In a nutshell: The European Parliament urged the European Commission to reform EU administrative law and digitalisation. The Council of the EU adopted a set of recommendations on enabling factors for digital education, endorsed the agreement on the proposal for a Regulation on geographical indication protection for agricultural products, and agreed on a common position on targeted amendments to the Cybersecurity Act. The European Commission published an implementing regulation for transparency reporting under the Digital Services Act. The NIS Cooperation Group published guidelines on coordinated vulnerability disclosure. The co-legislators reached an agreement on a number of legislative proposals, including the European digital identity regulation and Cyber Resilience Act. The Data Act was adopted.
The European Parliament urged the European Commission to reform EU administrative law and digitalisation
On 22 November, the European Parliament adopted its resolution with recommendations on Digitalisation and Administrative Law. According to the European Parliament, it is necessary to simplify the EU’s “cumbersome administrative rules and procedures and to prioritise measures to improve the efficiency, transparency and accessibility of administration at European level” in support of the public’s right to good administration. The European Parliament also highlighted its consistent request for legislative action in that area since 2001. The inaction in reforming EU administrative law has resulted in fragmentation of relevant legal frameworks and significant duplication of efforts and non-interoperable practices. The reform is needed as “the current regulatory gaps are likely to worsen over time due to increased digitalisation and the growing number of Union agencies”, according to the resolution. The European Parliament also notes that “software developed for the purposes of public administration has often been closed-source, meaning that despite paying for it, citizens cannot audit or reuse the code” and calls for the respect of the “public money - public code” principle in open-sourcing any software developed within and by EU administration and Member States to bring down the cost of digitalisation. The resolution also calls for “interoperability of digital services offered by the public sector such as digital identity solutions with data portability allowed across the Union”. As a result, the European Parliament calls on the Commission “to urgently submit a legislative proposal[...] for a regulation on an open, efficient and independent European Union administration so that it can be adopted before the second half of the new legislative term”.
The Council of the EU adopted a set of recommendations on enabling factors for digital education
On 23 November, the Council of the EU adopted recommendations on enabling factors for successful digital education and training, and on improving the provision of digital skills and competences in education and training. The recommendation on enabling factors calls for “fostering the development of a high-performing digital education ecosystem” that is based on universal connectivity, digital commons, and cybersecurity awareness. The recommendation also encourages Member States to be involved “in creating digital commons in education and training through supporting and facilitating active cooperation between Member States in promoting open source, open content or open data solutions with shared and multi-stakeholder governance”. The recommendation on improving the provision of digital skills calls for development of advanced skills in AI and deep tech, as well as the roll-out of voluntary “European Digital Skills Certificate”.
The European Commission published an implementing regulation for transparency reporting under the Digital Services Act
The European Commission published a Draft implementing regulation laying down templates concerning the transparency reporting obligations under the Digital Services Act (DSA). The Draft regulation is now open for public feedback until 24 January 2024. As a reminder, the transparency reporting obligation is one of the minimum obligations applicable to all intermediary service providers under the DSA, with the exception of micro or small enterprises that are exempt from this obligation. According to the draft implementing regulation, transparency reports need to be machine readable and therefore published in a CSV format. The information provided in the transparency reports should, at a minimum, be broken down by calendar month. The intermediary services shall report annually, starting from 17 February 2024. The first report shall cover the period from 17 February until 31 December 2024.
The Council of the EU endorsed the agreement on the proposal for a Regulation on geographical indication protection for agricultural products
At the meeting of the Special Committee on Agriculture (SCA) on 27 November, Member States’ delegations in the Council of the EU approved the provisional deal on the proposal for a Regulation on Geographical Indication (GI) protection for wine, spirit drinks and agricultural products (see our previous reporting here). According to the text made available before the SCA meeting, GI protection applies to all domains that are accessible in the EU, irrespective of the place of establishment of the relevant registries. Alternative dispute resolution systems of ccTLD registries throughout the EU should acknowledge GIs as a right to be invoked during such disputes. The enforcement of GI protection online, specifically in connection to domain names, should follow the DSA and the framework within it: competent authorities should be able to take appropriate steps to remove or disable access to domain names registered in breach of the GI protection, taking into account the principle of proportionality and the rights and interests of affected parties. EUIPO is entrusted to establish and manage a domain name information and alert system, based on voluntary agreements with EU ccTLDs. By 18 months after the date of entry into force of the Regulation, the Commission shall carry out an evaluation of the necessity and feasibility of the information and alert system, taking into account the functioning of voluntary provision of data by EU ccTLD registries to EUIPO.
