In recent years, there’s been a trend towards increased EU regulation with the potential to impact more actors across the Internet landscape. Here, we give a brief overview of the most pertinent policies currently being proposed, debated and implemented in the European Union.
One-hour deadlines for responding to take-down requests. Cross-border e-evidence access for law enforcement. Data collection restrictions that could hinder the development of AI and the IoT. These are some of the policies being discussed by the European Commission right now, many of which have the potential to affect a large number of our members, from service providers to ccTLD operators to governments to competent authorities – not to mention the RIPE NCC’s own operations.
To keep up with everything taking place in the European Commission, we’ve been working with an intelligence firm for the past few years and want to share with you the most important information we’ve learned in the past few months. (We also delivered this as a presentation at RIPE 77.)
In general, the EU is proposing more ICT regulation and is placing more responsibility on service providers than ever before. Governments are also becoming increasingly aware of the importance of protecting their critical infrastructure. In large part, this is being driven by concerns over cybersecurity, intermediary liability (i.e. defining who is responsible for online content), a desire for better cooperation among law enforcement in different Member States, and the need to ensure privacy rights in the data economy (which include emerging technologies like AI, the IoT and big data). If GDPR taught us anything, it’s that the EU isn’t afraid to pass regulations with far-reaching implications.
The big focus in cybersecurity at the moment is the Cybersecurity Act, which aims to create an EU-wide certification framework for ICT products, services and processes. It also gives ENISA an expanded mandate as a permanent EU agency.
The main points of discussion at the moment are whether “essential service operators” and those services considered “high risk” should be forced to adopt the framework, or whether this should be voluntary if a national framework is already in place. Parliament is pushing for a mandatory approach and Member States are generally supporting a voluntary approach here.
Similarly, Parliament would like to see ENISA have more autonomy, while Member States generally want it to act as a central coordinator and supporting entity.
The European Commission released its proposal for the Cybersecurity Act in September, and it’s currently in negotiations between the European Commission, Parliament and Council. It’s one of the priorities of the Austrian Presidency of the Council of the European Union, so it will be pushing for Member States to reach an agreement by the end of 2018.
A European Cybersecurity Industrial, Technology and Research Competence Centre and an EU Network of Cybersecurity Centres are also in the works for 2021, with the goal of coordinating existing efforts and boosting research and innovation in this field.
Also falling under the umbrella of cybersecurity is the directive on security of network and information systems, known as the NIS Directive. The directive’s goal is to improve cybersecurity at the national level and increase cooperation throughout the EU, and involves risk management and incident reporting obligations for essential service operators and digital service providers.
The directive came into effect on 9 May 2018, but Member States have been given an extension until 9 November to define for themselves who qualifies as an “essential service operator”. The Dutch regulator evaluated the RIPE NCC as a potential essential service operator in our capacity as K-root operator; however, we were given an opportunity to respond to the assessment and made the case that we don’t believe we meet this definition. We will have to wait until the official list is published to discover whether we are included or not.
Although many already have their own security provisions in place, ccTLD operators, which fall under the directive’s scope, will have to decide whether their existing safeguards satisfy the directive. It’s important to remember that even if you aren’t considered an essential service operator yourself, you may have clients who are, so it’s good to think about the entire service chain when considering the policy’s implications for your business operations.
This topic covers policy relating to who’s responsible for online content, and at the moment there are two major pieces: one focusing on copyrighted material and the other on terrorism.
The EU Copyright Directive is currently being negotiated. One feature that has been highly criticised by civil society groups, academia and parts of the Internet industry is upload filters for copyrighted material. Despite this criticism, some Member States want to see stricter obligations on the Internet industry for protecting society from illegal content online.
The European Commission held a public consultation in June to assess whether current efforts to keep illegal content under control were sufficient, the results of which should be published in the coming months.
