White Label Consultancy

On 14 November, the European Commission’s AI Office published the first draft of the General-Purpose AI Code of Practice. The Code aims to address the key considerations for providers of general-purpose AI (GPAI) models and GPAI models with systemic risk. What is the role of the Code under the AI Act? Article 56 of the AI Act introduces the “codes of practice” as a temporary compliance tool, bridging the gap between GPAI obligations, effective 12 months after the Act’s entry into force, and formal standards, expected in three or more years. While not legally binding, adherence to the Code presumes compliance with obligations in Articles 53 and 55 until standards are established. Key Observations: 1.??????The draft Code details key obligations for GPAI providers scarcely covered by ?the AI Act: a.??????For all GPAI models, the draft Code outlines provision of technical documentation to AI authorities; and provisions of relevant information to downstream providers integrating GPAI models into their systems, including capabilities and limitations. b.??????To uphold the transparency principle GPAI providers are to make available; an up-to-date Acceptable Use Policy (AUP), defined as a set of rules outlining how a service or technology should be used, information on data used for training and testing, alongside details of the model training process; and implementing policies to ensure compliance with applicable EU copyright regulations. c.??????For GPAI models with systemic risk the following requirements were outlined; adoption and implementation of a Safety and Security Framework (SSF) to define policies for systemic risk management; regular evaluations and updates of both SSF and Safety and Security Reports (SSR), the establishment of effective incident reporting mechanisms to identify, address, and mitigate systemic risks; and implementation of corrective measures for identified risks. 2.??????Defining GPAI models with systemic risk: Under Article 51 of the AI Act, GPAI models exceeding 102? FLOPs (e.g., GPT-4 and Gemini Ultra) are presumed to have systemic risk. The AI Office may refine thresholds as technology evolves. Currently, the draft additionally identifies risks such as cyber offences, nuclear threats, loss of control, and large-scale discrimination as systemic. In the upcoming months, the AI Office, informed by multi-stakeholder consultation, will finalise the Code of Practice, additionally issue a training data summary template, and accompanying copyright-related guidance. The final documents are anticipated by May 1, 2025, providing companies approximately three months to prepare before enforcement begins. Stay tuned for updates as we continue to keep you informed on the latest developments! #securityleadership #cybersecurity #cyberleadership #AIAct #artificialintelligence #AI

The Digital Operational Resilience Act (DORA) will enter into force on 17 January 2025. DORA is a crucial regulatory framework within the EU aimed at enhancing operational resilience and cybersecurity maturity in the financial sector. Further, DORA has the objective of replacing multiple ICT risk management frameworks, with a single unified approach for mitigating all ICT-related incidents in Europe's financial services industry. DORA applies to a wide range of financial institutions and entities, including credit institutions, investment companies, trade repositories, investment managers, crypto-asset service providers, and crowdfunding service providers. Notably, there are several cybersecurity controls contained within the Regulation, which fall into five core pillars: 1. ICT Risk Management, 2. ICT Incident Reporting, 3. Digital Operational Resilience Testing, 4. Information and Intelligence Sharing and 5. ICT Third-Party Risk Management. Foremostly, DORA mandates that covered entities are to implement an appropriate governance and control framework that ensures effective ICT risk management. This obligation requires that management of financial entities should define, implement and oversee the ICT risk management framework, and effectively outlines that the management body of the financial institution or covered entity bears the ‘ultimate’ responsibility of managing ICT risk. DORA requires that financial entities covered within the Regulation, develop comprehensive ICT risk management frameworks. Notably, the ICT risk management framework must adopt strategies, policies, procedures, ICT protocols and tools that are necessary to effectively protect all information assets and ICT assets within the organisation. ? As the deadline for compliance fast approaches the European Commission has adopted several delegated regulations which support DORA, including regulatory technical standards which: 1. specify the harmonisation of conditions enabling the conduct of the oversight activities? 2. specify the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats? 3.?specify the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specify the details of reports of major incidents 4.?specify the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers 5.?specify ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework In the coming weeks, White Label Consultancy will be publishing a white paper with even greater analysis into DORA, so, please stay tuned. #securityleadership #cybersecurity #cybersecuritymaturity #cyberleadership #cybersecurityframework??

