In a nutshell: European Parliament discussed tech sovereignty. European Commission presented European Preparedness Union Strategy, ProtectEU Security Strategy, and opened consultations on geographical indications, European Democracy Shield, Cyber Resilience Act. European Council presented conclusions on competitiveness, defence and security. European institutions outlined the EU legislative priorities 2025-2029. ENISA published a cybersecurity maturity and criticality assessment, and presented its vision for the future. EU ministers adopted a Warsaw call on cybersecurity.
European Parliament held a debate on tech sovereignty
On 18 March, the Committee on Industry, Research and Energy of the European Parliament held a debate on tech sovereignty. The debate among the rapporteur and shadow rapporteurs related to an ongoing non-legislative work on the report on European technological sovereignty and digital infrastructure (see our previous coverage here). In her intervention, the rapporteur Sarah Knafo (Europe of Sovereign Nations) highlighted the risk EU consumers are facing dependence on foreign suppliers of components such as semiconductors and service providers such as cloud or AI. The EU should be an economic space that attracts researchers, where there are not burdensome regulation and which fosters private investment. The rapporteur also highlighted the use of public procurement as a lever of supporting European businesses. Jörgen Warborn (European People's Party) noted that sovereignty should not be misused as a justification for protectionism; he welcomed the upcoming digital package from the European Commission that should simplify the obligations put on businesses. Elena Sancho Murillo (Socialists and Democrats) supported using public procurement to strengthen autonomy and supported strengthening of public cloud system in Europe. Finally, she noted that any deregulation should not undermine the rights of Europeans. Francesco Torselli (European Conservatives and Reformists) highlighted the need for more investment, improving digital literacy and protection of vulnerable users. Michał Kobosko (Renew Europe) underlined the importance of investments into the European digital infrastructure, including through more public-private partnerships. He also supported the idea of building European technology stack (Eurostack), which would include semiconductors, connectivity, sovereign cloud infrastructure, AI and underpinning standards and protocols. Alexandra Geese (Greens/EFA) supported public procurement requirements that would support European companies and Eurostack; setting up of a European tech fund to invest in open-source and open standards. She also noted that EU reliance on the US tech companies poses a challenge to the business continuity of European companies. Jussi Saramo (The Left) suggested using European public funds towards European companies; and supported open-source solutions. The representative of the European Commission’s Directorate‑General for Communications Networks, Content and Technology Kamila Kloc noted that the Commission is looking into the initiatives raised such as the Eurostack or changes to public procurement.
Cybersecurity
ENISA published a cybersecurity maturity and criticality assessment of NIS 2 sectors
On 5 March, ENISA published its first assessment on the cybersecurity maturity and criticality assessment of NIS 2 sectors. The assessment should assist Member States and national authorities in identifying gaps. It is based on data from national authorities, data from companies within the sector and insights from EU-level sources such as Eurostat. The “core internet service providers” include Internet Exchange Point providers, DNS service providers, TLD name registries and content delivery network providers. The report notes that the “core internet” subsector is one of the four most critical sectors for the economy and society. In terms of maturity, the subsector came in a second place. With regards to policy framework and guidance, the report notes that the coordinated efforts to ensure better alignment with NIS 2 requirements are still in the early stages for the subsectors of core internet. The Commissions’ NIS 2 implementing act on technical and methodological requirements for cybersecurity risk management is seen as a positive step forward. Furthermore, the report notes that the national authorities provide supervision and support but may lack the technical expertise required to effectively oversee the sector. The oversight by national authorities is generally viewed positively, both sector entities and national authorities however see opportunities to enhance the level of support provided at the EU level, including through ENISA guidance. For risk management and good practices, there is a discrepancy between the assessment of maturity by the authorities and by the sectoral entities, as “authorities provide more modest assessment of the sectors’ progress towards implementing NIS2-aligned measures for identifying, protecting against, and detecting cyber threats.” Regarding collaboration and information sharing the report highlights that core internet services “demonstrate the highest levels of collaboration and information sharing” through collaboration in CENTR and TLD-ISAC. Finally, in terms of operational preparedness, authorities view the entities other than telecoms, as “less prepared”. The report however notes that “it could indicate that these sectors are indeed less prepared, but it is also possible that authorities lack the necessary technical expertise or resources to effectively supervise them.” Digital infrastructure sector is broad and some entities within its scope are new to the NIS, “therefore, the perceived preparedness levels may reflect a combination of genuine preparedness gaps and limitations in regulatory oversight.” Recommendations on improving the digital infrastructure sector’s cyber maturity include helping national authorities to deepen their understanding of the sector and its unique challenges, “particularly in the core internet” subsector. Furthermore, “support sector entities particularly those with multi-Member State presence by harmonising compliance requirements and ensuring a more streamlined cross-border supervision and cross-border crisis management regime via clear protocols for interaction among national authorities and access to tools.”
