In a nutshell: The Council adopted its position for the ‘Path to the Digital Decade’ 2030 policy programme. The European Parliament and the Council of the EU reached a political agreement on the NIS 2 Directive and continued negotiating for consensus on the CER Directive. The European Data Protection Supervisor issued its opinion on the Proposal for a Regulation on cybersecurity measures in the EU institutions. The European Commission issued its proposal for a CSAM Regulation and its Strategy for a better internet for kids. Europol published a report on misleading invoice fraud targeting the owners of intellectual property rights. The 2nd Additional Protocol to the Budapest Convention opened for signature in Strasbourg, whilst the European Union and the United States issued a Joint Statement at the Trade and Technology Council in Paris.
The Council adopted its position on the Path to the Digital Decade
On 11 May, Member States agreed on a common position on the ‘Path to the Digital Decade’, which lays out a vision to “empower citizens and businesses through the digital transformation” by 2030, in line with EU values. The Path to the Digital Decade is built around four main pillars: the digital transformation of businesses, the digitalisation of public services, a digitally skilled population, and secure, resilient, performant and sustainable digital infrastructures. The Council specifies that these “digital targets should be established at the EU level”. Convergent conditions for “investments in digital infrastructure will be needed” in order to develop adequate frameworks and ensure that “all market actors benefiting from the digital transformation[…] make a fair and proportionate contribution to the costs of public goods, services and infrastructure”. The Path to the Digital Decade also encourages close cooperation between Member States and the European Commission in order to ensure a transparent and comprehensive form of governance and achieve the EU’s digital targets. To this end, a mechanism should be established to ensure the “coordination of convergence and effectiveness of policies and measures at Union and national level”. Member States suggest that this mechanism should “take into account the diversity of situations across and within Member States” and “be proportionate, notably with regards to administrative burden”. Member States should remain free to pursue “a greater level of ambition when defining their national objectives”.
The European Parliament and the Council of the EU reached a political agreement on the NIS 2 Directive
On 13 May, the European Parliament and the Council of the European Union reached a political agreement on measures for a high common level of cybersecurity across the Union (NIS 2). According to the Council’s press release, NIS 2 sets out “minimum rules for a regulatory framework” and mechanisms for “effective cooperation among relevant authorities” in different Member States (see our previous reporting here). A European Cyber Crises Liaison Organisation Network (‘EU-CyCLONe’) will be established to “support the coordinated management of large-scale cybersecurity incidents”. The press release also stresses that the co-legislators have aligned NIS 2 with other sector-specific legislation, such as the Directive on the resilience of critical entities (CER), to “provide legal clarity and ensure coherence” between the different pieces of legislation. Member States will have 21 months to transpose NIS 2 into national law. The Commissioner for the Internal Market, Thierry Breton, stated that the agreement is a major step forward in today’s cybersecurity landscape, where “cooperation and rapid information sharing are of paramount importance”. He also stressed that this approach will be complemented by the upcoming Cyber Resilience Act (CRA) to ensure that “digital products are also more secure whenever they are used” (see our previous reporting on the CRA here). On 16 May, the Rapporteur for NIS 2, Bart Groothuis, reported to the European Parliament’s Committee on Industry, Research and Energy (ITRE) and explained that the new directive will cover both public administration bodies and research institutions. As for reporting obligations, essential entities will have to notify the competent authority or the CSIRT of any incident that has a significant impact on the provision of their services, or of any cyber threat that could have resulted in a significant incident, in two stages: an early warning within 24 hours stating that such an issue has occurred, followed by a second notification within 72 hours providing further details about the incident. The Rapporteur also noted that the text is expected to be finalised by the technical teams in July and voted on in plenary in September.
Members States and the European Parliament continued negotiating to find consensus on the CER Directive
On 16 April, Alex Agius Saliba reported on the 2nd trilogue meeting on the CER Directive to the Committee on the Internal Market and Consumer Protection (IMCO), one of the committees delivering an opinion to the lead committee, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) (see our previous reporting here). According to the MEP, the co-legislators discussed the scope of the Directive and whether public administrations should be included. Alex Agius Saliba pointed out that both the European Parliament and the Council of the EU agreed on the importance of ensuring that the CER Directive is coherent with other pieces of legislation, such as the NIS 2 Directive. The provisions applicable to the banking sector, financial markets and the digital infrastructure sector were also discussed, in particular Article 7, which stipulates that “Member States shall[…] identify the entities that shall be treated as equivalent to critical entities”. The co-legislators seem to share a common understanding of this article and will continue working together to find appropriate wording. Alex Agius Saliba also noted that no agreement had yet been reached on the powers of the European Commission in the identification of critical entities. Discussions on these topics will continue at the 3rd trilogue, scheduled for 14 June.
The European Data Protection Supervisor issued its opinion on the Proposal for a Regulation on cybersecurity measures in the EU institutions
On 17 May, the European Data Protection Supervisor (EDPS) issued its opinion on the proposal for a Regulation on a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (EUIBAs), which aims to mirror the ambitions of NIS 2 at the level of the EU administration (see our previous reporting here). In its opinion, the EDPS recommends that the proposal further clarify its relationship with the NIS Directive and the NIS 2 proposal. The security requirements for EU institutions should be “at least equal or higher than the minimum security requirements” in NIS and NIS 2. As regards data protection, the EDPS states that the proposal should lay down the categories of controllers, processors or joint controllers, as well as the categories of data subjects and the retention periods. The opinion also addresses the role of CERT-EU under the new proposal, recommending that CERT-EU be obliged to inform the EDPS “when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications”.
