Sygrou Avenue)
Entrance: completely free
More information about the exhibition.

Created by Tactical Tech
Organized in Greece by Digital Detox Experience , Homo DigitalisOpenLab Athens
Hosted by: National Library of Greece.


Homo Digitalis meets members of the European Parliament in Athens

Konstantinos Kakavoulis and Alexandra Karaiskou represented Homo Digitalis in a meeting with a delegation of Members of the European Parliament visiting Greece.

Together with the MEPs and other civil society partners, we discussed issues related to the use of intrusive technologies in the fields of policing and border security, while we also developed arguments regarding the provisions of the proposed AI Act and the relevant interventions needed to properly regulate the challenges that arise.