i2Coalition EU Monitoring Report: October 2023
Looking back to look forward
The EU elections are fast approaching, marking a pivotal moment for the European Union to reflect on its achievements and the challenges ahead. In late September, the Commission presented the 2023 Report on the state of the Digital Decade. This important document provides a first-hand look at the EU’s progress towards its ambitious digitization goals, as set out in the 2030 Digital Decade Policy Programme. The report not only provides a holistic view of Europe’s progress towards these 2030 goals, but also describes the starting point for the implementation of the program. It also provides country-specific guidance to optimize the direction of their individual strategic digitalization roadmaps. Among its findings, the report highlights significant disparities in the deployment of key infrastructure, such as 5G networks, and underscores the challenges in addressing key technology needs, particularly in areas such as semiconductors and AI. Following the report’s findings, the Commission issued a recommendation in early October focusing on critical technology areas essential to the EU’s economic security. This document identifies technology areas that warrant further attention and research. The Commission intends to work with Member States to carry out a risk assessment, particularly in four core areas: AI, cloud, semiconductors and quantum technologies. Further initiatives on this front are expected by spring 2024. The overarching goal remains to strengthen the EU’s resilience against dependencies, especially from less reliable partners such as China.
What’s new this month?
- Intermediary liability and content policy
- CSAM: The Council faced challenges reaching consensus on encryption and other issues, while the LIBE Committee sought compromise amid delays; trilogue negotiations are anticipated to start post-November.
- Network fees: A “Digital Network Act” was officially announced by Breton; results of the public consultation are finally available; a white paper on telecom investment is expected in Q1 2024.
- Data policies
- Data Act: The Data Act, agreed upon in July, awaits a November plenary session vote in Parliament, with its application anticipated in the third quarter of 2025 (September update).
- New EU-US Data Transfer Framework: One of MP Latombe’s challenges has already been dropped, while we await the court’s decision on the other. Max Schrems may announce his challenge any day.
- Law enforcement
- e-Evidence package: The IT Decentralized Systems Expert Group will kick off this month.
- Recommendation on piracy of live content (dynamic blocking): No major updates after the political meeting in Alicante.
- eIDAS Regulation: After months of negotiations, technical negotiators finally agreed on a text that will be validated at the political level in early November.
- Cyber Resilience Act (CRA): Trilogues on the CRA have begun and all parties involved are optimistic that legislation will be completed by the end of the year.
- Cloud Cybersecurity Certification Scheme (EUCS): A lot of speculation about the timeline and a possible new draft, but still very little concrete action.
- Proposal for a Directive on corporate sustainability due diligence: Technical meetings are underway, and the file is being discussed mostly behind closed doors.
- Geographical indication: After the Parliament, the Council finally agreed on the final text; publication in the Official Journal is expected soon.
Intermediary liability and content policy
📜 Regulation (EU implementation) 🕐 Ongoing legislative procedure 🔗 Commission proposal
What is it? The CSAM regulation is a highly controversial piece of legislation that introduces harmonized rules for service providers to detect, report and remove child sexual abuse material on their services. Platforms and providers are concerned that the regulation could undermine end-to-end encryption and human rights. The regulation will also create an EU reporting center, which may conflict with existing US mechanisms. Status: The text is well advanced and both institutions should soon have their own positions, paving the way for trilogue negotiations.
The Council’s struggle for consensus
- Following the Spanish Presidency’s controversial proposal to roll back encryption safeguards and allow administrative bodies to take decisions to block and delist hosting providers and search engines, they faced opposition from key member states.
- Bowing to pressure, the original deadline of September 28 to reach a consensus was postponed. Now, the Council has postponed the adoption of its general approach until October 19. However, some member states remain stubborn and are holding up progress over issues such as encryption, blocking orders, and the dynamics between the EU center and Europol.
Parliament moves forward amid delays
- The LIBE Committee, which is responsible for the CSAM regulation file, has been working diligently to find middle ground. Initial compromises have focused on risk mitigation, app stores and certain platform obligations.
- However, the expected vote by the LIBE Committee, originally scheduled for late September, has now been pushed back to October 26, highlighting the challenges in reaching a unanimous decision.
Plenary and Trilogue Timelines
- Following the finalization of the LIBE Committee’s position, a plenary vote in the European Parliament is scheduled for November. This milestone will set the stage for the trilogue negotiations, which are expected to begin by the end of November.
