In a nutshell: The portfolios of the upcoming European Commissioners were unveiled. The European Commission published its second GDPR report. The NIS Cooperation Group published recommendations for implementing NIS 2 Article 28. ENISA published its annual cybersecurity overview in the EU, and it will support the EU Digital Identity Wallet certification. The Hungarian presidency shared an update on the proposal for the Insolvency Directive. The European Parliament Research Service published a study on the AI Liability Directive. The UN General Assembly adopted the Global Digital Compact. Mario Draghi outlined how to make the EU more competitive.
New Commissioners’ portfolios have been unveiled
On 17 September, European Commission President-elect Ursula von der Leyen presented the candidates and the portfolios of the new College of Commissioners. The basis for the diverse portfolios stems from von der Leyen’s Political Guidelines (see our coverage here). Each Member State designated a Commissioner, to whom von der Leyen assigned a portfolio. The Commissioner responsible for technology should have the title of “Executive Vice-President for Tech Sovereignty, Security and Democracy”, with a broad mandate spanning several policy areas. Henna Virkkunen (Finland) has been nominated for this post. Her mission should focus, among other things, on “cyber threats, attacks on critical infrastructure, foreign information manipulation and interference”. She will also work on the single EU-wide cloud policy for public administrations and public procurement and encourage investments in digital infrastructure to improve access to connectivity through the Digital Networks Act. Finally, she will be responsible for deploying the EU wallet. The work on the European Democracy Shield, which aims to counter harmful disinformation, will be led by Michael McGrath (Ireland), the Commissioner for Democracy, Justice and the Rule of Law. His mission includes ensuring that the EU GDPR “remains in line with the digital transformation and responds to law enforcement and commercial needs”. He will develop a Consumer Agenda 2025-2030 framework, and “focus on the impact and opportunities of digital technologies on consumers and our justice system”. Magnus Brunner (Austria), the Commissioner for Internal Affairs and Migration, will work on a new European Internal Security Strategy, focusing on online and offline threats. He will also work on strengthening the mandate of Europol, on securing the “critical physical and digital infrastructure” and on updating law enforcement’s tools for access to digital information.
The designated Commissioners will be reviewed by the respective Committees of the European Parliament (EP) starting from the week of 4 November, and subsequently approved by an EP vote. Not all designated Commissioners are expected to pass the EP scrutiny.
Mario Draghi outlined how to make the EU more competitive
On 9 September, the European Commission published a report commissioned from Mario Draghi, former European Central Bank President and Italian Prime Minister. The report identifies areas where the EU can take further action to increase its competitiveness on the global stage. The report discusses sectoral policies such as high-speed/capacity broadband networks, computing and AI, energy, defence and transport. There is also a horizontal approach with a focus on accelerating innovation, closing the skills gap, and sustaining investment, among others. For each of these sectoral and horizontal policies, a range of specific recommendations is offered. The report notes that the declining profitability of the telecom sector is a risk for the industrial capacity in Europe and its ongoing digitalisation. Proposed solutions include focusing on telecom mergers and EU-wide harmonisation of radio spectrum licensing. Additionally, Draghi suggests simplifying and harmonising the EU’s cybersecurity and legal intercept architecture, improving cooperation with EU cybersecurity agencies and introducing “proportionate, consistent and technologically neutral rules on critical national infrastructures”.
Cybersecurity
The NIS Cooperation Group published its recommendations for the implementation of Article 28 of NIS2
The NIS Cooperation Group, composed of representatives of the Member States, European Commission and ENISA, published non-binding recommendations on Article 28 of the NIS 2 directive, concerning “Database of domain name registration data” (see our previous reporting here). While the recommendations are not binding, Member States are encouraged to follow them in their NIS 2 transposition laws. The document recommends that for every new domain name and renewal, the contact email address and the telephone number of the registrant are verified both syntactically and operationally. The identity verification of domain name holders should be based on a risk-based approach with a strong preference for eID verification. This should apply to both natural and legal entities. All medium and high-risk registrations should undergo identity verification. As a minimum, Member States should ensure that all competent cybersecurity authorities under NIS 2, and those responsible for “the prevention, investigation, detection or prosecution of criminal offences, CERTs or CSIRTs” are designated as legitimate access seekers in the national transposition legislation. Optionally, Member States may also designate other public and private entities working on DNS-related infringements, e.g. intellectual property rights holders, as legitimate access seekers. The data they request should be provided within 72 hours. For more information, you may read our blogpost on the topic.
ENISA published its annual cybersecurity overview in the EU
On 19 September, ENISA published its annual Threat Landscape report for 2024. The report identifies the main cybersecurity threats within the EU and describes its present state of cybersecurity. The top cybersecurity threats according to the report are ransomware, malware, social engineering, threats against data, threats against availability, e.g., Distributed Denial of Service (DDoS) attacks, information manipulation and interference, and supply chain attacks. The report notes that DDoS attacks increasingly target the DNS protocol, with the aim of disrupting the “DNS translations” and making DNS requests unavailable to average users. The number of DDoS attacks saw a 28% increase in 2023 and 80% year-on-year in Q1 2024. In general, network attacks increased at the end of 2023 by 117%, according to the report. Another recorded threat is the impersonation of legitimate entities, where threat actors would mimic websites on domain names similar to those of the actual news websites (typo-squatting). In the meantime, the US Department of Justice (DOJ) seized 30 “doppelgänger” domains impersonating established media outlets. In its announcement, the DOJ indicated its intention to “be aggressive in countering and disrupting attempts by the Russian government, or any other malign actor, to interfere in […] elections and undermine […] democracy”.
