EU Policy Update - June 2020
In a nutshell: The European Commission has revealed more details about the planned reforms on the NIS Directive, the protection of critical infrastructure in the EU, Europol’s strengthened mandate, and the eIDAS Regulation. Additionally, the European Commission is consulting the public on the Digital Services Act and has published its evaluation report of the GDPR. Members of the Stakeholder Cybersecurity Certification Group have been selected. The Council of the EU published its conclusions on EU external action on preventing and countering terrorism and violent extremism. Members of the European Parliament filed amendments for the own-initiative reports on the Digital Services Act.
The European Commission published a roadmap on the review of the NIS Directive
The European Commission outlined its preliminary plans for the revision of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive). According to the combined evaluation roadmap and inception impact assessment, the NIS Directive revision will be inter alia accompanied by the review of the European Programme for Critical Infrastructure Protection as there are several synergies and overlaps between these two instruments. In the course of the revision, the Commission is planning to re-evaluate "the lessons learned from the implementation of the NIS Directive and identify persisting and emerging issues affecting the functioning of the Directive". According to the ongoing work on evaluating the implementation of the NIS Directive across the EU, "the NIS Directive has largely contributed to improving the cybersecurity capabilities within the Member States". However, several issues prevail, including "significant inconsistencies and fragmentation in the regulatory landscape, which may undermine the level playing field for some" due to the minimum level of harmonisation in the identification process of "operators of essential services" (OES). In addition, the Commission considers that "an assessment of the regulatory approach" applied to digital service providers appears to be necessary. 
At the preliminary stage, the Commission is considering multiple policy options to move forward with the NIS Directive revision: 1) non-legislative measures, such as guidelines for less harmonised areas of the Directive, such as the identification of the OES with the purpose of avoiding inconsistencies; 2) targeted changes to improve harmonisation, such as amending some definitions and introducing more harmonised elements in the process of identifying OES; 3) a legislative act that would repeal the NIS Directive, and that would aim to achieve a higher level of harmonisation and consistency by means of more detailed and precise rules. The legislative proposal is expected to be published at the end of 2020, while the European Commission is currently consulting the public on the topic.
The European Commission published a roadmap to revise the measures to enhance the protection and resilience of critical infrastructure
Together with the NIS Directive, the European Commission is also planning to revise the European Programme for Critical Infrastructure Protection (EPCIP) and the European Critical Infrastructure Directive (ECI Directive). According to the Inception Impact Assessment, the landscape related to critical infrastructure protection has changed in the years since these two instruments were adopted as the different types of critical infrastructure become increasingly interdependent upon one another. The Inception Impact Assessment highlights that the OES protected in the NIS Directive "should also be secure and resilient against a range of non-cyber risks". The initiative aims to ensure that "all relevant sectors providing essential services are included in the critical infrastructure protection approach". The legislative proposal is expected to be published at the end of 2020.
Members of the Stakeholder Cybersecurity Certification Group have been selected
The Stakeholder Cybersecurity Certification Group (SCCG) has been established by the EU Cybersecurity Act (CSA) to advise the Commission and ENISA on strategic issues regarding cybersecurity certification and assist the Commission in the preparation of the Union's Rolling Work Programme (URWP). The SCCG is composed of 50 members from a variety of organisations, including academic institutions, consumer organisations, conformity assessment bodies, standard developing organisations, companies and trade associations or other membership organisations active in Europe with an interest in cybersecurity certification. The full list of members is available here. The SCCG had its first meeting on 24 June, discussing inter alia the first batch of candidate cybersecurity schemes for EU Common Criteria and cloud services. The SCCG is also expected to advise the Commission on its URWP that will define the EU priorities for certification in the next three years. The URWP will also be subject to a public consultation which is expected in Q3 2020.
The European Commission is planning to strengthen Europol's mandate
The European Commission is planning a legislative reform to strengthen Europol's mandate. The Commission's preliminary Inception Impact Assessment recognises the limited role of Europol in obtaining digital evidence to investigate cross-border cybercrimes and proposes to allow Europol to “gather and process data available in the online environment, including data requested and obtained directly from private parties, notwithstanding Europol’s obligation to notify the relevant national competent authorities of the Member States[...]”. Furthermore, the Inception Impact Assessment proposes to allow “Europol to request data directly from private parties or query databases managed by private parties (e.g. WHOIS) in specific investigations”. The legislative proposal is expected to be published at the end of 2020.
