In a nutshell: November was a fruitful month for negotiations in the EU bubble, with both the Council of the EU and the European Parliament adopting the NIS 2 Directive, and the European Parliament adopting the CER Directive. Co-legislators also reached a political agreement on the e-Evidence proposal. The Council adopted its General Approach on the EUID proposal, whilst the IMCO Committee issued its Opinion on the file. As for geographical indications, the AGRI Committee issued its Draft Report on the proposal for agricultural products and received numerous amendments, which was also the case for IMCO and JURI regarding amendments on the craft and industrial products proposal. The EDPS released its Opinion on the Cyber Resilience Act.
The European Parliament and the Council of the EU adopted the NIS 2 Directive
On 28 November, the Council of the EU adopted the Directive on measures for a high common level of cybersecurity across the Union (NIS 2), following its approval in the European Parliament on 10 November. As reported earlier (see our previous reporting here), the NIS 2 Directive will require TLDs and entities providing registration services, such as registrars, to comply with registration data accuracy obligations, with verification processes to be conducted either ex ante or ex post. According to the text made publicly available by the European Parliament, domain name registries and entities providing registration services should collect and maintain accurate and complete domain name registration data in a dedicated database, containing the registrants’ name, contact email address and phone number. They shall also have procedures in place to ensure that their databases are accurate and complete (including verification procedures). The obligation for TLDs and entities providing domain name registration services to process certain data necessary to ensure the maintenance of accurate and complete registration databases should however not result in collecting the same data multiple times. Domain name registries will also have to provide access to personal and non-personal domain name registration data upon lawful and justified requests of legitimate access seekers and to respond to all access requests within 72 hours. The Directive also states that essential entities, such as TLDs will have to take “appropriate and proportionate technical and organisation measures”, such as risk analysis, information system security, and supply chain security policies. Non-personal domain name registration data should also be made publicly available after registration of a domain name, without undue delay. The official text is awaiting its publication in the EU’s Official Journal before it becomes legally binding. Member States will have 21 months to implement the Directive into national law.
The European Parliament approved the CER Directive
On 22 November, the European Parliament approved the Directive on the resilience of critical entities (CER), which aims to enhance the provision of services that are essential for the maintenance of vital societal functions or economic activities (i.e. critical entities), and which includes sectors such as energy, transport, public administration and digital infrastructure (see our previous reporting here). According to the Directive, Member States will have 3 years after its entry into force to adopt a strategy to enhance the resilience of critical entities. The Directive stipulates that digital infrastructure actors that fall under the scope of NIS 2 shall be excluded from the scope of certain obligations applicable to critical entities under the CER Directive (such as incident reporting and duties to carry out risk assessments). The reason for such an exclusion is due to the fact that the NIS 2 Directive already includes similar obligations applicable to digital infrastructure providers, such as TLDs and DNS service providers. The Directive also stresses that for infrastructure actors (including TLDs), the competent authorities under the CER Directive shall be the competent authorities under NIS 2. Furthermore, when assessing the compliance of a critical entity with its obligations under the CER Directive, the competent authorities under the CER should be able to request the competent authorities under NIS 2 to exercise their supervisory and enforcement power in relation to an entity under NIS 2 that was identified as critical under the CER. Digital infrastructure actors which are identified as critical may nevertheless be included in Member States’ strategies, risk assessments and support measures due to their importance to all other sectors of critical entities.
