Make it clear bq 2 clear

Make IT clear - 12/2022

Authors

10 minute read 20 Dec 2022

Here is the Make IT clear special materials 12/2022

Topics discussed:

  • Intellectual property - NFT and intellectual property law 
  • IT - The Cyber Security Certification Scheme for Cloud Services
  • Cybersecurity - Statement of the Polish Financial Supervision Authority (PFSA) on the cyber security activities of insurance and reinsurance undertakings 
  • Data protection - 27 December 2022 is the deadline for SCC exchange for data transfers
  • E-commerce - Digital Markets Act
  • Legal alert on Cloud and Cyber - The regulatory tsunami is unleashed
Spot light on man with pink background
1

Chapter

Intellectual property

NFT and intellectual property law

What is NFT?

NFT stands for 'non-fungible token'. In this case, we should understand the word 'non-fungible' as 'having no equivalent in other objects/currencies'. Generally speaking, NFT is a type of cryptographic token based on blockchain technology. 

Popularity of the NFT

NFT gained huge popularity during the global lockdown in 2020. Initially, the technology was associated exclusively with art, particularly images and visuals. Nowadays, NFT is gaining popularity and is used in areas such as entertainment, gaming, fashion and even retail and real estate.

In 2021, the valuation of the NFT market was estimated at $40 billion.

Copyright of a work and NFT

The trading of NFT tokens has not yet been regulated in any way. Therefore, it is now necessary to adapt the existing legal regulations to the specifics of NFTs.

An NFT may constitute a work within the meaning of Article 1(1) of the Act of 4 February 1994 on Copyright and Related Rights if it fulfils the statutory prerequisites for recognition as a work within the meaning of copyright law.

First of all, it is necessary to distinguish between the situation in which a real existing e.g. work of art has its counterpart in the form of NFT, and the creation of a graphic or other work immediately in the form of NFT. In the first case, the sale of the NFT would not normally lead to a transfer of copyright in the associated existing artwork. In the second case, on the other hand, one should be able to distinguish between two situations. The first is the ownership of the NFT and the second is the ownership of the intellectual property rights to the NFT token.

It is important to note that the owner of an NFT may own, for example, a particular copy of a 'digital' photograph or music file, and not own the intellectual property rights to that photograph or music file.

The acquisition by the purchaser of an NFT token of the intellectual property rights to that token, is of great importance in the context of its further dissemination.

In order for the intellectual property rights to pass to the purchaser of the NFT, that purchaser must enter into an agreement for the transfer of copyright, as it is not sufficient to simply buy the NFT token in question. The consequence of the failure to effectively transfer copyright to the purchaser of the NFT token is that it is still the original creator who holds those rights. And as a consequence, the owner of the NFT may not be entitled, for example, to reproduce, distribute or publicly perform the NFT object.

Does the acquisition of an NFT result in a licence?

The acquisition of an NFT will most often not involve a transfer of copyright, but at most a licence.

On the legal side, the sale of an NFT is closest to a non-exclusive licence, which does not give the purchaser exclusive rights to the work. 

A licence agreement may be a more practical solution than an actor's rights transfer agreement for the reason, among others, that a non-exclusive licence does not have to be in writing. Depending on the platform on which NFT tokens are sold, the scope of the licence may vary. Typically, a narrow scope licence is granted, which does not include the right to commercially exploit the works acquired under NFT. 

Want to know more about blockchain technology and NFT?

We invite you to read our article: Blockchain, metaverse and NFT - are society, businesses and regulators ready for the challenges ahead? | EY Poland

Make it clear 5 makeitclear lp banner lp fuksja clear
2

Chapter

IT

The Cyber Security Certification Scheme for Cloud Services

ENISA (The European Union Agency for Cybersecurity) is currently drafting a regulation on cyber security certification for cloud services (EUCS). 

What is the purpose of the proposed EUCS?

The Cyber Security Certification Scheme for Cloud Services („Programme”) aims to further improve the conditions for the Union's internal market in cloud services by strengthening and streamlining the cybersecurity assurance of services. The EUCS project is a comprehensive set of rules, technical requirements, standards and procedures agreed at European level to ensure adequate cyber security of a specific product, service or process.

The draft legislation aims to harmonise the security requirements of cloud services with the provisions of other European acts, international standards, industry best practices, as well as with existing certifications in EU Member States.

Current stage of work

The public consultation has now closed. The project is currently in the dialogue phase. It is difficult to assess how quickly the work will progress. 

