Suzanne Taylor

Cyber Resilience, "Fair Share", and Sanctions - Our Regulation Update April 2023


This is the latest in an ongoing series in which we give a brief overview of the most pertinent digital policies for the RIPE community currently being proposed, debated and implemented in the European Union.


Summary:

  • The RIPE NCC responded to the proposed Cyber Resilience Act with an explanation of how we see the act affecting the RIPE NCC's operations and points that require further clarification, as well as an overview of some concerns expressed by the RIPE community about how the act could impact the open-source community and ecosystem within Europe
  • The European Commission opened an "exploratory consultation" about "the future of the electronic communications sector and its infrastructure", which includes a section on a “fair contribution by all digital players” - you have until 19 May to share your views on whether big tech should be required to invest more in big telcos' infrastructure deployment
  • We shared a briefing with the Dutch government about the impact of sanctions on the RIPE NCC; we're also funding an external researcher to assess the impact of sanctions on the Internet ecosystem and the final report will be available soon
  • There's a new RIPE DNS Resolver Best Common Practice Task Force that will develop guidelines for running open DNS resolvers, in part as a response to the EU's DNS4EU initiative
  • The European Commission just announced plans to strengthen the EU's collective cybersecurity through a European Cyber Shield and Cyber Solidarity Act
  • The RIPE NCC was successful in asking that root name servers be exempt from the EU's NIS 2 Directive, which member states have until October 2024 to transpose into their national laws

For background on how and why the RIPE NCC follows EU regulation, as well as general trends currently driving EU policymaking, please see the first RIPE Labs article on the topic.

It's been way too long since our last update! Apologies for that - we've been pretty busy keeping up with all the regulatory proposals and initiatives since our last update, but it's just as important to keep the RIPE NCC membership and RIPE community informed and up to date about all those developments, so let's get to it!

While there haven't been as many formal legislative proposals for the RIPE NCC to respond to recently as there were in 2020 and 2021, there's still been a lot of activity in the regulatory space with the potential to affect the technical community in Europe - in addition, of course, to the war in Ukraine. We also have some updates on previous regulations we've been following for a while that have now been adopted, but let's start with the new stuff.

Cyber Resilience Act

In January, the RIPE NCC responded to the European Commission's proposed text for the Cyber Resilience Act (CRA), which aims to further harmonise and improve cybersecurity in the European Union by setting essential cybersecurity requirements for all products with digital elements that are placed on the EU market. The act was first announced as part of the European Commission's 2022 Work Programme and was something we've been following from the start, as it has wide-ranging implications for the technical community.

In our response, we commended the risk-based approach taken in the proposal, which means that lower-risk products are subject to fewer requirements and mandatory compliance checks compared to "critical" products, along with its cybersecurity-by-design approach and requirements for manufacturers to provide clear information to end users about their products.

However, we pointed out several areas in which further clarity is needed. One such point is the distinction between products that are designed as standalone products for end users, and would thus fall within scope, vs. software that connects to the Internet but is not meant to be a standalone product (e.g. a customer portal). It's our understanding that the latter would not fall within scope, but it's something for which we'd like to have more certainty.

We also explained the impact of the proposed CRA on the RIPE NCC's own operations and laid out some further questions about whether the RIPE Atlas and RPKI source code we publish for transparency and research purposes would fall under the act's scope (we hope it won't). In addition, we explained some concerns we have around the reporting obligations for low-impact vulnerabilities and risks (especially the 24-hour deadline), and urged the European Commission to adopt a common vulnerability framework that is already in use, in order to bring a common understanding to all member states.

Finally, as secretariat for the RIPE community, we felt that the RIPE NCC had a responsibility to share some of the concerns we'd heard at RIPE Meetings and on RIPE mailing lists about the potential impact of the CRA on the open-source community within Europe. In particular, we explained that the technical community welcomed the proposal's exemption for open-source software, but that further clarity was needed around the fact that the exemption applies only to open-source software that is “developed or supplied outside the course of a commercial activity” since the definition of commercial activity was unclear. We expressed community concerns that many open-source developers contribute to projects as a hobby or "for the good of the Internet" and may be dissuaded by overly burdensome obligations in trying to comply with complex regulatory measures.