Abu Dhabi was simply buzzing last week, with conferences and networking events happening across the city. White Label Consultancy was fortunate enough to attend a handful of events including the GovCyber Summit Abu Dhabi, on Tuesday, 5 November, hosted by the Cyber Security Council . The GovCyber Summit was a day filled with exceptional presentations and panel discussions discussing everything cybersecurity, from the current threat environment, to the disruption AI poses to the industry. Key areas of discussion included: ·?????The evolving threat of landscape impacting the Middle East region; ·?????Strategies for securing public digital assets and infrastructures from AI powered attacks; ·?????Discussion occurred on how the sector needs to improve policies, procedures and structures to counter digital threats; ·?????Discussed the new threat trends and challenges facing critical public infrastructure and how to prepare for them; ·?????Exploration of the latest best practices and solutions to improve resilience of critical infrastructure software and hardware assets from attacks; and ·?????The emerging technologies in IT/OT Security - strategies and best practices. WLC would like to thank all the speakers and panellists who contributed to the discussions at Summit, and a special thanks to H.E. Dr. Mohamed Al-Kuwaiti, H.E. Eng. Matar Almheiri, @Faisal Abdulaziz, Dr.Hoda A.Alkhzaimi, Khaled Essam Ali, Thomas Heuckeroth, Lori Baker, Sarfaraz Muneer CISSP, CISM, CEH, CCIE and Lt. Colonel Saeed M. AlShebli, for their invaluable contributions. DUBAI FUTURE FOUNDATION World Economic Forum #securityleadership #cybersecurity

Latest decisions by European Data Protection Authorities repeatedly underscore the importance of transparency and lawfulness in cookie use. These ongoing decisions compel organisations to review their cookie practices, serving as a constant reminder that non-compliance with cookie rules can lead both to reprimands and substantial fines. - In Spain, the Spanish Data Protection Authority recently fined a website provider €90,000 for setting non-essential cookies without user consent and failing to inform users of the cookies’ existence and function. This case reinforces that any lack of transparency in cookie practices can result in significant financial penalties. - In Norway, in a similar decision, the Norwegian Data Protection Authority reprimanded a controller for further processing and sharing data collected through cookies set without user consent. This case emphasises that user consent is required not only for initial data collection but also for any subsequent processing and sharing of that data. These enforcement actions coincide with the European Data Protection Board’s recent update to its Guidelines on the Technical Scope of Article 5(3) of the e-Privacy Directive. The new guidelines clarify the applicability of Article 5(3) to different technical solutions, including cookies, to help organisations align their tracking technologies practices with regulatory standards and mitigate the risk of enforcement actions. White Label Consultancy has also recently published a blog post offering practical advice on enhancing cookie banners transparency and effectiveness based on regulatory best practice. Considering these recent cases and updated EDPB’s guidance, now is an appropriate time for organisations to review their cookie practices to ensure they align with current standards. Recommendations for organisations: - Review Your Cookie Banners to ensure they provide transparent information about the types of cookies used and their purposes. - Obtain Consent for Non-Essential Cookies if your organisation’s website uses different types of cookies, all of which are not essential. While essential cookies required for basic functionality do not require user consent, cookies used for analytics, third-party services, and behavioural advertising do. It’s crucial for organisations to identify the types of cookies in use and obtain consent for non-essential cookies accordingly. - As GDPR requires that cookie consent requests are presented in a clear, informative manner to allow users to make an informed choice, make sure that your consent requests are clear and Informative. Users must have the option to accept or decline non-essential cookies. At White Label Consultancy, we bring extensive experience in data protection advisory. Our team is skilled in conducting cookie scans and implementing compliant cookie practices. Reach out to learn more on how we can support your organisation. #dataprotection #privacy #GDPR #Cookies #ePrivacy

What a week!! Abu Dhabi was simply buzzing, last week filled with conferences and networking events. White Label Consultancy was lucky enough to attend a handful of events including two networking functions organised alongside the Abu Dhabi International Petroleum Exhibition and Conference (ADIPEC). Here’s our review of the events we attended: Norway Energy Networking Reception WLC also attended Norway Energy’s Networking Reception, an event showcasing the success of Norwegian companies who operate in the Middle East. It was great to see so many Norwegian companies expanding into the region, a trajectory we hope continues. WLC met with several companies and were able to discuss the growing requirements of cybersecurity governance with several organisations, highlighting that the energy and power sectors remain critical throughout the world. WLC would like to personally thank?Business Norway?,?Innovation Norway Asia and the Middle East?and?Royal Norwegian Embassy in Abu Dhabi for a splendid evening of networking. Rystad Energy Networking Function and Market Briefing Our final event for the week, hosted by Rystad Energy, was an insightful evening whereby Deputy CEO, Lars Eirik Nicolaisen provided an in-depth market update relating to the energy sector. It was very interesting to see the trends of energy consumption, and the trajectory of future growth. This another fantastic opportunity to meet with energy and power professionals operating within the Middle East. Video/Photo: Ry Palis / Business Norway #TeamNorway #MiddleEast #SecurityLeadership #ADIPEC

