In a nutshell: The upcoming months look busy on the legislative and policy front. France took over the presidency of the Council of the EU until the end of June with an ambitious digital agenda and the aim to finalise key legislative initiatives such as the DSA and NIS 2 before the national elections. The Council of the EU approved its General Approach on the CER Directive. The European Parliament adopted its position on the DSA and is ready to enter trilogue negotiations with the Council of the EU and the European Commission. The European Commission published its long-awaited call for proposals for the deployment of DNS4EU and is looking into proposing new legislative initiatives in the fields of cybersecurity, child protection and hate speech online. It is also expected to put forward an EU Toolbox against counterfeiting, and to publish its study on DNS abuse.
The French Presidency unveiled its programme for 2022
On 1 January, France took over the presidency of the Council of the EU with an ambitious digital agenda. The French presidency’s programme reveals that France aims to “push forward a number of strategic areas for European digital sovereignty in relation to data protection, artificial intelligence development, security, and network and infrastructure reinforcement for greater resilience”. The programme further insists that the improvement of cybersecurity will be a key focus of the French presidency and that negotiations on NIS 2 will be pushed forward, alongside other files such as the Digital Services Act (DSA), eID and the directive on the resilience of critical entities (CER Directive). France’s ambitious agenda to finalise the NIS 2 negotiations was also echoed by Commissioner Margaritis Schinas, who stressed the “political urgency around the subject” and the aim to conclude negotiations in June, as stated during the Cybersec Global online event. Additionally, the Presidency intends to work on “draft regulations and directives concerning access to electronic evidence, in compliance with fundamental rights and while implementing procedures that guarantee judicial authorities of the EU Member States swift access to electronic evidence”. France will also play a leading role in the start of the negotiations on the Commission’s upcoming proposal for legislation to tackle child sexual abuse online.
The European Commission published a call for proposals for a European recursive DNS resolver service infrastructure
On 12 January 2022, the European Commission published a call for proposals for the deployment of a recursive European DNS resolver infrastructure (DNS4EU). The purpose of DNS4EU is to serve “socio-economic drivers, public, corporate and residential internet end-users in the EU” and to offer “very high reliability and protection against global cybersecurity threats”. According to the European Commission in its Cybersecurity Strategy, “citizens and organisations in the EU increasingly rely on a few public DNS resolvers operated by non-EU entities”. The deployment of DNS4EU will “address such consolidation of DNS resolution in the hand of few companies” and is expected to avoid further vulnerabilities in the resolution process “in case of significant events affecting one major provider”. The initiative aims to offer “a high level of resilience, global and EU-specific cybersecurity protection, data protection and privacy according to EU rules, ensure that DNS resolution data are processed in Europe and personal data are not monetised”. The DNS4EU infrastructure is expected to adhere to the “latest internet security and privacy standards” and also “offer additional optional services such as free parental control as well as paid premium services for enhanced performance or security for corporate users”. In addition, DNS4EU is expected to adhere to EU rules on “lawful filtering”, based on national court orders and other content moderation rules within national jurisdictions. The call for tender also identifies further requirements that proposals should meet, which concern the EU-wide customer base, user-friendly accessibility rules, discoverability by major browsers, and an opt-in provision of premium security and wholesale services. The deadline to submit proposals for the EU funding for deployment of DNS4EU is 22 March 2022.
The European Commission is expected to publish its study on DNS Abuse
The European Commission is expected to publish its study on the “scope, impact and magnitude of DNS abuse” following its call for tender in August 2020. For over a year, the European Commission has been working with consultants, carrying out research and assessing the role of actors involved in the internet ecosystem at both European and international level, which include “domain name registries and registrars; internet service providers (ISPs); telecommunication providers; ICT providers; cybersecurity experts; standardisation bodies; technical internet organisations; governments, including law enforcement agencies”. The study aims to identify the causes of recurring abuses, including both cybersecurity threats and “the distribution of harmful or illegal content”. It will give an analysis of “the impact of DNS abuses on the European economy and society”, with a focus on the most affected sectors, whilst providing an “overview of existing policies, applicable laws and relevant industry practices to address DNS abuse”. The final aim of this study is to put forward a set of recommendations for actors involved in the DNS ecosystem to tackle abuses and “guide possible future policy developments”.
