In a nutshell: The Council of the EU and the European Parliament reached a provisional agreement on the ‘Path to the Digital Decade’ 2030 policy programme. The Council of the EU released its Conclusions on EU Digital Diplomacy. The European Parliament issued a Study on internet fragmentation and on Europe’s PegasusGate. The Council of the EU issued its compromise text on the EUID proposal, while ITRE’s Draft Report received numerous amendments. Further information was provided on the political agreement on the CER Directive.
The Council of the EU and the European Parliament reached a provisional agreement on the ‘Path to the Digital Decade’ 2030 policy programme
On 22 July, the Council of the EU and the European Parliament reached a provisional agreement on the ‘Path to the Digital Decade’, which sets out a vision for 2030 to “empower citizens and businesses through the digital transformation” (see our previous reporting here). According to the ‘Path to the Digital Decade’, cooperation between the European Commission, the European Parliament, the Council and Member States will also accelerate in the area of the digital infrastructure sector, which will have to become “more sustainable, resilient, and energy- and resource efficient”. The provisional agreement also lays down digital targets to be achieved by 2030: 1) a digitally skilled population with highly skilled professionals, including gender balance, 2) secure, resilient, performant and sustainable digital infrastructures, 3) digital transformation of businesses, which will require at least 75% of EU enterprises to use cloud computing, big data or artificial intelligence, and 4) the digitalisation of public services, which includes the objective of 100% of EU citizens having access to a secure eID. The provisional agreement also encourages countries to take part in Multi-Country Projects to facilitate the achievement of digital targets, and provides a list of non-exhaustive areas of activity such projects could be conducted in (i.e. European blockchain services infrastructure, skills and training in cybersecurity…). Such Multi-Country Projects can be implemented by setting up a European Digital Infrastructure Consortium (‘EDIC’), which can include “regions or private entities with a public service mission”.
The Council of the EU released its Conclusions on EU Digital Diplomacy
On 18 July 2022, the Council of the EU released its conclusions on EU Digital Diplomacy, in which it invites the European Commission, in close coordination with Member States, to ensure that Digital Diplomacy becomes a “core component and an integral part of the EU external action, including by strengthening existing multilateral, regional and multi-stakeholder processes, and matching the progress achieved with the EU’s Green Diplomacy and Cyber Diplomacy”. The EU’s digital diplomacy should be built on “human rights, fundamental freedoms, the rule of law and democratic principles” and carried out with like-minded partners. The conclusions also state that the purposes of EU Digital Diplomacy include promoting an “open, free, global, stable and secure Internet based on the multi-stakeholder model of Internet governance” and influencing the shaping of “ethical, safe and inclusive international technology standards based on human rights and fundamental freedoms”, with a view to negotiations in bodies such as the International Organisation for Standardisation (ISO) and the International Telecommunication Union (ITU). It will also contribute to “a coherent and mutually reinforcing implementation of the relevant parts of the EU’s security and defence policy, including on cyber and hybrid aspects” and to “safeguarding the EU’s security” in the context of countering hybrid threats, cyberattacks, and foreign interference. In its conclusions, the Council also stresses the importance of bilateral, regional, multi-stakeholder and multilateral initiatives in the digital field, and encourages the Commission to promote tools developed by the EU (i.e. standards) and “to explore additional initiatives to increase the visibility of the EU globally by learning from best practices of the Member States”.
The European Parliament issued a Study on internet fragmentation
In July 2022, the European Parliamentary Research Service issued a study entitled “‘Splinternets’: Addressing the renewed debate on internet fragmentation”, in which it underlines how EU initiatives can be “seen as a driver for positive opportunities but also as a catalyst for the worsening” of internet fragmentation. Regarding current initiatives such as the Digital Services Act (DSA), the study stresses that imposing intermediary service obligations on DNS services could “contradict the EU's vision of a single and open internet and its commitment to the multistakeholder approach in internet governance”. As for NIS 2, the authors underline that the inclusion of the root name service within the scope of the Directive would have implied regulatory oversight by the EU, which could have resulted in conflicting regulatory requirements and risked fracturing the root server system. The study nevertheless highlights that some current initiatives could reinforce the pattern of internet alignment, such as the e-Evidence Regulation, which would have an extraterritorial dimension by reshaping cross-border access to electronic evidence by judicial authorities. The eIDAS Regulation “signals the ambition of the European Commission to foster European standards in relation to electronic identification and website certification” and could therefore lead to a spill-over at a global level, according to the findings of the study. The study also raises different approaches the EU could take regarding internet fragmentation: keeping the status quo (i.e. regulating gatekeepers but not imposing rules affecting internet fragmentation and the unity of the internet), embracing fragmentation (i.e. the free flow of data without restriction on barriers between the EU and third countries), resisting patterns of divergence (i.e. revising its current policies to ensure that its rules have no fragmenting effects), or framing discussions as a matter of fundamental rights.
