During his State of the European Union speech on Wednesday 13 September, the President of the European Commission, Jean-Claude Juncker, announced that he wanted to set up a European employment authority by the end of 2018, which would guarantee respect for European Union rules on labour mobility.
In contrast to last year, the President of the European Commission, Jean-Claude Juncker, made only brief references to the digital dossiers in his speech on the State of the Union on Wednesday 13 September. He was particularly keen to highlight the new initiatives in the fight against cyber-attacks, but he did not go into any detail and did not mention any initiatives adopted that day on the free flow of data.
President Juncker informed Parliament, “cyber-attacks are sometimes more dangerous to the stability of the democracies and economies than rifles and tanks. Last year alone, 4000 malware attacks were detected and 80% of European businesses experienced at least one cyber security related incident”.
No fewer than six documents were adopted on 13 September on digital policy: a regulation on data free flow, a general communication on cyber security, a regulation involving the European Network Information Security Agency (ENISA) and certification, an assessment report on ENISA, a recommendation for organising an effective European response in the event of an attack and a communication for facilitating implementation of the Network Information Security directive (NIS).
Cyber security
The first raft of measures seeks to protect the European Union from cyber-attacks. The general communication, “Resilience, Deterrence and Defence: Strengthening Cybersecurity in Europe” sums up the Commission’s strategy.
Unsurprisingly, it proposes an enhanced role for ENISA by giving it a permanent mandate. The agency will have an advisory role in development matters and implementing policies, as well as organising annual European exercises for cyber-attack preparation. The Commission is also proposing to create a voluntary certification framework. It is encouraging stakeholders to focus on three priority areas: security for critical or at-risk applications; cyber security for products/network/system/digital services used by the private and public sectors for defending themselves against attacks; using methods relating to “security during conceptualisation” for frequently used connected objects.
More surprising, on the other hand, is the fact that it mentioned the idea of setting up an emergency intervention fund in the event of cyber-attacks. The communication indicates, “given that cyber security related incidents could have a significant impact on the functioning of economies and the daily lives of people, one option would be to examine the possibility, in the event of emergency, a cyber security intervention…This would enable member states to request EU level aid during or following a major incident, on the condition that the member state had set up a cyber security precautionary system before the incident”. In a different recommendation, the Commission calls on member states and the European institutions to create a crisis response framework outlining what procedures to follow in the event of a large-scale attack.
Data free flow
At the same time, the European Commission published a draft regulation for promoting the free flow of non-personal data in the European Union. As indicated in the previous issue of the newsletter (see EUROPE 11855), the text focuses on four different areas: data localisation conditions, their availability to the appropriate authorities, contractual transparency in data access and storage security and processing. It will be focusing on data storage and processing services and will put to one side the sensitive issue of the portability of cloud computing services.
In practice, this makes it incumbent on member states to notify national rules that would introduce localisation obligations and compel them to remove any unjustified restrictions that exist a year after application of the said regulation. It also explains that a member state that wishes to maintain provisions to the contrary, would be obliged to provide notification and justification for this approach to the Commission. These provisions would be included in a “single online information point” that is freely accessible. On the question of access, the project plans to adopt codes of conduct two years after its entry into force. It does explain, however, that if self-regulatory measures are not implemented within “a reasonable period of time” it will still be possible for the Commission to establish the conditions for this access by way of an implementing act.
Digital initiatives prior to 2018
In his letter of intent to the presidents of the European Parliament and Council, Jean-Claude Juncker announced an initiative on online platforms within the online economy that seeks to guarantee a fair, predictable and sustainable environment that promotes trust. He also announced Commission guidelines on the application of the general regulations on data protection, as well as the revision of the guidelines on market analysis and assessing market dominance in the electronic communications sector.
Responses
The European Telecommunications Network Operators' Association (ETNO) responded positively to the Commission proposals on cyber security: “We recognise that voluntary certifications and labels could benefit consumers’ trust in connected devices and online services and we recommend that these schemes provide for enough flexibility to adapt to the fast-evolving cyber threat landscape”. Jan Philipp Albrecht MEP (Greens/EFA, Germany), the vice chair of the civil liberties, justice and home affairs committee, called on his colleagues to work towards mandatory minimum requirements, such as secure end-to-end encryption and secure default passwords.
On the question of the free flow of data, the Business Software Alliance (BSA) responded by congratulating the Commission on the work it had carried out. “While the Commission’s proposal needs certain clarifications regarding its scope and the nature of the limitations it seeks to impose on Member States, we are pleased that the process is moving forward,” said Thomas Boué, Director General, Policy of the Europe, Middle East and Africa Office (EMEA). (Original version in French by Sophie Petitjean)