The community also felt that the framework laid out in the CRA proposal was at odds with the open-source ecosystem, which often includes source code being published rather than "manufactured" and which is an iterative process that builds upon itself, making it difficult to distinguish between commercial and non-commercial activity. Ultimately, the RIPE community wants to see a CRA that would strengthen and support the open-source community and ecosystem within Europe, rather than hinder it.

It's now up to the European Council and the European Parliament to define their own positions on the CRA before entering into trilogue negotiations with the European Commission to come up with a final version. Already, we've heard that the European Council's position has further defined what's meant by "commercial activity" in a way that seems to be reasonable, but we'll keep an eye on how things develop...

"Fair Share" / "Sending Network Party Pays" / "Cost Sharing" debate

Yep, there are a lot of names for it depending on who's framing the issue. According to several large telcos, they need big tech to invest more in building the network infrastructure required to keep the large amounts of data produced by their content and applications flowing to the telcos' customers. Big tech, on the other hand, points out that they're largely responsible for the increased demand in telcos' services in the first place, that they've already invested a lot in infrastructure, and that telcos already charge their customers for providing services.

While the "fair share" concept is not new and was debated (and quashed) a decade ago, the topic resurfaced last year when ETNO commissioned a study that once again pulled it to the forefront, and this time it's being strongly supported by the European Commissioner for the Internal Market, Thierry Breton. A lot of different actors have weighed in on the debate (including BEREC, eco, OECD, Euro-IX, the Dutch government and many more) as rumours started to swirl that the European Commission was considering putting forth a regulatory proposal on the issue by the end of 2023, which would be preceded by an open consultation with industry stakeholders.

After several delays, the European Commission did launch an "exploratory consultation" in February that will run until 19 May and is open to everyone. (This is your chance to make your voice heard!) Although the consultation (a questionnaire) is about "the future of the electronic communications sector and its infrastructure" and not explicitly about the fair share debate, it does contain a section on a “fair contribution by all digital players”.

While the debate has largely been framed as "telcos vs. big tech", we believe that's a false dichotomy and that a lot of other voices - smaller telcos for example - are being lost among the noise or left out entirely. We heard some of those other perspectives during a panel session at RIPE 84 and encourage you to check it out. The RIPE Cooperation Working Group has also formed a small task team to look into how to respond to the open consultation on behalf of the RIPE community.

Sanctions

The RIPE NCC has been discussing the issue of sanctioned RIPE NCC members with the Dutch government (under whose jurisdiction we fall when it comes to enforcing EU-wide sanctions) and whether it might be possible for RIPE NCC registry services to be exempt from the sanctions we've seen put into place against Russia since the start of the war in Ukraine - but also before this, when it comes to other parts of our service region, such as Iran and Syria.

Last November, we shared a briefing with the Dutch government about the impact of sanctions on the RIPE NCC as part of our efforts to help policymakers understand the technical underpinnings of the Internet and the implications of various sanction regimes. The RIPE NCC is also funding an external researcher, Dr. Farzaneh Badiei of Digital Medusa, to assess the impact of sanctions on the Internet ecosystem. Her final report will be available in the coming months, and we'll be sure to make it available to the RIPE community.

The RIPE NCC is pursuing this because, regardless of political disputes, an accurate registry remains our ultimate goal as a key foundation to an open, secure and stable global Internet. You can learn more about how sanctions affect the RIPE NCC in this RIPE Labs article, or how and why the RIPE NCC responded to a request from the Ukrainian government at the start of the war here. You can also now find our quarterly sanctions reports online.

DNS4EU

The idea of a "DNS4EU" first surfaced in the European Commission's Cybersecurity strategy from December 2020, which in part focused on strengthening the DNS root system within the EU. The strategy referred to plans for the European Commission to work with ENISA, member states, the two root server operators based in the EU (i.e. the RIPE NCC and Netnod) and the multistakeholder community in order to develop a contingency plan “for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system” and plans to “assess the role of these operators in guaranteeing that the Internet remains globally accessible in all circumstances.”

The RIPE NCC responded to the announcement by pointing out that the global DNS resolution infrastructure is, by its very nature, a distributed system and that the concept of an “EU DNS root server operator” could be misleading; however, we expressed our commitment to working with all stakeholders, including ENISA, member states and the multistakeholder community, to support the European Commission in developing technically sound policy with regards to the functioning of the DNS.

