Provisional agreement in Europe to improve information exchange in terrorism cases

The European Council Presidency and European Parliament representatives reached a provisional agreement on a regulation aimed at improving the exchange of digital information in terrorism cases. The text agreed upon is subject to approval by the European Council and Parliament before going through the formal adoption procedure.

This draft regulation would be part of the ongoing work to modernise and digitise cross-border judicial cooperation.

These days, terrorism knows no borders; networks are built and attacks can be prepared and perpetrated within the territories of the European Union. Therefore, in order to be able to deal with it, the European judicial authorities must also have a cross-border strategy.

The agreed new system should allow better checking of information and ensure that any links are detected, regardless of where a terrorist crime has been committed in the EU.

Currently, member states share information with Eurojust on terrorism-related cases through various channels. This information is then included in the European judicial register for the fight against terrorism, a system that is currently technically obsolete as it does not allow for proper cross-checking of information.

The proposal aims to amend these shortcomings and enable Eurojust to play a more proactive and conclusive role in supporting coordination and cooperation between national authorities that investigate and prosecute terrorist offences.

Under the proposed rules, member states will have to provide Eurojust with information on any criminal investigations related to terrorist offences as soon as these cases are transferred to the judicial authorities.

According to the agreed proposal, this would entail:

  • Creating a modern, digital case management system that stores this information and allows it to be cross-checked.
  • Empowering Eurojust to better detect links between transnational investigations and prosecutions in the field of terrorism and to proactively inform Member States of links found.
  • Creating a secure digital communication channel between Member States and Eurojust.
  • Simplifying cooperation with third countries by granting liaison prosecutors attached to Eurojust access to the case management system.

_____


European Union strengthens cybersecurity and resilience across the Union

The European Council adopted legislation aimed at a high common level of cybersecurity across the entire Union. The goal is to further enhance the resilience and incident response capabilities of the public and private sector and the Union as a whole.

The new directive, called ‘NIS2’, will replace the current directive on network and information systems security (the NIS directive). With this initiative, the Council itself believes that cybersecurity will undoubtedly remain a key challenge for the coming years. In this sense, the new legislation is a huge gamble for our economies and our citizens.

The NIS2 will establish the baseline for cybersecurity risk management measures and reporting obligations in all sectors covered by the directive, such as energy, transport, health and digital infrastructure.

The revised directive seeks to harmonise cybersecurity requirements and the implementation of cybersecurity measures in the different member states. To this end, it establishes minimum rules for a regulatory framework and mechanisms for effective partnership among the relevant authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and penalties to ensure enforcement.

The directive will officially set up the European Cyber Crisis Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents and crises.

Under the old NIS directive, member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services. The new NIS2 directive, however, introduces a size-limit rule as a general rule for identifying regulated entities. This means that all medium and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

Although the revised directive maintains this general rule, its text includes additional provisions to ensure proportionality, a higher level of risk management and clear criticality criteria to allow national authorities to determine other covered entities.

The text also clearly states that the directive will not apply to entities carrying out activities in areas such as defence or national security, public security and law enforcement. Judiciary, parliaments and central banks are also excluded.

The NIS2 will also apply to public administrations at the central and regional levels. In addition, member states may decide to apply it to these entities at the local level.

Furthermore, the new directive was aligned with sector-specific legislation, in particular the regulation on the digital operational resilience of the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure consistency between the NIS2 and these acts.

A voluntary peer-to-peer learning mechanism will increase mutual trust and learning from good practices and experiences in the Union, thus contributing to achieving a high common level of cybersecurity.

The new legislation also streamlines reporting obligations in order to avoid cases of over-reporting and undue burden on covered entities.

_____


Hate crimes and mental illness in the U.S.

Last October, The New York Times published an article by researcher Eyal Press in which he questioned the treatment and response to mentally ill people involved in hate crimes in the United States. Press is the author of the book Dirty Work: Essential Jobs and the Hidden Toll of Inequality in America.

The author explains that since the onset of the COVID pandemic, a wave of violence against Asian Americans has spread across the country. There have been blatant assaults in which victims have been spat on, beaten, pushed from the subway platform, stabbed or shot with firearms. Among the shocking number of attacks that have made the news, most of those arrested have turned out to have serious mental health problems.

