
Legal requirements and challenges for long-term security systems

Formal Metadata

Title
Legal requirements and challenges for long-term security systems
Number of Parts
18
License
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Transcript: English(auto-generated)
This is Paul Johannes, I'm from the University of Kassel. I think I'm the odd man out. I'm not a computer scientist or a mathematician. I'm a lawyer by trade. And I'm working at the University of Kassel within the Project Group for Constitution-Compatible Technology Development. No, actually, it's the sign right on the top. That's our logo. Project Group for Technical Technology. Until now, I never translated it, but something like that. It's about development, developing technology within the means of the Constitution and the laws. It's not only about compliance. We want to achieve more. We want to develop technology constitutionally so that most people can enjoy it without infringement of their rights.

Let me give you an overview of my talk. First, I'm going to talk about long-term security and long-lived systems, why we should secure those. And I'm talking about liability, then about the regulatory framework, and then about trust services and long-term archiving. So in essence, I'm hammering on points that were already made, but with a little bit of a legal perspective.

Long-term security of long-lived systems as a legal obligation. So why long-lived systems? Why do we want to have long-lived systems from a legal standpoint? They may be a legal requirement. You want to keep certain electronic documents. You want to keep certain data for as long as you would like to keep files that were printed out. Why long-lived systems also might be a contractual obligation to keep those systems running, to service systems for as long a time as you close the contract? That might be 10 years, might be 20 years, might be indefinitely. And certainly, a practical necessity. Even if you aren't required to provide long-lived systems, either by legal requirements or by contractual obligations, it might be a practical necessity from your point of view. You want to keep those running because you want to keep records or you want to have certain kinds of provenance for your data.

Why long-term security? For the same reasons. I just changed the colors of the Venn diagrams. If you want to keep this data and you have long-living systems, you have to provide long-term security usually. Why? Because you might have statutory retention periods. That's a legal requirement. You might have laws on data protection and data security. They also get into the how of data security. You might have laws regarding competition and trade secrets. That might be a legal requirement why you want to keep data protected. Contractual obligations: you provide a service or it's part of a service. It might be a secondary obligation to your service. And practical necessity, provenance, provenativeness, maybe the scientific outlook, you want to keep data as long as possible. And for the aversion of risks, you feel more secure if you have the data.

And in essence, it's about compliance. Compliance may be a model for implementing security technology for the public. It's not only about waiting till something happens and then you have to defend yourself in court, but it's also about complying with legal standards and creating an environment where, in your company, the laws are upheld. Why do you want to do that? Because you don't want to get liable. It is a common principle that liability arises directly from unlawful actions or negligence. In the case of protection of long-term systems, negligence might be one key element or the reason for your company to be liable for something. The specific requirements for these actions in each case depend on the elements of statutory and case law and our contractual obligations. So there might be various reasons why you are liable when you don't provide long-term security. There is currently no statutory law that allows a government body to directly fine a lack of security. But liability for damages might follow from the law of contracts or tort law. So either you are negligent within the fulfillment of your contract or you've encroached on somebody's right and there's a tort. Security is often a secondary obligation to a contract. If it's not the first obligation or a high-profile obligation, it at least often is a secondary obligation. So these have to be fulfilled as well. And the tort follows a breach of a statute that is intended to protect another person. That might be all legal statutes pertaining to data security that can be found, for example, in the laws of data protection. So that's a wide range of possible liability reasons. So why you should secure long-lived systems is not only because of practical necessity, but also because you might be liable if you don't do so.

Let's have a look at the regulatory framework. So what laws pertain to cybersecurity and the long-term security of long-term systems? First of all, we could think about the IT Security Law, or the directive on security of network and information systems. And this directive has been effectuated at the beginning of this month, but hasn't been transposed yet into national law. You could think less about that, but actually, these laws are more about transparency and disclosure of breaches into IT security. So they are called Cybersecurity Act, but they don't actually force you to invest in cybersecurity. They do that indirectly, but not directly.

As a second legal framework, and that's all about data protection, protection of personal data, meaning any information concerning the personal or material circumstances of identified or identifiable individuals. You might think that most data isn't personal data, but if you really think about it, most data, whatever it is, has at least some kind of connection to a person. And if it's a person who put it into the system, then at least some metadata about him will be stored. And most data that is commercially viable nowadays, we're talking about industry 4.0 and internet 4.0, is at least in some ways connected to an individual, where it's personal data. And therefore, personal data law applies. And within most personal data laws, there's a section or something about cybersecurity. For example, section 9, Federal Data Protection Act, that's Bundesdatenschutzgesetz in Germany, or the individual State Data Protection Acts of our 16 federal countries. And there's also European legislation. There is a data protection directive from '95, but there's a new one, that's the General Data Protection Regulation that has been implemented two months ago and will be effectuated like in 2018. So when we're talking about cybersecurity for the protection of personal data, we have to take into account all these acts, presumably, depending on the body who works with the personal data, who's responsible. That might differ, so... And you might think that now the General Data Protection Regulation will do away with all the other data protection acts, but unfortunately, that's wrong. So it started out as a regulation that will be enforceable as law in all member states directly, but the regulation has a lot of open points that will be supplemented by state laws. So there still will be an effect.