In early 2022, the European Commission issued a tender for the deployment of a recursive European DNS resolver service infrastructure (DNS4EU), and in December of last year, it was announced that an international consortium would develop DNS4EU led by Czech company Whalebone. In the meantime, the RIPE NCC held an Open House to discuss the proposal with members of the RIPE community and, also in December of last year, formed a RIPE DNS Resolver Best Common Practice Task Force, which is being supported by the RIPE NCC, to develop a set of best common practices for running open DNS resolvers that will be available to the entire Internet community.

European Cyber Shield and Cyber Solidarity Act

Just a few days ago, the European Commission announced plans to strengthen the EU's collective cybersecurity through what's being called a European Cyber Shield that aims to harmonise member states' operational, political and technical approaches to cybersecurity.

The announcement touted the advancements made by the NIS 2 Directive and the Cyber Resilience Act, and highlighted the need for all member states to implement the EU's 5G security toolbox. It also discussed the launch of a cloud and edge alliance and made reference to the anti-Cloud Act provisions in the Data Governance Act (which entered into force in June 2022) and the Data Act (currently in final negotiations).

The Cyber Solidarity Act, which the European Commission said it will propose in the next few weeks, will try to reduce the time it takes to respond to cybersecurity threats within the EU - from a current average of 190 days down to a few hours. The European Commission plans to establish "a European infrastructure of security operation centres (SOCs) which will scan the network using artificial intelligence technologies and detect weak signals of attacks." The act will also include a cyber emergency mechanism that will include a European Cyber Reserve to respond to threats on a member state, in technical cooperation with the CSIRT network.

Finally, the plans also highlighted the need for active and direct sanctions in order to deter cybersecurity threats to the European Union.

We'll continue to follow this latest development and report back to the RIPE community as we learn more.

NIS 2 Directive

And speaking of the NIS 2 Directive, we come full circle. This was a big one. We followed the development of the NIS 2 proposal closely, because it had the potential to affect a huge number of technical operators across Europe and beyond. You can see our previous report for more background, but this is the update to the Network and Information Security (NIS) Directive that came into force in May 2018. The European Commission came out with its proposed update in December 2020, which explicitly listed root name servers as falling in scope (previously, individual member states had been responsible for defining who was considered an "operator of essential services", and the RIPE NCC, as K-root operator, had not been included by the Dutch government).

The RIPE NCC felt that the directive as proposed would have resulted in unintended consequences and overreach, as it would have applied to non-EU root name servers operating in the EU (including US government entities) and created the potential for other foreign governments to reciprocate with their own extra-territorial regulatory measures. We also believed that the proposal’s burdensome obligations would dissuade root name server operators from operating instances within the EU, therefore reducing – rather than enhancing – the domain name system’s resiliency, reliability and security. We also pointed out that any proposal to subject the domain name system’s functioning to government oversight goes against the 2016 IANA stewardship transition and the multistakeholder approach to Internet governance.

For these reasons, the RIPE NCC explicitly asked the European Commission to remove root name server operators from the directive’s scope. We also engaged with Members of the European Parliament and member states to explain our position.

I'm happy to report that the final text of the NIS 2 Directive explicitly excludes root name servers from scope in Recital 32, Article 6 20(b) and Annex I. In fact, during the vote in the European Parliament, MEP Bart Groothuis (who was leading the file and with whom we had several meetings) specifically mentioned the exclusion of the root name servers as an example of efforts to protect the free and open Internet.

We can't take too much credit here - there were others who also advocated for the exclusion of root name servers, including Netnod - but we'd call that a win! There are still new obligations for DNS providers, IXPs, TLD registries and others, though, so it's certainly something to be aware of if you're one of the service providers deemed critical. The NIS 2 Directive came into effect in January and member states have 21 months to transpose it into their national laws, which puts the deadline in October 2024.

Your feedback

Did you find this update useful? Does EU regulation affect your work or operations? Please share your comments or questions below. And if you'd like to stay up to date on these and other government and regulation topics, consider joining the RIPE Cooperation Working Group Mailing List.

About the author

Suzanne Taylor is a Public Policy & Internet Governance Consultant. In her work with the RIPE NCC, she has engaged with a broad range of Internet stakeholders including the RIPE NCC membership, governments, law enforcement and intergovernmental organisations. From 2012 to 2016, she worked in communications at the RIPE NCC and has previously worked as a journalist and in media relations and science communications.