In a nutshell: The European Commission revealed its Work Programme for 2023 and issued its proposal for a Council Recommendation on a coordinated approach to strengthen the resilience of critical infrastructure, whilst the Council released its conclusions on ICT supply chain security. The Digital Services Act was published in the Official Journal of the EU. Parliamentary committees released documents on the reform of the geographical indications’ framework in the EU for craft and industrial products. Commissioner Johansson confirmed that blocking orders under the CSAM Regulation would not apply to DNS4EU. The European Court of Justice’s Advocate General stated that national authorities should be able to access data linked to IP addresses where no other means to identify holders of addresses suspected of copyright infringement is available.
The European Commission revealed its Work Programme for 2023
On 18 October, the European Commission revealed its Work Programme for 2023, entitled ‘A Union standing firm and united’, where it highlights a number of legislative and policy instruments planned for 2023. As part of delivering on the EU Strategy to fight child sexual abuse, the European Commission will propose a “revision of the Directive on combatting child sexual abuse” in order to target challenges brought about by technological change. This initiative will complement the recently proposed Regulation laying down rules to prevent and combat child sexual abuse. To “step up the prevention, investigation and prosecution” of crimes, the European Commission also intends to strengthen “cross-border police cooperation to address new and complex security threats”. It also aims to propose amendments “to the rules governing cooperation between consumer protection authorities” to ensure that consumers’ rights are enforced both online and offline. This will more specifically help “deter unfair business practices and support more effective investigations into breaches of consumer law”. The Commission will also propose the harmonisation of certain national procedures to improve the cooperation between national data protection authorities to strengthen the enforcement of the General Data Protection Regulation (GDPR).
The final version of the Digital Services Act was published in the EU Official Journal
On 28 October, the European Union published the adopted Digital Services Act (DSA) in the Official Journal of the European Union (see our previous reporting here). As highlighted before, the new law suggests that “domain name system (DNS) services, top-level domain name registries, registrars, certificate authorities that issue digital certificates, virtual private networks, online search engines, cloud infrastructure services” can benefit from the ‘mere conduit’ liability exemption when it comes to tackling illegal content online. As most DNS actors can be considered “providers of intermediary services” that most likely fall under the lightest regime envisaged by the DSA, they would have to comply with minimum due diligence obligations and orders from the authorities. Regarding the orders from the authorities, upon receipt of an order to act against illegal content or to provide information, “providers of intermediary services shall inform the authority issuing the order, or any other authority specified in the order, of any effect given to the order without undue delay, specifying if and when effect was given to the order”. Providers of intermediary services will also be required to “designate a single point of contact to enable them to communicate directly, by electronic means” with Member State authorities and the Commission. They shall also designate such a point of contact for recipients of their services to communicate with them directly and rapidly “by electronic means and in a user-friendly manner”. Intermediaries which offer services in but are not established in the EU will have to designate “in writing, a legal or natural person to act as their legal representative”. Member States will be in charge of designating one of their competent authorities as their ‘Digital Services Coordinator’ who will be responsible for the enforcement and supervision of the DSA.
Parliamentary committees released documents on the geographical indications reform for craft and industrial products
Following the European Commission’s proposal for the reform of geographical indications’ (GI) protection for craft and industrial products, Parliamentary committees started releasing their draft opinions/reports on the proposal (see our previous reporting here). First of all, the Committee on Legal Affairs (JURI) issued a draft report, stating that the distinction between trademarks and GIs can be confusing and that it is therefore “of outmost importance to clarify the criteria for the rejection of trade mark applications, the invalidation of trade marks and the coexistence between trade marks and geographical indications”. The draft report also suggests that the Regulation should create a sui generis protection for GIs of craft and industrial products and modifies the text to ensure that not only ‘producer groups’ but also ‘producers’ can protect their GIs. Secondly the Committee on Internal Market and Consumer Protection (IMCO) released its draft opinion, where it suggests that the European Union Intellectual Property Office (EUIPO) should be able to extend the domain name information and alert system (DIAS) to other TLDs administrated and managed by a registry established in the Union, including generic TLDs.