There is also a Proposal for Regulation on Preventing the Dissemination of Terrorist Content Online being negotiated, and the focus here is on service providers. The main elements include a one-hour deadline for responding to removal requests from judicial authorities, along with data preservation obligations.
It’s important to note that this proposal applies not just to the big content providers, but to micro, small and medium-sized enterprises alike. There are also high sanctions for systemic non-compliance, of up to 4% of global turnover.
Cooperation Among Law Enforcement
The desire for law enforcement agencies in one Member State to be able to cooperate more easily with their counterparts in other Member States has been growing, and one of the biggest things happening in this space is the E-evidence Proposal.
This proposal would make it easier for law enforcement to gather evidence across borders throughout the EU, allowing a judicial authority in one Member State to obtain electronic evidence directly from a service provider in another Member State.
For a time, real-time interception was being debated but was recently ruled out (although that doesn’t mean the concept won’t crop up in another policy proposal at some point), and Member States are now debating different models for a notification system between them.
The European Data Protection Board just released its opinion on the proposal, which highlights issues around unfeasible deadlines, a lack of judicial oversight, and the protection of fundamental rights. The opinion is non-binding, but it’s possible that some Member States will raise some of these issues moving forward.
There will be a public hearing on the E-evidence Proposal in the European Parliament on 27 November, and this is another of the Austrian Presidency’s priorities, so it’s hoping to get Member States to reach agreement before the end of its tenure this year.
Data economy covers everything that treats data as an economic asset, and the major focus at the moment is new ePrivacy text that takes a restrictive approach to metadata and content data processing, to the point that the current provisions would have a negative impact on the development of things like AI, IoT and big data business. The new text hasn’t been finalised yet, but it’s a good example of the continual struggle to balance privacy concerns with the economic potential being fuelled by the unprecedented amounts of data being collected today.
The European Commission also plans to release AI ethical guidelines by the end of the year as part of the European AI Alliance, an effort to bring together existing research centres working in the field. The Commission will also increase its funding for AI initiatives by €1.5 billion.
Finally, there is a proposal to update the .eu TLD legal framework, although this seems to be an effort to modernise the text rather than give it a substantial overhaul.
We’ve heard from you that these kinds of updates are useful, so we’ll continue to write RIPE Labs articles and give presentations at RIPE Meetings and other venues. If you have ideas about other ways you’d like to stay up to date or want to let us know which topics are of most interest to you, please comment below.
Mat Ford •
Is the RIPE NCC response to the Dutch regulator regarding the definition of an essential service operator public? Also, you say, "Data collection restrictions that could hinder the development of AI and the IoT." I think a lot of European citizens would prefer that the development of AI and IoT not be at the expense of their personal data becoming a private economic resource. Why does the RIPE NCC believe that, "the new ePrivacy text ... takes a restrictive approach to metadata and content data processing, to the point that the current provisions would have a negative impact on the development of things like AI, IoT and big data business"?
Mihnea-Costin Grigore •
This is quite interesting, would be great to see continued coverage of the topic from the NCC. On a related note, does the NCC have any official or advisory position on any of these initiatives which will certainly affect the membership?
Chris Buckridge •
Hi Mat, Mihnea - to respond to your questions: At this point, the communication with the Dutch regulator has been of an informal nature. We plan to communicate more explicitly to the community when the official decision regarding Dutch essential services is made public. However, the key points in our communication have centred around the fact that a single root server operator, due to the distributed nature of the DNS, should not be considered an Operator of Essential Services under the NIS Directive. Regarding the RIPE NCC's position on some of these regulatory proposals, the RIPE NCC is not taking a position on whether such regulations are good or bad - our goal is to raise awareness with our community and membership of measures that could affect their operations. We believe (based on our discussions with our contacts and consulting agency in Brussels) that the current proposals would have an impact on development in these spaces, but as you note, this may well be in line with the broader preferences of the community. The key point for us is that our community (members of which are involved in the development of IoT and big data applications) be aware of this potential impact.