Although the number of hate crimes against Asian Americans in New York went down during the first half of 2022, the overlap between hate crimes and bias attacks has remained. The New York Police Department announced that, of the 100 people arrested for hate crimes in the city during the first four months of 2022, half had previously been classified as emotionally disturbed.

Press believes that, because of these patterns of behaviour, the role that mental illness may play in racially motivated violence makes it a pending and necessary issue to resolve. And we must avoid the belief that such a debate would reinforce negative stereotypes, since people experiencing mental illness are much more likely to be victims of violence than to be its perpetrators. Another danger would be if mental illness were invoked to divert attention from the rhetoric and ideas that breed acts of violent extremism.

Edward Dunbar, professor of psychology at the University of California, a researcher on bias-motivated crime, believes that it is not surprising that during the pandemic some people with mental disorders committed aggressive acts, because of the constant anti-Asian speeches in the public debate.

What Press exposes in his article is that most of the mentally ill people who were arrested for attacking Asian people in New York City during the pandemic were not only mentally ill, but homeless.

The community organization The Anti Police-Terror Project proclaimed in a propaganda leaflet that mental illness is not a crime, advocating keeping such people out of the criminal justice system.

Brian Levin, director of the Center for the Study of Hate and Extremism at California State University, San Bernardino, has proposed creating a separate classification for mentally ill offenders as a way of highlighting that their cases are different. The goal would be for these people to receive treatment rather than incarceration. The imposition of harsh criminal penalties on these offenders is perhaps ineffective.

A better approach would be to invest resources in the flawed mental health systems that leave so many highly unstable people without long-term care. Addressing other social problems would also be useful, as a growing body of research suggests that people with severe mental illness are more likely to carry out violent acts when exposed to other risk factors, such as traumatic childhood experiences, financial instability, or living in high-crime neighbourhoods. Treatment alone would not solve these problems, but locking these people in prisons won’t make them go away either.

_____


The European Council Approves Conclusions for a Unified Cyber Posture

The European Council has approved conclusions on the development of the European Union’s stance against cyber-attacks. The posture is intended to demonstrate the EU’s determination to provide immediate and long-term responses to threats that seek to deny the EU secure and open access to cyberspace and affect its strategic interests, including its partners’ security.

Ministers, among other things, call on the European Commission to propose common EU cybersecurity requirements for connected devices and associated processes and services. They also invite relevant authorities, such as the European Union Agency for Cybersecurity (ENISA), to make recommendations to strengthen the resilience of communication networks and infrastructures within the EU. The Council also stresses the importance of establishing regular cyber exercises to test and develop the EU’s internal and external response to large-scale cyber incidents.

Cyberspace has become an arena for geopolitical competition. The EU must therefore be able to respond swiftly and forcefully to cyber-attacks, such as malicious cyber-activities targeting the Union and its member states. It must also make full use of all the instruments at its disposal. Perpetrators should be aware that cyber-attacks against member states and EU institutions will rapidly be detected, identified and fought with all necessary tools and policies.

In the conclusions, the Council highlights the EU’s five roles in the cyber domain:

1. Strengthen resilience and protective capacities. Malicious behaviour in cyberspace has intensified in recent years and emanates from both state and non-state parties. This includes a sharp and steady increase in activities targeting critical infrastructure and supply chains.

2. Improve solidarity and comprehensive crisis management. In the current geopolitical climate, the Union’s strength lies in unity, solidarity and determination, and the implementation of the Strategic Compass. This should enhance the EU’s strategic autonomy and its ability to work with partners to safeguard them, while respecting their values and interests, including in the cyber domain.

3. Promote the EU vision of cyberspace. Consolidate peace and stability in cyberspace and in favour of an open, free, global, stable and secure cyberspace, and coordinate short-, medium- and long-term actions to prevent, identify and respond to cyber threats and attacks.

4. Improve cooperation with partner countries and international organisations. The overall level of EU cybersecurity needs to be raised, with a rapid adoption of the draft Directive on measures to achieve a high common level of cybersecurity across the Union (NIS), the draft Regulation on Digital Operational Resilience for the Financial Sector (DORA) and the draft Directive on Critical Entity Resilience (CER).

