Tech Brief: EUCS options, ‘fair share’ questionnaire
“We are willing to discuss possible solutions brought up in the discussions regarding the issue on INL [Independence to non-EU law] criteria.”
Story of the week: The inclusion of sovereignty requirements that would exclude foreign companies from qualifying for the highest level of assurance of the Cybersecurity Certification Scheme for Cloud Services (EUCS) has proved a controversial topic in the EU Council. In the past weeks, the two camps, led by the Netherlands and France, respectively, have been working on a potential compromise to break the deadlock. In a joint document seen by EURACTIV, they have put forth a series of possible solutions, each with its pros and cons, to ask the other member states for feedback.
The solutions include creating sub-levels under the level of assurance ‘high’, under level ‘substantial’, in both, or in the so-called ‘Extension Profiles’. Alternatively, the immunity criteria could be separated from the scheme and covered in EU legislation or in a mechanism to evaluate trustworthiness before entering the single market. The question is now what position Germany will take now that Berlin committed in the French-German declaration signed on 22 January to a robust cybersecurity certification scheme to promote trust in cloud services. Last September, Germany was much more reluctant.
- The EU Parliament adopted its position on the platforms workers’ directive and political advertising regulation.
- MEPs discussed the categorisation of high-risk AI systems.
- EURACTIV provided an overview of the Data Act’s main changes ahead of a key committee vote.
- The Swedish presidency proposed to modify product lifecycle and vulnerability reporting in the Cyber Resilience Act.
- The European Commission prepped national authorities on Digital Services Act’s implementation.
Before we start: If you just can’t get enough of tech analysis, tune in to our weekly podcast.
The European digital identity’s pilot project
While the regulation to establish a European digital identity continues its legislative process, the European Commission has recently launched a pilot project to see how this could work in practice. We discuss the project and its potential impact on the …
Powering the Twin Transition
Learn more >>
High-risk categorisation. MEPs gathered this week to discuss how AI systems should be classified under the AI Act, according to an agenda obtained by EURACTIV ahead of the meeting. The co-rapporteurs proposed introducing a regulatory dialogue with the competent authority in case the AI developers ask for their systems under Annex III to be excluded from the high-risk category. A new proposal on the delegated powers for the Commission to amend Annex III was also on the table. Read more.
AI research cooperation. Washington and Brussels signed an administrative agreement last Friday to advance their research cooperation on AI applications in climate change, health, emergency response, and electric grid optimisation. Just a day earlier, the National Institute of Standards and Technology published its AI Risk Management Framework, a voluntary tool the US would like the EU to recognise as an alternative way to comply with the EU’s AI Act. Read more.
Creatives at risk. Artists and the organisations representing them have voiced their concerns over the rise of generative AI such as ChatGPT and Stable Diffusion, arguing that they pose both a copyright and existential threat to their work. Not only is their art often fed in, uncredited, to these AI models in the training process, they warn, but their increasing use could lead to the disappearance of vital jobs in the creative industries. Read more.
EP crunch time. The AI Act’s co-rapporteurs are pushing hard to finalise their report in the coming weeks, proposing a five-hour shadow meeting in Strasbourg on 15 February to find an overall agreement. The other shadows managed to scale down the marathon to ‘only’ four hours. Two parliamentary officials told EURACTIV that the timeline is unlikely as sensitive questions like the AI definition remain wide open, while Annex III has not been touched yet. On General Purpose AI, a compromise might circulate already next week.
Prohibited practices. Meanwhile, the work has started on the prohibited practices at the technical level. NGOs have mobilised to extend these prohibitions to emotion recognition, biometric categorisation, and predictive analytics. A major point of concern is that, whereas Annex III is updatable after the AI Act enters into force, Article 5 is not.
ChatGPT goes Premium. Microsoft unveiled a premium feature on Teams integrating generative AI software ChatGPT to perform functions such as producing meeting notes, recommending tasks and creating meeting templates. Microsoft already invests heavily in OpenAI, the company behind ChatGPT, which will soon introduce an enhanced paid version of the model, ChatGPT Plus.
Criminal profiling. In the context of its call for a ban on ‘predictive policing’, criminal justice watchdog Fair Trials has developed a test for assessing people’s likelihood of being profiled as at “risk” of committing a crime by law enforcement.
The scope question. A report by the Centre for Data Innovation has warned that the AI Act’s broad definition of AI could pose a threat to a broader set of technologies not in need of the same regulation, potentially harming the EU’s AI ecosystem.
SO for Microsoft. According to media reports, the EU competition authority issued a formal competition warning [a statement of objections] to Microsoft over its acquisition of gaming company Activision-Blizzard earlier this week. The statement of objections formally escalated an inquiry the Commission’s antitrust department launched into the $69 billion deal last November. A similar move is expected from the UK authority in the coming days, whilst the US Federal Trade Commission has already asked for the merger to be blocked.
Sponsored studies. The tech world is rife with lobbying, but much of this is being done by ‘economic consultancies’, on which there is less public visibility as they work on sensitive merger cases. The Corporate Europe Observatory is calling for more attention to be paid to the role of these economic consultancies, notably in terms of revolving doors and influence over expert groups. The Commission told EURACTIV that it was aware of these concerns but that it had been “uncompromising” in its transparency on lobbying.
