It seems like the summary of this article is: No
Encryption is mandated for data at rest and data in transit. There is a provision for encryption of data in use when homomorphic encryption becomes feasible, but the loophole referenced in the title is that it is not required now.
Also the article just fucking goes on before getting to that point.
Although I suppose if the author didn’t attempt to prove a negative there’d be no reason for the blog post to exist.
I don't like laws that state how something must be done. They stifle innovation.
If you require encryption, companies will put in place the legally mandated encryption yet still not bother with other elements of data security. Your data is only as secure as the weakest link.
Instead make a financial penalty for the loss of user data. If companies are losing data too often, make the penalty bigger. Penalty so big that many companies claim bankruptcy instead of paying it? Require they take out insurance or a bond.
Same with e.g. electrical codes.
Don't specify exactly how things must be wired. Instead just have a massive fine for the electrician when someone's house burns down, and require them to take insurance to pay said fine. The insurers will then take care of making sure the people they insure are doing a decent job, and insurers will research ways to make things safer to reduce their exposure and as a competitive advantage.
Said fines/insurance don't act as a drag on the economy, because they effectively are a tax on doing dangerous stuff, and other taxes can be reduced in tandem.
What is an encryption loophole?
Answer: word mumbo jumbo to get clicks.
This article makes repeated references to RTSs while forgetting to mention the absolute most important caveat. RTSs are not law. They're selectively delegated to in the law, but they are themselves not enforceable. What that means in practice is that ANY reference to an RTS MUST include an analysis of whether the recommendation is mandated by the actual law (in this case DORA).
This is absolutely critical to understand for anyone dealing with these laws. The RTSs are allowed, and expected, to include provisions that are not enforceable because they fall outside the mandate delegated from the sponsoring law.
This is a very dangerous take - while at this point in time the RTS have not yet been formally adopted by all the relevant bodies, they will be, at which point they will be enforceable.
I work in banking. This was the take of a lawyer from my local (national) enforcement body in Denmark (Finanstilsynet). They can't make direct recommendations, because the specific judgement about what is delegated to each RTS is itself delegated to EU courts.
That didn't stop them from giving me their opinion, which was that certain parts of certain RTSs fell well outside the delegated responsibility and would therefore never be enforceable, no matter whether it was adopted, because the RTS was never delegated the power to define what it decided to define.
This doesn't mean that you should ignore the RTS, but you need to remember what is law and what isn't. RTSs are never enforceable; they are only technical definitions which you use to enforce the actual law.
This is an ad blog post by a compliance company. Somewhat surprisingly it does not spread typical techbro anti-EU FUD, though.
Betteridge's law applies:
> "Any headline that ends in a question mark can be answered by the word no."