- Right to rectification, erasure, restriction, and portability (Arts. 16,
17, 18 and 20): data can be corrected, deleted, limited, or transferred to
another controller.
- Right to be forgotten (Art. 17): an extended erasure right; includes
informing other controllers that copies and links must be deleted
(Art. 17(2)) - e.g., in machine unlearning.
- Right to object (Art. 21): especially strong in cases of direct marketing
- no reason needed.
The Article 29 Working Party has become the European Data Protection
Board (EDPB). Each Member State has its own national supervisory
authority, like the Italian Garante, with cooperation ensured through the
one-stop-shop mechanism.
Their roles include:
- Monitoring and supervision.
- Advisory and investigative tasks.
- Handling complaints.
- Corrective powers like warnings and fines.
If the GDPR is infringed, Data Protection Authorities (DPAs) can impose
administrative fines. These must be effective, proportionate and
dissuasive (Art. 83).
There are two groups of fines:
- First group: up to €10 million, or 2% of total worldwide annual turnover
- whichever is higher.
- Second group (more serious infringements, e.g. of the basic principles of
processing or of data subjects' rights): up to €20 million, or 4% of total
worldwide annual turnover - again, whichever is higher.
11° Lecture: 29/10/2025
Before DORA, every EU country had its own rules and it was a true "chaos
of compliance", full of regulatory gaps and inconsistencies that left the
financial sector exposed.
In response, the EU adopted DORA - the Digital Operational Resilience
Act (Regulation (EU) 2022/2554) - which entered into force in January
2023 and became fully applicable from January 17th, 2025.
DORA introduces:
- Uniform standards.
- Strong governance.
- Mandatory controls to protect the EU financial ecosystem.
Financial institutions must be able to:
- Withstand digital disruption (like cyberattacks or outages).
- Respond rapidly to incidents.
- Recover operations within predefined timelines.
It applies to a wide range of actors:
- Banks, payment providers, insurance, investment firms.
- ICT third-party providers, including cloud and cybersecurity
vendors.
Sanctions for non-compliance, enforced by national and EU authorities,
include:
- Fines up to €10 million or 2% of global turnover.
- Suspension or restriction of ICT services.
- Personal liability for executives and board members.
DORA is built on 3 pillars:
1. Governance
- The CISO (Chief Information Security Officer) becomes a central figure:
i. Reports directly to the Board.
ii. Has a guaranteed budget and veto power.
iii. Legal protection to enforce security independently.
- The CISO must document:
i. Risk Register, Security Policies, Digital Asset Inventory.
ii. Business Continuity Plan, and monthly Board Reports.
2. Risk Management
- Institutions must implement a comprehensive ICT Risk
Framework.
- This includes:
• 24/7 SIEM monitoring.
• EDR tools everywhere.
• Threat intelligence.
• Penetration testing.
• Third-party risk management.
• A clear incident response plan.
3. Incident Reporting
• Mandatory reporting of every major ICT incident – no exceptions.
• Must notify authorities within 4–24 hours.
• Report must include:
o Type, cause, affected systems, financial/operational impact,
recovery measures.
• A communication plan is essential – silence = loss of trust.
• A Post-Incident Review must define root cause and lessons learned.
DORA promotes the Zero Trust model – no implicit trust. The key
principles are:
1. Least privilege access
2. Continuous verification
3. Micro-segmentation
4. Assume breach
5. End-to-End encryption
This reduces attack surfaces and builds strong cyber resilience.
The IRP is the operational backbone of digital resilience and defines:
• Who does what, when, and how in case of attack.
• The goal is to minimize downtime, limit damage, and use every
incident as a learning opportunity.
The main phases of IRP are:
• Preparation, Detection, Containment
• Eradication, Recovery
• Lessons learned
The involved teams are:
• CISO & SOC
• IT Ops
• Comms/PR
• Legal/Compliance
• Top management
Key metrics and tools are:
• Recovery Time Objective (RTO) – max acceptable downtime
• Recovery Point Objective (RPO) – max acceptable data loss
• Backup strategy – isolated and automated
• Failover systems – geographically distributed redundancy
DORA interacts with other regulations such as NIS2 and GDPR:
• With NIS2: DORA applies it to the financial sector, with stricter
testing and governance.
• With GDPR:
o Both require incident reporting.
o GDPR focuses on data protection.
o DORA focuses on resilience and continuity.
o Result: a cyber incident may require dual reporting.
DORA builds on global best practices, making them mandatory in the
EU:
• ISO 22301: business continuity
• ISO/IEC 27002: controls and security management
• NIST SP 800-53/800-61: risk management and incident response
• ENISA Guidelines: cyber hygiene and harmonization across the EU
DORA doesn't reinvent cybersecurity - it harmonizes, reinforces, and
raises the bar.
Its mission is to make the EU's financial system cyber-resilient,
accountable, and future-ready.
12° Lecture: 03/11/2025
In GDPR, Risk means something that could negatively affect people's
rights and freedoms. It's evaluated based on:
• Likelihood of happening.
• Severity of the impact.
Many GDPR obligations are risk-based.
The most relevant GDPR Articles are:
• Article 24: Controllers must use technical and organizational
measures based on the nature, scope, context, and purpose of
processing. These measures must be regularly reviewed and
updated.
• Article 25: Promotes "data protection by design and by default".
Risks must be addressed from the start, using tools like
pseudonymization and data minimization.
• Article 32: Focuses on security of processing, including:
o Encryption
o Confidentiality, integrity, availability
o Data recovery
o Testing and evaluation
• Article 35: Introduces the DPIA (Data Protection Impact Assessment).
Required when processing is likely to cause high risk, especially with
new technologies. The DPIA must be done before processing begins.
Common risks include:
• Identity theft, financial loss, psychological harm
• Loss of data control or service access
• Discrimination or reputational damage
According to Recital 75, high-risk cases include:
• Profiling
• Children's data
• Large-scale operations
Risk assessment should look at:
• Origin, nature, severity
• Likelihood
• Impact on rights
Severity can go from low (minor issues) to very high (death or irreversible
harm). It's often evaluated with a likelihood-impact matrix.
Now, under a risk-based approach, a DPIA is not mandatory for every
processing activity, but Article 35(1) makes it compulsory when high risk is
likely.
Even if this threshold isn't clearly met, controllers must still manage risk
appropriately.
A DPIA is not required when:
- The risk is not considered high.
- A similar DPIA already exists under unchanged conditions.
- The operation is approved by law or a supervisory authority.
- The processing is on the supervisory authority's optional exemption
list (Art. 35(5)).
DPIA is a continuous process, not a one-time task. It must start before
processing.
The controller is ultimately responsible, even if tasks are delegated. The
controller must also:
- Consult the Data Protection Officer (DPO).
- Seek the views of data subjects, where appropriate.
- Get support from any involved processors.
If a DPIA is not done when required, or done incorrectly, or the
supervisory authority is not consulted when the residual risk remains high
(Art. 36), fines can reach:
• 10 million euros or 2% of global turnover.
A personal data breach is a security incident causing (Art. 4(12)):
• Accidental or unlawful loss, destruction, alteration, unauthorized
disclosure of, or access to, personal data.
Not every security incident is a personal data breach: it counts as one
only when personal data is actually affected in one of these ways.
Controllers and processors must ensure (Art. 32):
• Pseudonymization and encryption
• Confidentiality, integrity, availability
• Data recovery capabilities
• Regular testing
To manage breaches, the GDPR follows a five-step framework:
1. Prevent – Educate, reduce data exposure, secure systems, update
software, audit.
2. Detect – Identify incidents, analyze what, when, who, where, use
logging, find root cause.
3. Evaluate – Confirm if it's a breach, assess data type, people affected,
delay in detection.
4. Mitigate – Take action to fix the issue, document everything, notify as
needed.
5. Communicate – At 3 levels:
a) Processor → Controller
o Must inform the controller without undue delay when a breach
occurs. (Art. 33(2))
b) Controller → Supervisory Authority (DPA)
o Must notify the authority without undue delay and, where feasible,
within 72 hours of becoming aware of the breach (Art. 33(1)); a later
notification must state the reasons for the delay. If full details aren't
available, phased notification is allowed. (Art. 33(4))
c) Notification to the DPA must include (Art. 33(3)):
- Description of the breach
- Number and type of affected individuals and data
- Contact details of the DPO
- Likely consequences
- Measures taken or planned
d) Controller → Data Subjects (Art. 34(1))
o If the breach poses a high risk to individuals, they must be
informed without undue delay, unless (Art. 34(3)):
- Data was encrypted or otherwise unintelligible to unauthorized parties
- Risks were already mitigated by subsequent measures
- Individual communication would require disproportionate effort, so
a public notice is used instead
e) Information to individuals must include:
- DPO contact
- Breach consequences
- Measures taken
f) Public Communication may be used when:
- Required by law
- Needed for transparency
- Useful to build trust and protect reputation
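The communication rules above (Art. 33/34 deadlines and the Art. 34(3) exceptions), together with the dual-reporting point from the DORA lecture, expressed as a small notification planner. This is an added example and not part of the lecture notes: the `Incident` fields, the `make_incident` helper, the channel names and the modelling of the DORA initial notification as a 4-to-24-hour window from awareness are this example's own assumptions, and the sample incident is constructed.

```python
"""Breach-notification planner for the dual GDPR/DORA reporting regime.

Added example, not part of the lecture notes. The Incident fields, the
make_incident helper and the treatment of the DORA window as 4 to 24
hours from awareness are modelling assumptions of this example.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional, Tuple

GDPR_DPA_DEADLINE = timedelta(hours=72)   # Art. 33(1): controller -> DPA
DORA_INITIAL_MIN = timedelta(hours=4)     # notes: "within 4-24 hours"
DORA_INITIAL_MAX = timedelta(hours=24)


@dataclass
class Incident:
    aware_at: datetime                  # when we became aware (tz-aware)
    personal_data_affected: bool        # else it is not a "personal data breach"
    high_risk_to_individuals: bool      # Art. 34(1) trigger
    data_unintelligible: bool           # e.g. encrypted, keys safe (Art. 34(3)(a))
    risk_already_mitigated: bool        # later measures removed the risk (Art. 34(3)(b))
    individual_contact_feasible: bool   # else public communication (Art. 34(3)(c))
    financial_entity: bool              # in DORA scope
    major_ict_incident: bool            # DORA reports only major incidents
    we_are_processor: bool = False      # a processor reports to the controller


@dataclass
class Plan:
    is_personal_data_breach: bool
    notify_controller_immediately: bool
    dpa_deadline: Optional[datetime]
    data_subject_channel: str           # "individual", "public" or "not required"
    dora_initial_window: Optional[Tuple[datetime, datetime]]


def make_incident(aware_at_iso: str, **overrides) -> Incident:
    """Build a constructed sample incident; overrides adjust single fields."""
    base = Incident(
        aware_at=datetime.fromisoformat(aware_at_iso),
        personal_data_affected=True, high_risk_to_individuals=True,
        data_unintelligible=False, risk_already_mitigated=False,
        individual_contact_feasible=True, financial_entity=True,
        major_ict_incident=True,
    )
    return replace(base, **overrides)


def plan_notifications(inc: Incident) -> Plan:
    if inc.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware to compute deadlines")
    breach = inc.personal_data_affected
    controller_view = breach and not inc.we_are_processor

    # Processor -> controller: without undue delay, no separate clock (Art. 33(2)).
    notify_controller = breach and inc.we_are_processor

    # Controller -> DPA: 72 h from awareness (Art. 33(1)); a phased
    # notification (Art. 33(4)) still runs from the same moment.
    dpa_deadline = inc.aware_at + GDPR_DPA_DEADLINE if controller_view else None

    # Controller -> data subjects (Art. 34): only for high risk, and not when
    # an Art. 34(3) exception applies.
    channel = "not required"
    if controller_view and inc.high_risk_to_individuals:
        if inc.data_unintelligible or inc.risk_already_mitigated:
            channel = "not required"
        elif inc.individual_contact_feasible:
            channel = "individual"
        else:
            channel = "public"

    # DORA initial notification window: independent of whether personal
    # data is involved, which is what makes dual reporting possible.
    dora = None
    if inc.financial_entity and inc.major_ict_incident:
        dora = (inc.aware_at + DORA_INITIAL_MIN, inc.aware_at + DORA_INITIAL_MAX)

    return Plan(breach, notify_controller, dpa_deadline, channel, dora)


def hours_left(deadline: datetime, now_iso: str) -> float:
    """Hours remaining before a deadline; negative means it has passed."""
    return (deadline - datetime.fromisoformat(now_iso)).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: a bank loses an unencrypted customer export.
    p = plan_notifications(make_incident("2025-10-29T09:00:00+00:00"))
    print("GDPR DPA deadline:", p.dpa_deadline)
    print("Data subjects:", p.data_subject_channel)
    print("DORA initial window:", p.dora_initial_window)
```

The planner deliberately refuses naive timestamps: the 72-hour clock starts at the moment of awareness, and a deadline computed from a local time without an offset is the classic way to miss it. Note also that an incident can fall outside the GDPR (no personal data) and still be a reportable DORA incident, and that an encrypted-data exception removes only the data-subject communication, never the DPA notification.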
13° lecture: 10/11/2025
Ethical design is essential in technology and one important approach is
Value Sensitive Design (VSD), a method that embeds ethical values
into tech through:
• Conceptual analysis (understanding stakeholders and value
conflicts),
• Empirical studies (studying tech's societal impact),
• Technical implementation (translating values into design).
A related