In a nutshell: The European Commission adopted its Work Programme for 2024, is planning to reform the EU telecom law and boosting investments into connectivity infrastructure, and issued a recommendation on coordinating incident response for the dissemination of illegal content. The EU formally approved the Regulation on geographical indication protection for craft and industrial products. The EU co-legislators reached a deal on the proposal for a Regulation on geographical indication protection for agricultural products. ENISA published its threat landscape report for 2023. The European Court of Auditors issued an opinion on the Cyber Solidarity Act. JURI issued a Draft Report on policy implications of virtual worlds.
The European Commission adopted its Work Programme 2024
On 17 October, the European Commission adopted its Work Programme for 2024 which reflects on the achievements of the past four years and outlines the Commission's new proposals for the months ahead of EU elections in 2024. The new initiatives outlined in the Work Programme are limited to those that are still needed to be delivered per the 2019 Political Guidelines, or to tackle emerging challenges. In the digital area, the Commission pledges to adopt initiatives regarding opening up “high-performance computers to AI start-ups”, to propose a European space law, and to continue “efforts to set the course towards a human-centred, sustainable and more prosperous digital future with the Digital Decade”. To reduce administrative burdens associated with regulation implementation and enforcement, the Commission opened the “digital Europe programme” to fund initiatives by Member States providing “simple technical reporting means, such as a single-entry point for the reporting of cybersecurity incidents” under the NIS2 Directive.
The European Commission is planning to reform the EU telecom law and boost investments into connectivity infrastructure
In October, EU Commissioner for the Internal Market Thierry Breton announced a future legislative reform of EU telecom sector, the Digital Networks Act (DNA). According to the announcement made by EU Commissioner Breton, the future DNA will address market fragmentation, increased investment, and security of the telecom infrastructure. According to Breton, “too many regulatory barriers to a true telecoms Single Market still exist, on spectrum acquisition, consolidation, legacy networks, security[...].” As a result, “low returns on investment, long payback periods and market uncertainties[...] reduce the attractiveness of the telecoms sector for investors” in building the networks of the future, rather than maintaining legacy networks. In the long run, this can weaken the sector by exposing it to hostile take-overs, despite the criticality of its assets, according to Breton. In the meantime, the European Commission also opened a set of calls for proposals worth over €240 million to “strengthen the deployment of ultra-fast, secure and sustainable digital infrastructure”. This set of calls includes 5G coverage along transport Corridors (€100 million); 5G and Edge Cloud for Smart Communities (€51 million); and backbone connectivity for Digital Global Gateways (€90 million). The latter call for support backbone connectivity is mainly targeted at submarine cables, “to improve the performance and resilience of connectivity networks in islands and seaside regions, as well as in remote, outermost and sparsely populated areas[...]”.
The EU formally approved the Regulation on geographical indication protection for craft and industrial products
On 27 October, the Regulation on the protection of geographical indications (GIs) for craft and industrial products was published in the Official Journal, after being formally adopted by the Council of the EU and signed by the President of the European Parliament and the President of the Council of the EU. The Regulation will enter into force on 16 November 2023, and its provisions will begin to apply after a transition period of 24 months. For the summary of domain name related provisions, see our previous reporting here.
The EU co-legislators reached a deal on the proposal for a Regulation on geographical indication protection for agricultural products
On 24 October, the Council of the EU and the European Parliament reached a provisional deal on the proposal for a Regulation on GI protection for wine, spirit drinks and agricultural products (see our previous reporting here). According to the Council’s press release, the revised rules regarding GI protection within domain names include “greater protection of geographical indications, including online, in domain names that contain geographical indications” that will be done through “geo-blocking and will be in line with the Digital Services Act”. According to the European Commission’s press release, the regulation “will also protect GI names in the domain name system, obliging Member States to block from their territory domain names that may be infringing a GI name”. According to the documents released by the Council of the EU in the beginning of the month and before the provisional deal was struck, Member States were consulted on the suggested wording to align GI enforcement with the Digital Services Act (DSA) and include removing or disabling access to domain names through orders against illegal content under Article 9 of the DSA. As next steps, technical work will continue in order to complete the legal text in accordance with the provisional agreement. When finalised, the text will be submitted to the Member States’ representatives in the Special Committee on Agriculture (SCA) for endorsement. The regulation will then need to be formally adopted by the Parliament and the Council before it can be published in the EU’s Official Journal and enter into force.