The European Commission issued a proposal for a Regulation laying down rules to prevent and combat child sexual abuse
On 11 May, the European Commission proposed a Regulation laying down rules to prevent and combat child sexual abuse. According to the proposal, voluntary action by providers has not proven sufficient to “address the misuse of online services for the purposes of child sexual abuse” (see our previous reporting here). The proposal therefore aims to create a harmonised legal framework to “provide clarity to providers as to their responsibilities”. Whilst providers of hosting services and of interpersonal communications services will be required to detect and report online child sexual abuse material (‘CSAM’), internet access services will be asked to “disable access to uniform resource locators indicating specific items of child sexual abuse material that cannot reasonably be removed at source”. Under the proposal, Coordinating Authorities designated by Member States may request the competent judicial or independent administrative authority to issue such orders to detect, report or disable access to CSAM. The proposal clarifies that the term ‘online child sexual abuse’ covers material confirmed to constitute CSAM, material which could potentially constitute CSAM, and grooming. To help providers meet their responsibilities, an ‘EU Centre’ will be established to “create, maintain and operate databases of indicators of online child sexual abuse” and to “facilitate cooperation and the exchange of information and expertise”. It will work in close cooperation with Europol; together they aim to become a “knowledge hub on combatting CSAM”.
The European Commission issued the new European strategy for a better internet for kids
On 11 May, the European Commission issued its new European strategy for a better internet for kids (‘BIK+’), proposing actions around three pillars: 1) “safe digital experiences to protect children from harmful and illegal online content”, 2) digital empowerment to enable children to make sound choices, and 3) giving children a say in the digital environment. According to the strategy, the Commission will invite policymakers, children, civil society and industry to work on a comprehensive EU code of conduct on age-appropriate design to ensure the “privacy, safety and security of children when using digital products and services”. In the context of the eID proposal, the Commission also intends to strengthen age verification methods with a “robust framework of certification and interoperability”. More specifically, it aims to issue a “standardisation request for a European standard on[…] age verification” from 2023, and to support the “development of an EU-wide recognised digital proof of age based on date of birth” from 2024. It also invites Member States to support “effective age-verification methods, in line with the eID proposal”.
Europol published a report on misleading invoice fraud targeting the owners of intellectual property rights
On 12 April, Europol published a report on “Misleading invoice fraud targeting the owners of intellectual property rights”. These frauds are carried out by Legal Business Structures which “mimic the activities of the official IP offices, using names and logos that look and/or sound like genuine offices”. According to the report, Europol identified 40 different Legal Business Structures “involved in the misleading invoice scheme in 2020-2021”. To tackle such scams, Europol stresses that “additional stakeholders could be involved, such as the consumer protection associations and authorities (at national and European level), and especially the European Consumer Centre Network”. It also suggests that banking associations could make greater use of Know-Your-Customer (KYC) checks. Finally, Europol advises national, regional or international IP agencies, where appropriate, to “initiate procedures with domain name registrars, authoritative registries or engage in UDRP procedures against fraudsters’ Legal Business Structures” in order to shut down the online side of the scam.
Outside the EU bubble
The 2nd Additional Protocol to the Budapest Convention on Cybercrime opened for signature
Following its formal approval on 17 November, the 2nd Additional Protocol to the Budapest Convention on Cybercrime opened for signature at the Council of Europe in Strasbourg on 12 May. The 2nd Additional Protocol concerns cross-border access to electronic evidence among the parties to the Cybercrime Convention (see our previous reporting here). It aims to enhance cooperation on “cybercrime and the collection of evidence in electronic form of any criminal offence for the purpose of specific criminal investigation” between “competent authorities and service providers and other entities in possession or control of pertinent information”. The 2nd Additional Protocol also includes provisions on requests for domain name registration information (Article 6), under which competent authorities shall be able to request information from domain name registration services in another party’s territory “for the purposes of specific criminal investigations or proceedings”. Once signed and ratified, the 2nd Additional Protocol will be legally binding on the ratifying parties, as the Cybercrime Convention itself already is.
The European Union and the United States issued a Joint Statement at the Trade and Technology Council
On 16 May, the European Union and the United States issued a Joint Statement at the Trade and Technology Council (TTC) held in Paris, highlighting their intention to better promote “the open, interoperable, secure and reliable” internet globally and to build further digital and cyber capacities together. The document reveals that a joint EU-US Taskforce has been launched to support EU and US flagship infrastructure initiatives and “to advance and prioritise high-quality” information and communications technology and services (ICTS) infrastructure projects which “support an open, interoperable, secure and reliable internet”, respect democratic values and “use sound cybersecurity policies and frameworks”. The Statement also stresses that digital ecosystems must be secure and “based on open and transparent standards” in order to ensure security and resilience across the ICTS supply chain. The EU and the US further intend to “promote the responsible use of technologies, including by working together on policies, standards and technology governance, to foster the use of critical and emerging technologies in line with democratic values and protection of human rights”. To that end, a Strategic Standardisation Information (SSI) mechanism on international standards development has been created, aimed at encouraging “engagement in new standardisation opportunities and explore taking coordinated action if standardisation activities pose a challenge to EU-US strategic interests and values”.