EU Policy Update - March 2024

EU Policy Updates 04-04-2024

In a nutshell: The Council of the EU adopted the Regulation on Geographical Indications protection for agricultural products. The European Commission has presented a recommendation on the EU Intellectual Property toolbox, has opened a call for proposals for an EU repository of public domain works, and has published a delegated act on data centres' energy efficiency. The European Parliament adopted the Cyber Resilience Act and the Artificial Intelligence Act and, jointly with the Council of the EU, adopted the EUID Regulation. The European Data Protection Supervisor presented its investigation into the European Commission’s use of Microsoft 365. The NIS Cooperation Group updated the compendium on securing the EU 2024 elections. ENISA published its Foresight report for 2030 cybersecurity threats. EU Member States shared their concern on the Insolvency proposal. The Czech Ministry of Foreign Affairs published a position paper on the application of international law in cyberspace.

Intellectual property

The Council of the EU adopted the Regulation on geographical indications protection for agricultural products

On 26 March, the Council of the EU formally adopted the Regulation on Geographical Indication (GI) protection for wine, spirit drinks and agricultural products. According to the Council’s press release, the new regulation will “bring tangible benefits to the rural economy and safeguard the EU's gastronomic heritage across the world”. According to the Council, the Regulation also promotes greater protection of GIs online, including in “domain names that contain geographical indications, via geo-blocking”, and to that end, the EUIPO has been entrusted to set up a domain name information and alert system. For more information on how the new law affects domain names, see our previous reporting here. The regulation will now be signed and published in the Official Journal of the EU. It will enter into force on the 20th day following its publication.

The European Commission has presented a recommendation on the EU Intellectual Property (IP) toolbox

On 19 March, the European Commission adopted a recommendation on Combatting counterfeiting and better protection of intellectual property rights. This non-binding document, also known as the EU toolbox against counterfeiting, aims at improving cooperation between rightsholders, service providers (including TLDs), and law enforcement for the purposes of combatting IP infringements. According to the toolbox, service providers are encouraged to participate in voluntary cooperation instruments with rightsholders, and TLD registries are specifically encouraged to develop a domain name alert system. EUIPO is invited to expand the existing information and alert system for trademarks, established in cooperation with EURid, to other TLDs, and to include geographical indications. In addition, TLDs are encouraged to improve domain holder verification procedures and take “voluntary measures to detect incorrect registration data for existing domain names”. When access to domain name registration is sought, TLDs operating in the EU are encouraged to recognise IP rightsholders as legitimate access seekers. The Commission and EUIPO will monitor the effects and implementation of this recommendation within three years from the adoption. The Commission will then decide whether additional measures are needed at EU level.

The European Commission opened a call for proposals for an EU repository of public domain works

On 12 March, the European Commission opened a call for proposals for an EU grant on a pilot project assessing the feasibility and possible benefits of setting up an EU repository of works in the public domain and other openly licensed works. The repository aims to provide a centralised platform for accessing these works and increase opportunities for their re-use and dissemination online. In addition, the repository could support the implementation of the Directive on Copyright in the Digital Single Market, in particular the prohibition of blocking lawful content by content-sharing service providers. The repository is also expected to play a “crucial role in advancing AI training and development”. The pilot project should assess the feasibility of a “one-stop-shop repository”, including specific operational or technical challenges of setting it up. The deadline for applications is 15 May 2024. Grant agreements are expected to be signed in Q4 2024, for projects to start running from December 2024. The work programme foresees a maximum total contribution of 700 000 EUR.

Data protection

EU Member States express concerns with the provisions in the Insolvency proposal

The Council of the EU published a common position paper on Title VI of the proposal for a directive harmonising certain aspects of insolvency law (see our previous reporting here), as suggested by the German, Austrian, Cypriot, Estonian, Finnish, Irish, Polish, Slovenian and Swedish delegations. According to the common position paper, the group of aforementioned EU Member States argue that Title VI on ‘winding up of insolvent microenterprises’ of the insolvency proposal “adversely interferes with functioning insolvency systems that rely on the functions of insolvency practitioners” and “imposes unnecessary costs and burdens”. The group of EU Member States also highlight that changes in legal regimes “should be based on sound policy choices, a prudent analysis of expected impacts ([...]a thorough analysis of existing regimes and their apparent flaws) as well as consultations”. The aforementioned EU Member States conclude that Title VI should be deleted without replacement. As a reminder, Title VI includes provisions regarding the realisation of the assets belonging to an insolvent estate, including via public auctions. Since domain names are considered economic assets for the purposes of the proposal, this chapter may include a potential auctioning of domain names. For more analysis on the impact of insolvency reform on domain names, see the CENTR position paper here.

