EU Data Policy Update

No. 06 | 16 September 2022


Dr2 Consultants’ monthly newsletter on EU Data Policy developments will keep you updated on all political and policy developments at the EU level related to the data economy, from cybersecurity to smart energy to e-mobility.

In this sixth issue, you will receive a deep dive into the Cyber Resilience Act. This newsletter also covers the first EU-wide data space to simplify the exchange of official documents for citizens and businesses, the new US-UK law enforcement data deal, and the latest update on the Data Act.

Deep dive: Cyber Resilience Act

Introduction

On 15 September 2022, the European Commission published a proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act – CRA). The Cyber Resilience Act introduces cybersecurity rules to ensure more secure hardware and software products.  

The scope of the proposed legislation is far-reaching, as it covers products with digital elements placed on the market. Through the Cyber Resilience Act, the Commission aims to establish conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities, and by ensuring that manufacturers take security seriously throughout a product's life cycle. Additionally, the Commission proposes conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Details of the proposal

Chapter I – Definitions 

Chapter I indicates the scope and definitions of the proposed Regulation. In particular, the CRA proposes cybersecurity rules to ensure more secure hardware and software products by laying down:  

  1. Rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
  2. Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
  3. Essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
  4. Rules on market surveillance and enforcement of the above-mentioned rules and requirements.

The CRA applies to products with digital elements whose intended use includes a direct or indirect logical or physical data connection to a device or network. Importantly, Article 2 also lists the products with digital elements that shall not be covered by the CRA, such as those that have already been certified in accordance with other EU Regulations and those developed exclusively for national security or military purposes.

According to Article 3, a product with digital elements is defined as ‘any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately’. Products with digital elements shall only be made available on the market if they meet the requirements as set out in sections 1 and 2 of Annex I. Articles 6-9 further define critical products with digital elements, general product safety, high-risk AI systems and machinery products.  

Chapter II – Obligations  

Chapter II details the obligations of economic operators, namely manufacturers, authorised representatives, importers, and distributors. In particular, Articles 10 and 11 aim to ensure that products with digital elements have been designed, developed, and produced in accordance with the essential cybersecurity requirements set out in this Regulation. Articles 13 and 14 set out the importers' and distributors' obligations to ensure that only products with digital elements that comply with the cybersecurity requirements are placed on the market. This must be done by verifying products, taking corrective measures if needed, and storing product information for 10 years.

Lastly, Articles 15 and 16 detail the conditions under which the obligations of manufacturers apply to importers, distributors, or others, while Article 17 obliges economic operators to disclose information to market surveillance authorities, for 10 years.

Chapter III – Conformity 

Chapter III sets out the conformity of products with digital elements and processes. In particular, Article 18 details the powers of the Commission to specify the European cybersecurity certification schemes that can be used to demonstrate conformity with the essential requirements, or parts thereof, as set out in Annex I. Article 19 lists the cases in which the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Article 20 clarifies how the EU declaration of conformity should be drawn up by manufacturers and what such a declaration should contain. Articles 21-23 define the conditions for CE marking, while Article 24 lists the conformity assessment procedures, which are set out in Annex VI.

Chapter IV – Notification of conformity assessment bodies 

Chapter IV introduces the notification procedures for conformity assessment bodies. Article 26 requires Member States to designate a notifying authority responsible for setting up and carrying out these procedures, while the following articles detail the requirements that notifying authorities and conformity assessment bodies must meet in order to be designated as such.

Additionally, attention is paid to small and medium sized enterprises (SMEs). Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of SMEs in relation to fees.  

Chapter V – Market surveillance and enforcement 

Chapter V indicates that each Member State shall designate one or more market surveillance authorities, existing or new, for the purpose of ensuring the effective implementation of the CRA. National market surveillance authorities shall carry out market surveillance in the territory of that Member State, in accordance with Regulation (EU) 2019/1020. The Commission shall facilitate the exchange of experience between market surveillance authorities and shall support the authorities in providing guidance and advice to economic operators. In turn, economic operators are asked to fully cooperate with market surveillance authorities and other competent authorities.

