The European Union and its institutions are the main arena in which they focus, shape and plan what they face and how they will address many of the new regulatory challenges facing their societies. They therefore carry out valuable legislative proposals.
To this end, we point out below significant events in this agenda:
[toc]
24 March 2021, European Council: Cybersecurity: how the EU tackles cyber threats
Critical sectors such as transport, energy, health and finance have become increasingly dependent on digital technologies to run their core business. While digitalisation brings enormous opportunities and provides solutions for many of the challenges Europe is facing, not least during the COVID-19 crisis, it also exposes the economy and society to cyber threats.
Cyberattacks and cybercrime are increasing in number and sophistication across Europe. This trend is set to grow further in the future, given that 22.3 billion devices worldwide are expected to be linked to the Internet of Things by 2024.
In light of these cybersecurity challenges, the EU is working on various fronts to:
- enhance cyber resilience
- fight cybercrime
- boost cyber diplomacy
- reinforce cyber defence
- boost research and innovation
- protect critical infrastructure
EU cybersecurity strategy
In December 2020, the European Commission and the European External Action Service (EEAS) presented a new EU cybersecurity strategy. The aim of this strategy is to strengthen Europe’s resilience against cyber threats and ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. The new strategy contains concrete proposals for deploying regulatory, investment and policy instruments.
On 22 March 2021, the Council adopted conclusions on the cybersecurity strategy, underlining that cybersecurity is essential for building a resilient, green and digital Europe. EU ministers set as a key objective achieving strategic autonomy while preserving an open economy. This includes reinforcing the ability to make autonomous choices in the area of cybersecurity, with the aim to strengthen the EU’s digital leadership and strategic capacities.
The EU is also working on two legislative proposals to address current and future online and offline risks:
- an updated directive to better protect network and information systems
- a new directive on the resilience of critical entities
EU Cybersecurity Act
The EU Cybersecurity Act entered into force in June 2019 and introduced:
- an EU-wide certification scheme
- a new and stronger mandate for the EU Agency for Cybersecurity
EU-wide cybersecurity certification scheme
Certification plays a critical role in ensuring high cybersecurity standards for ICT products, services and processes. The fact that different security certification schemes are currently used by different EU countries generates market fragmentation and regulatory barriers.
With the Cybersecurity Act, the EU has introduced a single EU-wide certification framework that will:
- build trust
- increase the cybersecurity market’s growth
- ease trade across the EU
The framework will provide a comprehensive set of rules, technical requirements, standards and procedures.
EU Agency for Cybersecurity
The new EU Agency for Cybersecurity builds on the structures of its predecessor, the European Union Agency for Network and Information Security, but with a strengthened role and a permanent mandate. It has also adopted the same acronym (ENISA).
It supports member states, EU institutions and other stakeholders in dealing with cyberattacks.
Network and information systems directive
The directive on the security of network and information systems (NIS) was introduced in 2016 as the first ever EU-wide legislative measure with the purpose of increasing cooperation between member states on the vital issue of cybersecurity. It laid down security obligations for operators of essential services (in critical sectors such as energy, transport, health and finance) and for digital service providers (online marketplaces, search engines and cloud services).
In December 2020, the European Commission proposed a revised NIS directive (NIS2) to replace the 2016 directive. The new proposal responds to the evolving threat landscape and takes into account the digital transformation of our society, which has been accelerated by the COVID-19 crisis.
The new rules will:
- strengthen security obligations for companies
- address the security of supply chains
- introduce more stringent supervisory measures for national authorities
- further increase information sharing and cooperation
The proposal is currently under discussion in the Council.
Cybercrime takes various forms and many common crimes are cyber-facilitated. For example, criminals can:
- gain control over personal devices using malware
- steal or compromise personal data and intellectual property to commit online fraud
- use internet and social media platforms to distribute illegal content
- use the ‘darknet’ to sell illicit goods and hacking services
Some forms of cybercrime, such as child sexual exploitation online, cause serious harm to their victims.
A specialised European cybercrime centre has been created within Europol to help EU countries investigate online crimes and dismantle criminal networks.
