In a nutshell: The European Commission published its work programme for 2025, opened calls for evidence on the European Internal Security Strategy and the Geoblocking Regulation, and presented a new cybersecurity blueprint and an action plan on submarine cable security. ITRE published a draft own-initiative report on European tech sovereignty. ECON published a draft opinion on the insolvency directive. ENISA published a report on the threat landscape in the finance sector. The Court of Justice of the European Union ruled on data subjects’ requests.
European Commission published work programme for 2025
On 11 February, the European Commission published the annual work programme outlining the legislative schedule until the end of the year. Legislative priorities outlined in the programme are grouped in seven pillars, including sustainability and competitiveness, defence and security, protecting democracy and leveraging partnerships around the world. The legislative and non-legislative proposals are based on the political guidelines presented in July 2024 by the European Commission president Ursula von der Leyen (see our previous coverage here). The work programme includes, among others, proposals for the next Consumer Agenda 2025-2030 [Q4 2025], including a new action plan on consumers in the single market; the European Business Wallet [Q4 2025], which should facilitate secure data exchange and unlock new business opportunities for trust service providers; the European Democracy Shield [Q3 2025], which should tackle the “threats to our democracy and electoral processes”; and the AI Continent action plan and Digital Networks Act [Q4 2025]. The work programme was accompanied by a new strategy on the simplification of EU regulations. The Commission aims to reduce the administrative burden on EU businesses, facilitate reporting obligations, “stress-test” EU legislation, increase consultations with stakeholders, and prepare improved impact assessments. One part of the simplification was already presented through a legislative “omnibus” proposal across different sectors, e.g., simplification of sustainability. One “omnibus” proposal will “build synergies and consistency for data protection and cybersecurity rules” [Q2 2025].
European Parliament published a draft report on European tech sovereignty
On 25 February, the Committee on Industry, Research and Energy of the European Parliament published a non-legislative own-initiative draft report (in French only) on European technological sovereignty and digital infrastructure. The draft report highlights the EU’s dependence on foreign technologies and notes that the EU’s dependence on infrastructure developed and controlled by foreign powers weakens its competitiveness. Additionally, the reliance on US cloud service providers exposes it to extraterritorial legislation. The report also lists issues like low investment and regulatory burden, a lack of European advanced semiconductor fabrication plants, shortfalls in the development of high-speed communication infrastructures, and high energy prices. To remedy this situation, the accompanying explanatory memorandum puts forth six recommendations: 1) better allocation of public subsidies and support for strategic mergers and acquisitions; 2) reserving a share of public contracts for European companies that meet the sovereignty criteria in the public procurement procedures; 3) aligning the European Cybersecurity Cloud Certification Scheme for Cloud Services (EUCS) with the requirements of the French SecNumCloud certification; 4) reforming EU prudential rules to mobilise private capital; 5) simplifying the EU legislative landscape; and 6) reforming the European electricity market to allow nuclear power to be provided at competitive rates.
Data Protection
ECON restarted the work on its opinion on the Insolvency proposal
On 5 February, the Committee on Economic and Monetary Affairs (ECON) of the European Parliament published a draft opinion on the Insolvency proposal. The draft opinion was already adopted at the end of 2023. However, with the new mandate the original draft has formally lapsed. The rapporteur re-introduced the draft opinion in its previously accepted version. The ECON opinion focuses only on provisions within the remit of its competence. It proposes an amendment to provisions on the assignment of debtors’ executory contracts, after consultation with the contractual counterparty of the debtor. The opinion also suggests extending the scope of access to simplified winding-up proceedings to SMEs. The deadline for filing amendments was 24 February; the vote in the ECON committee is foreseen for 19-20 March.
Court of Justice of the European Union ruling on data subjects’ requests
On 27 February, the Court of Justice of the European Union (CJEU) ruled on the right of data subjects to receive an explanation from data controllers on the use of automated decision systems. A mobile telephone operator refused to conclude a contract with a prospective customer due to her automated credit standing assessment, which the customer then challenged in court. The Court found that the company infringed the GDPR as it failed to provide the customer with meaningful information about the logic involved in the automated decision-making. The Court noted that the data controller must describe the procedure and principles actually applied in such a way that the data subject can understand which of her personal data have been used, and how. Furthermore, the “communication of an algorithm does not constitute a sufficiently concise and intelligible explanation”.
European Commission published call for evidence for European Internal Security Strategy
On 13 February, the European Commission opened a call for evidence regarding the upcoming proposal for the European Internal Security Strategy. The initiative aims to set out a comprehensive EU response covering all internal security threats, online and offline. The Strategy seeks to mainstream security into EU policies, legislation and programmes, and specifically focuses on the capacity to anticipate and act on threats; prevent harm; act on all levels; and ensure that international cooperation benefits the internal security of the EU. Europol and Frontex should increase their capacities, according to the strategy. Additionally, the Commission will consider measures on access to data for law enforcement and data retention, fighting cybercrime and terrorist content online, and boosting cooperation with tech platforms via the EU Internet Forum. It is possible to give feedback until 13 March.
