New Commission Executive Leadership, Internet Governance Consultation and Some Regulatory Policy Bits – EU Regulation Update November 2024

Summary:

• The new EU executive leadership team is set to officially begin its mandate on 1 December, following endorsement by EU parliamentarians.
• The European Commission has launched a targeted consultation on Internet governance ahead of the WSIS+20 review process kicking off next year.
• With the recent adoption of the UN Pact for the Future, which includes the Global Digital Compact, the EU is exploring possible next steps.
• The Commission has adopted its NIS2 Implementing Regulation, although most EU member states have missed the transposition deadline.
• The final version of the Cyber Resilience Act has been published, meanwhile the Commission is working on the technical descriptions of critical and important products under the new law.
• The Commission is reviewing a set of recommendations on access to data for law enforcement.
• Discussions a possible Digital Network Act proposal are intensifying ahead of the telecom regulatory review planned for 2025.
• Lastly, the Hungarian Presidency is preparing some conclusions on telecom policy in response to the Commission's White Paper on digital infrastructure and the Draghi report on EU competitiveness.

Incoming EU executive team

The new College of Commissioners has been confirmed by a plenary vote on 27 November. The European Commission's mandate for 2024-2029 is set to officially begin on 1 December. This agreement comes after a series of hearings where nominees were questioned by Members of the European Parliament (MEPs).

Finland's Henna Virkkunen will lead the tech and digital policy portfolio for the next five years as Executive President for Tech Sovereignty, Democracy, and Security. During her hearing, she outlined plans to boost innovation and investment in Europe, emphasising the importance of implementation and simplification. Virkkunen also hinted at upcoming initiatives such as the Digital Network Act, the Digital Fairness Act, a possible "European Cloud and AI Development Act" and some important legislative reviews on the horizon – including in telecoms and copyright policy, which are scheduled for 2025 and 2026, respectively.

Other key figures include Spain's Teresa Ribera, the Executive Vice President for a Clean, Just, and Competitive Transition, who will lead work on competition, and the French former MEP Stéphane Séjourné, Executive Vice President for Prosperity and Industrial Strategy. Austrian Magnus Brunner, the Commissioner for Internal Affairs and Migration, will oversee security matters including data access, law enforcement and encryption. Additionally, former Estonian Prime Minister Kaja Kallas, will serve as the Vice-President and High Representative for Foreign and Security Policy, thus representing the EU on the global stage and having a key role in the coordination and adoption of sanctions.

For more details on the new EU officials and their portfolios, you can consult their mission letters and the special briefings produced by the European Parliament Research Services (EPRS) for the occasion.

EU targeted consultation on Internet governance

The European Commission is currently discussing the necessity of defining a common EU approach to Internet governance in anticipation of the twenty-year review process of the World Summit on the Information Society (WSIS+20). Therefore, it has initiated a targeted consultation in response to the May 2024 Council Conclusions on the Future of Digital Policy, which emphasised:

"...the need to develop an EU strategy on the multistakeholder governance of the Internet to set out a common position to uphold in international fora with a view to ensuring an open, free, affordable, neutral, global, interoperable, reliable and secure Internet."

The conclusions also urged the EU to strengthen its influence in standardisation globally. As stated in its description, this targeted consultation takes place in a context where governments are increasingly favouring more state-centric models of Internet governance while prioritising digital sovereignty and national security.

The Commission and the European External Action Services (EEAS) will join efforts in defining such a common position along with EU member states through the Council of the EU. To prepare for these developments, the Polish Presidency of the Council, taking office from January to July 2025, is expected to publish some official conclusions around summer ahead of the WSIS+20 review process.

To note, this timeline coincides with the tenure of the Internet Governance Forum (IGF) due to take place from 23 to 27 June 2025 in Lillestrom, Norway. Other key milestones include the CSTD review starting over next spring, the organisation of a High-Level Forum by the ITU and UNESCO in Geneva on 7-11 July, and the official WSIS+20 Review event organised by the UN in New York in December 2025. If you’re interested in hearing more details about these processes, check out this panel discussion held at RIPE89.

In addition, the Polish Presidency and Commission will co-host a Conference on the governance of Web 4.0 and Virtual Worlds on March 31 and April 1. This initiative is part of a pilot foresight exercise looking at the evolution of the Internet and the World Wide Web in combination with various technological trends including artificial intelligence, social media, the Internet of Things (IoT) and immersive experiences.

Next year, all relevant stakeholders will engage in intensive discussions about Internet governance as we approach the WSIS+20 review process. While conversations about Internet and digital governance frequently overlap in public forums, it is essential to recognise their fundamental distinctions. As topics related to AI, data, and content often tend to dominate the landscape, it is important to differentiate the Internet's core functions and the applications built on it. Recognising the technical functions of the Internet and the transnational organisations that run them will be vital for maintaining its global, stable, resilient and interoperable nature.

GDC next steps

With the Global Digital Compact (GDC) adopted, the EU is exploring the next steps for its implementation. A key question that remains is how the UN should operationalise the principles, objectives and commitments formulated by the signatories of the compact – and how these will intersect with the WSIS+20 process.

As part of this effort, the RIPE NCC was invited to participate in a workshop - The Global Digital Compact: What’s Next? - organised by the Robert Schuman Centre for Advanced Studies, and the Global Governance Programme in partnership with the EEAS. This workshop was part of the EU’s flagship initiative known as the Global Initiative on the Future of the Internet (GIFI) and presented the RIPE NCC with an opportunity to explain its role in supporting the development of the Internet, particularly in the Middle East, and in bridging digital divides across its entire service region.