The European Parliament adopted its position on the DSA
On 20 January, the European Parliament adopted its final position on the Digital Services Act (DSA) by voting predominantly in favour of the report of the Committee on the Internal Market and Consumer Protection (IMCO), with a few amendments tabled at the last minute for discussion in plenary (see our previous reporting here). On the liability exemption regime, the report adds that a single webpage can include different elements which “qualify differently between ‘mere conduit’, ‘caching’ or hosting service” and that the exemption rules should therefore “apply to each accordingly”. The Parliament’s position also adds a possibility for judicial authorities to restore content, where such content “has been erroneously considered as illegal by the service provider and has been removed”. The definition of ‘mere conduit’ intermediary services has been expanded to include “technical auxiliary functional services”, according to the Parliament’s position. The definition of ‘illegal content’ has also been clarified to include only information and activity that is not in compliance with EU or national law. The Parliament’s position also contains a provision that precludes Member States from imposing a general obligation to limit the anonymous use of intermediary services. As for the traceability of traders obligation (the so-called ‘Know-Your-Business-Customer’ principle), the European Parliament limits its scope to online platforms, similarly to the Commission’s initial proposal. The report also clarifies the role of the Digital Services Coordinators (DSC) by stating that their interim powers should be “proportionate” and could include requests to relevant judicial authorities to avoid the risk of serious harm. The European Parliament’s final position also emphasises that no general obligation to monitor, “neither de jure, nor de facto, through automated or non-automated means” shall be imposed on providers of intermediary services.
The European Commission presented its initiative to extend the list of EU crimes to hate speech and hate crime
On 9 December 2021, the European Commission presented its initiative to extend the list of EU crimes in article 83(1) of the Treaty on the Functioning of the European Union (TFEU) to hate speech and hate crime. The European Commission explains that there has been a “sharp rise in hate speech and hate crime in Europe”, partly due to the increasing use of the internet, eased by the “presumed anonymity on the internet and sense of impunity”. According to the European Commission, hate speech and hate crime are heavily under-reported and threaten “our democratic values, social stability and peace and heighten social divisions, erode social cohesion”. To help tackle these issues, the European Commission has invited the Council to adopt a decision on the extension of the list laid down in article 83(1) TFEU, which currently includes an exhaustive list of crimes such as terrorism, illicit drug trafficking and sexual exploitation. This will then provide the European Commission with the required legal basis to propose legislation in this field, establishing “minimum rules on the definition of criminal offences and sanctions for hate speech and hate crime” that could apply cross-border. To precisely define the scope and content of the rules that could be proposed, the Commission will rely on “the developments of hate speech and hate crime, in light of the most recent data and trends”.
The Council of the European Union adopted its General Approach on the CER Directive
On 20 December, the Council of the European Union adopted its General Approach on the Directive on the resilience of critical entities (CER Directive). The CER Directive considers all sectors falling under the category of “essential entities” under NIS 2 to be potentially identified as “critical entities” under the CER Directive. The criticality of sectors and corresponding providers is left for the Member States to identify. The Council highlights the importance of avoiding “duplication and unnecessary burden on critical entities” when being part of several sector-specific legislative regimes (see our previous reporting here). According to the Council, the General Approach retains the design of the Commission’s proposal in which large parts of the CER do not apply to critical entities in the sectors of banking, financial market infrastructure and digital infrastructure. For the digital infrastructure sector, the Council’s position explicitly considers that the physical security of network and information systems is part of the cybersecurity risk management and reporting obligations under NIS 2. However, certain provisions of the CER Directive should still be applicable to services falling under the digital infrastructure sector in case they are identified as “critical entities”. These provisions include being part of national strategies on the resilience of critical entities, and national risk assessments by competent authorities. To avoid any unnecessary legislative overlaps for critical entities, Member States shall also be able to exempt critical entities from putting in place specific measures under the CER Directive if they have already taken equivalent measures “to comply with their obligations under sector-specific acts of Union law”.
