×

EU Policy Update – November 2024

EU Policy Updates 15-12-2024

In a nutshell: The new European Commission College of Commissioners was voted in. The European Commission took action against the lack of transposition of cybersecurity legislation, adopted rules on the DSA transparency reports, and published EU Digital Identity Wallet draft implementing acts. EUIPO reaffirmed GI cooperation with the European Commission. ENISA published its NIS 2 implementing act guidelines, and the first report on the state of cybersecurity in the Union. The European Council published a Budapest Declaration on the New European Competitiveness Deal. Hungarian Council of the EU presidency reached a partial general agreement on the insolvency proposal. European Parliament ECON committee approves Framework for Financial Data Access for trilogues. INTERPOL operation took down IP addresses.

The new College of Commissioners was voted in

On 27 November, the European Parliament approved the new College of Commissioners, approving all the 27 Commissioners in a single vote (see our previous reporting here). The new Commission began its five-year term on December 1. The new College will be once again presided over by Ursula von der Leyen, this time, however, with a weaker mandate as she received only 370 out of 720 votes. Prior to the vote, the Commissioners have undergone hearings in the European Parliament. Henna Virkkunen, the Executive Vice-President for Tech Sovereignty, Security and Democracy among other things highlighted the Digital Networks Act. This upcoming proposal should review the EU telecom legislation with the aim of reducing bureaucracy and attracting investment in the anticipation of 6G networks. She also mentioned the Democracy Shield, an upcoming proposal on fighting electoral interference, disinformation and manipulation by foreign actors. Furthermore, building on the EU wallet, Virkkunen wants to introduce a “Business Wallet” which would be a single point of entry for business communication with the public sector. She will also focus on cybersecurity with working on securing EU cloud and connected devices including the supply of critical telecom equipment. Finally, as outlined in her mission letter, she will present a legislation on cybersecurity of hospitals and healthcare providers. Michael McGrath, the Commissioner for Democracy, Justice, Rule of Law and Consumer Protection, also highlighted the importance of Democracy Shield in protecting Europe from interference. He also said that upholding of the GDPR is a key priority for him. With regards to the Digital Fairness Act, which is a part of his mission letter, it should focus on the gaps in the already existing consumer protection legislation such as personalised behaviours, in-app purchases, and un-subscriptions. The Commissioner for Internal Affairs and Migration, Magnus Brunner, in his hearing highlighted security as one of the top priorities. One of the proposals he plans to introduce is a new European Internal Security Strategy enhancing cooperation among prosecution and law enforcement agencies and strengthening coordination with Europol.

Budapest Declaration on the New European Competitiveness Deal

On 8 November, the European Council published a declaration on increasing competitiveness in the EU. The document builds on top of the previous reports published by Enrico Letta and Mario Draghi (see our previous reporting here). The declaration outlines 12 actions that EU should take to ensure its “sovereignty, security, resilience and global influence”. One of the action focuses on strengthening the EU’s technological capabilities and accelerating the digital transformation, seizing the opportunities of the data economy while preserving privacy and security. The Commission is invited to make proposals in this regard by June 2025. Among others, the actions include efforts to deepen the EU Single Market, Banking, and Savings and Investment Union, increase investments into research, innovation and skill, update the industrial strategy, achieve strategic energy sovereignty and climate neutrality by 2050. These goals will be supported by public and private financing, with mobilising public financing in the form of already existing instruments such as the EU Multiannual financial Framework, but also through introduction of new own resources.

Cybersecurity

ENISA published its NIS 2 implementing act guidelines

On 7 November, ENISA opened a consultation on a draft implementation guidance for the NIS 2 implementing act on the technical and methodological requirements of cybersecurity risk-management measures. The document offers guidance to support entities in the scope of the NIS 2 implementing act, including TLD registries, on how to implement the technical and methodological requirements. This includes guidance and advice on what to consider when implementing the requirements through examples of evidence, which could be used to assess if given a requirement has been met. The document also maps relevant technical and methodological requirements as referred to in the implementing act, to international standards and national cybersecurity management frameworks. The legally non-binding document is open for consultation until 9 January 2025. The mapping of the technical and methodological requirements to international standards and national cybersecurity management frameworks should be reviewed at regular intervals by ENISA in cooperation with the European Commission and the NIS Cooperation Group.

