In a nutshell: March was a particularly busy month in the cybersecurity sphere. The European Commission issued a call for evidence for an impact assessment on the upcoming Cyber Resilience Act and released a proposal for a Regulation laying down measures for a high common level of cybersecurity at the EU institutions, bodies, offices and agencies. In parallel, the NIS Cooperation Group issued its Technical Guidelines on Security Measures for Top-Level Domain Name registries, ENISA published a report on Security and Privacy for public DNS resolvers, and EU Ministers called for a strengthening of the EU's telecommunications and cybersecurity resilience. New documents were released regarding the trilogue negotiations on e-Evidence and the EUID proposal, and a political agreement between co-legislators was found on the Digital Markets Act. The European Commission and the United States agreed on a new Trans-Atlantic Data Privacy framework. Europol and the EUIPO issued a joint Intellectual Property Threat Assessment.
The NIS Cooperation Group issued its Technical Guidelines on Security Measures for Top-Level-Domain Name Registries
The NIS Cooperation Group issued non-binding Technical Guidelines on Security Measures for Top-Level-Domain Name Registries. The aim of the guidelines is to provide guidance to national authorities about “the security measures that are appropriate for TLDs to take under Article 14 of the NIS Directive”, which requires operators to put in place “proportionate technical and organisational measures to manage the risks posed to the security of network and information systems”. The guidelines recommend that TLDs implement an Information Security Management System (ISMS) at least for the “network and information systems supporting the delivery of the TLD services, as well as the relevant processes”, by using industry standards such as ISO/IEC 27001. When the registration process is outsourced to registrars, TLDs should ensure that registrars take appropriate security measures to protect the registry data, for instance by securing the provisioning system, supporting DNSSEC, and securing the domain owner’s access to the domain portfolio. The guidelines also encourage multi-factor authentication for several purposes, including securing domain owners’ access to their domain information and securing registrars’ access to web portals. The guidelines also provide a list of measures regarding zone file protection, the use of encryption, the protection of security-critical data and many more.
The European Commission issued a call for evidence for an impact assessment on the Cyber Resilience Act
On 17 March, the European Commission issued a call for evidence for an impact assessment on the upcoming Cyber Resilience Act (CRA), asking for public feedback on “problems related to the cyber security of digital products and associated services” and on the possible policy approaches to address such issues. This CRA initiative was announced by President von der Leyen in her State of the Union speech, where she stressed that the EU should “strive to become a leader in cybersecurity” (see our previous reporting here). According to the call for evidence, “hardware manufacturers, software developers, distributors and importers” do not always put in place adequate cybersecurity safeguards “when placing digital products or services on the market”. Furthermore, the current legislation does not cover all types of digital products, nor does it cover their entire lifecycle. The CRA therefore aims to set up “streamlined cybersecurity requirements covering a wide range of digital products and their ancillary services”, including tangible digital products and non-embedded software, with the aim of incentivising “vendors to offer more secure products”. The call for evidence stresses that the European Commission is currently considering five different options for the upcoming reform: 1) addressing the cybersecurity of tangible products through existing legislation, 2) introducing voluntary measures such as certification schemes, guidelines and recommendations, 3) ‘ad hoc’ regulatory interventions amending cybersecurity requirements in existing legislation, 4) mixing mandatory and soft rules and 5) a horizontal regulatory intervention addressing a “broad scope of tangible and non-tangible digital products”. Stakeholders have until 25 May to provide feedback to the European Commission.
The European Commission issued a proposal for a Regulation on cybersecurity measures in the EU institutions
On 22 March, the European Commission published a proposal for a Regulation on a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (EUIBAs) to mirror the NIS 2 Directive’s ambitions at EU administration level. To contribute to the security of the IT environment, EUIBAs will be obliged to establish an internal cybersecurity risk management, governance and control framework that ensures the effective and prudent management of all cybersecurity risks. According to the proposal, “to avoid imposing a disproportionate financial and administrative burden” on EUIBAs, the cybersecurity risk management requirements should be “proportionate to the risk presented by the network and information system concerned”. The IT systems falling under the scope of the regulation include “the entirety of the IT environment of the concerned institution[...] including any on-premise IT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the IT environment”. The proposal designates CERT-EU as the authority to which cybersecurity incidents should be reported. The proposal also envisages the establishment of an Interinstitutional Cybersecurity Board (IICB) that should be responsible for monitoring the implementation of the regulation and providing strategic direction to CERT-EU. The proposal also stresses that CERT-EU shall collaborate and exchange information with national CERTs and CSIRTs on “cyberthreats, vulnerabilities and incidents”, as well as on “possible countermeasures and on all matters relevant for improving the protection of the IT environments of Union institutions”. Cooperation with industry counterparts is also encouraged regarding “tools and methods[...] procedures and best practices, and on cyber threats and vulnerabilities”.