White Label Consultancy will attend the IAPP Europe Data Protection Congress in Brussels from November 20 to 21, 2024! If you're attending too, we’d love to meet for a coffee or a quick chat. Drop us a message here on LinkedIn or email us at [email protected] to arrange a time. We are eager to connect with fellow privacy enthusiasts! See you in Brussels! #IAPP #DataProtectionCongress #Privacy #AI #Governance #Networking

Our Partner for Cyber Security André ?rnes presented on the critical topic of #cloudsecurity from a Cloud Security Alliance Norway meeting in Oslo yesterday, alongside Per Jakobsen from the Public Sector Marketplace for Cloud Services #mps at Direktoratet for forvaltning og ?konomistyring. #securityleadership #cybersecurity #dataprotection

An update from the Norwegian annual event #Attack2024 by our Partner for Cyber Security André ?rnes - on digital threats against critical infrastructure.

Our Partner for Cyber Security André ?rnes contributed to the Norwegian #governance, #risk, and #compliance network gathering hosted by JUC in Oslo yesterday, alongside Hedvig Moe, Gunhild Hernes Synnestvedt, Andreas Fredriksen, and Eirik Str?mmen Engum, focusing on national and societal security and the regulatory landscape surrounding digital security with a focus on #NIS2 and #DORA, with(unavoidably) a flavor of #AIAct. One clear takeaway is that successful compliance and security strategies are rooted in well-coordinated risk management, building on: ???? Board and top management ownership – Ensuring senior leaders take ownership and understand the full scope of the risks involved. ? Roles and responsibilities – Maintaining consistency in who does what, whether in routine operations or crises. ?? Business continuity – Being prepared with a robust plan for handling unexpected incidents. ?? Collaboration – Recognizing that digital security is not just a tech issue; it’s also about governance and third-party risk management. ?? Culture building – Developing a solid culture of security and compliance at all levels in the organisation. This discussion is a powerful reminder that stepping beyond traditional compliance and into a proactive advisory role is crucial in today’s landscape. Thanks to the network group leaders Siri Skollerud-Blegen and Marianne St?kken Pilgaard for the valuable exchange! #SecurityLeadership #NationalSecurity #SociatalSecurity #DigitalSecurity

The 9th Edition of GovWare held recently as part of Singapore’s International Cyber Week, brought the global cybersecurity community of experts, vendors, practitioners, and academics together under the theme of ‘Securing Dynamic Digital Roadmaps: Relooking Signposts in Identity, Trust, and Resilience’. Once again, artificial intelligence (AI) has taken centre stage, underlying most sessions and stamping its growing importance in the cybersecurity field. On the other hand, quantum computing’s impact should not be underestimated. The top three takeaways: 1. The progress of AI governance with regulations such as the EU AI Act is much welcomed and needed, but the focus on the AI ecosystem and traditional/non-AI systems is largely ignored. As such, will such regulation effectively deter cyber threat actors already leveraging AI technologies and methods against traditional/non-AI systems to achieve their intended goals? Complementary regulations such as the EU Cyber Resilience Act could be expanded to address such gaps. 2. The trinity of cybersecurity threats fueled by AI and quantum technologies could form an ideal storm. Collectively, they introduce rising complexity, scale of attack surfaces, and methods at an alarming pace that existing defense mechanisms, be it people, processes, or technologies, would be overwhelmed if they remained status quo. ‘We are not ready for AI’ organisations would be wise to reconsider their stand given the risks posed, especially those in critical sectors such as national infrastructures, financial services, and health, to name a few. 3. The clarion call to action for increased public-private collaboration is evident and observed in regional/country-driven efforts such as the EU’s NIS2 Directive and Singapore’s Cybersecurity Act. Cyber threat actors are collaborating globally to increase their effectiveness and share lessons learned. Therefore, it is clear that public and private organisations must do the same to better defend against such threat actors. White Label Consultancy?has extensive experience supporting organisations with cyber security advisory and leadership. Reach out or schedule a call to learn more about our service offerings and how we can support your organisation. #govware2024 #govware #sicw2024 #artificialintelligence #quantumcomputing #ciso #cybersecurity #securityleadership