5. Prevent, defend and respond to cyber-attacks. Competent authorities, such as the Body of European Regulators for Electronic Communications (BEREC), the European Union Agency for Cybersecurity (ENISA) and the Network and Information Security (NIS) Cooperation Group, together with the Commission, will formulate recommendations based on risk assessment in the member states and the European Commission to strengthen the resilience of communications, networks and infrastructures within the European Union.

_____


The European Union Strengthens IT Security for Financial Institutions

Taking into account the ever-increasing risks in relation to cyberattacks, the European Union is reinforcing IT security in various sectors, in particular financial institutions such as banks, insurance companies and investment firms.

The European Council and Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), which will ensure that Europe’s financial sector is prepared in the event of a severe operational disruption.

DORA establishes uniform security requirements for the network and information systems of companies and organizations operating in the financial sector. These also apply to third parties providing ICT (information and communication technology) related services, such as cloud platforms or data analysis services.

According to the regulatory framework on digital operational resilience that DORA has created, all companies have to ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are the same for all EU member states. The main objective is to prevent and mitigate cyber threats.

Under the provisional agreement, the new rules will provide a very robust framework for enhancing IT security in the financial sector. The extent financial institutions must go to in order to protect their information will be proportional to the potential risks.

Critical third country providers of ICT services to EU financial institutions will have to establish a subsidiary within the EU so that supervision can be properly implemented.

Regarding the supervision framework, the co-legislators agreed upon an additional joint supervision network that will strengthen coordination between European authorities on this cross-cutting issue.

In light of the provisional agreement, DORA interacted with the Network and Information Security (NIS) Directive in order to provide financial institutions with full clarity on the different digital operational resilience standards they have to comply with. This will also prepare financial institutions holding multiple authorisations and operating in different EU markets. The NIS policy will continue to apply. DORA is based on the NIS Directive and addresses possible overlapping through a lex specialis exemption.

The provisional agreement reached is subject to approval by the European Council and Parliament before going through the formal adoption procedure.

Once the DORA proposal is formally approved, each EU member state will also approve it. European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) will develop technical standards for all financial institutions, from banking to insurance and asset management. The respective competent national authorities will take on the task of compliance monitoring and will enforce the regulations when necessary.

This package fills a gap in existing EU legislation and ensures that the current legal framework does not pose barriers to the use of new digital financial instruments. It also ensures that the new technologies and products fall within the scope of financial regulation and operational risk management arrangements for companies active in the EU. Thus, the package aims to support innovation and the adoption of new financial technologies, while providing an adequate level of consumer and investor protection.

_____


Consolidating cybersecurity and resilience throughout the European Union

The European Union is working on improving resilience in the face of increasingly serious cyber threats so as to consolidate security in society at large and in the digital economy.

The European Council has reached a joint agreement on shared high-level cybersecurity measures throughout the European Union with a view to further improving resilience and the ability to react to incidents in both the public and private sectors and in the EU as a whole.

Once approved, the new directive, referred to as NIS2, will replace the current directive on the Security of Network and Information Systems (the NIS Directive).

NIS2 will establish the base line for measures to manage risks to cybersecurity and obligations to provide information in all the sectors covered by the Directive, such as energy, transport, health and digital infrastructure.

The revised directive is intended to eliminate divergences in cybersecurity requirements and the implementation of cybersecurity measures in different Member States. To this end, it establishes minimum standards for a regulatory framework and mechanisms for effective cooperation between the relevant authorities in each Member State. It also updates the list of sectors and activities subject to cybersecurity obligations, and provides for resources and sanctions to ensure their implementation.

The Directive will formally establish the European Union Cyber Crisis Liaison Organisation Network, EU-CyCLONe, which is intended to provide support for the coordinated management of large-scale cybersecurity incidents.

While according to the terms of the former NIS directive Member States were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 Directive introduces a rule to establish the limits of their scope. This means that all the large and medium-sized entities that operate within the sectors concerned or that provide services subject to regulation by the Directive will come under its scope of application.

Although the Council’s position maintains this general standard, it also includes additional provisions to ensure proportionality, a higher level of risk management and clear criteria for the definition of the entities to be covered.

The Council’s text also clarifies that the Directive will not apply to entities that develop activities in fields such as defence or national security, public security, the police and the courts. National parliaments and central banks are also excluded from the scope of the Directive.

Since public administrations are often also the targets of cyber attacks, NIS2 will apply to the public administrative organisms of Member States’ central governments. In addition, Member States can decide which regulations will apply to these entities at a regional and local scale.