While the scope of the CRA is broad, an exception exists for products with digital elements that are classified as high-risk AI systems under the AI Act. Such systems shall fall under the responsibility of the market surveillance authorities designated under the AI Act. Article 41 provides for the establishment of a dedicated administrative cooperation group (ADCO), tasked with the uniform application of the CRA and composed of representatives of the designated market surveillance authorities.

Where a Member State takes measures against potential cybersecurity threats, the Commission has the competence to launch a consultation or to evaluate whether such measures are justified. Where products with digital elements are deemed to present a significant risk, Article 46 requires the manufacturer to take all necessary steps to eliminate the risk. Subsequently, national market surveillance authorities may require a manufacturer to take measures. Should the non-compliance persist, the Member State must take appropriate measures to restrict or prohibit the product from being made available on the market, or to recall the product from the market.

Chapter VI – Delegated Acts  

Chapter VI, in its Articles 50 and 51, provides the technical details on the adoption of delegated acts, to ensure that the regulatory framework can be adapted where needed. The Commission holds this power and shall consult experts designated by Member States before notifying the Parliament and the Council. This power may be revoked at any time by either the Parliament or the Council, but such a decision shall not affect any delegated act already in force. Furthermore, the Commission is to be assisted by a committee, which delivers its opinion.

Chapter VII – Confidentiality and penalties 

This chapter contains the rules on the confidentiality of information and data obtained by the authorities in carrying out their tasks and activities. To ensure effective enforcement, Article 53 gives market surveillance authorities the competence to impose, or request the imposition of, administrative fines. The CRA also establishes the maximum levels of administrative fines that should be provided for in national laws in case of non-compliance with the Regulation.

Chapter VIII – Final provisions 

Chapter VIII includes the final provisions, amending Annex I of Regulation (EU) 2019/1020 on market surveillance and compliance of products and indicating that the latter will apply to products with digital elements insofar as there are no specific provisions with the same objective in the CRA.

The Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers, which shall apply from 12 months after its entry into force.

If you want to have a closer look at the content and the specific provisions of the Cyber Resilience Act, you can check out our in-depth analysis.

First EU-wide data space to simplify the exchange of official documents for citizens and businesses  

On 6 September, the European Commission published Implementing Regulation (EU) 2022/1463 on the Once Only Technical System (OOTS), following an agreement reached at Member State level. This new system lays the ground for the establishment of the first EU-wide data space, which will enable the sharing of information between public administrations across borders between EU countries. Available as of the end of 2023, the Once Only Technical System (OOTS) will allow public authorities across the EU to exchange official documents and data at citizens' and businesses' request in a simplified and efficient manner.

More concretely, the OOTS enables the interconnection between Member States’ national portals, allowing EU citizens and SMEs to supply a document only once to a public authority. In other words, if another public authority across the EU needs access to the same document, and with the citizen’s explicit authorization, it will be able to retrieve it via the OOTS. 

Today, the lack of interoperability and digital barriers between Member States obliges citizens to provide the same information to different authorities even if one of them already holds that information in electronic format. For instance, when applying for a master’s course at a university online, students need to provide a copy of their bachelor’s degree even though this document is held electronically by the university when the citizen graduated. 

Thierry Breton, Commissioner responsible for the Internal Market, saluted this initiative, highlighting that it was "a much-awaited step for an effective Single Market without digital barriers". The OOTS will provide a reusable template for other data spaces that require data to flow securely within the EU.

New US-UK law enforcement data deal 

Over the summer, London and Washington signed a new data sharing agreement related to law enforcement investigations. As of 3 October, law enforcement agencies may require telecommunication providers in either country to hand over data related to investigations into serious offences such as child sexual abuse or terrorism.

The agreement is focused on speeding up the ability of both sides to access information held in the other jurisdiction. The U.S. government has tried to sign a similar deal with the European Union, under provisions of the U.S. CLOUD Act, but some EU capitals raised concerns about giving such widespread access to EU citizens' data.

This decision comes on the back of the Court of Justice of the European Union's invalidation of the EU-U.S. Privacy Shield back in 2020 with the so-called "Schrems II" ruling. Based on the EU General Data Protection Regulation, the judges in Luxembourg concluded that data transfers to a jurisdiction that does not have an equivalent level of data protection are illegal unless adequate safeguards are in place.

