Tag Archives: Tristan Lockwood

Digital Services Act Decoded #1: DSA Enforcement – Key Points

by Laura Knoke, Lutz Riede, Tobias Timmann, Janet Kim, Tristan Lockwood, Luca Mischensky, and Juliana Heer

Top Left to Right: Laura Knoke, Lutz Riede, Tobias Timmann, and Janet H. Kim. Bottom Left to Right: Tristan Lockwood, Luca Mischensky, and Juliana Heer (photos courtesy of Freshfields Bruckhaus Deringer LLP)

The Digital Services Act (DSA) empowers both the European Commission (Commission) and Member State Digital Services Coordinators (DSCs) to take tough enforcement action against non-compliance. Since DSA obligations became fully applicable for most very large online platforms (VLOPs) and very large online search engines (VLOSEs) in August 2023, compliance has been at the top of the Commission’s regulatory agenda. With enforcement action continuing to ramp up over the past year, and obligations for all other intermediary services coming into force in February 2024, it is vital for service providers subject to the DSA to be familiar with the DSA’s different enforcement mechanisms and areas of focus. The enforcement landscape is one that is further complicated by the ability of private parties, such as service users and consumer protection organisations, to bring private actions to facilitate DSA compliance.


Lessons from The Financial Stability Board’s Report on Cyber Incident Reporting

by Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood


From left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood (Photos courtesy of Debevoise & Plimpton LLP)

Big businesses, especially those with a global footprint and operating in regulated sectors, are increasingly confronted with new and diverging cyber incident reporting requirements. A single incident—even a relatively minor one—may require notification to dozens of data protection, cyber, law enforcement, and sectoral regulators around the world, in addition to insurers, customers, and counterparties. Not only do many regulatory reporting obligations have materially different triggers, but also significant variation exists in reporting timeframes, content requirements, and subsequent regulatory engagement practices. The cumulative effect of this regulatory spiderweb of red tape is often to divert attention and resources away from substantive incident response and remediation, and to create a bureaucratic vortex for compliance and legal personnel. To make matters worse, businesses cannot simply hire their way out of this morass. With a ~3.4 million person shortage in information security professionals, when regulators force too much attention on incident reporting they are invariably diverting eyes from actual information security.


EU Digital Operational Resilience Act (DORA): Management Obligations and the Role of the Board

by Robert Maddox and Tristan Lockwood


From left to right: Robert Maddox and Tristan Lockwood (photos courtesy of Debevoise & Plimpton LLP)

Back in November 2022, we highlighted the enactment of the EU’s Digital Operational Resilience Act (“DORA”) that will impose far-reaching operational resilience requirements and Board oversight requirements on almost all financial services firms regulated in the EU – including banks, insurers, payment services providers, crypto asset custodians, fund managers, among many others. DORA also regulates critical service providers that, for the first time, will be directly regulated by EU financial services regulators. In this article, we take a closer look at the obligations DORA imposes on covered entity Boards.