The European multidisciplinary platform against criminal threats (EMPACT) is a security initiative driven by EU member states to identify, prioritise and address threats posed by organised international crime. Cybercrime is one of its priorities.
Countering cyberattacks
The EMPACT action plan on cyberattacks aims to disrupt criminal activities related to attacks against information systems, particularly those following a crime-as-a-service business model and working as enablers for online crime.
Tackling non-cash payment fraud
Fraud and counterfeiting involving non-cash means of payment pose a serious threat to the EU’s security and provide a significant income for organised crime. Moreover, this kind of fraud affects the trust of consumers in the security of digital technologies.
In April 2019, the EU adopted new rules to fight non-cash payment fraud. Member states should implement the new rules in 2021.
The dedicated EMPACT action plan aims to target criminals involved in fraud and counterfeiting involving non-cash means of payment, including large-scale payment-card fraud and emerging threats to other non-cash means of payment.
Improving the safety of children online
The European Commission plans to propose new legislation in 2021 to tackle online child sexual abuse and exploitation. In the meantime, the EU is working on temporary rules to allow providers of web-based email and messaging services to continue detecting child sexual abuse online, until permanent legislation is adopted.
The dedicated EMPACT action plan aims to combat child sexual abuse and child sexual exploitation, including the production and dissemination of child abuse material.
Access to e-evidence
Criminals exploit digital technology to commit offences and to hide illicit activities. Law enforcement and judicial authorities therefore rely more and more on electronic evidence, such as texts, e-mails or messaging apps, for their criminal investigations and prosecutions.
This is why the EU is working on new rules which will make access to e-evidence across borders easier and faster.
To further facilitate cross-border access to e-evidence for criminal proceedings, the EU:
- is negotiating an agreement with the US – the country where most service providers are located
- participates in the negotiations for the second additional protocol to the Budapest Convention
Data retention
To fight crime effectively today, it is important that service providers retain certain data that can be disclosed under certain strict conditions for the purpose of fighting crime. However, data retention can infringe individual fundamental rights, in particular the rights to privacy and to protection of personal data.
The Council adopted conclusions with regard to the retention of electronic communication data for the purpose of fighting crime. The Council tasked the Commission with gathering further information and organising targeted consultations as part of a comprehensive study on possible solutions for retaining data, including the consideration of a future legislative initiative.
The European Union and its member states strongly promote an open, free, stable and secure cyberspace where human rights, fundamental freedoms and the rule of law are fully respected for the social stability, economic growth, prosperity and integrity of free and democratic societies.
The EU invests much effort in protecting itself against cyber threats coming from third countries, especially through a joint diplomatic response called the ‘cyber diplomacy toolbox’. This response includes diplomatic cooperation and dialogue, preventative measures against cyberattacks, and sanctions.
The EU cybersecurity strategy adopted by the European Commission and EEAS in December 2020 reinforces the EU’s diplomatic response to cyberattacks.
Sanctions against cyberattacks
In May 2019, the Council established a framework which allows the EU to impose targeted sanctions to deter and respond to cyberattacks which constitute an external threat to the EU or its member states.
More specifically, this framework allows the EU for the first time to impose sanctions on persons or entities that are responsible for cyberattacks or attempted cyberattacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on other persons or entities associated with them.
Restrictive measures include:
- a ban on persons travelling to the EU
- an asset freeze on persons and entities
Stepping up cyber defence
Cyberspace is considered as the fifth domain of warfare, as critical to military operations as land, sea, air, and space. It is a domain encompassing everything from information and telecommunication networks, infrastructure, and the data they support, to computer systems, processors and controllers.
The EU cooperates on defence in cyberspace through the activities of the European Defence Agency (EDA), in collaboration with the EU cybersecurity agency and Europol. The EDA supports member states in building a skilled military cyber-defence workforce and ensures the availability of proactive and reactive cyber-defence technology.
The EU cybersecurity strategy adopted in December 2020 by the Commission and the EEAS reinforces:
- cyber defence coordination
- cooperation and building cyber defence capabilities
Recovery plan
Cybersecurity is one of the EU’s priorities in the response to the COVID-19 pandemic, which has seen increased cyberattacks. The plan includes additional investments in this area.