That's again about the IT security law. I went over this. The IT security law changed various laws and the goal is or was to increase cybersecurity. And it's mostly about transparency and notification of cyber breaches. Same goes for the directive on security of network and information systems. So in essence, they don't hold that many points for cybersecurity as to the how of cybersecurity. But on the other hand, the Data Protection Acts usually address the security of systems with personal data, and they don't detail specific security measures, but they do place an obligation on the one who works with the personal data to have appropriate security measures regarding, for example, access control, to prevent unauthorized persons from gaining access to data and processing systems; admission control, to prevent data processing systems from being used without authorization; authorization control, to ensure that persons entitled to use a data processing system have access only to the data to which they have the right to access. And then there's also transmission control, to ensure that personal data cannot be read, copied, modified, or removed without authorization; input control, to ensure that it's possible to check and establish whether and by whom personal data have been entered into the data processing system; job control, to ensure that in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the principal; and availability control, to ensure that personal data is protected from accidental destruction or loss. And data separation is there to ensure that data collected for different purposes can only be processed separately. So these are principles, data security principles, that have to be implemented by the data authority, by the authority that works with the personal data.

And the question then is, what is an appropriate security measure? And the legal evaluation of the risk, how you measure what's appropriate: you have to evaluate the risk inherent in the processing. And implementation of measures to address these risks might be encryption; they often are, not always, but most of them are. And the security measure should ensure an appropriate level of security, including confidentiality, taking into account the state of the art, that's what we're talking about today, what's secure when we're talking about encryption, taking into account the cost of implementation also, and taking into account the nature of the personal data to be protected. And to assess data security risk, the risk of accidental or unlawful destruction has to be considered, the risk of loss, the risk of alterations, the risk of unauthorized disclosure or access to data, and possible physical, material or non-material damage. These are bullet points, these are points you have to take into account when you evaluate what is an appropriate security measure in regards to the personal data you're processing. So not for every data processing is the highest kind of security necessary from a legal standpoint.

As a second legal framework concerning the laws of encryption or laws of cyber security, which you can use to infer conclusions for a legal standpoint or assessment of the whole thing, there are the laws of trust services and long-term archiving. Goals of cyber security are long-term protection, and they must be integrity and confidentiality, as was put down in the memorandum to this talk. Well, that's true, and the goals for trust services, the legal framework for this, are integrity and authenticity, so not only to make sure that the data is untampered with, and you can prove that it is untampered with, but also to show who it is from, who is the originator, who is the signatory. These are the goals of the framework for electronic transactions in the electronic market. So they have two things in common. They have one thing in common, integrity, and one can use the rules for integrity in the legal framework for electronic transactions in the electronic market to say something about cyber security measures or use them.

The legal framework is, as was said before, the law on electronic signatures in Germany and the federal ordinance on electronic signatures, and many, many sections concerning the application of electronic signatures in various German laws, for example, in the federal civil code or the laws concerning the rules of the court. Actually, I don't really know how to translate that, but that's the rules for government bodies to work. And last on this list is the regulation on electronic identification and trust services. Like was said before, that has been effectuated on the 1st of July this month. It's the eIDAS regulation, which gives a framework for various trust services who all rely on encryption to work. And these are services normally provided for payment, which consist in the creation and verification/validation, for example, of electronic signatures, electronic seals (these are electronic signatures for not natural persons, but legal persons), electronic timestamps, certificates related to the above-mentioned services, the creation, verification and validation of these certificates, and the preservation of electronic signatures, seals, and certificates. So lying within this legal framework already is a way to ensure long-term encryption, classical long-term encryption, by over-signing old signatures or seals with new signatures and securing the moment of when it happens in order to show that the encryption hasn't been broken to that point.

And the legal framework differentiates between trust services and qualified trust services. All of the above are trust services always, but only the qualified trust services that work in accordance with the relevant requirements of the regulations are considered to be of higher legal value. There are various statutes within the regulations that point to these qualified trust services. For example, higher provability, or say that these trust services can be used to prove certain real aspects, while trust services, not qualified trust services but plain trust services, might not be able to do that just from the legal point of view, just by looking at this as a statute. For those, it has to be proven that they are secure.

All trust services use encryption to facilitate security. And the assessment of the technical security depends in particular on the security capability of the algorithms and the parameters used. Over time, the compatibility of cryptographic algorithms for security may be compromised. And these come from threats due to advances in computer and software technology, as well as advances in mathematics and cryptography, as you all know; I don't know why I tell you that. And these advancements and threats are monitored by the Supervisory Authority and evaluated with respect to the impact on the security of the algorithms and associated parameters. And from that derives the Algorithm Catalog, which is published by the Federal Network Agency, but they heavily rely on the Bundesamt für Sicherheit in der Informationstechnik, BSI, to get to this catalog. And this catalog determines whether certain cryptographic methods keep in line with the state of the art and science and technology of cryptography. So from a legal standpoint, you have a body of work that directly points to you whether a certain form of encryption was of high value or not. So that might be used in various court cases to determine if your encryption was negligent or not, was high enough or not.

So problems of long-term security are known in regards of integrity of data and security measures such as electronic signatures and other trust services. And the Algorithm Catalog is of a high standard. The European standard pertaining to the eIDAS regulation might be less high, but compliance with at least the Algorithm Catalog indicates due diligence on the part of the service provider and will indicate due diligence on the part of the long-term service provider as well.

So in conclusion, just to reiterate, the need for long-lived systems might stem from statutory, contractual, or practical demands. Long-term security is often an obligation, at least a secondary obligation, to service of the long-lived systems. So you need security even from a legal standpoint. And the long-term security has to be adequate and reasonable depending on the risk and state of the art. And therefore, long-term security has to adapt or be adaptable to the state of the art, at least due to advancements in cryptanalysis. And the legal framework that will be used by lawyers, not only lawyers but judges too, unfortunately, to determine whether service providers have been duly diligent, comes from laws on IT security as well, but also laws on data protection.
Thank you very much.