In a nutshell: The European Commission published the 28th regime proposal and opened feedback for the Cyber Resilience Act guidance. The European Council adopted conclusions on competitiveness and the single market. The Council of the EU adopted conclusions on the EU’s capacity to counter hybrid threats. The EDPB and EDPS published a joint opinion on the Cybersecurity Act 2.0 and NIS 2 amendments. The European Economic and Social Committee published an opinion on the Digital Omnibus. CJEU Advocate General delivered an opinion on high-risk suppliers.
The European Commission published the 28th Regime proposal
On 18 March, the European Commission published a proposal for a Regulation on the 28th regime corporate legal framework “EU Inc.” (see our previous reporting here). The European Commission notes that innovative European companies often struggle to scale up and compete globally. The proposal, therefore, intends to stimulate the growth of European start-ups and attract financing. It introduces a corporate legal form for a new type of business under the “EU Inc.” framework, which covers the entire lifecycle of the business, from inception to scaling and insolvency. The EU Inc. companies would be able to choose their main establishment within all EU Member States. It should be possible to register such an organisation completely online within 48 hours and at a maximum cost of EUR 100. The registration process should be based on the “once-only” principle, avoiding the need to file multiple registrations across the Member States. The proposal also includes a new insolvency regime for EU Inc. companies with the aim of relying on simplified winding up proceedings of the debtor’s assets. The European Commission also encourages Member States to dedicate a specialised judicial chamber or court to handle disputes on EU Inc. company law.
The European Council adopted its conclusions on competitiveness and the single market
On 19 March, the European Council adopted its conclusions on, among others, competitiveness and the single market. To boost the EU’s competitiveness, the Council calls on the Member States and the EU institutions to work towards reducing barriers to the EU’s internal market, through key initiatives, such as the 28th regime proposal. Simplification and the reduction of administrative burden are another priority, as the Council urges the co-legislators to finish negotiations on all pending omnibus packages. It also calls on the European Commission to present additional omnibuses and further simplification initiatives. Investment and advancement of digital technologies should be achieved in a technologically neutral way and lead to a reduction of the EU’s strategic dependencies. To this end, the Council calls on the European Commission to map dependencies in the strategic sectors, such as digital technology, by the end of 2026. The Council also highlights the need to diversify trade and investment ties, supply chains, markets and technologies.
Cybersecurity
The European Commission published a call for feedback on the draft Commission guidance on the Cyber Resilience Act
On 3 March, the European Commission published a call for feedback on the draft Commission guidance on the Cyber Resilience Act (CRA). The aim of the guidance is to aid manufacturers, developers and other interested parties in understanding their obligations under the CRA. The Regulation applies to a broad range of products with digital elements, including hardware, software and other ancillary services, that are made available on the EU market. Among other topics, the guidance focuses on free and open-source software (FOSS) and on the conditions under which FOSS is considered to be in the scope of the CRA. The guidance notes that only software whose source code is publicly available and licensed under a free and open-source licence should be considered as FOSS. Whether a FOSS supplier is in the scope of the CRA depends on whether the specific FOSS product is monetised (“placed on the market”). This can happen through charging a price, processing of personal data or through the monetisation of other associated services. Monetisation may also happen if access to a specific version of the FOSS product, including certain benefits such as technical assistance, is conditioned on remuneration. However, the FOSS supplier might instead be considered as a FOSS “steward” with specific obligations under the CRA. This happens when either a legal person systematically provides support for a FOSS that supports commercial activities, or when the supplier of a monetised FOSS product is a not-for-profit organisation, and where the earnings are used to achieve the not-for-profit objectives. The document also offers concrete examples to inform the reader of the different cases. The call for feedback is open until 13 April.