The General Approach also states that for critical entities within the digital infrastructure sector (such as TLDs), the designated competent authorities in charge of the enforcement of the CER Directive should be the ones designated in NIS 2. Finally, the Council’s position specifies that the national strategies put in place by Member States as part of the CER compliance should be based on relevant existing national and sectoral strategies wherever possible.
The European Commission plans to unveil the European Cyber Resilience Act
As reported earlier, the European Commission is planning to put forward a new legislative proposal, coined the European Cyber Resilience Act. The proposal is expected to see the light in September 2022. According to the European Commission’s plans, the European Cyber Resilience Act is expected to set common security standards for ICT products, in order to improve the cybersecurity of products in the European internal market. The Commission is also expected to open a public consultation on the upcoming standardisation legislation in February, according to a statement made by Commissioner Margaritis Schinas during the Cybersec Global online event. Meanwhile, the Netherlands has published a non-paper calling for the EU to expand its Cyber Resilience Act plans to cover all digital products and services, including their entire lifecycle. According to the Netherlands, the Cyber Resilience Act should fill cross-sectoral gaps and cover “the entire digital domain” by complementing existing EU cybersecurity efforts.
The European Commission will propose new rules to tackle child sexual abuse online
The European Commission is expected to publish its awaited proposal to combat child sexual abuse material (CSAM) online in the first quarter of 2022 (see our previous reporting here). According to the Commission’s inception impact assessment, “efforts to combat child sexual abuse in the EU are fragmented, duplicated and insufficient”, and the absence of a legal framework on CSAM creates uncertainty for law enforcement and private sector actors. The upcoming initiative will therefore aim to tackle such issues by laying down obligations ensuring the efficient “prevention, investigation and prosecution of child sexual abuse offences”. On 8 December 2021, Commissioner Ylva Johansson delivered a speech where she stated that “protecting [...] children must be our top priority”. The Commissioner urged companies to report and remove child sexual abuse material, to support investigations by law enforcement authorities, and to use “technological know-how and design” in order to tackle online sexual abuse material. Such obligations are likely to be made mandatory, as Commissioner Johansson stated in an interview with a German newspaper that the CSAM proposal “would oblige companies to identify, report and remove child sexual abuse” and that “a voluntary report will [...] no longer be sufficient”.
The European Commission is expected to come up with an EU Toolbox against counterfeiting
The European Commission is expected to establish an EU Toolbox against Counterfeiting in Q2 2022. According to its 2020 Action Plan, imports of counterfeit and pirated goods into the EU have increased, and “new forms of IP infringements have arisen on the internet, such as cyber theft of trade secrets […], illegal internet protocol television (IPTV) and other forms of (live) streaming”. To efficiently tackle these issues, the Commission has decided to “upgrade the responsibilities of online platforms” via the DSA, to strengthen the role of the European Anti-Fraud Office (OLAF), and to establish an EU Toolbox against counterfeiting, “setting out principles for joint action, cooperation and data sharing among right holders, intermediaries and law enforcement authorities”. This new toolbox will reinforce cooperation between “all involved players – right holders, suppliers, various sets of intermediaries (e.g. online platforms, the advertising industry, payment services, domain name registrars/registries […]) and public enforcement authorities”, such as customs, the police and public prosecutors. The toolbox will determine the responsibilities of different players and identify ways for them to efficiently collaborate and is therefore likely to provide guidance regarding data sharing on traders and products. It will also “promote the use of new technologies, such as image recognition, artificial intelligence and blockchain”.