Did DORA's last update create an encryption loophole?

(evervault.com)

12 points | by chickie2 5 days ago

9 comments

  • spauka 2 hours ago

    It seems like the summary of this article is: No

    Encryption is mandated for data at rest and data in transit. There is a provision for encryption of data in use when homomorphic encryption becomes feasible, but the loophole referenced in the title is that it is not required now.

    • taspeotis 2 hours ago

      Also the article just fucking goes on before getting to that point.

      Although I suppose if the author didn’t attempt to prove a negative there’d be no reason for the blog post to exist.

  • londons_explore 27 minutes ago

    I don't like laws that state how something must be done. They stifle innovation.

    If you require encryption, companies will put in place the legally mandated encryption yet still not bother with other elements of data security. Your data is only as secure as the weakest link.

    Instead make a financial penalty for the loss of user data. If companies are losing data too often, make the penalty bigger. Penalty so big that many companies claim bankruptcy instead of paying it? Require they take out insurance or a bond.

    • londons_explore 25 minutes ago

      Same with eg. electrical codes.

      Don't specify exactly how things must be wired. Instead just have a massive fine for the electrician when someone's house burns down, and require them to take out insurance to pay said fine. The insurers will then take care of making sure the people they insure are doing a decent job, and insurers will research ways to make things safer to reduce their exposure and as a competitive advantage.

      Said fines/insurance don't act as a drag on the economy, because they effectively are a tax on doing dangerous stuff, and other taxes can be reduced in tandem.

  • tedk-42 2 hours ago

    What is an encryption loophole?

    Answer: word mumbo jumbo to get clicks.

  • supakeen 2 hours ago

    Betteridge's law applies:

    > "Any headline that ends in a question mark can be answered by the word no."

  • anilakar an hour ago

    This is an ad blog post by a compliance company. Somewhat surprisingly it does not spread typical techbro anti-EU FUD, though.

  • delusional 2 hours ago

    This article makes repeated references to RTS's while forgetting to mention the absolute most important caveat. RTS's are not law. They're selectively delegated to in the law, but they are themselves not enforceable. What that means in practice is that ANY reference to an RTS MUST include an analysis of whether the recommendation is mandated by the actual law (in this case DORA).

    This is absolutely critical to understand for anyone dealing with these laws. The RTS's are allowed, and expected, to include provisions that are not enforceable because they fall outside the mandate delegated from the sponsoring law.

    • uselpa an hour ago

      This is a very dangerous take - while at this point in time the RTS have not yet been formally adopted by all the relevant bodies, they will be, at which point they will be enforceable.