Sanctions, Cybersec Policy, and the Future of Telecoms – EU Regulation Update May 2024

Summary:

• The RIPE NCC continues to alert decision makers about the unintended consequences of sanctions on the core operations of the Internet.
• We submitted preliminary feedback on the Global Digital Compact (GDC) Zero Draft in the context of an EU stakeholder consultation.
• The EU's cybersecurity policy agenda is moving forward with the adoption of new rules, including the Cyber Resilience Act, eIDAS2, the Cyber Solidarity Act, and NIS2 soon entering into force.
• Meanwhile, the European Commission is conducting a consultation on its White Paper on Europe's digital infrastructure needs, amid intense discussions about the future of telecoms regulation.
• The Belgians are about to conclude their six-month Council Presidency cycle, while the Commission is preparing a few legislative reviews, including the Terrorist Content Regulation (TERREG).
• Finally, with the parliamentary elections just around the corner, get prepared for a more fragmented EU political landscape in the next mandate.

To gain a better understanding of how and why the RIPE NCC complies with EU regulations, and to stay informed about current trends that are driving EU policy making, please refer to the first RIPE Labs article on this topic. Since our last update in November 2023, we have been focusing on priorities such as ongoing discussions related to Internet governance, recently adopted cybersecurity legislation, the future of telecom rules, and the upcoming elections.

Ongoing engagement efforts on sanctions

The RIPE NCC has been dealing with the complexities of economic sanctions for quite some time now. Our top priority is ensuring compliance with EU sanctions regulations while supporting a stable and secure Internet environment across our service region. We aim to explain how these regulations affect Internet number resource registration and the broader risks for the global Internet's integrity and security. To mitigate these risks, the RIPE NCC believes that the current exemptions applying to Internet number resources should be replicated and consistently implemented across all EU sanctions regimes.

As part of this effort, the RIPE NCC recently organised a roundtable discussion that brought together EU and Member States representatives, as well as the author of Sanctions and The Internet, a research paper published last year. The discussions focused on the technical, legal, and compliance challenges posed by the multiplication of sanctions regimes and how these affect core operations of the Internet. One of the main takeaways was that enhanced cooperation between EU Member States, the Commission, and the Internet technical community would help in drawing together more evidence on how sanctions impact the Internet's functioning. This would in turn better inform the design and implementation of EU sanctions.

It is also worth noting that both EU and US sanctions create technical and financial risks to our services and operations. As such, assessing and mitigating these risks to ensure the continued integrity and resilience of Internet routing is of paramount importance. If you want to get a sense of the impact sanctions have in terms of additional due diligence and compliance requirements, here is some prior reporting on the topic.

EU consultation on the UN Global Digital Compact

Discussions on the future of Internet governance are heating up ahead of the Summit for the Future, which will be held in September 2024 at the UN General Assembly in New York. In this context, the EU has launched its own Global Initiative on the Future of the Internet (GIFI) — which is described as a “multistakeholder process aimed at promoting the Open Internet, the Declaration for the Future of the Internet and the EU Declaration on Digital Rights and Principles”.

In early April, the EU invited the RIPE NCC alongside other EU-based stakeholders to participate in a consultation and share their positions on the recently unveiled zero draft of the Global Digital Compact (GDC) which has already been heavily commented upon in the community. The Permanent Representatives of Rwanda and of Sweden – both appointed as co-facilitators to lead the intergovernmental process – have also held a consultation with non-governmental stakeholders in April. The GDC consultations with member states only will continue in the month of May.

In our contributions, we welcomed the overall direction of the initial GDC draft, particularly its recognition of the technical community as a distinct stakeholder group and the commitment to uphold the Internet Governance Forum (IGF). However, we warned that the multiplication of forums and institutions dealing with Internet governance risks duplicating efforts and diluting the voice of the technical community. Instead, we suggested strengthening existing fora, including UN agencies and mechanisms to align already developed WSIS Action Lines. Additionally, we highlighted our unwavering commitment to promoting open standards, transparent policy development, and community engagement in the context of the GDC.

