Menu
News: i2Coalition EU Monitoring Report: January 2024
< BACK TO FEATURED NEWS
EU-Flag-by-Christian-Lue

,

i2Coalition EU Monitoring Report: January 2024

EU institutions gear up for a busy 2024

As the New Year begins, the European Union’s institutions have emerged from a two-week break to begin this year’s committee meetings in Brussels. While the agenda is currently light on digital files, this respite will be short-lived. With a packed legislative calendar, including an almost fortnightly plenary session until 22 April, we anticipate a dynamic period ahead. EU Competition Commissioner Margaret Vestager, known for her tough approach to competition law, particularly in the big tech sector, is returning to the Commission after an unsuccessful bid for the presidency of the European Investment Bank. Meanwhile, Council President Charles Michel’s decision to run for the European Parliament has sparked discussions about his successor, with the looming possibility of Eurosceptic Hungarian Prime Minister Victor Orban taking on an interim role this summer, adding to the complexity of the political landscape. Belgium began its term as President of the Council of the European Union on 1 January, coming at a critical time for finalizing a wide range of legislative dossiers. With elections on the horizon, the Belgian Presidency faces the challenge of managing legislative tasks in an evolving political scene. Its task is to steer key discussions and decisions before the election cycle, and it has about 8 weeks to do so.

What’s new this month?

1. Intermediary liability and content policy

    • CSAM: The Belgian presidency hopes to reach an agreement among member states in early March.
    • Network fees: The white papers on future telecommunications and the recommendation submarine cables to be published on February 21.

2. Data policies

    • Data Act: The text finally published in the official journal.
    • GDPR harmonization: The text is going through the legislative process, moving forward with the publication of amendments from the MEPs.

3. Law enforcement

4. Cybersecurity

Intermediary liability and content policy

CSAM Regulation

📜 Regulation (EU implementation) 🕐 Ongoing legislative procedure 🔗 Commission proposal

What is it? The CSAM regulation is a highly controversial piece of legislation that introduces harmonized rules for service providers to detect, report and remove child sexual abuse material on their services. Platforms and providers are concerned that the regulation could undermine end-to-end encryption and human rights. The regulation will also create an EU reporting center, which may conflict with existing US mechanisms.

Status: The text is well advanced and both institutions should soon have their own positions, paving the way for trilogue negotiations.

Council and Belgian Presidency seek CSAM agreement

  • Good news: with the Belgian Presidency at the wheel, there is a renewed sense of optimism in the Council’s approach to the CSAM Regulation. Belgium’s more favorable pro-encryption stance than Spain’s could steer negotiations in a direction that balances security and privacy concerns.
  • The Belgian Presidency aims to reach an agreement at the next JHA Council on March 4.

Progress on the temporary derogation 

  • The Council adopted a mandate to extend the temporary derogation for voluntary scanning to three years, deviating from the European Commission’s proposal of two years. 
  • Meanwhile, the Parliament has not yet started work on this extension. 

Network fees

📜 Unknown 🕐 Upcoming legislative or non-legislative act

What is it? Following strong telco-lobbying, the European Commission is considering adopting a legislative act that would somehow push large content providers (e.g., Netflix, YouTube) as well as potentially other actors (e.g., Cloud and CDN providers) that make up a large percentage of the traffic on the Internet, to contribute to the development of network infrastructure. 

Status: There are still many unknowns as to whether or not the Commission will introduce network fees in a Telecom Act or other proposals.

A date for the white papers

  • We have a date, the eagerly awaited white papers on Future Telecommunications and on Submarine Cables will be published during the European Commission’s press conference on February 21st. 
  • These whitepapers will give stakeholders a sense of what to expect from the announced 2025 Digital Networks Act, so stay tuned for the publication!

 

Vodafone is in town

  • Just one month before the publication of the white papers, Commissioner Breton and EVP Vestager met with Vodafone executives in Brussels.

Data Policies

Data Act

📜 Regulation (EU implementation) ✅ Finalized procedure 🔗 Commission proposal

What is it? This Regulation will facilitate the sharing and re-use of data generated by IoT objects with data subjects (consumers, businesses, public sector). It will also make it easier to switch between cloud service providers (by removing egress fees, reducing the notice period, and proposing functional equivalence between services) and regulate the circumstances in which the public sector can request data from the private sector in the public interest.

Status: The text was published in the official journal of the European Union.

The text published in the official journal

  • The “GDPR for non-personal data,” the data law, was published in the Official Journal of the European Union on December 22 and came into force 20 days later, on January 11.
  • Entry into force is scheduled for 20 months later, on September 12, 2025, while the IoT obligations are scheduled to start on September 12, 2026, some 36 months later.

