In a nutshell: The President of the European Commission delivered the State of the Union 2023 speech. The European Commission published its 2023 Report on the state of the Digital Decade, and issued guidelines on the NIS 2 Directive. The European Parliament adopted the Regulation for the geographical indication protection of craft and industrial products. Europol published the first “spotlight” report, focusing on cyberattacks and crime-as-a-service. The EDPB and EDPS delivered a joint opinion on the proposal for GDPR review.
The President of the European Commission delivered the State of the Union 2023 speech
In her State of the Union 2023 speech, the President of the European Commission Ursula von der Leyen looked back at the achievements of the Commission in the past four years and reflected on the remaining priorities in the next three hundred days before the upcoming European elections in 2024. Looking back, von der Leyen highlighted the establishment of a “geopolitical Union” in the wake of the ongoing war in Ukraine, a European Green Deal, and setting the path for the digital transition. In the digital area, von der Leyen stressed the importance of the internet “as an instrument for sharing knowledge, opening minds and connecting people”, while at the same time posing the challenges of “disinformation, spread of harmful content, risks to the privacy of [...]data”. In response, Europe has become “the global pioneer of citizens’ rights in the digital world”, by regulating big tech in the Digital Services Acy (DSA) and Digital Markets Act (DMA), and by leading the establishment of the global regulatory “blueprint” for the artificial intelligence (AI) in the AI Act. Amongst the priorities for the remaining 300 days, von der Leyen stressed the continuous support for Ukraine, investments into Global Gateway, and the finalisation of the AI Act.
The European Commission published its 2023 Report on the state of the Digital Decade
On 27 September, the European Commission published its first State of the Digital Decade Report that takes stock of the EU’s progress “towards a successful digital transformation”, as set out in the Digital Decade Policy Programme 2030. The report includes concrete recommendations to Member States ahead of the adoption of their national strategic roadmaps and for their future adjustments. According to the findings from the Eurobarometer 2023, the three top priorities according to the respondents across the EU are protecting users from cyberattacks, improving the availability of high-speed internet, and protecting users from disinformation and illegal content. Member States are encouraged to adopt “a whole-of-government approach to digitalisation efforts, involving stakeholders and reducing administrative burden”, and increase their investments in digital R&I to “regain technological leadership”, amongst other things. According to the report, the adoption of digital technologies by European companies is low, especially for the uptake of AI and big data. Another major concern is the domination of non-European players in the data service providers sector and the decreasing market share of European cloud providers.
The European Parliament adopted the Regulation for the geographical indication protection of craft and industrial products
On 12 September, the European Parliament adopted the legislative resolution on the proposal for a Regulation on geographical indication protection for craft and industrial products (see our previous reporting here). According to the adopted text of the Regulation and concerning domain name related provisions, the establishment of a “domain name information and alert system” has been omitted from the final text. However, the Commission will have to carry out an evaluation on the feasibility of such a system “against the abusive use” of craft/industrial GIs, and submit a report on its main findings to the European Parliament and to the Council of the EU within 18 months after the Regulation enters into force. Based on the outcome of this evaluation, the Commission should, when appropriate, come up with a legislative proposal to establish such a system. ccTLDs established in the EU offering alternative dispute resolution (ADR) procedures to settle domain name disputes should ensure that ADR procedures recognise registered GIs as a right that can be invoked in those procedures. Before becoming binding, the Regulation needs to be also formally approved by the Council of the EU. Once formally accepted by both institutions, the GI proposal will enter into force 20 days after its publication in the Official Journal of the European Union. Its provisions will begin to apply after a transition period of 24 months.