Highlights of the certification

  • At the moment, certification is voluntary i.e. cloud providers can decide for themselves whether they want their products to be certified;
  • Certification will apply to all types of cloud services - from infrastructure to applications
  • Certification will increase confidence in cloud services by setting reference security requirements;
  • Certification includes three levels of assurance: "basic", "substantial" and "high";
  • The certification scheme proposes a new approach inspired by existing national systems and international standards;
  • Certification can be issued for a maximum period of three years;
  • The certification scheme includes transparency requirements, such as the location of data processing and storage. 

Lack of agreement on the "sovereignty requirement"

The European Commission has asked the European Union Cyber Security Agency (ENISA) to add sovereignty requirements to the Programme to ensure resilience against foreign jurisdictions. Concerns about adding a „sovereignty requirement” to the draft Programme were raised by Denmark, Estonia and Greece, among others. Sovereignty requirements were supported by France and Italy, for example.

Accordingly, on 19 September 2022. Germany called on the European Commission for a political discussion on the sovereignty requirements that the European Commission wants to include in the Programme.

Why is this important?

In addition to the advantage of obtaining a certain level of safety, certification will certainly make it easier for non-EU operators to operate in the European market and help build confidence in the European market for such suppliers.

Make it clear bq 3 clear
3

Chapter

Cybersecurity

Statement of the Polish Financial Supervision Authority (PFSA) on the cyber security activities of insurance and reinsurance undertakings

The Office of the PFSA pointed out the incorrect practice: 

  • Overly simple and obvious encryption of documents containing insurance secrets by using PESEL number, date of birth as password;
  • Excessive use of active links in SMS/mail

 In the Authority’s Statement, attention was drawn to:

  • The need to use more secure customer interaction channels, such as the insurance company's mobile app;
  • The need to ensure the use of multi-factor authentication in accessing documents containing insurance secrets - indirectly, its absence could jeopardize the security of customer funds through unauthorized access to account number information;
  • The need to monitor third-party IT providers based on the IT guidelines for the insurance sector (equivalent to Recommendation D in the banking sector);
  • Expanding customer education campaigns to include channels other than the internet or the app, as this creates a gap among those who do not use these forms of communication.

  • The Statement is part of a European trend of insistence that financial entities attach particular importance to cyber security - in this case, in the relationship with the insurance company's customer. In the insurance company-customer relationship, it is incumbent on the company to look at the relationship from different perspectives:

    • The perspective of proper data inventory - what data, in which services and in which systems are processed;
    • Proper control over the development of IT systems, both within the insurance company and using external companies;
    • Proper control and guidance of IT implementations, especially of the insurance company's applications;
    • Continuous monitoring of applications for cyber security risks.

    The PFSA’s Statement addresses the threads of data leakage penalties from GDPR and also reputational risks for the insurance company.

    Given that the Statement was prepared by, among others, the cyber-security department of the PFSA Office, special attention should be paid to the proper conduct of IT projects in an insurance company. In this regard, in the Statement, the Office of the PFSA referred to the 2014 Guidelines for IT in Insurance and Reinsurance Undertakings, which detail the key areas of IT in insurance companies.

    It should be borne in mind that the Regulation of the European Parliament and of the Council on the operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014 and (EU) No. 909/2014 (DORA) in certain spheres such as the need for penetration testing or contractual requirements will strongly affect the practice of conducting IT projects in insurance companies. 

Make it clear bq 4 clear
4

Chapter

Data protection

27 December 2022 is the deadline for SCC exchange for data transfers

Pursuant to the European Commission's Implementing Decision 2021/914 of 4 June 2021, the deadline for the implementation of the new standard contractual clauses (SCCs) for the transfer of personal data to third countries adopted under the aforementioned Decision expires on 27 December 2022.

    • The clauses adopted in 2001 and 2010 were drafted at a time when the applicable EU data protection legislation was still Directive 95/46/EC - while as of 2018, the GDPR is in force, which introduces new obligations;
    • The old clauses were drafted more than a decade ago in a different reality to the one we currently face. It was necessary to ensure that the sets of clauses allowed both to correctly reflect factual situations, e.g. long chains of processing and onward entrustment of data, and to allow for clauses between more than two entities and the dynamic accession of further entities to the contracts.

Spot light on man with pink background
5

Chapter

E-commerce

Digital Markets Act

Overview

Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act) was published in the Official Journal of the European Union on 12 October 2022 and came into force on 1 November 2022.

The aim of the new regulation is to put an end to unfair practices by companies that act as „Gatekeepers” in the online platform economy

When will a company be considered an „Gatekeepers”?