The question raised by this ruling concerns the notion of "digital sovereignty", understood as "the EU's ability to act independently in the digital world" and pushed by EU Member States such as France. In this case, the question of which jurisdiction would apply was front and center. In other words, EU regulators were concerned that U.S. intelligence services have disproportionate access to the data of EU residents without the possibility of judicial redress. That is why the EU institutions have set up a legislative framework to deal with both personal and non-personal data transfers to foreign jurisdictions. As a matter of fact, the Data Governance Act and the Data Act contain provisions requiring data intermediaries to take all reasonable measures to prevent international transfers of, or governmental access to, non-personal data held in the EU where this could create a conflict with EU or national law.

For European regulators, the reasoning behind these measures is not punitive: it is meant to ensure that the rigorous rules the EU is putting in place to create a marketplace for industrial data cannot be bypassed simply by residing outside the bloc.

Undoubtedly, this question will remain the main point of discussion within the negotiations on the new Trans-Atlantic Data Privacy Framework between Washington and Brussels. As things stand, the U.S. government is expected to release the Executive Order that gives effect to the agreed surveillance reforms. On its part, the European Commission is expected to publish a draft implementing act and seek the non-binding opinion of the EDPB/EDPS and the European Parliament, before the Council also has to agree on the final text.

Data Act update 

The inter-institutional negotiations involving the Council of the EU and the European Parliament have already started in recent weeks.

As far as the European Parliament is concerned, it endorsed the allocation of competences between its committees on 30 June, after more than four months of internal discussions and back-and-forth. In their final shape, the competences have been attributed as follows:

  • Adam Bielan (ECR, PL) in the Internal Market and Consumer Protection (IMCO) Committee has shared competences on the entire file, plus exclusive competences on Articles 23, 24, 25 and 26, as well as Recitals 70 to 76;
  • Sergey Lagodinsky (Greens, DE) in the Civil Liberties, Justice and Home Affairs (LIBE) Committee has shared competences on the entire file, plus exclusive competence on Articles 4(3), 4(6), 5(5), 5(8), 8(6), 17(2)(c), 27(3) sub-paragraph 2, 35 and 37, as well as the last sentence of Recital 63 and Recital 84;
  • Ibán García del Blanco (S&D, ES) in the Legal Affairs (JURI) Committee has exclusive competences on Articles 1(3), 1(4), 4(5), 5(6), 5(7), 5(9), 6(1) (only on the caveat for the protection of personal data), 6(2b), 16(2), 18(5), 19(1b), 31(2a), 32(3) (only on the specific cooperation mechanism of the GDPR), 33(3) and 33(4). The committee also has shared competences on Articles 1-6, 8-12, 14-19 and 31-32.

MEP del Castillo Vera handed in her draft report last week for translation; the official report will be published soon. On the one hand, the report focuses on widening the exemption from the data-sharing obligations to include medium-sized enterprises with fewer than 250 employees; on the other hand, it focuses on the obligations for companies to share data with governments (B2G), where the notion of public emergency needs to be better clarified. Moreover, many stakeholder concerns about trade secrets, investments and intellectual property would be addressed by excluding sophisticated processed data from scope.

On the Council side, Member States are moving ahead with the proposal, with some compromises already made. Until now, the focus has been on increasing legal clarity and consistency with existing EU legislation, but there is still work to be done. On 15 September, the Council of the EU discussed the next compromise text, covering cloud switching, international data transfers and interoperability. In the Council meetings, the discussion on B2G data transfers showed that most Member States consider the wording of "exceptional need" rather vague and find the definitions too wide.
 
If you would like to stay up to date with the developments regarding EU digital policies and related events, please sign up to our monthly EU Data Policy Update here. Learn more about our EU Data Policy Services here. 

Learn more about our EU Data Policy services

Dr2 Consultants offers tailor-made solutions to navigate the evolving policy environment at EU level and anticipate the impact of the EU data-related legislation on your organization. Visit this webpage to learn more about our EU Data Policy services.

For more information on Dr2 Consultants’ full range of services, don’t hesitate to contact us. 


Previous updates

Visit our archive page to read our previous EU Data Policy updates.
