Yeah, the question is how to navigate the regulatory landscapes in digital identity and AI. I'd say it's not a landscape, but a seascape with a huge wave of legislation coming across us. And I've just listed a few of the most important ones. Some of these have been treated extensively during the conference, and there's a lot of information available online if you want to review those. I'll not go into all of those, just the first three. But what is important in this slide is that you see that a lot of them have been launched almost at the same time or in the same year.
Now these dates are not always very clear because when a legislation in the EU is being launched first there's different phases of acknowledgement and acceptance by the council of the European Union, by the member states. There's a lot of negotiations, then it's accepted, but then it needs to be, there's a textual review then.
So there's a long line of activities before a law is really applicable. And before a company really has to be compliant with legislation.
And even for me when I'm studying these laws all the time, it's not always easy to find out is it applicable and when will it be applicable and what is the current status. So, but at least you can see what's coming. I will talk about the first three, but not too extensively. The first one is the Network and Information Security Directive, number two. It's a review of the number one. And the reason why it has to be reviewed is that they thought effectiveness could be better than it was.
And normally the EU always reviews legislation after it's been in force for a few years. They would consult the market, they would consult all the parties that were subject to this law.
So they did that to the NIS as well.
And they found that in different countries in the EU, the applicability for NIS would be different, which reduces the effectiveness. So if in one country of the EU you can be an essential entity, but in the neighboring country, you are not an essential entity, which means that the law is not fair, it's not equal, no equality. So that's not fair. So they're changing that and it means that they have to change where the accountability is.
Is it in the member states for legislation to do the underpinning legislation or is it on EU level? That's always a search. Certain things are decided upon at EU level and different things are an underpinning legislation that is at the member states discretion. So embedding in other legislation was another thing because there's already a lot to go and to be compliant with, which could, yeah, these laws, they're trying to legislate the reality, but the reality is multifaceted.
So it's, yeah, you can legislate from different angles from the physical services or where for telecoms, there's legislation. But yeah, is that digital infrastructure?
Yeah, that's true. It's also an essential infrastructure. So there's many, many laws looking at the same topics. And now the question is how to define all these borders. So for the policy makers, that's also very difficult, not just for the people who have to be compliant, for the companies. And new is that the national cyber strategies are now mandatory, then more profoundly described CSIRTs and the sharing of vulnerability information.
Because if we all know where the gaps are, it's easier for all, of course, to defend ourselves, and you catch more fish with one big net than with a number of small nets. So essential entities and important entities, well, it's not so difficult to define which are important or not important entities.
But the new thing is also that providers in the service chain of essential entities, which are themselves important entities, they should comply to the higher level of the requirements because they're in the service chain delivering services to the most important, the most essential entities. So, well, there are sessions on NIS2 all around in this conference, so I'm not going to tell more about that. And of course, eIDAS: yesterday we had a complete track only on eIDAS.
And I think I don't need to drill deeper into that. Main important thing is that in 2026, we're expecting the member states in the European Union to provide wallets to all of the citizens, and in some countries it's going well. In the Netherlands, I'm not so sure it will happen. And one of the things which is difficult is that the assurance level should be high.
And that's a problem because it, yeah, I don't think we're getting ready for that in the Netherlands, but, well, I'm keeping an eye on that.
But the main thing is that really how to do this and what standards should be accepted and how to build a compliant wallet, that's technology. Technology can't be written in law because it should be technology agnostic. And so they do that in implementing acts, which is more detailed legislation that is sort of, yeah, underpinning for the large regulation.
And yeah, many of the providers and the companies who want to be compliant, they're waiting for all these details. And you have to think about these implementing acts, describing the reporting lines, the formats for reporting technical standards. There's really a lot to be done in the a r track. Yesterday we had presentations telling us about the progress for that.
So if you were interested, I would really download all yesterday's presentations and you know all about eIDAS. I think they were really, really extensive and really good.
And in 2030, 80% of EU citizens in the member states should be using EUDI wallets. It's not mandatory to use it. It should be free and not mandatory, free of choice to start doing it.
But while, as we can see also from the conference itself, 2022, I was explaining in a round table what, and while it is just explaining the concept, and that was a very small presentation and it was the only one almost. And one year later there was an eIDAS track on the Friday morning and the room was too small. That was not expected.
And today, yesterday we had a complete eIDAS track. So that's how things move.