EDPS investigation into the European Commission’s use of Microsoft 365

The European Data Protection Supervisor (EDPS) found that the European Commission has infringed several key data protection rules when using Microsoft 365, including those on transfers of personal data outside the EU/EEA area. The EDPS has decided to order the Commission (effective on 9 December 2024) to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA. The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with the GDPR, and to demonstrate compliance with both orders by 9 December 2024. The list of corrective measures that must be taken by the Commission to ensure compliance with the GDPR includes carrying out a transfer-mapping exercise identifying personal data transfers to third countries, and ensuring compliance by contractual provisions and technical measures.


The European Parliament adopted the Cyber Resilience Act

On 12 March, the Members of the European Parliament adopted the Cyber Resilience Act (CRA) (see our previous reporting here). The CRA introduces EU-wide cybersecurity requirements for the design, development, production and availability on the European market of hardware and software products. The CRA will apply to all products with digital components ('Internet of Things') that need to be secure throughout the supply chain and their lifecycle. According to the Parliament’s press release, “important and critical products will be put into different lists based on their criticality and the level of cybersecurity risk they pose”, which will be proposed and updated by the European Commission. The following products are under the scope of the CRA as “important”: identity management systems software, password managers, biometric readers, smart home assistants and private security cameras, amongst others. The list of “critical” products includes: hardware devices with security boxes; smart meter gateways within smart metering systems and other devices for advanced security purposes, such as secure cryptoprocessing; and smartcards. After the CRA is also formally adopted by the Council of the EU, it will become legally binding in the EU.

ENISA revealed the executive summary of its Foresight report for 2030 cybersecurity threats

On 27 March, ENISA published an executive summary of its “Foresight Cybersecurity Threats for 2030” study that represents an assessment of emerging cybersecurity threats projected for the year 2030. The Foresight study identifies the Top 10 cybersecurity threats leading up to 2030. According to the released executive summary, threats such as “Supply Chain Compromise of Software Dependencies” and “Advanced Disinformation/Influence Operations (IO) Campaigns” remain significant, despite experiencing slight declines in perceived prominence. These threats continue to pose substantial risks to cybersecurity, according to ENISA. Threats like “Skill Shortage” and “Cross-border ICT Service Providers as a Single Point of Failure” have “somewhat intensified”, according to the stakeholder input, which suggests “a growing recognition of the long-term challenges posed”. New entrants to the Top 10 list include “Exploitation of Unpatched and Out-of-date Systems Within the Overwhelmed Cross-sector Tech Ecosystem” and “Physical Impact of Natural/Environmental Disruptions on Critical Digital Infrastructure”.

The NIS Cooperation Group published an updated compendium on securing the 2024 EU elections

On 6 March, the NIS Cooperation Group, with the support of ENISA, the European Commission and the European External Action Service, released an updated version of the Compendium on Elections Cybersecurity and Resilience. The first edition of the compendium was released before the last EU elections, in 2018. The updated document aims to take stock of the evolved cyberthreat landscape and provide examples of good practices to EU Member States. The focus lies on ensuring security, integrity and trust in the full electoral cycle. This includes cyberattacks against the candidates, electoral infrastructure or government websites as well as “hybrid threats and foreign information manipulation and interference.” The document also discusses threats like Distributed Denial of Service, malware and phishing with examples of how they were previously perpetrated during European elections.


The European Parliament and Council adopted the EUID Regulation

The European Parliament and the Council of the EU have formally adopted the European Digital Identity Regulation (EUID regulation, see our previous coverage here) as previously agreed during the interinstitutional negotiations. The EUID Regulation will enable citizens to use digital wallets to authenticate and access public and private services across the EU. The wallet will be optional to use and will provide an alternative to existing commercial solutions. The open-source code of the EU Digital Identity Wallet as well as its latest Architecture and Reference Framework are already publicly available on the Commission’s repository. As an annex, the Commission has added two statements welcoming the final agreement. The first statement is on Article 45 on requirements for qualified certificates for website authentication (QWACs). The Commission notes that the agreement “clarifies that the requirement for the web browsers to recognise QWACs does not restrict browsers own security policies and […], leaves it up to the web browsers to preserve and apply their own procedures and criteria in order to maintain and preserve the privacy of online communications using encryption […]”. In the Commission’s view, the EUID Regulation does not impose obligations or restrictions on how web browsers establish encrypted connections with websites. In the second statement the Commission shares its opinion on the personal data processing by the wallet providers. The Commission is of the opinion that the amendments “do not allow for the processing of personal data contained in or arising from the use of the European Digital Identity Wallet by the Wallet providers for other purposes than delivering wallet services”. Furthermore, the Commission welcomes the inclusion of the concept of ‘unobservability’ (Recital 11c) which “should prevent wallet providers from collecting and seeing the details of user’s day-to-day transactions”. 
The provision should not allow for cross-service data correlation for the purpose of “tracking or tracing or for determining, analysing and predicting personal behaviour, interests or habits”, according to the interpretation of the Commission. Since the regulation has been formally adopted by both institutions, it will enter into force 20 days after its publication in the EU’s Official Journal. The regulation will be fully implemented by 2026.

