Law, Science, Technology and Society Research Group
Vrije Universiteit Brussel
The EU institutions and agencies have kept us very busy over the past few weeks and days, as they have been publishing studies and guidelines relating to the EU’s digital strategy and future plans. Many of those publications are (or will be) of relevance for the research and innovation taking place in Cyber-Trust and other security research projects, so please find below an overview.
On 16 December, the European Commission announced the new EU Cybersecurity Strategy. Further, the Commission is making proposals to address both the cyber and physical resilience of critical entities and networks: a Directive on measures for a high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2’), and a new Directive on the resilience of critical entities. Note also that the EU institutions have reached a political agreement on the establishment of a Cybersecurity Competence Centre and Network. The Cybersecurity Competence Centre will be located in Bucharest, and the Network of National Coordination Centres will aim at strengthening European cybersecurity capacities.
After two years of GDPR implementation, the European Commission announced a few days ago the Digital Services Act package, as part of the European Digital Strategy, Shaping Europe’s Digital Future. The package will upgrade the rules governing digital services in the EU by proposing two legislative initiatives. The goals of those two instruments are to create a safer digital space in which the fundamental rights of all users of digital services are protected and to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally:
Additionally, in late November the European Commission published its proposal for a Regulation on European data governance (Data Governance Act). The instrument aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU, creating European Data Spaces.
Please note that those three proposals (DSA, DMA and DGA) will be at the centre of the EU digital regulation debate for the next few years (the ‘new GDPRs’, as some call them).
On 14 December, the EU Fundamental Rights Agency published its study Getting the future right – Artificial intelligence and fundamental rights, including an Annex on Research methodology and an Annex on Examples of theoretical assessment of harm and significant impact of AI or automated decisions. The European Parliament has now also set up a new committee on Artificial Intelligence, following the White Paper on Artificial Intelligence published by the Commission at the beginning of this year.
Last month, ENISA published Guidelines on Securing the IoT Supply Chain, which build on the 2019 Good Practices for Security of IoT – Secure Software Development Lifecycle, Baseline Security Recommendations for IoT, and Industry 4.0 in the Context of Smart Manufacturing, Smart Cars, Smart Hospitals, Smart Airports, and the Online Tool – Good practices for IoT and Smart Infrastructures.
The Council of the European Union has also just published its conclusions on the cybersecurity of connected devices, and you can find a very nice timeline of its work on cybersecurity here. Do not forget that in the summer, the EU imposed its first-ever sanctions against cyber-attacks, as part of its cyber-diplomacy toolbox.
The new European Electronic Communications Code (EECC) is due to take effect in EU Member States by 21 December. The Code outlines a set of revisions to the existing telecommunications regulatory framework, including an expanded definition of Electronic Communications Services and strengthened consumer protection.
Please note that the debate on the e-Privacy Regulation has started again, after being stalled for several months. Our VUB colleagues have also published a great overview of the developments in relation to the e-Evidence framework and cross-border data transfers. The discussions on the e-Evidence framework have been prolonged, but you can find useful information on the 2019 situation in the report ‘SIRIUS EU Digital Evidence Situation Report’, published by Europol, Eurojust and the European Judicial Network at the beginning of December.
Just a short update on the consequences of a no-deal Brexit at the end of the year:
We still do not know what will happen in case of a hard/no-deal Brexit, or when persons from the UK and the EU will be able to initiate collaborations within the framework of Horizon Europe. We expect information to be published here and on the Commission’s websites, but negotiations for possible agreements may take some time. Until then, the Withdrawal Agreement, as agreed between the European Union and the United Kingdom, is in force. In overall terms, on the basis of the Withdrawal Agreement and in line with the Contingency Plan, UK-based legal entities will continue to be fully eligible to participate and receive funding in the current 2014-2020 EU programmes, including Horizon 2020, as if the UK were a member state until the closure of these programmes, unless security considerations apply. This means that UK beneficiaries can continue – without interruption – to receive grants awarded under the current and previous multiannual financial frameworks (MFFs) until their end dates, even if these are after 2020. When restrictions apply, these will be clearly specified in the call for proposals. More information and the Withdrawal Agreement can be found here.