ENISA will support the EU Digital Identity Wallet certification
On 24 September, the European Commission requested ENISA to develop a candidate European cybersecurity certification scheme in accordance with the Cybersecurity Act. The Commission’s request calls for ENISA to support the establishment of the national certification schemes through harmonised certification requirements under the European Digital Wallet Identity Framework. ENISA will be involved in the preparation of the implementing acts that will establish the list of reference standards. Additionally, ENISA will launch the preparation of a candidate European cybersecurity certification scheme for the EUDI Wallets and their eID schemes under the Cybersecurity Act.
Data protection
Hungarian presidency updated the list of national asset registers in scope of the Insolvency directive proposal
On 29 July, the Hungarian presidency shared its second draft compromise on the proposal for an Insolvency Directive, concerning Title III – Tracing assets (see our previous reporting here). The original European Commission proposal aims to facilitate tracing assets in cross-border insolvency cases across national asset registries, which also includes access to data held by “registers of internet domains”. The proposal also includes provisions on facilitating transfers and auctions of assets belonging to the insolvent estate (incl. potentially domain names). In its latest publicly available text, the Hungarian presidency suggests deleting “registers of internet domains” from the scope of the cross-border access procedures under the Insolvency proposal. The negotiations in the Council of the EU are still ongoing. It is therefore too soon to say whether this change will make it into the Council’s general approach.
European Commission published its Second Report reviewing the GDPR application
On 25 July, the European Commission published its Second Report on the application of the GDPR. The first report was adopted in 2020 (see our previous reporting here). The Commission notes that since the 2020 report, the EU has adopted a range of initiatives which “aim to put individuals at the centre of the digital transition”. These include the Digital Services Act, the Digital Markets Act, the AI Act, and the European Digital Identity Regulation. Further areas of improvement in the coming years are supporting stakeholders’ compliance efforts, including SMEs, small operators and researchers, as well as “providing clearer and more actionable guidance from the data protection authorities”. Fragmentation of the GDPR application across the EU remains a challenge. With regard to the EDPB, the report notes that the EDPB adopted 35 guidelines as of November 2023. While these are useful, stakeholders and data protection authorities note that the EDPB guidelines should be delivered more quickly and with improved quality. Stakeholders also underline the need for additional guidelines, in particular on legitimate interest. On data subject rights, controllers report that the right of access (Article 15 GDPR) is the right most frequently invoked by data subjects. At the same time, controllers require more guidance on interpreting the notion of ‘unfounded or excessive requests’, and on dealing with requests which are made for purposes unrelated to data protection, for example to gather evidence for legal proceedings.
AI
The European Parliament Research Service published a study on the AI Liability Directive
On 19 September, the European Parliament Research Service published a complementary impact assessment (IA) to the proposal for an AI Liability Directive (AILD). The proposal should cover civil liability for AI. However, the Product Liability Directive (PLD) already covers some AI aspects in its scope. The PLD proposal is in the final stages of adoption, which makes lawmakers hesitant to continue with the AILD discussions. However, the complementary IA notes that there is still a legal gap between the AILD and PLD and proposes to align the AILD proposal with the adopted AI Act. Another suggestion is to align legal frameworks and repurpose the AILD into a directly applicable regulation. The complementary IA also suggests broadening the scope of the proposal to software liability in general.
Outside of the EU bubble
The UN General Assembly adopted the Global Digital Compact
On 22 September, the United Nations General Assembly adopted the Global Digital Compact (GDC) as an annex to the Pact for the Future (see our previous coverage here and here). The negotiations on the GDC concluded almost 6 months after the zero draft was published in April 2024. The GDC, as a non-binding document, puts forth 5 goals, each with specific commitments to be reached by 2030. The objectives entail closing digital divides, making the digital economy more inclusive while protecting human rights in the digital space, enhancing interoperable data governance and exchange, and ensuring international governance of AI for the greater good. These efforts are guided by 13 principles which include multistakeholder cooperation and an explicit recognition of the technical community as one of the distinct stakeholder groups within Internet Governance (IG). The Internet Governance Forum (IGF) is acknowledged as the “primary multi-stakeholder platform for discussion of IG issues”. In addition, the GDC proposes to establish a UN-based Scientific Panel on AI and a Global Dialogue on AI governance, and to establish an office in New York on the basis of the UN Secretary-General Envoy on Technology to “facilitate system-wide coordination, working closely with existing mechanisms”. The GDC and its implementation will be reviewed during the 82nd session of the UN General Assembly in September 2027.