ENISA presented its vision towards the future
On 27 March, ENISA published its vision towards the future. ENISA aims to adapt to the growing complexity of the cybersecurity policy landscape as it supports the implementation of NIS2, Cyber Resilience Act, EU Cyber Reserve and assist with situational awareness. The new agency’s strategy therefore focuses on horizontal objectives, namely empowering communities in an involved and engaged cyber ecosystem; foresight on emerging and future cybersecurity operations and challenges; and consolidated and shared cybersecurity information and knowledge support for Europe. These objectives are complemented by vertical objectives on supporting effective and consistent implementation of EU cybersecurity policy, effective EU preparedness and response to cyber incidents, threats and cyber crises; strong cyber security capacity within the EU; and building trust in secure digital solutions. These changes also came as a reflection of the latest report on the State of Cybersecurity in the EU (see our previous coverage here).
European Commission presented European Preparedness Union Strategy
On 26 March, the European Commission presented the European Preparedness Union Strategy, a document outlining how the EU should react to the ongoing global geopolitical, health and climate changes. The strategy reacts to the “new reality marked by […] Russia’s illegal war of aggression against Ukraine, rising geopolitical tensions, state-sponsored hybrid and cyberattacks, sabotage targeting critical assets, foreign information manipulation and interference, and electronic warfare”. The strategy covers the resilience of vital societal functions and as such refers to the CER and NIS2 Directives, it also notes the immediate priority of their transposition by EU Member States. As a part of public-private cooperation, the strategy highlights the upcoming revision of the Public Procurement Framework, which will aim to strengthen preparedness by reinforcing security of key supply chains, and enhance public warning and crisis communication, which can be also developed within the EU Digital Identity Wallet for emergency notification. Finally, the strategy intends to be mutually complementary with the ProtectEU: European Internal Security Strategy and the upcoming European Democracy Shield.
European Commission published ProtectEU Security Strategy
On 1 April, the European Commission published “ProtectEU: European Internal Security Strategy” (see our previous coverage here). The strategy was announced in the European Commission’s President von der Leyen political guidelines for the new Commission. The strategy outlines a wide range of actions to be taken by the Commission in order to reflect the changing security landscape. The actions are to be guided by three principles – “whole-of-society” approach involving all citizens and stakeholders; integrating and mainstreaming of the security considerations across all EU legislation, policies and programmes; and requiring investment by the EU, its Member States and the private sector. The strategy presents initiatives spanning from improving resilience against hybrid threats, fighting serious and organised crime to combating terrorism. In terms of cybersecurity, one of the actions proposed by the strategy is to for the Commission to propose an “ambitious overhaul of Europol’s mandate to turn it into a truly operational police agency”. Similarly, the Commission will assess the mandate of ENISA during the upcoming revision of the Cybersecurity Act and propose its modernisation. The Commission will also present in the first half of 2025 a roadmap setting out the legal and practical measures to ensure lawful and effective access to data. Furthermore, the Commission will develop a strategic planning for coordinated cybersecurity risk assessments together with the Member States. The strategy also notes that cybersecurity and technological sovereignty are closely interlinked, and technological dependencies should be addressed as a priority. The Commission explicitly supports timely deployment of the latest available internationally agreed Internet protocols, “which are essential to maintain a scalable and efficient Internet with an enhanced level of cybersecurity”. The European Digital Identity Framework shall enable secure access to online services and strengthen digital security across the EU. Similarly, the upcoming European Business Wallet should facilitate secure cross-border interactions between businesses and public administration. In terms of tackling illegal and harmful content online, the Commission will focus on “rigorous enforcement” of the Digital Services Act. It will also assess the Terrorist Content Online Regulation and suggest how to strengthen the framework. Finally, the Commission wants to use the upcoming revision of EU procurement rules to assess whether the law enforcement and critical entity resilience needs are sufficiently addressed in the Defence and Security Procurement Directive.
Commission opened a call for evidence on the European Democracy Shield
On 31 March, the European Commission published a call for evidence for the upcoming European Democracy Shield (see our previous coverage here). The initiative was introduced in the European Commission’s president von der Leyen Political Guidelines for 2024-2029 with the aim to increase the resilience of European democratic systems and societies, and to respond to challenges like foreign information manipulation and interference, disinformation and threats to the integrity of elections and democratic processes, such as cyber-attacks, and online and offline influence campaigns. The initiative should also support societal resilience through digital and media literacy and foster citizens participation in democratic processes. The call for evidence was not accompanied by an impact assessment as the non-legislative initiative will “outline broad policy directions for which the impact cannot be assessed at this stage”. In addition to the feedback provided through this consultation, the European Commission will also exchange views with the European Democracy Shield committee of the European Parliament.