GDPR harmonization Regulation

📜 Regulation (EU implementation) 🕐 Ongoing legislative procedure 🔗 Commission proposal

What is it? This Regulation will set up concrete procedural rules for the authorities when applying the GDPR in cases which affect individuals located in more than one Member State. It will also aim at reducing disagreements and facilitating consensus among authorities, clarifying procedural deadlines for investigations and due process rights when a DPA investigates a potential breach of the GDPR. It comes in the context of the upcoming GDPR revision, scheduled for 2024.

Status: The Regulation was proposed in July 2023, and it is currently under discussion by the co-legislators. It is however unlikely that the text will be finalized before the elections.

Progresses on the horizon

  • 2024 started with a long list of amendments published by the two committees working on the file. Most of the proposed changes go in the direction of the report published by the lead MEP (rapporteur), a report that, as we reported in our December monitoring, was not received very positively by the Commission. This may cause even greater frictions in the coming weeks and undermine the already delayed path of the file. 
  • The Parliament still has not published any official date for a vote in the two committees and it is quite unclear if the MEPs will take more time to negotiate their position. One thing is sure though, they will do all they can to meet the April deadline and finalize their position.
  • Much less controversial, for now, seems to be the Council, which should circulate its first proposal on the file in the coming weeks. Member States however are not in a rush, with the deadline for the finalization of their position set for 14th June 2024.

Recommendation on piracy of live content (dynamic blocking)

📜 Non-legislative procedure  ✅ Published recommendation & KPIs 🔗 Recommendation

What is it? An EU Recommendation is a non-binding proposal to EU Member States on how to address a particular issue; the forthcoming Recommendation on piracy of live content would require Internet infrastructure service providers to quickly block websites that stream pirated live events, particularly sports events. Although right holders had hoped for a full regulation, it is possible that the next Commission will pursue additional measures beyond the Recommendation.

Status: The Commission has finally published its recommendation and set a review date of November 2025.

Stakeholders are meeting with officials

  • With the start of the data collection process initiated by the European Union’s intellectual property agency, the EUIPO, officials are meeting in Brussels with key stakeholders representing Internet intermediaries and rights holders to get their clocks in order. EuroISPA and CCIA Europe have scheduled discussions for February.
  • While not much is expected in 2024, the input gathered in the coming weeks will influence which points make it onto the next Commission’s priority list.

Cybersecurity

Cyber Resilience Act (CRA)

📜 Regulation (EU implementation) 🕐 Ongoing legislative procedure 🔗 Commission proposal

What is it? The Cyber Resilience Act aims to establish common cybersecurity standards for connected objects (IoT), including standalone software and ancillary services. New requirements include vulnerability and incident reporting, and impact and conformance assessments. While the security by design and by default requirements (Annex I) are straightforward, industry is concerned that the third-party assessment for Class I and II products (Annex III) will be burdensome for smaller players, including for open-source software.

Status:

The Council and Parliament have adopted their positions and the trilogue phase has officially started. 

Cloud Cybersecurity Certification Scheme (EUCS)

📜 Non-legislative (technical scheme) 🕐 Ongoing procedure 🔗 Early draft by ENISA 

What is it? This certification scheme aims to create Europe-wide standards for cloud security for cloud providers and services. It is not yet mandatory, but there are signs that it could gradually become so, especially for more sensitive uses (e.g., cloud services for healthcare purposes). From a purely technical draft, the EUCS has become increasingly political, with some member states pushing for the inclusion of a sovereignty clause.

Status: This procedure is advanced but will probably require several months, if not years, to conclude.

 

New proposals to get out of the impasse

  • At the beginning of December, several countries used the last Council meeting of the year to criticize the inclusion of sovereignty requirements in the scheme. In this vein, they proposed a third way out of the current framework, using instead of sovereignty criteria, adequacy decisions like the ones used for the GDPR to identify trusted countries.
  • Additionally, 12 Member States also asked to open a new public consultation, to gather feedback on the newest draft in the table.
  • As we reported in our December monitoring, ENISA circulated a draft again in November, but we should expect another one soon in response to the criticisms raised.

Related Posts

Internet Infrastructure Coalition
2920 W Broad St
Suite 80
Richmond, VA 23230

(202) 524-3183

Privacy Policy | Cookies Policy
The i2Coalition (Internet Infrastructure Coalition) ensures that those who build the infrastructure of the Internet have a voice in public policy. We are the leading voice for web hosting companies, data centers, domain registrars and registries, cloud infrastructure providers, managed services providers, and related tech. We protect innovation and the continued growth of the Internet’s infrastructure, which are essential to the global economy.
Share via
Share via
 
Send this to a friend