Suzanne Taylor

Sanctions, Cyber Resilience and Other Hot Topics - Our EU Regulation Update November 2023

Suzanne Taylor
Contributors: Romain Bosc

10 min read


This is the latest in an ongoing series in which we give a brief overview of the most pertinent digital policies for the RIPE NCC and RIPE community currently being proposed, debated and implemented in the European Union.


  • We received confirmation from the Dutch authorities that Internet number resources are exempt from EU sanctions imposed on Russia and we are now pursuing a wider exemption for all our members
  • The final text of the Cyber Resilience Act, which will set cybersecurity standards for digital products on the EU market, is currently being negotiated and may be finalised in the coming days
  • The European Commission published the findings of its consultation on network infrastructure and investment, and is pushing ahead with plans for a future telecoms reform
  • BEREC is working on a new report on IP interconnection in the context of net neutrality
  • An agreement was reached on the eIDAS Regulation, which concerns the use of national digital IDs in the EU
  • An agreement was also reached on the Data Act, which aims to facilitate data sharing among device users and between the public and private sectors

For more background on how and why the RIPE NCC follows EU regulation, as well as general trends currently driving EU policymaking, please see the first RIPE Labs article on the topic.

Since our last update in April, we've focused our attention on the following policy priorities: a legal exemption from EU sanctions to ensure the smooth operations and stability of the Internet, the final phase of negotiations on the Cyber Resilience Act, and a likely overhaul of telecoms rules, along with a few other developments along the way.

Sanctions and cooperation with the Dutch authorities

As an organisation headquartered in the Netherlands, the RIPE NCC is subject to both Dutch and EU law, including sanctions. While we've dealt with sanctions in the past for various other countries that fall within our service region, the war in Ukraine has shone a new spotlight on the topic for us as we try to navigate the various EU sanctions packages against Russia that have come out in its wake.

One of the biggest developments since our last update is that in May, the RIPE NCC officially received confirmation from the Dutch authorities that Internet number resources fall within the scope of certain exemptions to EU sanctions imposed on Russia. These exclude "resources that are strictly necessary for the provision of electronic communication services” and exempt us from “the prohibition to engage in any transaction” with certain listed entities. In June, we began restoring our services for members and End Users who fall under these exemptions. Members and End Users who do not fall under these exemptions will continue to receive limited services according to our sanctions procedure. If you're interested in more details, the RIPE NCC publishes a quarterly sanctions transparency report.

Moving forward, we're now looking at how to engage EU authorities to obtain a wider sanctions exemption for our services that would apply across the RIPE NCC's service region. As part of these efforts, the RIPE NCC also contributed to a pre-consultation led by the Dutch Ministry of Foreign Affairs on modernising the Dutch sanctions system in August. We explained how sanctions — both at the EU level but also those originating from other jurisdictions — unintentionally affect our operations and our services to entities in countries such as Iran and Syria. In particular, we drew attention to how sanctions make it difficult for us to accept payments from entities in certain countries considered “ultra high risk” by banks, even when these entities do not fall under EU sanctions packages, and how difficult it is at times for the RIPE NCC to determine which specific entity is being targeted on sanctions lists.

The Dutch Ministry of Foreign Affairs also published its International Cyber Strategy in June (and an English version in September) and we were pleased to see that it supports the idea that the Internet should not be used for political purposes and that organisations operating its core functions (the Regional Internet Registries were explicitly mentioned) should not be affected by restrictive measures like economic sanctions.

Farzaneh Badiei of Digital Medusa, an independent researcher whose work we funded, also published her report on the impact of sanctions in May, which examines the impact of sanctions on the various layers of the Internet. Among the main findings, the report stresses that sanctions severely disrupt IP network operations, including registration of IP addresses, transfers, and the maintenance of RIR databases. More broadly, the report sheds light on how economic sanctions adversely affect Internet security and citizens’ and non-sanctioned service providers’ access to the global Internet.

All of these developments will help inform our larger strategy as work we with national and EU authorities to better inform the implementation and development of EU sanctions regimes and explore long-term solutions to achieve a stable and open Internet for all.

Cyber Resilience Act

As a refresher, the proposed Cyber Resilience Act (CRA) aims to further harmonise and improve cybersecurity in the EU by setting essential cybersecurity requirements for all products with digital elements that are placed on the EU market.

In a response to the European Commission's consultation on the proposal in January of this year, we explained how this legislation would affect RIPE NCC operations and "products", including the RIPE Atlas and RPKI source code that we make publicly available, and shared some concerns we heard from the RIPE community. Asking for clarification on a few terms, including what constitutes a "standalone product" as well as "commercial activity" in the context of open-source software, we also shared our concerns about the vulnerability reporting obligations and related timeframes (see more details in our last regulation update).