The Council has aligned the text with specific sectoral legislation, particularly the Digital Operational Resilience Act (DORA) regulation for the financial sector and the Critical Entities Resilience (CER) Directive to provide legal clarification and ensure consistency between NIS2 and these new regulations.

A voluntary mechanism for peer learning will increase mutual confidence and the learning of good practices and experiences, and will thus contribute to achieving a high level of shared cybersecurity.

Member States will have two years starting from the date that the Directive comes into force within which to incorporate the provisions into their national legislations.

_____


Safe online shopping awareness campaign for the upcoming high consumer season

Europol is launching the #SellSafe awareness campaign in November as part of a series of consumer protection and e-commerce initiatives in the run-up to the peak shopping season.

Online shoppers need to be more vigilant than ever as organised crime groups continually adapt their online fraud methods to defraud both citizens and e-commerce companies.

Since the start of the pandemic, many businesses have had to go online to continue their activities. At the same time, with people now using online services several times a week and increasingly shopping online, there is a much greater opportunity for attack by cybercriminals.

Even when online shopping has been made secure through the implementation of new technologies, such as secure customer authentication or two-factor authentication, cybercriminals still find ways to steal money from online shoppers.

Europol, together with the Merchant Risk Council and participating countries, has launched the #SellSafe campaign, following the success of last year’s campaign, to highlight key tactics to combat online fraud. The aim of the campaign is to make e-commerce safer by promoting secure online shopping methods and helping new vendors to open their first online shop by minimising the risk of cyber-attacks.

Participating countries will promote the campaign through their social media channels using the hashtag #SellSafe to help consumers understand the risks of e-commerce fraud.

To protect consumers, Europol has provided a number of useful tips to try to keep them one step ahead of fraudsters and ensure they do not steal money.

Tips for protecting an e-business:

• Make sure all employees are aware of fraud issues affecting online shops.

• Stay up to date on the types of payment fraud that affect businesses and have the tools to prevent them. Your payments organisation will have details on the types of payment fraud.

• Get to know your customers so you can verify their payments.

Tips for online shoppers:

• Never send your card number, PIN or any other card information to anyone by email.

• Never send money to anyone you do not know.

• Always keep all documents related to your online purchases.

• If you don’t buy anything, never send your card details to anyone.

_____


Is technology efficient in the fight against domestic violence?

Domestic violence affects approximately one in three adults in the United States at some point in their lives. It represents more than 40% of all women’s murders: 856 women died in 2017, according to the latest official figures.

Law enforcement has a history of responding inefficiently to the problem. According to a Justice Department report, domestic violence, as a category, generates the largest number of calls to police. However, advocates for victims of domestic violence have long criticized police for not taking allegations of abuse seriously enough, or for responding with a narrow approach, focused on protection orders, arrests and trials, which does not always help the victims.

However, when one of the world’s largest technology companies, Ring, offers free cameras to help solve the problem, this can be an attractive proposition. Police believe that this could be an ever-available sentry guarding the homes of victims of repeated crimes.

When Ring’s pilot programs began in 2019, these were small in size. Bexar County set aside 50 cameras to protect victims of domestic violence and anyone with a protection order. San Antonio assigned 171 devices to victims of domestic violence and sexual assault who had filed police reports. And in Cape Coral, where this program for fighting domestic violence was supposed to last a year, 100 devices were assigned to victims of domestic violence.

Former Cape Coral police chief David Newlan had the idea to implement the program in that city after a 2017 incident in which a case of domestic violence turned into a murder-suicide. The perpetrator had been banned from approaching the victim by a restraining order and was required to wear an ankle bracelet controlled by a third party. On the day of the murder, the monitoring company did not notify the police when he violated the protection order by approaching the victim’s home.

Police departments want to know everything they legally can. But is growing surveillance technology in the public interest?

Today, more than 1,800 U.S. law enforcement agencies use the Neighbors app, along with more than 360 fire departments. Ring associations, with many police forces using it, give the participating departments a much broader surveillance system than the police themselves could build legally.

The popularity of these programs is unclear. The San Antonio program distributed 158 of its 171 cameras. However, in the first year of the Bexar County program, no more than 15 victims opted for one of the 50 cameras, according to Rosalinda Hibron-Pineda, a victim services specialist at the sheriff’s office. And in Cape Coral, where there were 100 cameras available, only 24 had been given out.

