TOP
Search the Dagstuhl Website
Looking for information on the websites of the individual seminars? - Then please:
Not found what you are looking for? - Some of our services have separate websites, each with its own search option. Please check the following list:
Schloss Dagstuhl - LZI - Logo
Schloss Dagstuhl Services
Seminars
Within this website:
External resources:
  • DOOR (for registering your stay at Dagstuhl)
  • DOSA (for proposing future Dagstuhl Seminars or Dagstuhl Perspectives Workshops)
Publishing
Within this website:
External resources:
dblp
Within this website:
External resources:
  • the dblp Computer Science Bibliography


Dagstuhl Seminar 24112

EU Cyber Resilience Act: Socio-Technical and Research Challenges

( Mar 10 – Mar 13, 2024 )

Permalink
Please use the following short url to reference this page: https://www.dagstuhl.de/24112

Organizers

Contact

Dagstuhl Seminar Wiki

Shared Documents

Schedule

Motivation

The growth of Consumer Connected Devices such as Smart TVs and Smart Speakers has introduced unprecedented challenges for preserving consumers’ security and privacy, and nations’ cybersafety. The European Union has been at the regulatory forefront, developing strict regulatory frameworks to protect consumers and increase European cyber-resilience. However, the path towards compliance and enforcement is not straight-forward.

In May 2018, the EU General Data Protection Regulation (GDPR) was implemented to protect users’ privacy and digital rights. However, 5 years later, its success has been moderate due to developers’ inability (or lack of incentives) to comply with the regulation. This is aggravated by rule interpretation differences across DPAs, which is causing developers confusion and different criteria for enforcement. Now, the new EU Cyber Resilience Act aims to enforce security requirements for digital products like IoT devices by establishing a framework for secure development and empowering users to make security-aware decisions. This is complemented by a European-wide Cybersecurity Certification Framework (ECCS) and the new NIS 2 Directive, which puts in place cybersecurity requirements including supply chain measures. The combination of these regulations aims at ensuring that digital products are vulnerability-free, transparent, and vendor-supported throughout their life cycle, while also respectful with citizen’s digital rights and privacy. However, what will be the barriers and challenges for compliance and enforcement?

Device and software analysis methods—from formal methods to black-box testing—are essential for facilitating compliance at different stages of the product life cycle, but also for independent certification and enforcement as ECCS mandates. However, the rapid evolution and increasing complexity of new technologies and other socio-technical factors may add further challenges and barriers for compliance and enforcement. On the one hand, it is essential to understand whether regulatory requirements are realistic, unambiguous, and if they are completely misaligned with technology trends, manufacturers’ incentives and goals, and with users’ privacy and security awareness. For example, research evidence has shown that many developers do not fully comply with GDPR and COPPA requirements due to their dependency on obscure third-party components for development support and advertising, economic incentives, poor software engineering habits, or even lack of regulation awareness. On the other hand, we need to assess to which extent device and software analysis methods are fit for aiding developers and manufacturers in compliance, but also for independent certification and enforcement. Yet, current software and device analysis techniques (e.g., black-box testing) often over-simplify the complexity of digital products and present scalability and coverage limitations that prevent them from testing whether observed software properties comply with regulatory requirements at scale.

This Dagstuhl Seminar wants to unite a multidisciplinary group of tech and legal academics, industry actors and policy experts to holistically explore the complex landscape of research and socio-technical challenges for regulatory adoption and enforcement. These arise from developer practices and incentives, user awareness, and the feasibility of existing software analysis methods for certification and enforcement. By fostering multidisciplinary dialogue across communities that are often disconnected, this workshop aims to (1) shed light on pressing research challenges and barriers for adoption and enforcement of new tech laws; (2) promote cross-disciplinary research networks and collaboration in developing innovative solutions to strengthen digital security and resilience while preserving users’ rights, and (3) produce reports to inform the regulatory debate and future research agendas at the intersection of tech and policy.

Copyright Mila Dalla Preda, Serge Egelman, Anna Maria Mandalari, and Narseo Vallina-Rodriguez

Participants

Classification
  • Computers and Society
  • Cryptography and Security
  • Software Engineering

Keywords
  • Digital Law and Policy
  • Usable security and transparency
  • Cybersecurity and Cyber-Resilience
  • Software Engineering and Secure Development
  • Software Analysis and Certification