IT-Security Regulatory Update | April 2022

Highlight from April 2022

EU citizens see need to catch up on data protection

At the Conference on the Future of Europe, EU citizens pointed out, among other things, that they consider the implementation of the GDPR by companies and the enforceability of their rights to be insufficient.


European Parliament addresses EU citizens’ expectations on data protection

Many EU citizens took the opportunity at the Conference on the Future of Europe to express their vision for the future of data protection and privacy in the EU. This has shown that citizens want a high level of data protection and stringent implementation of the same. In particular, they are concerned with ensuring that companies comply with applicable regulations, citizens are given more control over their data, and surveillance, profiling, and manipulation of citizens by companies are reduced.

The European Parliament has taken this as an opportunity to publish a briefing on the future of European data protection. The briefing presents the citizens' input and states that Parliament addresses these requirements to the greatest extent possible through legal acts already implemented or initiatives already introduced. At the same time, however, it recognizes that the citizens involved see a need to catch up in the current implementation status of the GDPR.

Above all, the way in which companies currently implement the GDPR is criticized. This shows that EU citizens consider the level of compliance with the GDPR and the enforceability of their rights to be insufficient. In the briefing, Parliament goes deeper into the feedback and highlights where there are disagreements between it and citizens.

The European Parliament briefing can be found here on their website.

Source: © European Union, 2022 – EP



Will there be a revision of the Solvency II Directive?

The European Parliament has published a briefing on the impact assessment for Solvency II (Directive 2009/138/EC on the taking-up and pursuit of the business of insurance and reinsurance).

The European Commission has identified five issues that it considers to be material and that will be considered in more detail in the course of the impact assessment:

  • incentives to contribute to the long-term financing and environmental performance of the European economy are limited;
  • insufficient risk sensitivity and limited ability of the directive to mitigate the volatility of solvency positions;
  • lack of proportionality of prudential regulations, which cause high compliance costs, especially for small and low-risk institutions;
  • shortcomings in the supervision of (cross-border) insurance companies and groups and insufficient protection of policyholders against insurer defaults;
  • limited specific supervisory tools to address the potential buildup of systemic risk in the insurance sector.

The impact assessment concludes that negative effects on the economy as a whole and on consumers are to be expected without EU intervention. Accordingly, it sheds light on the impact of various EU measures under consideration.

While adjustments due to increasing ICT risks (risks in the context of information and communication technologies) were also taken up by the public during the consultation phase of the Solvency II review, the Commission refers to existing measures. Examples include the Digital Operational Resilience Act (DORA) and the regulatory framework for cyber resilience. More details on the regulatory framework can be found here in our Regulatory Update of March 2022.

An adjustment of the Solvency II Directive seems likely, so insurance and reinsurance companies should prepare themselves for this.

You can find the briefing of the European Parliament here on its website.

You can find the Impact Assessment of the European Commission here on their website.

Source: © European Union, 2022 – EP


Assistance with the exit strategy for cloud service providers for CI

CI (Critical Infrastructure) operators must secure critical services that they outsource to the cloud against failure so that IT security and, in particular, the availability of the critical service are guaranteed. This also requires a prior risk analysis.

In a recommendation on the exit strategy for cloud service providers, the BSI brings this obligation into focus. Specifically, the recommendation addresses the following issues:

  • the decision to use a cloud service,
  • the failure before the end of the contract / the early termination,
  • the planned migration,
  • contractual agreements.

The recommendation of the BSI can be found here on its website.

Source: German Federal Office for Information Security – BSI,

From the perspective of EU citizens, there is a need for action on data protection, which the Parliament at least does not fully deny. It remains to be seen whether this will result in adjustments to the GDPR. However, it is certain that there is a need to catch up in the implementation of the current GDPR.

We at ADWEKO are happy to assist you in this process.