ENISA published the first report on the state of cybersecurity in the Union

On 3 December, the European Union Agency for Cybersecurity ENISA, together with the NIS Cooperation Group and the European Commission published a first ever report on the state of cybersecurity in the Union. The report provides an overview of the cybersecurity landscape and the EU and national levels. It also identifies concrete policy recommendations in order to address the shortcomings. In terms of cybersecurity threats, Denial-of-Service and ransomware attacks accounted for more than half of observed cybersecurity events. The reports’ recommendations include strengthening of the technical and financial support given to EU institutions, and national competent authorities, as well as to entities falling within the scope of the NIS 2 Directive. The report also provides an overview of the cybersecurity maturity of critical sectors. For the sector of “Internet Infrastructure” the report notes that its maturity still needs improvement. The report adds that the “[e]ntities in these NIS 2 sub-sectors are very aware of cyber risks and have developed good practices in cyber management. However, the level of cyber experience among entities is highly divergent […]”. Operational preparedness is quite high, the report notes, but the lack of information sharing and collaboration between the entities and authorities makes crisis event collaboration more complicated. Furthermore, the understanding of Internet Infrastructure-related cyber risks by the EU and national levels is limited. The report also notes that “there is room for improvement regarding cybersecurity investments performed by Operators of Essential Services and Digital Services Providers regulated under the NIS 1 Directive”. One of ENISA’s recommendations to enhance the understanding of specificities and needs for sectors covered by the NIS 2 directive is to develop a harmonised approach for collecting sector-relevant data. ENISA could also assist EU Member States to assess the cybersecurity of entities falling within their respective jurisdictions.

INTERPOL cyber operation took down IP addresses

On 5 November, INTERPOL announced that it took down more than 22 000 IP addresses considered malicious, and servers linked to cyber threats. The operation which ran from the beginning of April to the end of August 2024 focused on phishing, ransomware and information stealers. Of the initially suspected 30 000 IP addresses, 76 % were taken down and 59 servers were seized. The operation took place across countries including Mongolia, Madagascar and Estonia. Besides INTERPOL, the operation was joint by private sector partners and law enforcement agencies from 95 INTERPOL member countries.

The European Commission took action against the lack of transposition of cybersecurity legislation

On 28 November, the European Commission published an infringement decision against those of the EU Member States that have not yet notified national measures transposing the NIS 2 and CER directives within the deadline of 17 October 2024. The Commission opened an infringement procedure by sending a letter of formal notice to 23 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden) for failing to fully transpose the NIS 2 Directive. The press release notes that the “[f]ull implementation of the legislation is key to further improving the resilience and incident response capacities of public and private entities operating in these critical sectors and the EU as a whole.” The Commission also launched an infringement procedure on the lack of implementation of the CER directive by sending a letter of formal notice to 24 Member States (in addition to the list above the notice was sent to Belgium, Croatia and Lithuania, except Estonia and Ireland). The notified Member States now have two months to respond, complete their national transposition and notify the Commission on the measures taken. In the absence of a satisfactory response, the Commission may issue a reasoned opinion.

Data Protection

Hungarian presidency reached a partial general approach on insolvency proposal

On 4 December, the representatives of the Council of the European Union reached a partial general approach on certain titles of the insolvency proposal (see our previous reporting here). The proposal aims to facilitate insolvency proceedings by providing cross-border access to “national asset registries”, which also includes domain registration information. The partial general approach removes the reference to “registers of internet domains” from the list of national asset registers in annex to Article 18, effectively removing domain name registries from the scope of cross-border access procedures in insolvency proceedings. However, no agreement was reached on the provisions concerning the rules on winding-up procedures and electronic auction systems for the sale of the assets of the debtor, which may include existing domain contracts. The Council of the EU is continuing its work on the file with a ministerial-level meeting on 13 December. In parallel, the European Parliament’s work is ongoing on the committee level, with a new rapporteur Emil Radev (European People’s Party) appointed to lead on the file in October 2024.