Cybersecurity
ENISA published a report on the threat landscape in the finance sector
On 21 February, ENISA published a report on the threat landscape in the finance sector. The scope included organisations in the scope of the NIS directive and of the Digital Operational Resilience Act (DORA), e.g., banks, investment firms and digital infrastructure providers for the financial sector. ENISA analysed 488 publicly reported incidents, of which 46 % were DDoS, 15 % data-related threats (such as data breaches or data leaks), 13 % social engineering and 10 % ransomware. The most prominent type of attack – DDoS – was related to geopolitical developments linked to the Middle East or to Russia’s invasion of Ukraine. The impact of DDoS attacks was often limited. In 2023 only 8 % of observed incidents were officially reported to national competent authorities as DDoS of significant impact. In terms of impacted assets, the most common targets included the IT infrastructure (35 %), as attackers targeted servers, routers, firewalls, etc.; followed by operational data and infrastructure (29 %) and compromise of customer data (19 %). The consequences for the financial entities included operational disruptions (58 %), e.g., halting of transaction processing, customers losing access to their services, and delays in the provision of key financial services. This is followed by the exposure and sale of sensitive data (17 %), including personal and corporate data.
European Commission launched a new cybersecurity blueprint
On 24 February, the European Commission introduced an updated blueprint on the framework for EU cybersecurity crisis management. The update to the blueprint comes as a reaction to the European Council conclusions on the future of cybersecurity from May 2024 (see our previous coverage here). The cyber blueprint is a non-binding instrument that should enable relevant EU actors, such as CSIRTs and ENISA, to interact and make use of all available mechanisms during a large-scale cybersecurity incident. The preparation for an EU-level cyber crisis should include the collection of data, including “trends in incidents, tactics, techniques and procedures, and actively exploited vulnerabilities”. This should apply to all critical sectors listed in the NIS 2 Directive. The datasets should be collected, processed and shared in real-time. Furthermore, within 12 months of adoption of the blueprint, the NIS Cooperation Group should develop a common taxonomy with respect to cyber crisis management and provide a guide on the secure handling and exchange of information on cybersecurity incidents. The document also highlights a DNS resolution diversification strategy, noting that Member States, relevant EU entities and private entities should use at least one EU-based DNS resolver, such as DNS4EU. ENISA and the European cyber crisis liaison organisation network (EU-CyCLONe) should develop emergency failover guidelines that would outline the steps for switching to EU-based DNS infrastructure in case other DNS services fail, ensuring continuity of critical services during a crisis. Finally, in line with the NIS 2 implementing act, Member States should actively promote participation of relevant stakeholders in the multistakeholder forum tasked with identifying best available standards and deployment techniques for network security measures. The cyber crisis management procedures and responsibilities are detailed in the annex to the blueprint.
European Commission presented action plan on submarine cable security
On 21 February, the European Commission and the EU’s High Representative for foreign affairs presented an action plan on cable security. The action plan builds on the Connecting Europe Facility and the Recommendation on Secure and Resilient Submarine Cable Infrastructures (see our previous coverage here). The action plan will also contribute to the upcoming Internal Security Strategy, the Preparedness Union Strategy and the White Paper on the Future of European Defence. The document notes that submarine cables are essential as they carry 99 % of inter-continental electrical traffic, in the case of telecommunication cables, and connect electricity markets. The action plan notes that submarine cables have been “increasingly the target of deliberate hostile acts”, particularly in the Baltic Sea. Therefore, it is important to enhance the security and resilience of the submarine cable infrastructures. The plan presents four actions – preventing disruption, improving detection capacity, increasing the EU’s capacity to respond in a coordinated way, and finally enhancing the deterrence posture of the EU. The actions will be complemented by reinforcing cooperation with NATO on achieving cable security.
Consumer protection
European Commission launched an evaluation of the Geoblocking regulation
On 11 February, the European Commission started the planned call for evidence on the Geoblocking regulation from 2018. The regulation aims to ensure that individuals and businesses can enjoy better access conditions to goods and services and to prevent unjustified geoblocking based on the residence or establishment of the customer. The regulation implements the “shop-like-a-local” principle, under which customers from other Member States should be able to purchase under the same conditions as domestic customers. The regulation does not apply to audiovisual, transport, financial services, electronic communications and healthcare services. The evaluation should assess whether the regulation has met its objectives by collecting evidence on its implementation, application and enforcement. The Commission will present the outcome to the European Parliament and European Council. The call for evidence will close on 11 March with a subsequent public consultation opening in the second quarter of 2025.