Energy efficiency

The European Commission published a delegated act on data centres' energy efficiency

On 14 March, the European Commission published a delegated act on the first phase of the establishment of a common Union rating scheme for data centres. This regulation was foreseen in the Energy Efficiency Directive (see our coverage here), which set out to improve energy efficiency across industries, including in the ICT sector. The regulation applies to “operators of data centres with information technology” which have a power demand of at least 500 kW. Such data centres will be obliged to share certain key performance indicators with the to-be-established European database on data centres by 15 September 2024, then by 15 May 2025 and subsequently every year thereafter. The key performance indicators are to measure “the energy consumption, power utilisation, temperature set points, waste heat utilisation, water usage and use of renewable energy of data centres”. The full detailed list of key performance indicators as well as the data centre sustainability indicators and the calculation methodology are listed in the annex. The information communicated to the European database will be available to the Commission, and to the Member States in their territory. The data will also be made public in an aggregated manner. The co-legislators, the European Parliament and Council of the EU, have two months to examine the text and object to its adoption; otherwise the delegated act will enter into force.

Artificial intelligence

The European Parliament has adopted the AI Act

On 13 March, the Members of the European Parliament adopted the Artificial Intelligence Act (AI Act) as agreed upon during the interinstitutional negotiations (see our previous in-depth coverage here). The regulation takes a risk-based approach to the different use cases of AI systems. The Parliament’s press release outlines certain use cases that are outright banned, such as “biometric categorisation systems based on sensitive characteristics and untargeted scraping of facial images from the internet or CCTV footage”, emotion recognition in the workplace and schools, and social scoring. Additional transparency obligations are put on high-risk systems as well as on General-Purpose AI systems. The proposal still has to be voted on by the Council of the EU before the legislative process is finished and the AI Act is published in the Official Journal of the EU. The AI Act will then become applicable two years after its entry into force.

Outside EU bubble

The Czech Ministry of Foreign Affairs (MFA) published a position paper on the Application of International Law in Cyberspace

On 27 February, the Ministry of Foreign Affairs of the Czech Republic published a position paper on the application of international law in cyberspace. The Czech MFA “reaffirms that international law, including the United Nations Charter in its entirety, is applicable to State conduct in cyberspace and is essential to maintaining peace and stability in the ICT environment”. The Czech MFA postulates that the principle of sovereignty applies in cyberspace. An action in cyberspace that might not amount to a prohibited intervention or a prohibited use of force may still amount to a violation of a State’s sovereignty. The Czech MFA however notes that “the Czech Republic does not consider every cyber operation attributable to a State and having an effect in the territory or infrastructure of another State to be a violation of the latter’s sovereignty”. Whether sovereignty was violated shall be determined on a case-by-case basis. Concrete examples of incidents amounting to the violation of sovereignty include cyberattacks causing death or injury, damage or disruption with a significant impact, and “interfering with any data or services which are essential for the exercise of inherently governmental functions”. The Czech MFA also shares two conditions of a prohibited intervention under international law. First is an activity that “tampers with the internal or external affairs of the State”, e.g. elections, court proceedings, treaty ratification. Second, the activity must be coercive, i.e. “an activity intended to deprive […] the State of its ability to exercise control or govern matters within its internal and external affairs”.
In the contemporary debate on ‘hybrid threats and foreign information manipulation’ (see our summary of the EU elections compendium above), the Czech MFA notes that “prohibition of intervention does not cover cyber activities broadly described as ‘propaganda’ […] mere influencing, criticism or persuasion do not meet the requirements to be qualified as prohibited intervention either”.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.
Published By Filip Lukáš
Filip is the Policy Advisor at CENTR, advising members on relevant EU policy and liaising with governments, institutions and other organisations in the internet ecosystem.