In a nutshell: the Czech Republic unveiled its Presidency Programme. Progress was made on many important legislative files for internet infrastructure actors: the European Parliament adopted the Digital Services Act, the Council of the EU published its political agreement on NIS 2, and political agreements were reached on the CER Directive and on core elements of the e-Evidence package. As for the EUID Regulation, ITRE issued its draft report, and Members of the European Parliament suggested amendments to the proposal within several Parliamentary committees.
The Czech Republic unveiled it Presidency Programme
On 1 July, the Czech Republic took over the presidency of the Council of the EU, setting the course of the EU co-legislator until the end of the year. According to its programme, the Czech Presidency will focus heavily on the ongoing crisis in Ukraine, with as their motto “Europe as a Task”, representing the challenges Europe is facing due to the current geopolitical situation on the continent. When it comes to the digital agenda, the Czech Presidency aims to “address cyber threats and the geopolitical context of new technologies” by focusing on the “the fight against disinformation and the security of cyberspace”. Particular attention will be paid to the cybersecurity of EU institutions, bodies and agencies. Emphasis will also be placed on the security of IT supply chains. The Czech Presidency will work on accelerating the process of concluding trade agreements and on deepening strategic cooperation in the framework of the EU-US Trade and Technology Council (TTC) with a focus on joint measures for supply chain resilience. The Czech Presidency has also highlighted its ambition to deepen the digital single market and to adopt the European Digital Identity Wallet during its mandate. Finally, the programme raises the need to strengthen “freedoms and European values in both offline and online environments” and to ensure that “fundamental rights and freedoms are respected in the digital environment”. The Czechs believe that the EU should “lay down the rules of the global game” in a number of areas related to new technologies (i.e. artificial intelligence).
The European Parliament adopted the Digital Services Act
On 5 July, the European Parliament adopted the Digital Services Act (DSA). Important provisions for the DNS include the fact that TLD registries, registrars as well as DNS service providers can benefit from a liability exemption under the ‘mere conduit category’ (see our previous reporting here). Regarding the scope of ‘illegal content’, the adopted text states that it should encompass a wide range of acts, including the provision of services infringing on consumer law, the illegal sale of live animals, the unlawful non-consensual sharing of private images and stalking. According to the adopted text, intermediaries will also be required to “designate a single point of contact for recipients of their services, which allows for rapid, direct, and efficient communication by easily accessible means” (e.g. phone number, email address, instant messaging). Regarding the powers of the Digital Services Coordinators (DSCs), the final text stipulates that the Board (consisting of appointed DSCs) should be entitled to ask the DSC of establishment (i.e. of the Member State where the main establishment of an intermediary or its legal representative is) to take “investigatory or enforcement actions” when issues concern at least three Member States. This final text will be the one to be implemented in the Member States if it is also formally approved by the Council of the EU (expected in September).
The Council of the EU published the political agreement reached on NIS 2
On 17 June, the Council of the EU published a 4-column document on the Directive for a high common level of cybersecurity across the Union (NIS 2). When it comes to the data accuracy obligation in Article 23, the document stipulates that registries and entities providing domain name registration services should “be required to process certain data” in order to ensure the security, stability and resilience of the DNS (see our previous reporting here). According to the agreement, such an obligation aims to achieve “a complete and accurate set of registration data per each TLD and it should not result in collecting and storing the same data multiple times”. The co-legislators have agreed that the database of domain name registration data should include: the domain name, the date of registration, the registrant’s name, email address, telephone number, as well as the email address and phone number of “the point of contact administering the domain name in case it is different from the registrant’s”. The agreement also stipulates that databases should include “accurate and complete information, including verification procedures”. Policies and procedures to collect and maintain accurate and complete registration data should “take into account to the extent possible the standards developed by the multi-stakeholder governance structures at international level”. They shall also “adopt and implement proportionate processes to verify such registration data”, reflecting the best practices used within the industry and the progress being made in the field of electronic identification. The definition of legitimate access seekers seems to have been broadened as it includes but is not limited to “competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences”, as well as CERTS, CSIRTs.
The Council of the EU and the European Parliament reached a political agreement on the CER Directive
On 28 June, the Council of the EU and the European Parliament reached a political agreement on the Directive for the resilience of critical entities (CER Directive). The CER Directive aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities (see our previous reporting here). According to the Council’s press release, Member States will “need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services”. As for critical entities, they will be required to “identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities”. The proposal for a directive also establishes rules for the identification of critical entities of particular European significance. The press release also stresses that for critical entities of particular importance (i.e. providing an essential service to a minimum of six Member States), the Commission may organise an advisory mission to assess whether the entities have put in place the necessary measures to meet their obligations under the CER Directive.