The Council of the EU published its conclusions on EU external action on preventing and countering terrorism and violent extremism
On 16 June, the Council of the EU published its conclusions on EU external action on preventing and countering terrorism and violent extremism. In these conclusions, the Council of the EU underlined "the need to improve the conservation and transmission of electronic evidence during cross-border criminal investigations and prosecutions linked to terrorist cases". Furthermore, "all action on this issue must be consistent with the principles of a free, open and secure Internet, without compromising human rights and fundamental freedoms, including freedom of expression, or the protection of personal data". Regarding the misuse of the internet for terrorist purposes, the Council of the EU called upon "the tech industry to take on more responsibility for countering terrorist propaganda and radicalisation leading to violent extremism and terrorism and pro-actively address prevention, detection and removal of illegal content online".
The European Commission published the GDPR evaluation report
On 24 June, the European Commission published its GDPR evaluation report, two years after the legislation entered into force. The general view expressed in the report is that in the last two years "the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU". However, some areas of concern exist, although the Commission acknowledges the fact that more time is needed to adequately assess the GDPR’s application across the EU. One of the areas of concern is the fact that sufficient human, financial and technical resources to national data protection authorities are not consistently provided by Member States. The Commission, therefore, calls on Member States to provide the national data protection authorities with adequate resources as required by the GDPR. Additionally, the report notes that even though the GDPR provides for a consistent approach to data protection rules throughout the EU, it still requires Member States to legislate in some areas. As a result, there is still a degree of fragmentation in areas such as the age of consent in relation to information society services, the reconciliation of the right to the protection of personal data with freedom of expression and information, and the proper balancing of these rights. According to the report, such reconciliation must be provided for by law, respect the essence of those fundamental rights, and be proportional and necessary.
The European Commission published a public consultation on the Digital Services Act
On 2 June, the European Commission revealed its long-awaited public consultation on the Digital Services Act (DSA). The public consultation seeks citizens' and businesses' input on safety online, freedom of expression, fairness and a level playing field in the digital economy. As stated earlier by the Commission in its communication on "Shaping Europe's Digital Future", the DSA package aims to propose new and revised rules for digital services, by increasing and harmonising the responsibilities of online platforms and information society service providers. In its public consultation, the Commission is collecting information on the following topics: 1) how to keep users safer online; 2) reviewing the liability regime of digital services acting as intermediaries; 3) issues deriving from the gatekeeper power of digital platforms; 4) online advertising; and 5) what governance models should be in place to reinforce the Single Market for digital services. The consultation also specifically asks about the "appropriate and proportionate measures that digital services acting as online intermediaries, other than online platforms, should take – e.g. other types of hosting services, such as web hosts, or services deeper in the Internet stack, like cloud infrastructure services, content distribution services, DNS services etc".
Members of the European Parliament filed amendments for the own-initiative reports on the Digital Services Act
- Amendments for the Draft Report by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) - one specific amendment identifies a concern with "single sign-in services" that can be used to track users across platforms. It "therefore opposes the creation of a single Union sign-in system; recommends that providers which support a single sign-in service with a dominant market share should be required to also support at least one open and federated identity system based on a non-proprietary framework". Some amendments call for stronger judicial oversight over illegal content online, by also allocating more resources to national judiciary authorities, to allow them to fulfil their role more effectively; and allowing digital services to use "automated tools with human oversight to detect, remove or block access to content whose illegality has either been established by a court or can be easily determined without contextualisation".
- Amendments for the Draft Report by the Committee on Legal Affairs (JURI) (here and here) - some amendments call for a limited scope of the DSA that should not apply to "non-commercial content hosting platforms and platforms with less than 100,000 users". Some amendments also call for a broader stay-down principle according to which digital service providers should "make best efforts to prevent future uploads of the same content" that has been previously removed or made unavailable by them.
eIDAS revision expected at the end of 2020
The European Commission is planning to update the regulatory framework concerning digital identification in the EU at the end of 2020. The Commission has already determined that the current eIDAS Regulation is not fit for purpose and is working on a new legislative proposal. The evaluation of the eIDAS Regulation has shown that out of 27 Member States, only 13 have eID schemes in place, 8 of which are operational cross-border. Furthermore, in its current shape the eIDAS Regulation does not work for the private sector, according to the European Commission. The aim of the updated framework is to provide all EU citizens with "their own trusted digital identity". Additionally, the revision needs to take into account the most current technology, such as mobile identification schemes, as opposed to ID-card systems, which are deemed not to be future-proof. A public consultation is expected to be launched soon.