The Council of the EU and the European Parliament reached a provisional agreement on the EUID Regulation
On 8 November, the EU co-legislators reached a provisional agreement on the European digital identity regulation (EUID Regulation, see our previous reporting here). The EUID Regulation aims to ensure “universal access for people and businesses to secure and trustworthy electronic identification and authentication”, according to the Council’s press release. The Member States will offer citizens and businesses voluntary digital wallets “that will be able to link their national digital identities with proof of other personal attributes (e.g., driving licence, diplomas, bank account)”. The wallet will be free to use for natural persons, but Member States may limit the free-of-charge use to “non-professional purposes”. The wallets must be open-sourced but Member States may close the source code of certain components for “justified reasons”. On 7 December, the provisional deal was approved by the European Parliament’s Industry, Research and Energy Committee (ITRE). It is yet to be approved by the Council of the EU before it becomes law.
The Council of the EU and the European Parliament reached a deal on the Cyber Resilience Act
On 30 November, the co-legislators reached a provisional agreement on the Cyber Resilience Act (see our previous reporting here). The Cyber Resilience Act (CRA) introduces EU-wide cybersecurity requirements for the design, development, production and availability on the European market of hardware and software products. The CRA will apply to all products with digital components ('Internet of Things') that need to be secure throughout the supply chain and their lifecycle. The CRA obliges manufacturers to report vulnerabilities to national CSIRTs and ENISA via a single reporting platform, while Member States will be able to restrict the information sent to ENISA. On open source software, non-profit organisations that sell open source software but reinvest all the revenues in non-profit activities are excluded from the scope of the CRA. The agreement reached is now subject to formal approval by both the European Parliament and the Council of the EU. Once adopted, the Cyber Resilience Act will enter into force on the 20th day following its publication in the Official Journal.
The Council of the EU agreed on a common position on targeted amendments to the Cybersecurity Act
On 15 November, the Council of the EU reached a common position on the targeted amendments of the EU Cybersecurity Act (CSA; see our previous reporting here). The targeted amendments to the CSA aim to include European cybersecurity certification schemes for ‘managed security services’ in the scope of the 2019 CSA. The Council of the EU suggests aligning the definition of ‘managed security services’ with the NIS 2 Directive that includes services for incident response, penetration testing, security audits and consultancy related to technical support (non-exhaustive list). Other amendments concern the alignment of security objectives of European certification schemes for managed security services with the security objectives of other schemes (for ICT products, ICT services and ICT processes) under the current Cybersecurity Act.
The NIS Cooperation Group published guidelines on coordinated vulnerability disclosure
The NIS Cooperation Group, consisting of representatives of the EU Member States and supporting the strategic cooperation and exchange of information among the Member States, published Guidelines on implementing national coordinated vulnerability disclosure policies under the NIS 2 Directive. The guidelines are targeted at the national competent authorities that will integrate vulnerability management and disclosure processes in their national cybersecurity strategies and policies per the NIS 2 Directive requirements. The guidelines identify a number of legal challenges for NIS 2 implementation when it comes to coordinated vulnerability disclosure, including within criminal law, civil liability, data protection, and intellectual property rights protection. The guidelines also recommend possible solutions for Member States to adapt their legislative frameworks to allow identification and disclosure of vulnerabilities. When it comes to domain name related areas, the guidelines advise Member States to “adopt legal solutions”, including granting CSIRTs the right to obtain WHOIS data in order to be able to contact the owners of vulnerable systems.
The EU adopted the Data Act
In the course of November, both the European Parliament and the Council of the EU adopted a Regulation on harmonised rules on fair access to and use of data (Data Act) (see our previous reporting here). The Data Act puts obligations on manufacturers and service providers to let their users, both companies or individuals, access and reuse the data generated by the use of their physical connected products and related services (from coffee machines to wind turbines). It also allows users to share that data with third parties. The Data Act aims to support the ability to switch between providers of data processing services (such as cloud providers), and the development of interoperability standards for data to be reused between sectors. The Regulation provides the means for public sector bodies, the European Commission, and EU bodies to access and use data held by the private sector that is necessary in exceptional circumstances or to fulfil a task in the public interest. Once the Data Act is published in the Official Journal and will come into force on the 20th day after the publication, Member States will have 20 months to incorporate it into national legislation.