This is the latest in an ongoing series in which we give a brief overview of the most pertinent digital policies currently being proposed, debated and implemented in the European Union.
For background on how and why the RIPE NCC follows EU regulation, as well as general trends currently driving EU policymaking, please see the first RIPE Labs article on the topic.
Things have been busy since our last update a year ago! Since that time, the RIPE NCC has officially responded to one Dutch government consultation, one ITU consultation, two IGF consultations, four European Commission consultations and one draft report by the EU Parliament’s Committee on Foreign Affairs. I think it’s safe to say that we’ve never seen such an intensely active period of legislative proposals and other Internet governance discussions taking place with the potential to significantly impact everything from the daily operations of network operators to the future direction of Internet governance in Europe. So, let’s dive in…
This is one of the most significant proposals with the potential to impact a huge range of operators. You can see our previous report for more background, but this is the update to the Network and Information Security (NIS) Directive that came into force in May 2018. The European Commission came out with its proposed update in December 2020, which replaced the “operators of essential services” and “digital service providers” of the original NIS Directive with the updated concepts “essential entities” and “important entities”, laying out different obligations for each category.
It also explicitly included “all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers” as essential entities, regardless of their size. As K-root operator, the RIPE NCC would therefore come under the proposal's scope. The essential entities category also lists all IXPs, TLD registries, cloud computing service providers, data centres, CDNs and trust service providers. Important entities, on the other hand, include online marketplaces, search engines and social networking platforms.
Another concern for the Internet community is the proposed requirement for mandatory identification checks when registering a domain name, which would apply to all top-level domain registries offering domains to EU citizens, possibly including those outside the EU. Many worry that this resource-intensive requirement would significantly impact the cost of registering domain names within the EU and would hamper European registries’ ability to compete in a global market. Others question how compliance could possibly be enforced among registries outside of the EU that provide domains to EU citizens.
The RIPE NCC responded to the proposal in March of this year. We laid out three main arguments: the proposal’s unintended consequences and overreach, as it would apply to non-EU root name servers operating in the EU (including US government entities) and the potential for other foreign governments reciprocating with their own extra-territorial regulatory measures; the likelihood of the proposal’s burdensome obligations dissuading root name server operators from operating instances within the EU, therefore reducing – rather than enhancing – the domain name system’s resiliency, reliability and security; and the fact that any proposal to subject the domain name system’s functioning to government oversight goes against the 2016 IANA stewardship transition and the multistakeholder approach to Internet governance. For these reasons, the RIPE NCC explicitly asked the European Commission to remove root name server operators from the directive’s scope.
Once the Commission comes out with a proposal, it’s then up to the European Parliament and Council to define their own positions on it. Since spring, we’ve engaged with the relevant MEPs involved with NIS 2 to explain the RIPE NCC’s position and ask for their support as the Parliament drafted its response to the proposal. We were pleased to see that the Parliamentary committee in charge of the file included the exclusion of root name servers and that the amendments were voted on and adopted by the committee on 28 October. The reasoning from the report stated the following:
"Root name servers should be out of scope; regulating them is contrary to the EU’s vision of a “single, open, neutral, free, secure and un-fragmented network” and could encourage and empower states advocating for a top-down, state-controlled Internet governance approach, instead of the multi-stakeholder approach."
The Parliament also voted to begin negotiations with the Commission and the Council to reach a final version of the directive.
The Council is still defining its position, and this is where our engagement has now shifted, as the 27 member states will need to come to their own agreement before the final negotiations with the other two institutions can begin. According to a leaked version of the Council’s position, it may propose that only root name servers with a significant footprint (more than 10 sites in the EU) should fall under the directive’s scope – which would still include the RIPE NCC’s operation of K-root. The Council vote could potentially take place on 3 December when the Telecommunications Council meets, but as of the time of writing, it has yet to be scheduled.
Whenever the Council adopts its position, the so-called “trilogue” negotiations between the three institutions can begin. However, these will undoubtedly take some time and member states will still have 18 months to transpose the directive into their national laws once the final text is agreed on, so the earliest this could affect service providers is 2023. In the meantime, we will continue to follow developments and are doing everything we can to engage with various member states to explain our position and push for the total exclusion of all root name server operators.
Digital Services Act
After publishing a position paper on the proposed Digital Services Act in September 2020, the RIPE NCC also took the opportunity to comment on the Commission adoption of its proposal in March of this year.
While we commended the Commission for a balanced proposal that takes into account the need to protect the public core of the Internet and to establish proportionate thresholds for interfering with core functions, infrastructure and service providers – and urged the Parliament and Council to do the same as they developed their own positions – we did ask for further clarification on the definition of online platforms.
The Parliament and Council are still preparing their own positions on the proposal. While it looks like the Council may agree on its position by the end of the year, the Parliament is still struggling to reach a compromise on a number of amendments and has postponed a vote originally scheduled for 8 November to sometime in December or January.
As a refresher, this regulation is the update to the current ePrivacy Directive that will complement the GDPR by defining which data is covered. It was first proposed by the Commission in January 2017 and the Parliament agreed on its position in October of that year, but it was then stuck in complicated, drawn-out negotiations in the Council for years. The Council finally agreed on its position in February this year.