The European Data Protection Supervisor issued its Opinion on the Cyber Resilience Act
On 9 November, the European Data Protection Supervisor (EDPS) released its Opinion on the proposal on horizontal cybersecurity requirements for products with digital elements (hereinafter ‘Cyber Resilience Act’ or ‘CRA’). The EDPS starts by recalling that the proposal would “introduce cybersecurity rules for manufacturers and developers of products with digital elements[...], in order to establish a high common level of cybersecurity[...]” (see our previous reporting here). It also highlights that products covered by the CRA such as products with digital elements covering both hardware and software can be “embedded in the ICT systems of digital service providers, acting as entities under NIS 2, and can be used by individuals that use digital services” (i.e personal computers and operating systems). The Opinion also states that the cybersecurity of products with digital elements used by individuals is of “utmost importance to protect” individual rights and freedoms, including the right to privacy. The EDPS explains the importance of ensuring that data protection by design and by default is also applied to products with digital elements, as it would “facilitate the compliance of controllers” with this principle, and suggests to explicitly include the data protection by design and by default principle in scope of the CRA requirements. The EDPS also considers it necessary to explicitly clarify that the CRA proposal does not seek to affect the application of existing EU laws governing the processing of personal data, including the tasks and powers of independent supervisory authorities competent to monitor the compliance with those instruments. Finally, the EDPS suggests to include relevant definitions of ‘free software’, ‘open source software’ and ‘free and open source software’ to the proposal, and to clarify that any obtained European cybersecurity certification under the Proposal does not guarantee compliance with the GDPR.
AGRI issued its Draft Report on the reform of geographical indications for agricultural products and received numerous amendments
On 18 October, the Committee on Agriculture and Rural Development (AGRI), published its Draft Report on the proposal on geographical indications (GIs) for wine, spirits drinks, agricultural products, and qualify scheme for agricultural products (so-called ‘agricultural proposal’). In its Draft Report, AGRI suggests that the domain name revocation or transfer obligation should not be reserved to ccTLDs, but rather concern all TLDs operating in the Union (see our previous reporting here). The Committee also stresses that GI protection obligations in the proposal shall “apply to core platform services provided or offered by registries to business users established in the Union or to end-users established or located in the Union”. Regarding the establishment of a domain name information and alert system (DIAS), the Draft Report stresses that delegated acts could also empower the European Union Intellectual Property Office (EUIPO) to monitor “the registration of domain names in the Union which could conflict with the names included in the Union register of geographical indications”.
Following the publication of the Draf Report, over 800 amendments were submitted to the AGRI Committee (see here, here and here). Some notable amendments include a suggestion for the European Commission to “pay special attention to the need of including the protection of geographical indications rights at domain names' level in bilateral trade agreements and other international trade negotiations, and strengthen its mediation work with the bodies in charge of assigning domain names”, in particular with ICANN, with the “objective to include the GI's existing rights in the Uniform Domain Name Dispute Resolution Policy (UDRP)”. MEPs also put forward amendments to broaden the scope of the proposal: whilst some suggest that all “domain name registries established in the Union shall, ex officio, revoke or transfer a domain name registered under such domain to the recognised producer groups of the products” with the GI concerned, others state that it should include TLD registries operating in the Union. One MEP also stresses that the establishment and management of DIAS should be under the responsibility of the EUIPO, which could be “empowered to monitor registration of domain names in the EU” that may conflict with GIs. Collaboration between EUIPO and TLD registries operating in the EU should be encouraged, with a view to obtain “the relevant information and data”.
IMCO and JURI received numerous amendments regarding geographical indications reform for craft and industrial products
The Legal Affairs (JURI) and Internal Market and Consumer Protection (IMCO) Committees respectively received numerous amendments on their draft opinion/report on the proposal for the reform of geographical indications for craft and industrial products (see our previous reporting here). For JURI, notable amendments include allowing producer groups to “claim a domain name corresponding to the name of a geographical indication”, ensuring that the DIAS informs applicant about the availability of a GI as a domain name upon registration of the GI (rather than its submission), and that ‘domain experts’ are part of the Advisory Board. As for IMCO amendments, MEPs suggest that in case of conflicts on domain names with non-EU ccTLDs or with EU ccTLDs concerning non-EU GIs, “the dispute settlement should be conducted by EUIPO in cooperation with dispute settlement systems already in place, such as the ones managed by WIPO and ICANN”. Some amendments also include the need to provide financial help to micro, small and medium sized enterprises during the registration process and to ensure that homonymous indications (i.e spelt or pronounced in the same way but referring to different geographical areas) cannot be registered, unless “certain circumstances make its protection justified”.