The ITRE Committee issued its Draft Report on the proposal for a European Digital Identity
On 31 May, the Committee for Industry, Research and Energy (ITRE) issued its Draft Report on the proposal for a Regulation establishing a framework for a European Digital Identity (EUID Proposal). The report firstly suggests that the EUID Wallet be used both offline and online, and that legal and natural persons should be entitled to it (see our previous reporting here). ITRE’s Report also states that a harmonised EUID could “significantly reduce operational costs linked to identification procedures[…] or damages related to cybercrimes, such as data theft and online fraud”. To ensure that Member States implement the EUID framework, ITRE recommends the use of the ‘once only’ principle, which implies that EUID users would only supply the same data to public authorities once. That same data could then be used “at the request of the user for the purposes of completing cross-border online procedures”. ITRE also introduces the possibility of identifying users via the ‘zero knowledge proof’ (ZPK) principle, which would allow the “verification of a claim without revealing the data that proves it[…] to preserve the privacy of the user” of the EUID Wallet. As for cybersecurity requirements, ITRE’s report suggests that, when implementing the EUID Wallet, Member States should rely on “common standards and technical specifications[…] to adequately increase the level of IT security, strengthen robustness against cyber-attacks and thus significantly reduce the potential risks of ongoing digitalisation for citizens and businesses”. The EUID Wallet shall also ensure cybersecurity by design. Finally, ITRE’s report suggests deleting the proposed obligation on web-browsers to recognise EU Member States issued qualified certificates for website authentication.
Members of the European Parliament suggested amendments to the proposal for a European Digital Identity
Several committees within the European Parliament proposed amendments to the EUID proposal. Members of the Committees on Legal Affairs (JURI), Civil Liberties, Justice and Home Affairs (LIBE), and the Internal Market and Consumer Protection (IMCO) suggested revising the proposal to reflect issues falling within their respective competencies. Some notable amendments include:
- JURI: Data localisation amendments that would require personal data storage in the European Union; the free and equal availability of the EUID Wallet for disadvantaged groups, persons with disabilities and with functional limitations etc; interoperability provisions relying on in-house technologies developed by the public sector, including open-source technologies; the validation of EUID Wallets, selective disclosures and the authentication of users to access online services should respect the right to pseudonymity; the prohibition to require the use of the EUID Wallet for natural persons to access essential services.
- LIBE: The possibility to continue using digital key generators or ID card readers, without being obliged to only rely on the EUID Wallet when accessing online services; a registration obligation for private parties to be able to use the EUID Wallet for the provision of their services; an obligation to provide users with an interface where they can review the data that has been shared with private parties and withdraw their consent for access to their data; the possibility for users to disclose their data in a selective way; the use of pseudonyms as a privacy enhancing technique; the publication of the source code of the EUID Wallet as open source; safeguards against profiling users of the EUID Wallet.
- IMCO: The real-time audio-visual controls of identity should be reserved to public sector bodies or notaries; only entities established in a Member State may use the EUID Wallet to offer their services to users; an obligation for Member States to lay down arrangements for the use of EUID Wallets by children; the European Commission shall determine the business model for EUID Wallets in a delegated act; every Member State shall designate a single point of contact for the users to report security breaches; the EUID Wallet needs to comply with the ETSI standards on ID proofing; the establishment of an “EU database of trusted websites” by the European Commission.
The Council of the EU and the European Parliament reached a political agreement on core elements of the e-Evidence proposal
On 28 June, the European Parliament and the Council of the EU reached a political agreement on core elements of the e-Evidence proposal, which aims to facilitate the secure access to electronic evidence held by service providers in other jurisdictions or to require them to preserve such data for the purposes of criminal investigations (see our previous reporting here). The new legislation would allow national authorities to request evidence directly from service providers in other Member States, or to ask for the data be preserved for future use. The new rules would also mandate companies to appoint EU legal representatives to deal with electronic evidence requests in a centralised way. According to the European Parliament’s press release, orders from national authorities for traffic and content data should be notified to authorities established in the Member State “where the service provider is located”, unless the “suspect resides in the issuing member state and the crime is committed there”. Orders should be communicated through a “specific, secure IT system” and could be refused on certain grounds, in particular where concerns occur regarding fundamental rights. According to the Rapporteur MEP Birgit Sippel (S&D), the Parliament also made it clear that service providers will have the right to raise concerns to both the issuing and the enforcing Member State, for example, where the right to freedom of expression is at stake, or when orders for data access and preservation are issued. According to the press release, co-legislators also agreed on rules regarding “the reimbursement of costs and sanctions that could be imposed to the service providers” in cases of non-compliance.