  • When it has a significant impact on the internal market. This requirement will be presumed where the undertaking to which it belongs achieves an annual EEA turnover equal to or above EUR 6.5 billion in the last three financial years, or where the average market capitalization or the equivalent fair market value of the undertaking to which it belongs amounted to at least EUR 65 billion in the last financial year, and it provides a core platform service in at least three Member States;
  • This requirement will be presumed where the company provides a core platform service that has more than 45 million monthly active end users established or located in the Union and more than 10 000 yearly active business users established in the Union in the last financial year;
  • it enjoys an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future. A company is presumed to meet this requirement when the thresholds indicated above have been reached in each of the last three financial years.

  • „Gatekeepers " must comply with their obligations under Articles 5, 6 and 7 of the Digital Markets Act. For example, „Gatekeepers” have an obligation to refrain from combining personal data obtained through core platform services with personal data obtained through any other services offered by the „Gatekeepers”. In addition, they have an obligation to refrain from preventing or hindering business users from commenting to the relevant public authority on practices committed by the „Gatekeepers”, and they have an obligation to provide advertisers with information on advertising prices. 

Legal alert on Cloud and Cyber
The regulatory tsunami is unleashed

On 28 November 2022, the Council of the European Union announced of the Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148, following its approval by the European Parliament on 10 November 2022 (NIS 2) 

  • The NIS 2 Directive introduces new provisions to support a high, common level of cyber security across the EU. It strengthens cyber security requirements for medium and large entities that operate and provide services in key sectors. NIS Directive 2 updates the 2016 NIS Directive.
  • The NIS 2 Directive is intended to address the shortcomings of the 2016 NIS Directive. The revised Directive aims to address discrepancies in cybersecurity requirements and the implementation of cybersecurity measures in different Member States.
  • The NIS 2 Directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the 20th day after publication. From its entry into force, Member States will have 21 months to transpose its provisions into national law.

On 28 November 2022, the Council of the European Union announced of a Regulation on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, following its approval by the European Parliament on 10 November 2022 (DORA)

  • The DORA regulation establishes uniform requirements for the security of networks and information systems of financial sector companies and key ICT service providers. DORA is addressed to almost all entities in the financial sector.
  • One of the most important changes that DORA will bring is the direct inclusion of ICT providers (designated as key ICT providers) in financial supervision (through the designation of a lead supervisory authority).
  • The DORA Regulation will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day after publication. The regulation will become applicable throughout the European Union 24 months after its entry into force.

On 10 November 2022, the joint EU Communication "EU Policy on Cyber Defence" was published.

  • The European Commission and the High Representative presented a joint communication on the EU's cyber defence policy and the Military Mobility Action Plan 2.0 to address the deteriorating security environment following Russia's aggression against Ukraine and to enhance the EU's ability to protect its citizens and infrastructure.
  • With the new cyber defence policy, the EU will strengthen cooperation and investment in cyber defence to better protect, detect, deter and defend against the growing number of cyber attacks.
  • The EU cyber defence policy aims to enhance the EU's cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities (civilian, law enforcement, diplomatic and defence). It will increase the effectiveness of cyber crisis management in the EU, while strengthening the European Defence Technology Industrial Base (EDTIB). 

On 3 November 2022, a new draft Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act) was published

  • The regulation establishes rules governing who can access non-personal data generated within the EU and how. The new regulation is intended to contribute to the wider use of data for common prosperity, boost the market for data-driven products and services, and open up the field for innovation.
  • The Data Act and the Data Governance Act are part of a broader data strategy that aims to put the European Union at the forefront of modern legal solutions in a data-driven society.
  • Work on the Data Act is still going strong. Recently, the Czech Council Presidency submitted another, second compromise draft regulation to the Working Party on Telecommunications and the Information Society.
     

Contact us!

Justyna Wilczynska-Baraniak

EY Polska, EY Law, Intellectual Property, Technologies and Personal Data, Partner, Attorney-at-law
Intellectual Property, Technology and Personal Data Team Leader. Experienced in legal advisory for multi-jurisdictional clients.
Warszawa, POL

Joanna Ostrowska (Gałajda)

EY Poland, EY Law, Senior Manager
Joanna Ostrowska is a Senior Manager in TMT an IP practice, responsible for cloud computing and cybersecurity projects.
Warszawa, POL

Maciej Bisch

EY Poland, EY Law, Manager, Attorney-at-law
Lawyer with years of experience in intellectual property law, data protection, commercial company law and dispute resolution.
Warszawa, POL

Summary

Here is the second study prepared as part of the Make IT clear program.

Every month we will show you the trends that entrepreneurs should follow and the solutions that should be implemented in order to be up to date with the law of technology, intellectual property and data protection. We will also indicate the risks and challenges associated with your business.

Do not hesitate to contact us!

Contact us
Interested in the changes we have made here,
contact us to find out more.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.