The European Commission issued its proposal for a Council Recommendation on a coordinated approach to strengthen the resilience of critical infrastructure
On 18 October 2022, the European Commission issued its proposal for a Council Recommendation on a coordinated approach by the Union to strengthen the resilience of critical infrastructure, such as services which are crucial for the maintenance of vital societal functions, economic activities, public health and safety or the environment, including digital infrastructure. The proposal starts by explaining that society relies “heavily on both physical and digital infrastructure” and that “the interruption of essential services, whether through conventional physical attacks or cyberattacks[…] can have serious consequences for citizens’ well-being, our economies, and trust in our democratic systems”. It further explains that despite a number of measures taken at EU level to increase the resilience of critical entities, action is nevertheless “urgently needed to step up the EU’s capacity to stand up to potential attacks against critical infrastructure” and that the proposal aims to ensure EU level coordination in terms of preparedness and response. The proposal then puts forward a range of recommendations, starting with a section on enhanced preparedness for Member States (i.e. updating the risk assessment on the resilience of entities, accelerating the preparatory work to transpose the Critical Entities’ Resilience (CER) Directive and the process of identification of critical entities) and at EU level (i.e. strengthening cooperation among Member State experts). Regarding enhanced cooperation, the proposal states that Member States should coordinate their response and “accelerate preparatory work for the transposition and application of the NIS2 Directive, by starting immediately to enhance the national Computer Security Incident Response Teams (CSIRTs) capabilities”. The NIS Cooperation Group is invited “to prioritise its work on the security of the digital infrastructure[...], including by preparing policy guidance and cybersecurity risk management methodologies and measures based on an all-hazard approach in relation to undersea communications cables[...]”.
The Council issued its conclusions on ICT supply chain security
On 17 October, the Council issued its conclusions on ICT supply chain security, stating that it is of “utmost importance to appropriately take the geopolitical environment into consideration not only when reacting to malicious cyber activities, but also when building and maintaining the resilience of information and communication technologies (ICT)”. The Council then moves on by stating that an ‘all-hazard approach’ is necessary to secure ICT assets, and that strengthening the overall resilience of and security of ICT supply chains is equally as important than “enhancing resilience against supply chain attacks conducted via cyber means”. The conclusions also explain that the Council supports the “need to maximise and streamline the use of existing EU instruments[…] as well as the need to continually adapt to the changing cyber threat landscape by introducing additional suitable measures and mechanisms”. The Council also affirms that the Commission and Member States should “assess the risks for supply chains of critical infrastructure in various domains, including the digital domain” in 2023. Finally, the Council states that it supports the proposal for a Directive on measures for a high common level of cybersecurity across the Union (NIS 2) and the Cyber Resilience Act, encourages all “stakeholders to participate in the preparatory work on individual European certification schemes in order to build trust in secure ICT products, processes, and services[…] and calls on the Commission to swiftly prepare implementing acts on the European certification scheme”. It also invites the NIS Cooperation Group, in cooperation with ENISA, to develop an ICT Supply Chain Toolbox to reduce critical ICT supply chain risk.
Commissioner Johansson confirmed that blocking orders under the CSAM Regulation would not apply to DNS4EU
Following the proposal for a Regulation laying down rules to prevent and combat child sexual abuse, a question for a written answer to the Commission was put forward by an MEP, asking whether orders obliging “a provider of internet access services under the jurisdiction of a given Member State to take reasonable measures to prevent users from accessing material known to contain child sexual abuse” would result in the DNS4EU having to block URLs (see our previous reporting here). On 3 October, Commissioner Johansson replied that “blocking orders can only be issued subject to stringent conditions and safeguards” and that “competent judicial or independent administrative authorities would only be entitled to address blocking orders to internet access service providers under their jurisdiction”, subject to strict proportionality requirements. She then explained that the DNS4EU is not an internet access service provider and can therefore not “be the addressee of blocking orders” under the Regulation.
The European Court of Justice’s Advocate General opinion on access to data linked to IP addresses
In its Opinion, the CJEU first Advocate General, Maciej Szpunar, concluded that administrative authorities responsible “for protecting copyright and related rights against infringements of those rights committed on the internet” should be able “to access data which is limited to civil identity data corresponding to IP addresses”. The Advocate General stipulates that such access can enable authorities to identify holders of addresses suspected of having committed infringements and “if appropriate, take action against them, where that access is not subject to a prior review by a court or an independent administrative body”. It nevertheless also suggests that such data access should only be possible provided the civil identity data corresponding to IP addresses is “the only means of investigation” which can help identify the person who committed the infringement. It is notable that the Advocate General disagreed with the French government on whether combating infringements of intellectual property rights falls within the ambit of combating serious crime. According to the Advocate General, “the interests relating to the protection of intellectual property rights should not be confused with those underlying action to combat serious crime”. However, the strict interpretation of the CJEU case-law regarding the retention of IP addresses needs to be adapted, according to the Advocate General. When detecting and prosecuting online criminal offences for which the IP address is the only means of investigation enabling identification of potential offenders, EU law should not preclude measures providing for the general and indiscriminate retention of IP addresses, provided it is done for a limited period of time that is strictly necessary, according to the Advocate General.