The proposal coincided with a report from the European Court of Auditors which stressed that EUIBAs have not “achieved a level of cyber preparedness commensurate with the threats” and called on the Commission to introduce common binding rules. The report also highlighted the diverging security maturity levels at EU administration level that may expose other private and public organisations to cyber threats due to their interconnected nature.
EU Ministers highlighted their support for strengthening the EU’s telecommunications and cybersecurity resilience
On 8 and 9 March, EU Ministers in charge of telecommunications and digital affairs met in France to discuss the war in Ukraine. According to the French Presidency’s press release, Ministers “called on the Body of European Regulators for Electronic Communications (BEREC) and the European Union Agency for Cybersecurity (ENISA) to identify the gamut of risks threatening European communications networks and infrastructure and to formulate recommendations on how to strengthen their resilience”. Ministers also stressed the need for increased cooperation in Europe in the area of cybersecurity and reasserted “the need to swiftly adopt and implement” the NIS 2 Directive. The Ministers also “approved the creation of a cybersecurity emergency response fund” and requested national cybersecurity authorities to “step up their cooperation at operational level”. The Ministers called on the European Commission “to firm up the Cyber Resilience Act”. The Ministers also issued a Joint Appeal calling on players in the digital sector to take “the appropriate measures to ensure that their services remain trustworthy and safe”. This includes sharing data from their monitoring systems to help implement concrete actions, swiftly adapting policies “in anticipation of the risk-based approach” in the Digital Services Act (DSA) and dedicating more human resources to monitoring and taking swift action “on issues that may arise for users of their services in the conflict zones”.
ENISA published its report on the Security and Privacy of public DNS resolvers
On 10 February, ENISA published its report on the Security and Privacy of public DNS resolvers. The report analyses the shift of the DNS resolution market from local private DNS resolvers operated at telecom level towards public DNS resolvers, offered by, inter alia, Quad9, CIRA, Google and Cloudflare. According to the report, some of the drivers of the market shift towards public DNS resolvers are their additional value-added services (e.g. parental controls), swifter adoption of new standards for DNS resolution and encryption, as well as customers’ wish to avoid geographical blocking restrictions. One of the benefits of such a market shift is that global public DNS resolvers protect the “integrity, authenticity and privacy of the DNS requests” by supporting DNSSEC and encrypted DNS protocols like DoH and DoT. The report stresses that the increasing complexity of DNS resolution also makes it “inefficient for smaller internet access providers to invest in secure DNS infrastructure”, and that such providers as a result outsource resolution to larger public DNS resolvers. ENISA therefore encourages national authorities and policymakers to “share information and establish methods to measure and monitor the market share and customer base of public DNS resolution providers” to help Member States identify them under the NIS Directive and provide alternatives to the current few DNS resolution providers (i.e. DNS4EU). Telecom providers and internet access providers, on the other hand, should “expand, secure and update their DNS resolver infrastructure, instead of outsourcing their requirements to major global public DNS resolvers”. Policy makers and national authorities are encouraged to “pay particular attention to enforcing the blocking of online content via the DNS resolution services of telecom providers and internet service providers, because for end-users blocked online content is an important driver for shifting to global public DNS resolvers”.
Member States and the European Parliament continued negotiating for consensus on e-Evidence
On 23 February, a 4-column document and a letter from the European Parliament’s Rapporteur Birgit Sippel to the French Presidency were released, providing details of the state of the negotiations between the European Parliament and the Council of the European Union on e-Evidence (see our previous reporting here). The document demonstrates that a provisional agreement has been reached regarding the definition of ‘emergency cases’, which are considered to be “situations where there is an imminent threat to life or physical integrity or safety of a person, or where the disruption or distribution of a critical infrastructure[…] would imply such a threat”. In such circumstances, authorities may issue cross-border orders for subscriber data without prior validation by a judge, a court or a public prosecutor in the issuing State if such validation cannot be obtained in time and if the authorities would have been able to issue a similar order domestically. The document also stresses that European Preservation Orders shall cease after 60 days, but that the “issuing authority can extend the duration of the preservation by an additional 30 days, where necessary”. Both European Production Orders and European Preservation Orders “may be requested by a suspected or accused person, or by a lawyer on his behalf within the framework of applicable defence rights”. Finally, the Rapporteur’s letter highlights that the Parliament’s suggestions to include notifications for subscriber data and to provide executing authorities with grounds for refusal for production orders have been abandoned.