2022 Competition Report. The European Parliament published its 2022 Draft Report on Competition Policy this week, emphasising that competition law remains relevant for digital markets, despite the DMA’s entry into force. While it welcomes the creation of a new tech directorate in the Commission’s DG COMP, it also ‘deplores’ member state unwillingness to make available additional funds.
CTO wanted. DG COMP opened the job advert for a Chief Technology Officer to oversee all data-related and digital projects in the department. Applications are due on 1 March.
Stakeholders’ meeting. The Commission is setting up a stakeholders meeting on 28 February to inform its upcoming proposal to combat the online piracy of live events. The discussion will cover current practices on removal requests, dynamic injunctions and cooperation with and between authorities. Read more.
Lifecycle, reporting. The Cyber Working Party met on Wednesday to discuss several changes to the Cyber Resilience Act, including an adjustment to the definition of the product lifecycle and a change to the vulnerability reporting mechanism. Also up for discussion at the meeting were a conformity assessment and critical products subject to pre-market third-party assessment, on which Stockholm has not issued compromise texts yet. Read more.
EP’s CRA stalemate. The possible step forward on the competency gridlock between ITRE and IMCO committees on the Cyber Resilience Act is expected on 14 February. A potential compromise could be giving IMCO exclusive competencies related to enforcement and market surveillance authorities. The issue is that this chapter also deals with ENISA, an ITRE competence. Meanwhile, ITRE rapporteur Nicola Danti is preparing another workshop for the end of February, this time more focused on consumer protection and open source.
Think about children. Euroconsumers is calling for the Cyber Resilience Act to be strengthened following an investigation which found that Internet of Things devices such as baby monitors and devices aimed at children often lack basic security features, leaving them vulnerable to hackers.
Data & Privacy
Changes overview. Ahead of ITRE’s vote on the Data Act on 9 February, EURACTIV detailed the key changes to the proposal introduced in the European Parliament, spanning areas including scope, Internet of Things environment, gatekeeper exclusion, trade secrets and cloud switching, amongst others. Read more.
Hold on now. 30 trade associations have issued a joint statement calling on the Data Act’s co-legislators to avoid “a leap into the unknown” and consider the potential impact of the regulation on companies with data-driven business models. Read more.
GDPR monitoring. The Commission committed to regularly checking the progress of large-scale GDPR cases across Europe. The commitment follows a complaint filed by the Irish Council for Civil Liberties before the EU Ombudsman, who suggested some technical improvements.
Digital Services Act
Prep talks. The Commission has delivered a presentation to member states on several aspects of the DSA in preparation for its implementation by national authorities, covering topics such as the designation of very large online platforms, risk management, governance architecture and information-sharing. Read more.
Surprise guidance. The Commission has published its guidance on the DSA’s requirement that service providers publish information on their user numbers. The guidance comes two weeks ahead of the deadline, and after that, the Commission said it was not deemed necessary several times.
I’ll be watching. This week, Commissioner Thierry Breton told Twitter CEO Elon Musk that he will remain “vigilant” over the company’s compliance with the DSA. Twitter is set to conduct a DSA “stress test” in the coming weeks.
Winners and losers. As anticipated by EURACTIV law week, ITRE’s eIDs text on Qualified Web Authentication Certificates (QWACs) was welcomed by Mozilla, which is now hoping it will make it through the trilogue. By contrast, DigiCert, one of the largest certificate authorities, considers that Parliament’s version gives disproportionate powers to web browsers as there is no measure to ensure accountability or even contest their decisions.
Specifications pending. The eIDAS Expert Group was due to adopt the Architecture and Reference Framework last week, to define how the wallet will be made and used. This version is based on the Commission proposal of June 2021 and will need to be adjusted depending on the legislation’s progress. The publication is expected in the coming weeks.
Avoid surveillance. 39 NGOs and experts have written to EU lawmakers regarding the upcoming ITRE vote on the eIDAS regulation, expressing concerns about its potential impact on fundamental rights.
EP’s position adopted. The EU Parliament adopted the controversial Platform Workers’ Directive on Thursday following months of contentious debate. 212 lawmakers voted against the initiative, including most of the EPP and half of Renew. Read more.
Fact-checking CSAM. Fact-checkers at the Dutch university TU Delft have called out the Commission for statements supporting the initiative to tackle Child Sexual Abuse Material (CSAM), which has stirred controversy over its potential implications for encrypted messaging services. Read more.
LIBE’s e-Evidence adoption. In a last-minute addition to the agenda of a LIBE committee meeting this week, MEPs endorsed the agreement on the new rules for obtaining electronic evidence across borders.
8 years for reporting. A high-profile Russian journalist has been sentenced in absentia to eight years in prison after publicly accusing Russian forces of purposefully shelling a maternity hospital in Mariupol, Ukraine, last March. Alexander Nevzorov, who left Russia last year, will be sent to a penal colony if he ever returns to the country, a Moscow court said. Read more.