Following this, the ten-year review of the NETMundial declaration took place in late April, leading to the adoption of the São Paulo Multistakeholder Statement. This statement offers a few guidelines and recommendations that will indirectly feed into the upcoming twenty-year review of the World Summit on the Information Society (WSIS+20), for which a High-Level Forum is scheduled on 27-31 May.

While these discussions remain formally independent from each other, it is important to ensure alignment between governments and the Internet technical community on priority issues affecting the governance of the Internet's core operations. For more on the GDC and the RIPE NCC’s positions, read our contributions here.

Most relevant EU policy developments: CRA, NIS2, eIDAS, CSA, and more

The provisional version of the Cyber Resilience Act (CRA) was passed at the end of March 2024 and is considered one of the most important pieces of EU legislation under this legislature, at least for software and hardware developers. However, a corrigendum procedure was initiated to adjust some linguistic and technico-legal aspects. This means the final text will go through another round of votes due to institutional transition and be formally published only after summer, though no significant changes are expected. The CRA will be implemented 36 months after entering into force, most likely around Q4, 2027. Nonetheless, it's worth noting that provisions on reporting obligations (Article 14) and notification of conformity (Chapter IV) will be implemented before that, only 21 months after entry into force.

The CRA brings products with digital elements under the EU’s so-called New Legislative Framework (NLF), which governs accreditation and market surveillance across the Union. In fact, the NFL framework has been in place for more than a decade and its future review will be of significant interest. In the meantime, the Commission has requested that European Standards Bodies (ESOs) such as CEN-CENELEC and ETSI develop around 44 harmonised standards to support the smooth implementation of the regulation. In this context, ENISA and the Commission's Joint Research Centre (JRC) have published a joint study which provides a mapping of the CRA requirements with existing security standards to facilitate compliance of digital products manufacturers.

There is another major development underway: the entering into force of the NIS2 Directive. The EU-27 Member States are currently in the process of updating their national frameworks, and they have until October 2024 to do so. Some countries, like Croatia and Belgium, have already completed this task ahead of time, while others are still negotiating their draft laws. As an organisation based in the Netherlands, we are closely following local developments and discussion on the Security of Network and Information Systems Act, which has been in place since 2018 under NIS1. If you're wondering what NIS2 is and why it's important, our colleagues at Netnod have provided a timely refresher. You can also read the initial response from the RIPE NCC to the NIS2 proposal.

Meanwhile, the NIS Coordination Group released a report that provides an in-depth analysis of emerging threats and vulnerabilities of Europe's communications infrastructure and networks. Interestingly, the report recommends ENISA and EU Member States to raise awareness of BGP security and promote good practices for the security of global Internet routing. This report has also encouraged the RIPE NCC to participate in the ENISA Telecom & Digital Infrastructure Security Forum in May 2024.

The EU has also made important revisions to the Regulation on Electronic Identification and Trust Services for Electronic Transactions (eIDAS). The regulation requires Member States to provide EU Digital Identity Wallets (EDIW) to their citizens within 24 months after the adoption of the upcoming associated implementing acts – setting out the technical specifications for the wallets and national certifications. However, the regulation sparked some controversies over the requirement for qualified certificates for website authentication (QWACs), which raised concerns within the Internet technical community. As reported by our partners at CENTR, the annex to the Regulation clarified that QWACs do not interfere with the existing encryption and security practices of the browsers, which may also refuse certificates if they are not deemed secure.

The Cyber Solidarity Act (CSA) is yet another milestone achieved by the co-legislators. Adopted during the last plenary on 24 April, this Regulation aims to improve the EU's operational capabilities to prepare, detect, and respond to major cyber incidents. A network of trusted private organisations will provide technical support to the European cyber reserve and CSIRT network under the regulation.

These topics are all important priorities for the RIPE NCC and ranked high on the agenda of our Roundtable Meeting for South-East European governments and regulators held on 22 April in Athens.