The European Commission issued guidelines on the NIS 2 Directive
On 13 September, the European Commission issued a guideline on the application of Article 3(4) of the NIS 2 Directive that requires Member States to establish a list of essential and important entities, as well as entities providing domain name registration services by 17 April 2025. For this purpose, Member States should require entities to submit at least the following information to the competent authorities: name, address, contact details (incl. email), IP ranges and phone numbers. The Commission’s guidelines include an Annex I that sets out a template for the collection of that information for the purposes of establishing the list. In addition, Member States should be able to establish national mechanisms for essential and important entities, as well as entities providing domain name registration services to register themselves. By 17 April 2025 and every two years thereafter, Member States must notify the Commission and the NIS Cooperation Group of the number of essential and important entities for each sector and subsector referred to in Annexes I and II of the NIS 2 Directive. Member States are encouraged to exchange with the Commission information about essential and important entities and, in the case of a large-scale cybersecurity incident, relevant information, such as the name of the entity concerned. Additionally, the European Commission also issued another guideline on the application of Article 4(1) and (2) of the NIS 2 Directive, clarifying its relationship with other sector-specific EU legislation concerning cybersecurity risk-management measures and incident reporting requirements. According to the NIS 2 Directive, the essential and important entities are required to adopt cybersecurity risk-management measures under sector-specific legislation if they can be considered equivalent in effect to the obligations laid down in the NIS 2 Directive. When assessing whether the sector-specific requirements on cybersecurity risk-management measures are at least equivalent in effect to those laid down in the NIS 2 Directive, the requirements in that sector-specific Union legal act should “at a minimum, correspond to the requirements of those provisions or go beyond them, meaning that the sector-specific provisions may be more granular on substance”. The Appendix of the guideline gives a (non-exhaustive) list of sector-specific Union legal acts on cybersecurity risk-management measures or incident reporting that for now includes only one legislation: Digital Operational Resilience Act (DORA) for financial entities. Per the NIS 2 Directive, the Commission is yet to deliver implementing acts substantiating technical cybersecurity risk-management measures for TLD registries, DNS service providers, and other technical infrastructure actors, as well as when a security incident can be considered ‘significant’.
Europol published its annual Internet Organised Crime Threat Assessment report
Europol’s European Cybercrime Centre (EC3) published the Internet Organised Crime Threat Assessment (IOCTA) report on key findings and emerging threats and developments in cybercrime. According to the IOCTA report, the year 2022 shifted the world’s attention from the COVID-19 pandemic to Russia’s invasion of Ukraine. The invasion of Ukraine showed “cybercriminals’ adaptability and opportunism”. Online fraudsters set fake webpages to solicit money, using URLs that “included misleading key words” and sent emails pretending to raise funds from fraudulent addresses. They also impersonated celebrities or spoofed the humanitarian organisations’ domains, inviting victims to donate in cryptocurrencies. IOCTA also highlights the most common services used by cybercriminals to mask identities, locations and the infrastructure of their operations, such as VPNs, ISP services that do not engage in “extensive customer monitoring practices” (e.g. Know-Your-Customer procedures), and bulletproof hosting. In connection with IOCTA, Europol also published the first “spotlight” report, focusing on cyberattacks and crime-as-a-service. According to the spotlight report, “malware-based cyber-attacks, specifically ransomware, remain the most prominent threat[...]”. The infrastructure of cybercrime services is built to be resilient to law enforcement tracing and disruption, e.g. by being hosted with a bulletproof provider located in an uncooperative jurisdiction, according to the report.
The EDPB and EDPS delivered a joint opinion on the proposal for additional procedural rules for GDPR enforcement
On 19 September, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on the proposal for the Regulation laying down additional procedural rules relating to the enforcement of the GDPR (see our previous reporting here). The EDPB and EDPS welcome the proposal for the Regulation. It aims to complement the GDPR “by specifying procedural rules, streamlining the cooperation and dispute resolution mechanisms, and harmonising the procedural rights of the parties under investigation and complainants in cross-border cases”. According to the Opinion, its “timely adoption[...], taking into account the recommendations set forth by the EDPB and EDPS[...], is of paramount importance to further improve the efficiency and consistency of GDPR enforcement”. On a general note, the EDPB and EDPS stress that more resources to supervising authorities, including the EDPB, are needed to be able to respond to increasing workload. In terms of improvement of the proposal, the EDPB and EDPS urge the co-legislators “to go further and provide for exhaustive harmonisation of admissibility requirements which would pre-empt conflicting national admissibility requirements”, and call for “clarifying in the Regulation existing arrangements on ‘preliminary vetting’, by providing a clear legal basis to supervisory authorities for carrying out investigative acts”. The EDPB and EDPS also call for a “tighter framework for certain procedural steps, including time limits” that would be necessary to ensure swift and efficient enforcement.