European Commission opened a consultation on Cyber Resilience Act
On 13 March, the European Commission opened a consultation on an implementing act on categories of important and critical products with digital elements to the Cyber Resilience Act. The Act lays down rules on the cybersecurity of products with digital elements; it puts an obligation on manufacturers, importers or distributors to undergo conformity assessment procedures to the category of “important products”. Products from the “critical products” category may be required to obtain a European cybersecurity certificate under the Cybersecurity Act. Whether a product with digital element fits into the important or critical category depends on its “core functionality”, which refers to its “fundamental features and capabilities that fulfil the primary purpose for which the product with digital elements has been made available on the market and without which the product would not be able to meet its intended purpose or reasonably foreseeable use.” The important and critical products are listed in the annexes to the regulation. The opened consultation further specifies the technical description of these categories of important and critical products with digital elements such as identity management systems and privileged, access management software and hardware; network management system; public key infrastructure and digital certificate issuance software. The consultation is open until 15 April.
European institutions outlined the EU legislative priorities 2025-2029
On 14 March the European Commission, Council of the European Union and the European Parliament published two declarations, one on the EU legislative priorities for 2025 and one on the legislative priorities for 2025-2029. Drawing on the Commission work programme for 2025, the institutions want to focus, among other policy objectives, on strengthening of the cyber defence capabilities as part of a broader exercise to bolster European defence; boost Europe’s competitiveness by deepening the Single Market; and work on countering disinformation, foreign information manipulation and interference online. For the longer horizon of this legislative mandate going until 2029 the institutions want to focus on security and defence as one of their top priorities. The EU is challenged by disinformation, hybrid warfare, terrorism and organised crime, the institutions therefore want to employ “all available instruments to ensure the security of European citizens and to enhance the resilience of our critical infrastructure”. The EU should also improve its preparedness and resilience, including to cyber emergencies. This should be achieved by building on the recommendations of the Niinistö report (see our previous coverage here). The institutions also want to boost competitiveness, drawing on the recommendations of the Draghi report (see our previous coverage here), by boosting innovation and giving “technological neutrality a much more prominent place in our economy”.
European Council presented conclusions on competitiveness, defence and security
On 20 March the European Council, the institution representing the heads of states and prime ministers of EU Member States, published a conclusion of their meeting. The document include several key areas, among them competitiveness and defence and security. To boost competitiveness, the Council agreed to prioritise simplification and reduce regulatory and administrative burdens and supported the Omnibus simplification packages. To improve competitiveness, the Council calls for creating a more integrated European capital market. To reach that goal the Council expects that the European Parliament and the Council of the EU “quickly agree” on the proposal for insolvency. The Council also calls for stepping up Europe’s industrial innovation and to grow in technologies such as AI, quantum technologies, semiconductors, 5G/6G and other critical technologies. Finally, the Council highlighted the need to improve Europe’s defence readiness within the next five years.
EU ministers adopted a Warsaw call on cybersecurity
On 5 March, EU ministers responsible for cybersecurity adopted the Warsaw call on cybersecurity challenges. The document comes as a reaction to the rise of new cyber threats and changes to the geopolitical situation, including Russia’s war of aggression against Ukraine. The declaration’s 13 points call for, among other things, timely adoption of the EU cybersecurity blueprint (see our previous coverage here) as it presents a necessary tool to address the current challenges and complex cyber threat landscape; enhancing cooperation and information exchange on cybersecurity between Member States and the EU entities through existing structures; enhancing of the civilian-military cooperation, including EU-NATO cooperation; further developing of the cybersecurity risk assessments, including for risk scenarios at the EU level for all essential sectors; noting that the NIS 2 Directive should be the main horizontal legislation on cybersecurity and caution against legislative overlap or fragmentation; focusing on harmonised and innovation friendly implementation of cybersecurity legislation and to find ways for simplification; recognising ENISA’s key supportive role for improving the level of cybersecurity in the EU and the Member States and the need for strengthening its mandate.
Intellectual property
European Commission opened a consultation on geographical indications
On 26 March, the European Commission opened a consultation on an implementing act for the purpose of regulation on geographical indications (GIs) for craft and industrial products. The implement act lays down rules for the registration, cancellation and amendment of the product specification, mutual assistance with and cooperation on controls, and for the usage of the EU symbol, fees and the IT system used for the submission of applications. The implementing act is a part of setting up the registration procedures and union register of GIs in expectation of the full regulation entering into application from December 2025.