The French Presidency issued its compromise text on the eID regulation
On 10 March, the French Presidency issued its compromise text on the proposal for a regulation establishing a European Digital Identity (‘EUID Regulation’), which aims to amend the eIDAS Regulation from 2014 (see our previous reporting here). The Presidency’s compromise text confirms the original intent of the European Commission that each Member State shall ensure that a European Digital Identity Wallet is issued within 12 months after the Regulation enters into force and reinstates a principle of mutual recognition of electronic identification across the EU. This entails that when a Member State requires eID to access a service provided online in another Member State, the eID issued in the other Member State “shall be recognised in the first Member State for the purposes of cross-border authentication for that service online”. The compromise text suggests revising a provision on the certification of European Digital Identity Wallets by “accredited public or private bodies designated by Member States”. European Digital Identity Wallets will be presumed to be compliant with cybersecurity requirements if they have been certified or if “a statement of conformity has been issued under a cybersecurity scheme” pursuant to the Cybersecurity Act. They will also have to be certified as compliant with the General Data Protection Regulation (GDPR) under Article 42 GDPR.
Europol and the EUIPO issued their Intellectual Property Threat Assessment
On 16 March, Europol and the European Union Intellectual Property Office (EUIPO) issued a joint Threat Assessment on intellectual property (IP) crime in the EU. According to the Threat Assessment, cybersquatting is an increasing concern for IP owners as “many suspicious domain names have been registered”. These do not always contain the full trademark or brand name, but “rather a deliberately confusing variant, for example a slight misspelling or replacement of a letter by a digit”. Europol and EUIPO highlight that digital content piracy is in some cases “linked to other cybercrime activities such as crypto-jacking or the distribution of malware”, and that a large part of the criminal profit “is generated by online advertising, paid subscriptions and malware attacks”. According to the Threat Assessment, “tackling the website domains selling counterfeit commodities, or involved with online piracy, has become a growing concern for all enforcement bodies due to the versatility of the criminals”. Europol and the EUIPO also claim that IP crime enforcement should be made a “priority in the fight against organised crime”.
The European Commission and the United States agreed on a new Trans-Atlantic Data Privacy Framework
On 25 March, the European Commission and the United States issued a Joint Statement on the Trans-Atlantic Data Privacy Framework, announcing that they had agreed in principle on a new data transfer deal. According to the statement, the deal will foster trans-Atlantic data flows and “promote an inclusive digital economy” whilst addressing the concerns raised by the Schrems II case, in which the Court of Justice of the European Union (CJEU) invalidated the ‘Privacy Shield’ adequacy decision that had enabled the free flow of data between the EU and the US (see our previous reporting here). Alongside the Joint Statement, the European Commission issued a factsheet highlighting the key principles of the deal. According to the factsheet, safeguards will be put in place “to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security”. A two-tier redress system will also be established in order to “investigate and resolve complaints of Europeans on access of data by US Intelligence authorities” and will include a Data Protection Court. The factsheet also states that new obligations for companies processing data transferred from the EU will be put in place, alongside “specific monitoring and review mechanisms”. The deal must still be legally formalised and adopted in both the European Union and the United States.
The Council of the European Union and the European Parliament reached a political agreement on the Digital Markets Act
On 25 March, the Council of the European Union and the European Parliament reached a political agreement on the Digital Markets Act (DMA), which, together with the Digital Services Act (DSA), is intended to form a single set of rules for a safer digital space that fosters growth and innovation. Whilst the DSA lays down rules for intermediary service providers to tackle illegal content online, the DMA aims to prevent large online platforms (so-called ‘gatekeepers’) from putting in place unfair competitive practices in the single market. To be considered gatekeepers and fall under the scope of the DMA, platforms must have a turnover of at least 7.5 billion euros in the EU or a market valuation of 75 billion euros, as well as 45 million monthly end users and at least 10 000 business users within the EU. They will have to inform the European Commission of all their mergers and acquisitions and will be banned from carrying out unfair competitive practices such as self-preferencing, reusing data “collected during a service for the purpose of another service”, requiring app developers to use their specific services, and pre-installing certain software applications. Gatekeepers which do not comply with the rules can be subject to fines equivalent to 10% of their total worldwide turnover.