Well, let's see. And of course, AI, it's been treated as well. It's really to the risk and to reduce risk for the citizens or the affected persons as we call the subject that could suffer from AI. This is of course very difficult. Why this is important. I think everyone on the globe is watching this and seeing if the impact will be okay and how to regulate that. That's really a challenge. So that makes this legislation quite important. 'cause it's the first one on the globe. The real good try, but I'm not sure it's, there must, this is the final one. There should be a lot of reviews.
And I know that for years and years there's been a lot of pre-work in the EU as well. So those are the three main acts that are imminent or already in force that have large impact to the companies, for corporates, small medium business and companies.
Some of the small companies are excluded for all of these three legislations. So the NIS is excluding if you're a really small to medium business and you couldn't have all the obligations 'cause yeah, you could go bankrupt, maybe the cost of compliance would be too high.
So there is also some balancing, but these are also things that are going to be fine-tuned and so on now. But we don't only have a lot of legislation. In addition, the reality that is going to be regulated has become a lot more complex because we have very nice, really nice technical interoperability and standards. That's nice, eh, that's good for your ease of use and portability really nice. But it also means that more things are more connected to more other things. So they're less standalone things because interoperability is now easier.
So it's more difficult to define who is accountable for what in the chain. Hyperconnectivity is made easy by all this interoperability and it makes the value chains in services and not only in digital services a lot longer than they used to be because it's more easy to connect now platforms but also finer grain services to world and more personalized and, well, that goes across national borders about jurisdictions, domains of industries, but also across technologies.
So the world is more complex and it's more difficult to define who decides on what, who is accountable for what, who's liable for what. And yeah, the regulation itself, that's the next puzzle. So we have one puzzle, what legislation is applicable, when, why, how, and then we have the puzzle on what is my scope in this legislation. Then decentralization, that's an opposite from the, that's also an impact of the connectivity, making more parties involved per service, but also integrated shared services.
So the, yeah, the mix is becoming even more complex. And so reality becomes more personal, more fine-grained and, next to that, these are ecosystems of ecosystems.
So it's, yeah, another puzzle. How this whole connectivity is plus all the services. So we have a puzzle of legislation, of the services and of the technical reality. And of course then we have malinformation, disinformation and misinformation coming into the mix. That's another puzzle to define if something is real or fake.
And yeah, the complexity, the barrier to make things more complex has been really made very low because AI helps this interoperability, helps personalization that is wanted in the companies or for selling your services is helping. So it's really more easy to make things even more complex than they are.
Okay, well what are the basic challenges to manage when we are looking at legislation and your, well in legislation, full stop of course, scope of legislation and applicability.
That has to be decided upon keeping track of all these amendments. Where are we? And when will it be enforced? Being compliant is something else than demonstrating that you are compliant. I've seen this many times in the financial sector where the auditor came three times, be it internal auditor, external auditor, European central bank risk management. And there were huge lists.
And the problem was not that maybe it could be secure or fine and compliant, but I had to demonstrate, really prove that I had been, demonstrate that I had been compliant with my whole identity stuff for customers and employees by hindsight. So not at the moment, but also previously I had to prove that this person had left the bank and that all his things were deleted and gone and I had to prove it. In historic truth, that's already difficult, but when you have extra layers of legislation entering, it can become more difficult.
And then the cost of compliance goes up.
And also then finally, the main core thing that legislation is about: what are the obligations? What are the obligations that I have to fulfill? What should I do? What is now actually the content of all this legislation and which is applicable now? Then we have engineers who just develop and we have legal guys who don't want to listen to it that much in my, they exist, they also exist, who do? But in my experience, I went to the corporate legal staff guys, that was in the year 2000. I had to connect all the employee identities of a global bank in 60 countries at services.
And I had to connect those and it was very difficult to convince that I had thought by myself, oh, but that's privacy because it's personal information of all my employees.
They need to go into the other that across the world as well. Be the global email backbone po wow, let's read the Dutch legislation, which I could easily read. I'm a linguist. So that was not a problem. I understood the legislation and then I went to corporate and I told them, well here, this is the legislation. This is my architecture. What do you think? How to go ahead, what can you do for me?
Hmm, not so easy. And yeah, apart from that, if you're a smaller company, you don't have this corporate bunch, the whole floor filled with legal experts and you want to hire one, legal experts are expensive. So then next to this, there's the who-is-who bingo. And the who-is-who bingo starts internally, whom to talk to. This is Jan Steen. In Dutch we have an expression, a household of Jan Steen.
And then it means it's very difficult to define any clear line into that. But this is what a global bank looks like from the inside: you have the C-suites and they change.