- Both the Council and the Parliament aim to conclude these critical discussions by the beginning of March 2024,’ the last possible deadline given the upcoming elections.
📜 Unknown 🕐 Upcoming legislative or non-legislative act What is it? Following strong telco-lobbying, the European Commission is considering adopting a legislative act that would somehow push large content providers (e.g., Netflix, YouTube) as well as potentially other actors (e.g., Cloud and CDN providers) that make up a large percentage of the traffic on the Internet, to contribute to the development of network infrastructure. Status: There are still many unknowns as to whether or not the Commission will introduce network fees in a Telecom Act or other proposals.
- The Commissioner for Internal Market, Thierry Breton, announced earlier this week a proposal for a new “Digital Networks Act” (DNA). This initiative will be built on the results of the exploratory consultation on the future of the electronic communications sector.
- The main goals of the “DNA” would be to overcome the barriers to a true telecoms single market, by allowing Telecoms operators to scale and be agile enough to adapt to the technology revolution in a context where market fragmentation “holds them back”.
What to expect next?
- The Commission is expected to release a white paper in the first quarter of 2024 exploring ways to support telecom operators, but also including a recommendation for Member States on subsea cables and spectrum.
- This white paper would be followed by a fully-fledged proposal, possibly in Q2 2025.
The long awaited results of the public consultation are finally out
- The results highlight three main takeaways: first, the need for innovation and efficient investment; second, the urge to leverage the Single Market to boost investment and innovation and, third, the importance of securing networks and critical infrastructure.
The deadline for amendments to the Annual Competition Report is fast approaching
- MEPs will have until the 18th of October to table amendments to the draft of the Annual Competition Policy report, authored by MEP Stéphanie Yon-Courtin (Renew Europe, France) and that, as advanced in the last report, “calls for the establishment of a policy framework whereby large traffic generators contribute fairly to the adequate funding of telecom networks without prejudice to net neutrality”.
State of the Digital Decade Report Insights
- The new report, published on 27 September, assesses progress towards the EU’s 2030 connectivity targets. There’s a call for Member States to identify connectivity gaps and seek financing solutions, especially in non-commercially viable regions.
- A list of infographics can be found on the Commission’s website.
📜 Regulation (EU implementation) ✅ Finalized procedure 🔗 Commission proposal What is it? This Regulation will facilitate the sharing and re-use of data generated by IoT objects with data subjects (consumers, businesses, public sector). It will also make it easier to switch between cloud service providers (by removing egress fees, reducing the notice period, and proposing functional equivalence between services) and regulate the circumstances in which the public sector can request data from the private sector in the public interest. Status: A final agreement has been reached in trilogues, meaning that the file is close to conclusion. Only a few more procedural steps before formal entry into force.
- After reaching an agreement on the Data Act just before the summer recess, the consolidated version of the July text has now been circulated. However, a few procedural steps remain before the Act comes into force.
- The text should first be translated before being formally adopted by the Parliament during the November plenary session. It is then expected to be published in the Official Journal a few weeks after.
- The actual application of this regulation is expected to start in the third quarter of 2025. All stakeholders are closely monitoring these milestones to ensure a smooth transition once the Regulation is in place.
New EU-US Data Transfer Framework
📜 Adequacy decision ✅ Finalized procedure 🔗 EU Communication
What is it? Third attempt to establish a trans-Atlantic data transfer framework between the United States and the EU. The agreement intends to replace the previous ‘Privacy Shield’ agreement which was invalidated by the European Court of Justice in July 2020 following the action of Max Schrems.
Status: The agreement was finalized in July 2023, and entered into force on 10th July 2023. Legal challenges are however already underway.
Hopes are high, but legal challenges loom
- As we reported last month, and as we all expected given the first two precedents, the newly adopted DPF is already facing criticism and legal challenges. French MEP Latombe filed two challenges with the EU’s second highest court, the General Court, seeking the annulment of the DPF on procedural grounds (the text was published only in English, instead of the 24 official EU languages) and substantive grounds (violation of fundamental rights).
- The challenge is currently under review by the Court, which must first determine the admissibility of Mr. Latombe’s claim before considering the merits.
- However, the first of the procedural claims has already been dropped as the Commission published the DPF in all 24 languages on September 20. For the second claim, we will have to wait for the admissibility assessment of the Court of First Instance, which many legal experts believe is unlikely to pass due to the very strict criteria for the procedure.