The Council of the EU issued its compromise text on the EUID proposal
On 25 August, the Council of the EU issued its third compromise proposal on the EUID proposal (see our previous reporting here). According to the limited information available, the compromise proposal seeks to promote the uptake of the proposed European Digital Identity Wallets by seamlessly integrating them with the ecosystem of public and private digital services already implemented at national, local or regional level. The compromise proposal also puts forward new provisions regarding cybersecurity requirements for trusted service providers. For instance, it stresses that it will be the role of NIS 2 authorities to provide information to supervisory authorities on the compliance of qualified trusted service providers with cybersecurity risk management measures under Article 18 of NIS 2 (i.e. technical and organisational measures such as risk analysis, incident handling). With regard to website authentication, the compromise proposal suggests maintaining web browsers’ ability to address cybersecurity concerns.
ITRE’s Draft Report on the EUID proposal received numerous amendments
Members of the Committee on Industry, Research and Energy (ITRE) proposed over 600 amendments (here and here) to their Draft Report on the EUID proposal (see our previous reporting here). Some notable amendments concern the ‘once-only’ principle, which aims to ensure that EUID users only provide their information to public authorities once and complies with data protection rules (i.e. accuracy, purpose limitation). Other amendments include introducing the concept of ‘Zero Knowledge Proof’ (ZKP), which would allow the “verification of a claim without revealing the data that proves it”, ensuring a high level of security of EUID Wallets (including the encryption of content) and ensuring that the EUID Wallet is not made mandatory. Some MEPs are also advocating for open source and decentralised storage and the creation of a dispute resolution mechanism at EU level provided by the European Agency for Cybersecurity (ENISA), which would enable affected parties to report “trust service providers that are non-compliant with the privacy, security and interoperability requirements”. Finally, some amendments suggest that parts of the EUID Wallet which “have not been certified according to the European cybersecurity certification scheme” should be subject to a peer review mechanism.
LIBE received a briefing on the political agreement on the CER Directive
Following the political agreement reached by the Council of the EU and the European Parliament on 28 June on the Directive for the resilience of critical entities (CER Directive), the Rapporteur for the file, Michal Šimečka, provided further information on the final text during a meeting of the Civil Liberties, Justice and Home Affairs (LIBE) Committee on 5 September (see our previous reporting here). Rapporteur Šimečka explained that public administrations will fall under the scope of the Directive. He also pointed out that the scopes of both the CER Directive and the NIS 2 Directive are in line with each other. Regarding the definition of ‘incidents’, the Rapporteur stressed that the text has been amended to include both threats to economic activities and to the rule of law. The European Commission, in conjunction with Member States, will be in charge of identifying ‘critical entities’ which fall under the scope of the Directive.
The European Parliament issued a Study on Europe’s PegasusGate
In July 2022, the European Parliament issued a Study on Europe’s PegasusGate following the revelations that governments around the world, including in the EU, were using Pegasus software to spy on “journalists, lawyers, activists, politicians, and high-ranking state officials”. The study also provides a list of ideas to help the public and private sector counter spyware abuse. For the public sector, one potential way forward would be to promote cyber resilience through governmental incentives and mandate cybersecurity risk management. In this regard, the Study mentions that it is uncertain whether NIS 2 will “contribute to hampering spyware attacks” as risk management and reporting obligations would most likely “not cover consumer products or services themselves”. A spill-over “benefiting the resilience of end-user devices and services” may nevertheless occur, for instance where “mitigating vulnerabilities in end-user products and services is a prerequisite to ensure sufficient cybersecurity”. The Study also mentions that the upcoming Cyber Resilience Act (CRA) may “reinforce contractual duties and impose an obligation on providers to notify users in case the provider becomes aware of a security breach” (see our previous reporting here). As for the private sector, the study stresses that “a vulnerability treatment plan, good disclosure practices, and a swift vulnerability identification and mitigation cycle would further enhance cyber resilience”. For these reasons, the study recommends that like-minded industries cooperate with civil society to exchange their expertise on cyber resilience. It also encourages intermediaries to refuse governmental orders to perform surveillance, and companies to introduce a human rights ‘due diligence procedure’, “comprising a human rights impact assessment, a risk classification, and singling-out mitigation measures”.