We followed up that submission with a letter to the MEPs responsible for the file in April. In this letter, we supported additional text proposed by the European Parliament to Recital 10, which aimed to help clarify the European Commission’s draft text around what constitutes “commercial activity” in the context of open-source software. While we were happy to see that the Parliament’s final position (reached in July) includes some clarification, discussions among the open-source community on the final outcomes are still underway as the file has entered trilogue negotiations (in which the Commission, Parliament and Council negotiate final text).

Recently, the European Parliament introduced the concept of "open source stewards" that would govern organisations overseeing open-source repositories and minimise the risk of legal penalties. Other aspects include revised timeframes for vulnerability and incident reporting, and whether CSIRTs or ENISA should manage these disclosures and the related vulnerability database.

We will continue to follow this file and report back to the community on any relevant developments.

"Fair Share" debate and a "Digital Networks Act"

Still a hot topic in Brussels, the so-called "Fair Share" or “Sender Pays” debate continues to rage on, with many different industry bodies, companies and governments having now weighed in. Other than ETNO and GSMA (and the large telcos they represent), the overwhelming majority of actors — including digital platforms, CDNs, consumer organisations and civil society groups — are against mandating network infrastructure contributions from big tech in order to finance the telcos' network infrastructure development. Various national governments have come down on one side of the argument or the other.

The European Commission, however, seems determined to produce a draft telecoms act (now being called the "Digital Networks Act" — not to be confused with the Digital Services Act or the Digital Markets Act), with Thierry Breton, the EU Commissioner for Internal Market, announcing plans for the proposal in October. That same month, the European Commission also published a summary of the feedback it received during the exploratory consultation held in the spring on the future of the electronic communications sector and its infrastructure. According to the Commission and the results of the consultation, market fragmentation is currently impeding telcos in scaling and adapting to the current environment, which includes regulatory barriers to a true telecoms single market in terms of spectrum acquisition, consolidation, legacy networks, security and more.

Although the RIPE NCC remains neutral towards its diverse membership, the RIPE Cooperation Working Group (expressing views from the broader RIPE community) submitted its own contribution. It pointed out that the interconnection market is currently dynamic enough to handle increased traffic demands. It also emphasised the lack of evidence for any regulatory intervention, and further argued that mandating direct financial contributions from content and applications providers to electronic communication networks would go against the basic principles of “net neutrality” and Autonomous Systems, also potentially hindering network diversity and resilience.

In its Working Programme 2024, the European Commission stated that it will prepare the ground for possible policy and regulatory actions regarding Digital Networks and infrastructure, notably to facilitate cross-border infrastructure operators in the Single Market, accelerate deployment of technologies and attract more capital into networks.” The Commission is expected to release a white paper in the first quarter of 2024 focused on ways to support telcos, as well as a recommendation for member states on subsea cables and spectrum. This white paper would be followed by a proposal for the Digital Networks Act, possibly in the first half of 2025.

While this particular topic doesn't impact the RIPE NCC directly, it's an important development with the potential to significantly disrupt the Internet ecosystem, and is one we'll continue to follow and update you on.

BEREC's IP interconnection assessment

The Body of European Regulators for Electronic Communications (BEREC) is preparing its latest report on IP interconnection in the context of net neutrality as an update from its 2017 report). It conducted a survey among European ISPs to help understand current market dynamics around the relationships between different market players, the use of paid peering, and the role of content delivery networks. BEREC published an article on RIPE Labs to raise awareness about the survey in the RIPE community. BEREC also invited the RIPE NCC to participate in a workshop it held on the IP interconnection market on 27 September, along with several other industry players.

eIDAS regulation

A provisional agreement between the Commission, Parliament and Council was reached on the eIDAS Regulation earlier this month. As a reminder, this is the regulation concerning Europeans using national ID systems to access public services across the EU. The final text on the new European Digital Identity Framework was unexpectedly released ahead of a vote scheduled on November 28. The final votes for formal approval in the various EU bodies should conclude in December.

Data act

An agreement was also reached in June on the Data Act, originally proposed by the Commission in February 2022, which "aims to boost the EU's data economy by unlocking industrial data, optimising its accessibility and use, and fostering a competitive and reliable European cloud market". Once formally adopted by the Parliament and Council and published, the Data Act will become applicable 20 months later.

Your feedback

Did you find this update useful? Does EU regulation affect your work or operations? Please share your comments or questions below. And if you'd like to stay up to date on these and other government and regulation topics, consider joining the RIPE Cooperation Working Group Mailing List.


You may also like

View more

About the author

Suzanne Taylor is a Public Policy & Internet Governance Consultant. In her work with the RIPE NCC, she has engaged with a broad range of Internet stakeholders including the RIPE NCC membership, governments, law enforcement and intergovernmental organisations. From 2012 to 2016, she worked in communications at the RIPE NCC and has previously worked as a journalist and in media relations and science communications.

Comments 0