NIS2 developments

On 17 October, the deadline for EU member states to transpose the NIS2 Directive into their national legal frameworks officially passed. Only a few countries succeeded in fully implementing the new rules and notifying the European Commission on time.

In the Netherlands, Minister of Justice and Security D.M. van Weel sent a letter to Parliament highlighting the delays in transposing the NIS2 directive. He noted that relevant entities were already subject to certain effective provisions and could benefit from specific rights, including the right to assistance from a CSIRT in the event of cyber incidents. The letter also mentioned that the national draft bill, referred to as the Cyberbeveiligingswet (Cbw), Dutch for 'Cybersecurity Act,' is currently under review, with the aim of coming into effect by the third quarter of 2025.

Meanwhile, the Commission has adopted the Implementing Regulation and Annex that specify the risk-management measures and criteria for significant incidents applying to digital infrastructure, providers and ICT service managers. The final version of the Implementing Regulation introduces higher thresholds for defining significant incidents, such as financial losses exceeding EUR 500,000 or 5% of a company’s turnover. It also references international and European standards such as ISO/IEC 27001, ISO/IEC 27002 and ETSI EN 319 401, along with technical specifications like CEN/TS 18026:2024. Alignment with internationally recognised standards for information risk-management was a key point of attention in the feedback provided by the RIPE NCC on the initial draft.

Through this new framework, the Commission, ENISA and competent national authorities, envisage to set up a so-called 'multistakeholder forum' tasked with providing guidance in areas relating to the transition towards latest generation network layer communication protocols, the deployment of internationally agreed-upon and interoperable standards and application of best practices for DNS and routing security.

It is also worth noting that ENISA has published draft technical guidance and has an open consultation running until 9 January 2025.

Finally, last month the NIS Coordination Group had published non-binding recommendations on Article 28 of the NIS2 Directive dealing with the accuracy of domain name registration data. These aim to "ensure the accuracy, completeness, and accessibility to legitimate access seekers of domain name registration data, in compliance with Union data protection laws."

CRA formally published

The Cyber Resilience Act (CRA) was published in the EU's Official Journal on 20 November. It will take effect on 11 December 2027, but the reporting requirements for ‘actively exploited vulnerabilities’ and ‘severe incidents affecting the security of products with digital elements’ will come into effect earlier, starting on 11 September 2026. Finally, the provisions regarding the notification of conformity assessment bodies (CABs) will be effective beginning 11 June 2026.

In the meantime, the Commission has been preparing the draft implementing act specifying the technical description of the categories of products with digital elements that fall under the new legislation – a request for feedback will open soon.

Law enforcement

The Commission is examining possible measures on data access for law enforcement, based on the 42 recommendations from the "High-Level Group on Access to Data for Effective Law Enforcement." Although these recommendations do not represent the official views of the Commission, they offer considerations related to data retention, encryption, capacity building, and clarifying the concept of lawful interception.

In response to these, the European Data Protection Board (EDPB) emphasised in a statement that any new measures regarding data access and retention must be consistent with the jurisprudence of the Court of Justice of the European Union (CJUE) and adhere to privacy and data protection rules. The EDPB also noted the absence of evidence and measurable data supporting the group's recommendations. The Commission said it will assess various options, including the harmonisation of retention periods and possible rules on access based on specific categories of data and crimes.

Telecoms policy review and DNA

Discussions about the future of telecoms regulation and a possible Digital Network Act (DNA) proposal are heating up in Brussels and other EU capitals. This heightened interest has been driven by numerous mentions of the DNA in the new Commissioners' mission letters and during parliamentary hearings. At the moment, the main topics surrounding the DNA discussions include spectrum management, investment, market consolidation and the role of NRAs in relation to IP interconnections as well as the security of digital infrastructure in the context of 5G, including lawful access for law enforcement.

Submarine cables are also receiving increased attention due to recent incidents in the Baltic Sea, occurring just weeks after the EU signed the New York Joint Statement on the Security and Resilience of Undersea Cables in a Digitally Connected World at the UN General Assembly. Relating to this, the RIPE NCC has released a preliminary report on the impact of the cable cuts on Internet routing, noting relatively minor latency consequences and no visible packet loss.

The Commission intends to publish its review of the European Electronic Communications Code (EECC) by the end of 2025. In this context, it has commissioned three studies covering specific parts of the EU framework. One will focus on wholesale access, authorisations, the Relevant Market Recommendation and the Gigabit Infrastructure Act, while a second study will focus on cross-border aspects, spectrum allocation, the country of origin (COO) principle, and the potential extension of the regulatory scope. A third study will analyse the functioning and financing model of the universal service obligation (USO). These will help shape the Commission's view on a possible new legislative initiative.

Finally, with the Hungarian Presidency set to conclude its mandate next month, they will publish official conclusions in the coming days to elaborate on the Draghi report on EU competitiveness and the Commission's White Paper ahead of the ministers' meeting taking place in December. However, several governments have publicly distanced themselves from the main conclusions and recommendations of the White Paper, and called instead for a more thorough assessment of the current market dynamics before engaging in any reform. They also allegedly supported more consideration for consumer welfare and the "Open Internet" principles.