White Paper on the future of telecom and digital infrastructure

The Commission's White Paper on "How to master Europe's digital infrastructure needs" definitely is a hot topic in Brussels and beyond. The Paper provides an overview of market trends and discusses the way forward for Europe to meet its connectivity targets, stimulate innovation, and enhance security and resilience of its digital infrastructure. It also highlights some challenges faced by the European telecom sector, including the alleged regulatory imbalances between telecom and digital services providers, limited investment opportunities, and lack of cross-border integration, all of which are preventing Europe from becoming a truly single market for telecoms. To address these issues, the Paper suggests several measures, such as improving spectrum allocation, harmonising rules and authorisation procedures across member states, enhancing resilience and security, notably through the promotion of a "de-risking approach" to digital networks and telecom infrastructure, including submarine cables.

In addition, the White Paper acknowledges the changing nature of internet traffic exchange in the context of IP interconnections. It asserts that the current IP interconnection market is operating efficiently, without any need for specific intervention. However, the paper anticipates an increase in disputes and recommends closely monitoring how the situation evolves in the future. It suggests the establishment of a dispute resolution mechanism that could be overseen by national regulators or BEREC in case no commercial deals can be met.

There is much more to be said about the paper, including how some of its main recommendations find a direct echo in the much discussed report on the future of the EU’s single market by former Italian prime minister Enrico Letta. The discussions on possible plans for a "Digital Networks Act (DNA)" or reviewing net neutrality rules will be interesting to follow, and it remains to be seen how these recommendations will influence the next EU agenda especially in light of the review of the European Electronic Communication Code (EECC) tabled for December 2025. The Commission has a consultation open until June 30, and the RIPE community will be hosting a guest speaker from the Commission to present the paper during an Open Hour session on June 6. So, please stay tuned!

Concluding mandate and legislative reviews

The six-month rotating mandate of the Belgian Presidency will be concluding at the end of June, leaving the seat to the Hungarians for the July-December 2024 period. Meanwhile, both the Council and Commission are getting ready for the institutional transition and preparing to hand over their conclusions and recommendations ahead of the next mandate. Voices from both industry and public sector have called upon the EU institutions to focus on the implementation and enforcement of recently adopted legislation rather than enacting new rules. An important activity will go into evaluating legislation adopted during this mandate and the previous one – these include reviewing the Digital Services Act, alongside the EU’s new copyright regime and geo-blocking rules, and the Data Governance Act.

The Commission has already started evaluating several legislative files – of particular interest is the Terrorist Content Online Regulation (TERREG), for which it is preparing its periodic evaluation to be completed by June 2024. Another ongoing discussion is on the review of the EU General Data Protection Regulation (GDPR) for which the Commission has been collecting feedback from stakeholders earlier this year. A formal report building on its previous 2020 review is in preparation, while parliamentarians have recently adopted amendments initially intended to improve GDPR enforcement and cross-border cooperation of supervisory authorities.

Parliamentary elections ahead

Europeans are preparing for upcoming elections on June 6-9, and are anticipating a shift towards the right side of the political spectrum. Polls suggest that the political landscape might be more fragmented, both in Parliament and Council. However, the results may not have such a significant impact on the political dynamics in the next mandate. In turn, the European People's Party (EPP) is expected to regain a few seats, thus likely to remain the leading group and to retain the Presidency for the next Commission. In the Parliament, the European Conservatives and Reformists (ECR) and Identity and Democracy (ID) groups are anticipated to see a surge in support, leading to a possible alliance that may gather around a third of parliamentarians, but divisions among the two groups remain quite visible. The Renew group (liberals) should continue to play the role of "kingmaker," but their ability to form majority coalitions will be more limited due to the highly polarising political climate. This fragmented setup could lead to more political volatility and instability under the next EU mandate.

Your feedback

If you have any comments or questions, feel free to comment below or on the RIPE Cooperation Working Group Mailing List. And if you'd like to stay up to date on these and other government and regulation topics, consider joining the mailing list.