The Council’s position is considered more lenient than that of the Parliament because it allows metadata to be processed for reasons other than those for which prior consent was granted and doesn’t prevent cookie walls. It includes additions on the retention of data for public security purposes and the exclusion of national security from the regulation’s scope. It also stipulates legal bases for processing content, metadata and data related to online communications, including access to terminal equipment under certain circumstances, such as ensuring the integrity of communications services and the security of devices from malicious software or viruses.
Trilogue negotiations between the three EU institutions began in May and are ongoing, with an aim to conclude in the first half of 2022. Even once a final agreement has been reached, there will be a grace period (the Council proposed two years) before the regulation comes into effect.
Data Governance Act
The European Commission published its proposal for a Data Governance Act just after our last update, in November 2020, as the first step in its European Strategy for Data. The goal is to encourage and increase data sharing between and among the public and private sectors and individuals by boosting trust in neutral data intermediaries and strengthening data sharing mechanisms and processes. The act also sets out mechanisms for sharing data for the public good (“data altruism”).
The Council defined its position on the proposal in October and started negotiations with the Parliament, which have so far focused on data sharing, interoperability, data intermediary services, third-county data transfers and data altruism. The Council and Parliament hope to reach an agreement by the end of November.
Critical Entities Resilience (CER) Directive
The European Commission also released its proposed CER Directive in December 2020, an update to the Critical Infrastructure Protection (CIP) Directive, which seeks to protect critical infrastructure within the EU from natural or man-made disruptions and expands the scope of the original from the energy and transport sectors to cover new sectors, including digital infrastructure.
The CER Directive is based largely on the definitions set out in the proposed NIS 2 Directive (which we responded to in March) and stipulates how member states will be responsible for protecting those critical entities operating within their borders.
Following our NIS 2 response, we responded to the CER proposal by urging the Commission to ensure consistency between the NIS 2 and CER Directives to safeguard against the possibility of the RIPE NCC (as a root name server operator) being exempt from NIS 2 but somehow included in CER.
In December 2020, the European Commission published its Cybersecurity Strategy for the Digital Decade, a non-legislative paper that lays out the framework for the EU’s initiatives in the cybersecurity space over the coming decade which included a strategy to reinforce the security of the DNS root system. The strategy refers to plans for the European Commission to work with ENISA, Member States, the two root server operators based in the EU (the RIPE NCC and Netnod) and the multistakeholder community in order to develop a contingency plan “for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system.” It also introduced the idea of a “DNS4EU” initiative to “offer an alternative, European service for accessing the global Internet.”
The RIPE NCC was surprised to see that the strategy also included plans to, “assess the role of these operators in guaranteeing that the Internet remains globally accessible in all circumstances” and we issued a response that welcomed the opportunity to work with all stakeholders on this matter, but assured the Commission of the ability of the DNS to provide stable and secure service for Internet users within the European Union. This response provides the basis of our ongoing engagement with the Commission on matters of cybersecurity.
Of interest to the RIPE community, the Commission also stated that it would, “in liaison with Member States and industry, accelerate the uptake of key internet standards including IPv6 and well-established internet security standards and good practices for DNS, routing, and email security, not excluding regulatory measures like a European sunset clause for IPv4 to steer the market if there is insufficient progress towards their adoption.”
In June, the Parliament officially supported the strategy and agreed with the proposal for a DNS4EU and highlighted the need for better protection to prevent BGP hijacks.
European Parliament draft report on the state of cyber defence capabilities
In April, the RIPE NCC responded to the European Parliament Committee on Foreign Affairs draft report on the state of cyber defence capabilities. This is what’s called an “own-initiative” report that is legally non-binding but which still carries political weight. In response to the report’s reference to the use of sanctions, we suggested adding that such measures be taken “while respecting the European vision for the Internet, which is one of a single, open, neutral, free, secure and unfragmented network”. We also asked that “technical stakeholders” be included in a list of strategic partners mentioned in the report, which included “Member States, the EU institutions, NATO, the United States and other strategic partners”.
While a specific reference to the technical stakeholders did not make it into the final report, we’re pleased to share that our first suggestion was taken on board by the various MEPs we spoke with and was included in the final text of the report.
European Cyber Resilience Act
In its Work Programme 2022, the European Commission announced that it would propose a European Cyber Resilience Act “to establish common cybersecurity standards for products” in order to “defend ourselves in a world increasingly prone to hacking of connected products and associated services.” This falls under the Commission’s “path to the digital decade” and plans for Europe’s “digital transformation” by 2030. We will continue to follow this as more details emerge.
The work programme also announced that the Commission would begin building an EU space-based global secure communications system to provide broadband connectivity across the EU.
The Commission’s overarching goal of increasing Europe’s influence globally was also evident in its work programme.
Did you find this update useful? Does EU regulation affect your work or operations? Please share your comments or questions below. And if you'd like to stay up to date on these and other government and regulation topics, consider joining the RIPE Cooperation Working Group Mailing List.