The European Commission emphasized cybersecurity policy this week. It came out with three new legislative proposals that touch respectively on cybersecurity certification, preparedness/response and skills.
The NIS2 Directive adopted earlier this year is not even applicable yet, but the European Commission is aiming to twist its certification provisions indirectly. Its latest proposal is a targeted amendment to the Cybersecurity Act that governs cybersecurity certification in Europe and EU cyber agency ENISA's role in its development. In particular, it proposes to create a clearer path for European cybersecurity certification scheme to be made mandatory. It also suggests member states should not be able to introduce new national schemes if an EU-level one already addresses the product, services or process. Both points were heavily debated during the NIS2 negotiations. They received enough pushback from some stakeholders that NIS2 did not fully adopt the sovereignty view promoted by some institutional and industry stakeholders at the time.
For the past three years, though, some member states (France in particular) have pushed quite assertively to include sovereignty requirements in cybersecurity certification schemes for cloud services at the EU level, making it de facto a lot harder, if not impossible, for nondomestic providers to meet the certification requirements. These latest amendments contemplated for the Cybersecurity Act would make this push easier to repeat at the EU level. They might bring these market access challenges to reality sooner than anticipated for non-EU providers.
In a related announcement, the European Commission unveiled the "Cyber Solidarity Act" to help build EU capabilities "to better detect, prepare for and respond to significant or large-scale cybersecurity incidents." The proposed act would create a European Cybersecurity Shield (a pan-European infrastructure of national and cross-border Security Operations Centres operational by early 2024) and a Cyber Emergency Mechanism which would include capabilities such as financial support for mutual assistance and incident response services from trusted pre-contracted providers.
The European Commission also announced a Cyber Skills Academy aimed at boosting cybersecurity skills in the EU and helping close the talent gap among cybersecurity professionals.
Here is what else you might find interesting:
- Crypto-assets: Yes, it is about data protection. This week the Parliament finalized new legislation on information accompanying transfers of funds and certain crypto-assets. For data transfer nerds like myself, it is always interesting to read things like: "The fight against money laundering and terrorist financing is recognised as an important public interest ground by all Member States […] It is important that payment service providers and crypto-asset service providers […] not be prevented from transferring data about suspicious transactions within the same organisation, provided that they apply adequate safeguards." The European Data Protection Board is tapped to issue guidelines on the practical implementation of these provisions and the European Banking Authority to do the same on "suitable procedures for determining whether in such cases the transfer of crypto assets should be executed, rejected or suspended." That sounds promising! There is also an interesting tidbit about data retention, about keeping records of information for five years or more if justified by a member state's necessity and proportionality assessment.
- All aboard: The AI Act is moving along in the European Parliament. The co-lead committees (Civil Liberties and Internal Market) are expected to vote on their AI Act report on 26 April. If adopted, the report then goes to Plenary to be adopted as the official Parliament position before it goes into trilogue with Council and Commission.
- And then they were 101: The EDPB had a busy week. Among others, it published a report on the work of the "101 Task Force" set up among European DPAs to coordinate investigation into the 101 complaints lodged in 2020 by NOYB about Google Analytics and Facebook Business Tools. Currently, eight data protection authorities have issued decisions; many more DPAs have yet to issues many more decisions but the EDPB report highlights that DPAs are adopting consistent decisions.
For suggestions, comments and the occasional complaint: iroccia@iapp.org.