European Data Protection Board and Supervisor published a joint opinion on the Cybersecurity Act 2.0 and NIS 2 amendments
On 18 March, the European Data Protection Board and Supervisor (EDPB and EDPS) adopted a joint opinion on the Cybersecurity Act 2.0 (CSA 2.0) and the NIS 2 Directive amendments proposals (see our previous reporting here). The EDPB and EDPS reiterate their support for establishing a single-entry point for the notification of personal data breaches, as it would reduce administrative burden for notifying organisations. Due to the sensitive nature of incident reports, the EDPB and EDPS underscore the importance of ensuring robust cybersecurity safeguards. The proposal for CSA 2.0 introduces measures to secure ICT supply chains, focusing on non-technical risks, such as geopolitical, legal or ownership risks, in sectors of high criticality. The joint opinion notes that while supply chain security measures do not directly address data protection issues, they may have a beneficial impact on the protection of fundamental rights by limiting foreign interference. The EDPB and EDPS also welcome amending the NIS 2 Directive to include the European Digital Identity Wallets and European Business Wallets providers as essential entities regardless of their size.
The European Economic and Social Committee published an opinion on the Digital Omnibus
On 18 March, the European Economic and Social Committee (EESC), an EU consultative body representing employers and workers, published its opinion on the Digital Omnibus. The EESC notes that the Digital Omnibus is a step in the right direction, while further simplification measures are still needed. Furthermore, it strongly supports an interoperable single-entry point, which should also enable English-language submissions, the reuse of previously submitted information, and include strict “need-to-know” access controls for authorities. In relation to the changes to the GDPR, the EESC notes that the definition of personal data should be formulated in an objective and adequately broad manner, ensure legal certainty, prevent subjective interpretations and guarantee high levels of data protection while allowing for a reasonable reuse of data. To determine what data should be considered as pseudonymised, the European Commission should specify the conditions in an implementing act.
The Council of the EU adopted conclusions on the EU’s capacity to counter hybrid threats
On 16 March, the Council of the EU adopted conclusions on the EU’s capacity to counter hybrid threats. The conclusions touch upon cybersecurity and mitigating foreign information manipulation and interference (FIMI). With regard to cybersecurity, the conclusions underline the need to further enhance the protection of Member States’ critical infrastructure and strengthen their resilience against hybrid threats. For this reason, the Council calls on Member States to implement the NIS 2 and CER Directives. It also underlines the importance of implementing the Cyber Blueprint as a collective response to large-scale cyber incidents (see our previous coverage here). The Council also underlines the malign use of critical and emerging technologies, including artificial intelligence, quantum technologies and distributed ledger technologies. The Council calls on Member States to counter FIMI hybrid threats through measures to improve media literacy and digital skills.
CJEU Advocate General delivered an opinion on high-risk suppliers
On 19 March, Advocate General Ćapeta delivered her opinion in the CJEU case on excluding high-risk software and hardware vendors from national telecom infrastructure. The case originates from Estonia, where an ex ante authorisation procedure allows the competent authorities to prohibit the use of certain equipment within national telecom infrastructure, most notably for 5G, if it is deemed to pose a risk to national security. The national telecom provider challenged the procedure and argued that if certain crucial suppliers are excluded from use, the telecom operator must be compensated for it. The referring court asks the CJEU to clarify whether national laws excluding high-risk vendors based on ex ante authorisation are compatible with existing EU telecom law, including the freedom to provide telecom services. According to the opinion, where measures adopted for safeguarding national security conflict with EU rules, the public interest of protecting national security may be used to justify that conflict. However, those measures nevertheless have to meet the proportionality test in order to demonstrate that they are lawful. In the present case, the Advocate General considers the restriction to the provision of the telecom services to be justified, in principle. However, the national assessment of risks cannot be based on a general suspicion and must involve a specific assessment of the use of the equipment. The referring court should verify whether the national restriction lays down precise criteria for the competent authority to base its decision on. Existing EU soft law instruments, such as the 5G Toolbox, can serve as guidance for the specific criteria followed by national legislation. The telecom operator is not entitled to compensation as a result of a national decision to exclude high-risk vendors from its infrastructure. However, the referring court must assess whether the telecom operator had sufficient time to adapt to the national prohibition, and if not, a reasonable compensation for the damage suffered should be considered. The opinion is not binding, and the CJEU is not obliged to follow it. However, the opinions of Advocates General are often influential and the final judgments often follow a similar line of reasoning.