And that's not always clear who does what. CIO, CTO, reporting structure. Sometimes they report to themselves that I have, that happens in my elder. Then there's the data protection officer, but that's also a legal guy. So maybe not too much versed in technology. Then of course there's the operations department who execute the whole thing and implement. And they are always a bit like, yeah, well we don't know, we just implement, we're the builders. We're not the architect. So we don't know. The IT department.
Multiple levels of risk management, the local ones, the global ones, different sorts of risk being managed, group audit, local audit, external audit, first line, second line, third line of defense. Partners in the value chain have the same bunch of things. So, and then of course there's a lot of bureaucracy and formality and if you go to the liberal part, they would always say, well that depends.
Okay, so that was the internal household of Jan Steen. But the external household of Jan Steen also exists. Every legislation, at least in the EU has their own governance for reporting structures. ENISA is overarching for the network and information security. And they are supporting a lot. They're based in Greece and they do a lot of sort of administrative facilitating expert groups. They're in the background, they're your best friend I think in this.
But the member states have their own bodies, the expert groups here, cooperation groups there, data protection officers, the European data protection supervisor, AI boards, data protection boards, the cyber crisis liaison organization network. Well just Google a bit on anything. And this is just for these three legislations that I've mentioned.
And then you have a whole host of them for the financial services themselves, their internal European organizations, the Financial Stability Board, the European Banking Association, and they all talk, yeah, well, if I'm in a corporate, it's very difficult to know who to talk to.
And then also the roles that a corporate could have in such a game are different. In eIDAS you can be a verifier, an issuer or a wallet provider as a role in this legislation. And for AI, you have more roles than that.
There are, I think six up to 70 definitions in the AI Act. In eIDAS, I think there were only sort of maybe 30 or 40. So a lot less. So a lot shorter document also.
So, and the policies are also difficult because the policy makers also have a problem because law is always behind on the technology reality. And that's also in law itself because the details, implementing acts, only follow after the legislation itself is there. And then security can't be measured. How do I prescribe security, but without prescribing technology? Because that will be old when the ink is dry.
So there's a lot of discussions on technical standards and operational standards, and that could be taking a lot of time.
Reporting structures per the legislation, as I said, are also different. Then the status of any regulation, contradictions in the content. It's not harmonized. And of course the now, so actually we have this whole pile. This is there next to each other, but in fact they're on a pile on top of each other. So for every topic, you have to drill through the whole pile of sort of puzzles to know, to sort of filter the applicability to content and what you have to do. So who should react with this and what to do about this?
Well, as a business, you could always say, okay, sorry, too much information, too difficult. Let's just accept, pay a million dollar fee every now and then because we'll fine, if they find out, let's do some debits on the side and okay, that's it.
Well, maybe that's not a very good idea because you don't know how bad it can be because it also means you don't know where you are and you will be checked one day. So maybe I, and I don't know who has heard in this conference. I haven't. And it used to be hot topic, at least let's say 2019, you could read it over everywhere. RegTech, regulational technology.
So I did my own RegTech, I made a spreadsheet with, and I think, you know, so 'cause you've been working on that as well, my spreadsheet, the matrix of all the articles of the EU legislation, putting all the topics next to each other so you can plot, if it's about this topic, it's in this, this, and this article of this, this and this regulation. So making your own spreadsheet, RegTech, that's, yeah, it's a lot of work.
But yeah, okay. It's minimum viable product. And if you like, you can do it one more slide. So that's also not a very good idea.
So I think digital reality is department agnostic and organizations are not at all department agnostic. So you need to create a multidisciplinary meeting point. I did that at AB with the legs on the table, not a formal thing, making decrees and things, but just talk with all these silos, risk, audit, CO experts, IT, invite the business as well because they're normally staying far away from that to do their thing unnoticeably. So they have at least launched a ticky app that's not safe. But at least they didn't have any trouble with audit and risk.
And the policy makers, of course, they help, they do a lot of integration as well. So, and the member states have their obligations because they are, I think in campaigning with education and awareness. And I would say drink tea with each other. Get together, talk to your peers, make sure you're doing these together. But in the end there's hope. And then I have one more, this is my last slide. In the end, these legislations all have the same objectives. Securing the customer, making, have an ambition to protect users and prevent manipulation.
So if you're just a prudently operating organization, all these measures, you would do them and they would be covered by all of these legislations. They would all have the same target. So that's where the simplification ends. So the garden will be nicely pruned and all that, whatever tool you need and from wherever you were hiring it. So in my opinion, yeah, that's the best you can do. Thank you. Thank you so much.