But let’s not forget about Schrems
- As many of you may be wondering, what about the Privacy Shield boogeyman, Max Schrems? He has yet to make an official statement, although he has made it very clear that we should expect a challenge from him as well. However, he is likely to take a different legal route than Mr. Latombe, going through the national – in his case Austrian – legal system first.
- Schrems had to wait until October 10th to file his challenge; the deadline has now passed and we are all waiting to see what will happen.
📜 Regulation (EU implementation) ✅ Finalized procedure 🔗 Regulation text
What is it? These proposals will allow EU Member State law enforcement authorities to request information regarding ongoing criminal cases directly from companies. It is the EU equivalent of the US CLOUD Act, as it sets out the rules for the preservation and production of data pertaining to electronic evidence directly from service providers.
Status: After almost five years of negotiations, the e-Evidence package has finally been adopted. Now the implementation phase has begun.
IT system expert group kick-off
- As mentioned in our last monitoring, the Regulation has now been adopted and is fully in the implementation phase, which will officially start on 19 October with the inaugural meeting of the Expert Group on the Decentralized IT System. The group brings together stakeholders from civil society, industry and institutions to set up the decentralized IT system for electronic exchange of evidence required by the Regulation.
Did you forget about transatlantic cooperation?
- As some of you may recall, a few months ago we mentioned the resumption of EU-US negotiations on a bilateral agreement based on the CLOUD Act and the eEvidence Regulation.
- Back then, we reported that there had been a 6th round of negotiations in June, which set the stage for the negotiations. Well, after the summer break, the two sides have resumed discussions and a 7th round of negotiations is underway.
Recommendation on piracy of live content (dynamic blocking)
📜 Non-legislative procedure ✅ Published recommendation & KPIs 🔗 Recommendation
What is it? An EU Recommendation is a non-binding proposal to EU Member States on how to address a particular issue; the forthcoming Recommendation on piracy of live content would require Internet infrastructure service providers to quickly block websites that stream pirated live events, particularly sports events. Although right holders had hoped for a full regulation, it is possible that the next Commission will pursue additional measures beyond the Recommendation.
Status: The Commission has finally published its recommendation and set a review date of November 2025.
A disappointing meeting in Alicante, spain
- Earlier this week, a meeting of policymakers and stakeholders took place in Alicante, Spain, to discuss the issue of live content piracy over two days. The first day welcomed public participation, while the following day focused on bilateral dialogues on the adoption of KPIs.
- While the discussions were engaging, they didn’t produce any new insights. Stakeholders held their ground, but the European Union Intellectual Property Office (EUIPO) seemed somewhat adrift, seeking broader powers in its discourse with the Commission.
eIDAS Regulation – Revision
📜 Regulation (EU implementation) ✅ Procedure completed 🔗 Commission proposal
What is it? The European digital identity framework aims to improve interoperability between digital identity wallets (for authentication and identification of citizens) and create a clear framework for trust service providers (TSP – digital signatures and web certificates, etc.) Web browsers are concerned that Member States would be able to force the acceptance of qualified certificates (Art. 45), while many industries see eIDAS as a business opportunity when it comes to identity verification.
Status: The text has been “technically finalized” for several months, but technical negotiators are still working on the text.
Will the long negotiations on the text be over soon?
- After an official political agreement, falsely claimed by the Swedish Presidency in July, technical negotiators have continued their work behind the scenes, hoping to reach an agreement soon.
- The process has been somewhat chaotic, but after three months of work we heard that an agreement had finally been reached between the three institutions.
Yet another political agreement needed
- However, as the agreement changed so many aspects of the text, another political trilogue, already scheduled for November 6, will be necessary. Yet one question remains: will the Spanish claim victory or will the fourth trilogue be swept under the carpet?
Cyber Resilience Act (CRA)
📜 Regulation (EU implementation) 🕐 Ongoing legislative procedure 🔗 Commission proposal
What is it? The Cyber Resilience Act aims to establish common cybersecurity standards for connected objects (IoT), including standalone software and ancillary services. New requirements include vulnerability and incident reporting, and impact and conformance assessments. While the security by design and by default requirements (Annex I) are straightforward, industry is concerned that the third-party assessment for Class I and II products (Annex III) will be burdensome for smaller players, including for open-source software.