The European Commission issued a recommendation on coordinating incident response for dissemination of illegal content
On 20 October, the European Commission published a recommendation on coordinating responses to incidents arising from the dissemination of illegal content. The recommendation is aimed at Member States to coordinate their response regarding the spread and amplification of illegal content, such as terrorist content or unlawful hate speech, before it can lead to a serious threat to public security. The DSA will apply in full form as from 17 February 2024. However, it already applies to the providers of online platforms and online search engines that the Commission has designated as very large online platforms and very large search engines on 25 April 2023. According to the recommendation, so far “less than 10% of Member States have already formally appointed their Digital Services Coordinator”, the national authority responsible for the DSA enforcement. For the remaining 90% of Member States, the Commission recommends appointing “an independent authority to be part of an informal network of prospective Digital Services Coordinators” (Informal Network). According to the recommendation, “taking swift and coordinated action is key to prevent illegal content, and in particular terrorist content and illegal hate speech, from circulating online, including by going viral.” In order to prevent fragmentation, increased uncertainty and response times, the Commission calls for more coordination across the EU for taking action against dissemination of terrorist content and hate speech via the Informal Network before 17 February 2024.
ENISA published its threat landscape report for 2023
On 19 October, ENISA published its Threat Landscape 2023 report, an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, threat actors and attack techniques, as well as impact and motivation analysis. According to the report, the prime threats in 2023 remain ransomware, malware, social engineering, threats against data and availability, information manipulation, and supply chain attacks. DDoS and ransomware rank the highest among the prime threats, according to ENISA. Public sector is the most targeted sector (19%), followed by targeted individuals (11%), health (8%), digital infrastructure (7%) and manufacturing, finance, and transport. Cybercriminals increasingly target cloud infrastructure, have geopolitical motivations, and have increased their extortion operations. Phishing remains the top attack vector, with increased use of artificial intelligence and new types of techniques for social engineering. According to the report, “internet shutdowns are at an all-time high” and “internet availability threats are keeping up their momentum[...]” due to the increasing reliance of society on internet technologies.
The European Court of Auditors issued an opinion on Cyber Solidarity Act
On 26 September, the European Court of Auditors (ECA) issued an Opinion on the proposal for a Regulation laying down measures to strengthen solidarity and capacities to respond to cybersecurity threats and incidents (Cyber Solidarity Act) (see our previous reporting here). The ECA welcomes the objective of the proposal to “to strengthen the EU's collective cyber resilience” and identifies a few risks in relation to the lack of impact assessment, the financial aspects, and implementation of the measures laid down in the proposal. In particular, the ECA highlights that the proposed Regulation “risks making the whole EU cybersecurity galaxy more complex”. The proposed Cyber Solidarity Act establishes the “European Cyber Shield” composed of national security operations centres (SOCs) and cross-border security operations centres (cross-border SOCs). According to the ECA, there is a risk of potential overlap between existing CSIRTs and the SOCs, despite the Commission’s intention to keep two groups complimentary to each other. In order to mitigate this risk, the ECA recommends “clarifying how national SOCs, cross-border SOCs, CSIRTs, and the CSIRTs network should interact by laying down clear governance arrangements and responsibilities in order to ensure effective coordination[...]”.
The European Parliament’s JURI committee issued a Draft Report on policy implications of virtual worlds
On 10 October, the European Parliament’s Legal Affairs Committee (JURI) issued its Draft Report on policy implications of the development of virtual worlds – civil, company, commercial and intellectual property law issues. The Draft Report notes that although virtual worlds have not yet been widely taken up, “their deployment[...] in various sectors has raised general awareness and has attracted the attention of public authorities”. JURI also highlights the lack of definition of a “virtual world” and stresses “the key importance of promoting standardisation and interoperability” for the full development of an ecosystem of interconnected virtual worlds (including metaverse). JURI also highlights a number of challenges the undefined virtual world is already posing in areas of private international law, civil law, intellectual property law. Notably, the Draft Report stresses that traditional territoriality principles on applicable law and jurisdiction are inadequate to virtual worlds enabled by decentralised technologies, such as blockchain that pose enforcement challenges. The Draft Report also considers “that the implementation of effective identity management systems is key in order to allow for [...]proper identification and to combat fake identities”.