Media interference. An internal inquiry has opened within French channel BFM TV in response to concerns over potential foreign interference and a lack of proper editorial oversight. A journalist has been placed on leave as part of the enquiries, which are said to be looking particularly at a piece of reporting from last year on Spanish-Moroccan relations.
Pol ads adopted. The IMCO committee’s report on the political advertising regulation was formally adopted by the Parliament on Thursday, with none of the twelve tabled plenary amendments making it into the final text. MEP Sandro Gozi’s report, which had stirred controversy in particular over its prohibition on targeting using sensitive personal data, passed with 433 votes in favour and 61 against, opening the door for trilogue negotiations to begin. Read more.
AdTech is next. A Commission study on recent developments in the digital advertising ecosystem has found “a strong case to reform digital advertising” and defined the status quo for consumers and publishers as ‘unsustainable’. The report focuses on the industry’s transparency, privacy concerns and market concentration. As previously reported, this study will likely provide the basis for a new legislative initiative in the next mandate in case the ePrivacy is withdrawn.
Shady lobbying hotline. Corporate Europe Observatory has launched a new hotline, LobbyLeaks, for anonymous tips about Big Tech lobbying that violates the EU transparency register’s code of conduct or is considered unregulated. The hotline has been released in collaboration with LobbyControl and with the support of some MEPs like Paul Tang. It is intended to up the pressure on EU institutions to clamp down on problematic lobbying and increase transparency.
The sexy topic none wants. The lead on IMCO’s own-initiative report on the metaverse was not allocated last week because… none wants to pay for it. Every parliamentary committee has a point system whereby political groups can spend points based on the file’s importance. With an important pending file like the right to repair, no one seems interested in spending the remaining points on an INI report. If no one steps forward at the next coordinators’ meeting, the file will go to the first no-taker, which EURACTIV understands to be S&D, or it will be cancelled altogether.
EUTA’s chair. The European Tech Alliance has elected its new 2023-25 board, re-appointing the head of Zalando’s EU Public Affairs team, Aurélie Caulier, as Chair.
Getting there. On Wednesday, the European Parliament’s Conference of Committee Chairs issued its recommendation on the competency distribution for the AI Liability Directive. The opinion, seen by EURACTIV, consists of leaving the lead to the JURI committee and involving IMCO and LIBE in some shared competencies. In particular, IMCO will work with JURI on anything related to an injured person’s rights under the Product Liability Directive and the liability and due diligence obligations of the Digital Services Act. In turn, JURI’s work will focus on non-contractual fault-based civil law claims brought before national courts. The three committees will have to work together on the disclosure of evidence before national courts and on several aspects where the directive interacts with the AI Act, like how to assess if an AI system is faulty.
Don’t expect much. The competence distribution still needs to be confirmed by the Conference of Presidents before the work can begin. Still, rapporteur Axel Voss already made clear this file will have to wait until the Parliament’s position on the AI Act. Meanwhile, the EU Council has unceremoniously put the AI Directive on ice whilst progressing on the Product Liability Directive. However, in the Parliament, the IMCO-JURI fight on the PLD is still far from settled.
Council’s ITU push. Some EU countries are working on a non-paper to push for stronger EU coordination with ITU, the UN telecom agency, which is considering opening an office in Brussels. The non-paper, which is not finalised yet, will be discussed at the Telecom Working Party on 14 February and will touch upon the need to strengthen the relationship with ITU focusing on technical issues and enabling a decision-making process where ITU and the Council to have direct access to each other.
Think about CULTure. Sabine Verheyen, chair of the CULT committee and board member of the German public broadcaster Westdeutscher Rundfunk, is organising an event on the senders-pay initiative at the European Parliament next Thursday morning. “To date, the debate has been largely framed as an incumbent Telco vs Big Tech issue. Now I would like to invite you to a targeted and evidence-driven event, discussing the wider potential consequences for creative and cultural sectors,” reads the save-the-date note Verheyen’s office sent to other MEPs. No telco was invited to speak.
More Huawei sanctions. Washington has stopped approving licenses for exports of most items to Huawei, building on existing restrictions on items linked to 5G and other tech. The Biden administration is moving to establish a formal policy of banning shipments to Huawei and reflecting a tightening policy against the Chinese company over the past year. Read more.
Goals at risk. The European Telecoms Network Operators’ Association (ETNO) published its 2023 review of the State of Digital Communications this week, concluding that, while investment in the industry is higher than ever, levels in Europe are lower than in other regions and that without progress on 5G and fibre networks at the local level, there remains a risk of falling behind on gigabit goals.
More partnerships. The EU and Singapore have formally launched their Digital Partnership, first announced at the EU-ASEAN summit in December 2022. The deal will bolster cooperation in several areas of digital technology and trade, including semiconductors, trusted data flows, standards and digital skills.
What else we’re reading this week:
Chinese Search Giant Baidu to Launch ChatGPT-Style Bot (Bloomberg)
Web3: the next internet revolution (Bruegel)
A thousand Facebook-Cambridge Analytica scandals every day (EURACTIV)