Unless they give law enforcement the tools to arrest and imprison the assailants, the cameras would not be effective.

_____


Council adopts conclusions on sports-related violence ahead of the European football championship

The Council has adopted a series of conclusions on sports-related violence. In these conclusions the Council emphasises the unique challenge to security posed by the UEFA EURO championship, given that the competition will take place in 11 European cities simultaneously.

The Council emphasises that the organisers of major events taking place during the COVID-19 pandemic should continue to adopt measures and procedures that prevent the spread of the virus among all actors involved.

The Council also stresses the relevance of international police cooperation and information exchange to ensure a safe and secure competition. Acknowledging that monitoring the movement of risk supporters may be vital to prevent public disorder and associated criminal activity, it encourages effective international cooperation through the deployment of specialised law enforcement officers as well as other liaison officers, even if a sports event takes place without general public attending.

The Council recognises that, in view of several recent incidents of sports-related violence, it is crucial to address this issue beyond the sports venues themselves. The scope of preventive measures should be enlarged to cover locations such as public transport, hotels, training centres, night-life areas and other public spaces.

The Council stresses the importance of protecting public spaces and private spaces open to the public, namely through the implementation of security-by-design concepts and the use of surveillance and detection systems that incorporate artificial intelligence, while respecting fundamental rights. It also calls on member states to continue to monitor online content, with a view to preventing and mitigating the dissemination of messages that incite violence, extremism, radicalisation and xenophobia.

Lastly, the Council stresses the need for member states to increase the risk assessment of risk supporters, especially those with extremist ideologies, so as to identify, prevent and limit possible hostile and criminal activity during international sporting events.

_____


Crime prevention through environmental design gains popularity. The new ISO 22341 and other news

For years, criminology and other disciplines have raised the need for a cross-cutting, multi-actor approach to dealing with security.

One of the more structured cross-cutting approaches is Crime Prevention through Environmental Design (CPTED) which, in essence, responds to the questions raised by environmental criminology through knowledge of how our surroundings (environment) condition security (and crime) and the methodologies that need to be designed and used to work in this field effectively. Although initially focused on the design of physical spaces, CPTED has since been extended to include social aspects relating to the movements and activities of the population within those spaces, a critical factor when considering security-related issues.

The approaches proposed by CPTED have been adopted, more or less implicitly, by influential organisations such as the European Forum for Urban Security (EFUS), the Spanish Forum for Prevention and Urban Security (FEPSU), and by several urban regeneration projects in various cities around us.

Recent developments have confirmed the growing influence of this perspective and increased recognition of its effectiveness. A long standardisation process finally resulted in the approval of technical recommendations (CEN/TR 14383-2) in 2007, and this year, an ISO has been approved globally, ISO 22341, demonstrating the consolidation of the approach. The ISO constitutes an agreement on the minimum standards required to ensure environmental design principles are respected in specific spaces and areas. While the standards may still be more centred on the more physical aspects of spaces, they confirm the movement’s widespread acceptance.

The European Cutting Crime Impact (CCI) project, of which the Ministry of Home Affairs is a member, has also included this approach to prevention among its four fundamental lines of work as an effective and reliable way to reduce insecurity and limit its impact.

In Catalonia, multiple security, criminology and police professionals have recognised the need for a structured approach to promoting this type of prevention, creating the Catalan Association for the Prevention of Insecurity through Environmental Design (ACPIDA), which will be launched publicly and begin its activities in the coming months. Integrated within the framework of the International Association for the Prevention of Crime through Environmental Design (ICA), it will provide training, information and advice in the field.

Finally, on a state level, a new Spanish publication called A guide to crime prevention. Security, urban design, citizen participation and police action, provides a clear and practical guide on how to apply the CPTED principles to public spaces. César San Juan and Laura Vozmediano, professors at the University of the Basque Country and prestigious authors in the field of environmental criminology, have made an effort to translate the principles into concrete actions that can act as a practical guide for a range of public security managers and actors when planning, renovating and organising public spaces. The work offers the considerable benefit of clarity and exemplification by specifying how public spaces should be designed and how the various actors involved must adopt CPTED principles in order to ensure the resulting spaces facilitate security and quality of life for all who use them.

_____