The European Parliament and the Council of the EU reached a political agreement on the e-Evidence proposal
On 29 November, the European Parliament and the Council of the EU reached a political agreement on the proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (e-Evidence proposal). According to the European Commission’s press release, Member States will have to respond to European Production Orders (EPOC) within ten days or within eight hours in cases of emergency (see our previous reporting here). These will enable judicial authorities in one Member State to request e-evidence “through a decentralised IT system, directly from a service provider in another Member State”. As for European Preservation Orders (EPOC-PR), these will “prevent data from being deleted, allowing judicial authorities in one Member State to oblige a service provider in another Member State to preserve specific data”. The Commission’s press release also clarifies that authorities can only issue the orders in the framework of criminal proceedings and to “localise convicts that are evading justice”. Safeguards and remedies will also be put in place, such as “imposing additional requirements to obtain certain categories of sensitive data”. For EPOCs concerning traffic and content data where a person “does not reside in the issuing State or the offense has not been committed there”, Member States will have to “notify the national authorities where the service provider is located”. Notified authorities can also invoke “several grounds to refuse the order, such as the protection of fundamental rights or of immunities and privileges”. Service providers failing to comply with an EPOC or EPOC-PR can be subject to a fine representing up to 2% of their worldwide turnover.
The Council of the EU adopted its General Approach on the EUID proposal
On 6 December, the Council of the EU adopted its General Approach on the proposal establishing a framework for European Digital Identity (EUID proposal). In its position, the Council explains that each Member State will have to ensure that an EUID Wallet is provided within 24 months after the entry into force of the implementing acts under the Regulation (see our previous reporting here). It also highlights the importance of facilitating “a similar approach to design, development and implementation of online services in all Member States” in order to ensure the cross-border availability of EUID Wallets, and states that non-binding guidelines on “how to design, develop and implement online services” relying on EUID Wallets will be developed. The Council also highlights that “private relying parties providing services” in the area of digital infrastructure should accept the use of EUID Wallets for the provision of services where “strong user authentication is required by national or Union law or by contractual obligation”. The General Approach explains that mechanisms which will “allow for the verification of attributes against authentic sources” should be made available. Member States will also be required to provide “for technical and organisational measures to ensure a high level of protection of personal data used for record matching and to prevent the profiling of users.” The Council also stipulates that trust service providers will have to take the appropriate technical and organisational measures put forward in NIS 2, and notify any incidents having an impact on the provision of their services. EUID schemes which comply with cybersecurity requirements shall be certified for a maximum period of five years. This certification will be “conditional upon a regular two-year vulnerabilities assessment”.
The JURI Committee released its Opinion on the EUID proposal
On 7 November, the Committee on Legal Affairs (JURI), released its Opinion on the EUID proposal. According to JURI, a harmonised EUID framework will help to streamline “the economic aspects applicable to the provisions of electronic attestations of attributes, and thereby further reduce discrepancies among Member States” (see our previous reporting here). Member States should ensure that it does “not lead to the widening of the digital divide” and should therefore make the use of EUIDs voluntary and free of charge. EUID Wallets should also allow users to “securely request and obtain, store[…] and share the necessary legal person identification data and electronic attestation of attributes, while ensuring that selective disclosure is possible” and to use qualified e-signature and seals which are accepted across the EU. According to JURI, EUIDs should be developed under a high level of security, including the encryption of content, and should “ensure seamless interoperability”. JURI also suggests that the use of person identification data (or a combination of person identification data) is essential to “ensure that the identity of the user[…] can be verified”, and that the EUID Wallet should therefore be able to store identifiers and “disclose them upon request by the user in those cases where the identification of the user is required by law”. The Opinion also stresses that “unless specific rules of Union or national law require users to identify themselves for legal purposes, the use of services under a pseudonym should always be allowed”. JURI suggests adding references to the NIS 2 Directive, for instance by stating that when informed by national competent authorities that “the qualified trust service provider” fails to fulfil its cybersecurity requirements under Article 18 of NIS 2, the supervisory body may withdraw the qualified status of that provider.