European Parliament ECON committee approved Framework for Financial Data Access for trilogues

On 4 December, the European Parliament ECON committee approved to start the interinstitutional negotiations on the proposal for Framework for Financial Data Access (FiDA) with the Council of the European Union and the European Commission. The proposal aims to facilitate the access to and reuse of consumer data across the financial sector. The FiDA proposal includes an enforcement measure that could lead to a domain name deletion for non-compliant financial service providers. The Council of the EU version of the proposal enables Member States to nominate the supervisory authority for the purposes of FiDA. The domain level enforcement action is still present in the text, however, it is now aligned with the existing language of the Consumer Protection Cooperation Regulation. The upcoming Polish presidency of the Council of the EU has the ambition to conclude the interinstitutional negotiations on the proposal before July 2025.

Content moderation

European Commission adopted rules on the DSA transparency reports

On 4 November, the European Commission published an implementing regulation that specifies the templates for transparency reports required from all providers of intermediary services under the Digital Services Act. Intermediary services providers should fill out the form with noting down the different orders against illegal content and orders to provide information as received from Member States’ authorities, as well as content moderation at the intermediary services provider own initiative. Organisations qualifying as micro or small enterprises are exempted from these transparency reporting obligations. The information should be provided in a machine-readable format and published annually by intermediary services, hosting providers and online platforms, and biannually by very large online platforms and very large search engines. The first reporting period shall cover the period from 17 February 2024 to 31 December 2024. Intermediary services providers shall make the reports publicly available at the latest by two months from the date of the conclusion of each reporting period.

Intellectual property

EUIPO and the European Commission reaffirmed cooperation in Geographical Indications protection

On 4 December, the European Union Intellectual Property Office and the Directorate-General for Agriculture and Rural Development (DG AGRI) signed a revised administrative agreement on the protection of agricultural geographical indications (GIs). The Agreement reflects the changes in the EU GI framework stemming from the Regulation geographical indications for wine, spirit drinks and agricultural products. The revised agreement includes new responsibilities for the EUIPO, including the responsibility for the maintenance and updating of the Union register of GIs for agricultural products. With the goal of preventing misuse online, DG AGRI and EUIPO will jointly explore the expansion of existing domain name alert system, developed for trademarks, to include agricultural GIs. A part of the agreement outlines examination practices for GIs, their pre-assessment of application, and the cooperation with WIPO and the Geneva Act, as well as establishing guidelines for both agricultural and crafts GIs. The agreement also covers training programmes which aim to educate and foster collaboration with national authorities and stakeholders. Finally, the agreement wants to foster transparency to increase public awareness and trust in the GI system. The actions outlined in the Agreement are also laid out in the anticipation of EUIPO’s new role as the EU competent authority with respect to the management of the registration process of crafts and industrial GIs from December 2025.

eID

The European Commission published EU Digital Identity Wallet draft Implementing Acts

On 29 November, the European Commission published 5 draft Implementing Acts, further specifying the rules on the use of the EU Digital Identity Wallets. The published consultation asks for feedback on the rules for the submission to the Commission of the information on certified wallet solutions by EU countries (link here); unequivocal identity matching for accessing online cross-border public services (link here); registering relying parties in EU countries (link here); requirements for issuing and validating electronic attestations of attributes (link here); and security breaches mechanisms (link here) . The consultations will close on 2 January 2025.

Published By Filip Lukáš
Filip is the Policy Advisor at CENTR, advising members on relevant EU policy and liaising with governments, institutions and other organisations in the internet ecosystem.