Status: The Council and Parliament have adopted their positions and the trilogue phase has officially started.
All quiet on the CRA front
- Sometimes trilogues can really feel like a battle between very different parties, and each political meeting means hours of back and forth on often just a handful of provisions. In the case of the CRA, however, the situation looks rather optimistic. The first trilogue began on September 27, and it was more of a setting the stage than a deep dive into the sticking points of the legislation.
- The three parties (the Commission, the Council and the Parliament) all presented their positions and, according to the statements of the stakeholders present in the room, they all agreed that there are no major gaps between them and they are all optimistic that the file can be closed by the end of the year.
What did the negotiators discuss?
- The discussions touched lightly on the main issues – OSS, reporting obligations and vulnerability handling, obligations of economic operators, skills, classification of products – but the real detailed work will be hammered out in the so-called technical trilogues.
- Technical trilogues are different from political trilogues in that they involve the technical experts of the three institutions and are usually mainly focused on finding the legal language and ensuring legal compliance: they set the stage for political agreements, where decision-makers meet to negotiate political agreements, which are then detailed by the technical experts.
- After this first political trilogue, technical trilogues are now taking place to prepare the work for the next political trilogue, scheduled for November 8.
Cloud Cybersecurity Certification Scheme (EUCS)
📜 Non-legislative (technical scheme) 🕐 Ongoing procedure 🔗 Early draft by ENISA
What is it? This certification scheme aims to create Europe-wide standards for cloud security for cloud providers and services. It is not yet mandatory, but there are signs that it could gradually become so, especially for more sensitive uses (e.g., cloud services for healthcare purposes). From a purely technical draft, the EUCS has become increasingly political, with some member states pushing for the inclusion of a sovereignty clause.
Status: This procedure is advanced but will probably require several months, if not years, to conclude.
A lot happening under the surface
- Following the circulation of the August draft, many are speculating about the possibility of a new draft in the coming days or weeks. This is because the ECCG meeting scheduled for September 22, which was supposed to conclude this phase of the process and adopt a decision, was in fact inconclusive.
- This means that the process is still stuck in a ping-pong between the national expats of the ECCG debating where to add these infamous “sovereignty requirements” and ENISA trying to draft a scheme that still resembles the original candidate scheme.
- At the moment there is a lot of speculation and rumors about possible approaches to the sovereignty debate, but we should wait for a new draft to be leaked to see where the discussions end up. What seems certain is that the front of countries that still want to allow non-EU companies to get the “high” level certification is getting stronger, and we may see some developments in that direction in the new draft.
- There is no set date for a new EECG meeting at this time, but many expect it to be later this month or early November to discuss the new draft that we expect any day now.
Corporate sustainability due diligence (CS3D)
📜 Directive (MSs implementation) 🕐 Ongoing legislative procedure 🔗 Commission proposal
What is it? The proposal establishes a corporate sustainability due diligence duty to address negative human rights and environmental impacts. Companies will therefore be required to identify and, where necessary, prevent, end, or mitigate adverse impacts of their activities on human rights (i.e., child labor and exploitation of workers) and on the environment (i.e., pollution and biodiversity loss).
Status: The process is quite advanced in the legislative process, with trilogues well under way.
Technical negotiations ahead of a likely fourth trilogue
- As we reported last month, a fourth trilogue is scheduled for the second half of November, and several technical meetings are underway to try to iron out some of the most contentious issues. Throughout October, the Spanish President will lead Member States in reviewing their position on CS3D and trying to reconcile the conflicting views on how the sector should be covered.
- Not much has happened on this front and we will wait for next month’s meeting to see if any significant developments will be made.
Geographical indication protection for craft and industrial products
📜 Regulation (EU implementation) ✅ Finalized procedure 🔗 Final agreement
What is it? This law concerns the protection of geographical indications (representing places such as a city or region), including in website domain names. It establishes the rights of individuals or groups to revoke or transfer website domain names that use geographical indications without being entitled to do so or that use them in a way that is contrary to the rules (Art. 41). Registries established in the Union must set up a warning system (Article 31).
Status: The process has been completed and the text will soon enter into force.
After Parliament, it is now the Council’s turn to agree on the text.
- After the Parliament validated the trilogue agreement with a near-unanimous consensus last month, the Council finally gave its green light to the text.
- The text will soon be published in the Official Journal of the European Union and will then enter into force on the twentieth day following its publication.