The Council of the European Union had a busy fall. The season culminated 6 Dec. with a Ministerial meeting of the Transport, Telecommunications and Energy Council during which member states formally adopted an agreed position on two significant legislative proposals: the Artificial Intelligence Act and the eIDAS Regulation, with a hint of a heating sovereignty debate. This means both texts are closer to the finish line: The next step for both files is the three-way negotiations once the European Parliament reaches its own position.

AI Act

As the text continues its journey in the EU sausage-making process, the council finalized its position and it is now a “lengthy and complex” text, according to the Czech presidency. It contains important changes in a few key areas:

In order to avoid capturing AI systems and software that do not pose significant risks, the council narrows the definition of AI systems and added a horizontal layer on top of high-risk classification. It adjusts the requirements for high-risk AI systems to make them technically feasible and less burdensome. A limited set of obligations for providers of general-purpose AI is proposed in cases where such technology is integrated in high-risk systems.

The council also clarifies the scope of the AI Act regarding national security, defense and military purposes, as well as research and development, and introduces more flexibility in the use of high-risk AI systems by law enforcement authorities. It simplifies governance, reinforces the enforcement framework, and clarifies the relationship between the responsibilities under the AI Act and relevant responsibilities under other legislation. It introduces provisions to increase transparency of the use of AI applications. Finally, it substantively modified provisions in support of innovation.

eIDAS

The revised eIDAS Regulation on electronic identification and trust services aims strengthening e-identity solutions to improve access to both public and private services across the EU. European Commissioner for Internal Market Thierry Breton qualified the general approach reached in week by the council as a way to “help improve European sovereignty and further create the EU’s data space, and for Europeans to be in charge of their own identities.” Online authentication solutions need to be “fully secure, easy to use, reliable and fully compliant with privacy rights for (European) citizens,” he added.

Several member states doubled down on the need to calibrate different levels of assurance — substantive and high — to support end users’ adoption and trust. Several countries such as Estonia have already deployed advanced e-identity solutions, so it will be interesting to see how compatible they are with this updated regulation (and vice versa).

Sovereignty clash

The council also discussed the progress of two other legislative proposals: the Data Act, which seeks to harmonize rules on fair access to and the use of data, and the recent commission proposal on horizontal cybersecurity requirements for products with digital elements. Notably, the debate on Data Act negotiations was used by several delegations to flag their concerns with the potential inclusions of sovereignty requirements in the certification scheme for cloud services currently being finalized at the EU cybersecurity agency. Estonia, Finland, Ireland and the Netherlands collectively underlined the significant negative impact that such requirements could have on the economy and the European cloud sector. They called for more transparency and a proper assessment of the draft requirements at a technical level and for a political debate, as this approach crystallizes once again the different meanings the concept of sovereignty can have for EU policymakers.