Further information:
European Council Policy-Cybersecurity
The EU fight against organised crime
18 March, Euroopean Parliament: JURI votes and exchange of views with EUIPO
On 17-18 March 2021, the JURI Committee voted on the report on on Liability of companies for environmental damage and on the opinions on Aarhus Convention on Access to Information and on Parliament’s right of initiative. The Committee also voted on legal basis on the Strategic Innovation Agenda of the European Institute of Innovation and Technology (EIT) 2021-2027 and on Amending the Visa Information System (VIS).
They also voted on Petition No 1311/2019 by Lech Obara (Polish), on behalf of Patria Nostra, on the enforcement in Germany of a final judgment by a Polish court and on several Pilot Projects and Preparatory Actions.
The Members further exchanged views with EUIPO’s Executive Director who will present activities and initiatives to support SMEs and they heard a presentation of European added value assessment on responsible private funding for litigation and of the accompanying research paper on the state of play of the EU private litigation funding landscape and the current EU rules applicable to private litigation funding. Moreover, they considered a report on the European Union regulatory fitness and subsidiarity and proportionality.
Further information:
JURI votes and exchange of views with EUIPO
European Union Intellectual Property Office
18 March 2021, Council of the European Union: EU’s response to the terrorist threat
New EU rules for removing terrorist content from the internet
On 16 March 2021, the Council adopted a regulation on addressing the dissemination of terrorist content online.
Competent authorities in the member states will have the power to issue removal orders to the service providers, requiring them to remove terrorist content or disable access to it in all member states. Internet platforms will then have to remove or disable access to the content within one hour.
The rules will apply to all providers offering services in the EU, whether or not they have their main establishment in one of the the member states.
The legislation also provides for a clear scope and a uniform definition of terrorist content in order to fully respect fundamental rights. It also includes effective remedies both for users whose content has been removed and for service providers to submit a complaint.
While the primary responsibility for combating crime and ensuring security lies with member states, recent years’ terrorist attacks have shown that security is also a common responsibility. The EU contributes to the protection of its citizens by assisting member states.
EU actions in this area include:
- enhancing information exchange
- reinforcing checks at external borders
- preventing online radicalisation
- improving firearms controls
- digitalising judicial cooperation
- criminalising terrorist offences
- cutting the financing of terrorism
- harmonising the use of air passengers’ data
- strengthening cooperation with non-EU countries
In 2015, EU leaders issued a joint statement designed to guide the work of the EU and its member states. This statement called for specific measures, focusing on three areas of action:
- ensuring the security of citizens
- preventing radicalisation and safeguarding values
- cooperating with international partners
In 2015, EU leaders issued a joint statement designed to guide the work of the EU and its member states. This statement called for specific measures, focusing on three areas of action:
- ensuring the security of citizens
- preventing radicalisation and safeguarding values
- cooperating with international partners
In November 2020, following the terrorist attacks in France, Germany and Austria, EU home affairs ministers agreed to further strengthen their joint efforts to fight terrorism, without compromising the EU’s common values, such as democracy, justice and freedom of speech.
Enhancing information exchange
Effective information sharing between law enforcement, judicial and intelligence authorities in the member states is crucial to fight terrorism, track foreign fighters and tackle organised crime.
The EU is currently looking at ways to better collect, share and use battlefield information with the aim of:
- making the data accessible to border guards through relevant EU databases
- improving criminal investigation and prosecution
Reinforcing checks at external borders
In 2017, the Council adopted a regulation amending the Schengen borders code to reinforce checks against relevant databases at external borders. The amendment obliges member states to carry out systematic checks on all persons, including those enjoying the right of free movement.
Preventing online radicalisation
Online communication has made cross-border communication easier for terrorists and has amplified terrorist propaganda and the spread of extremism. EU countries are working together to stop terrorists from using the internet to radicalise, recruit, incite to violence and facilitate the carrying out terrorist attacks.
On 16 March 2021, the Council adopted new rules to address terrorist content online. The aim of the legislation is a swift removal of terrorist content online and to establish one common instrument for all member states to this effect.
In 2015, Europol created a special unit to tackle terrorist propaganda on the internet. The EU internet referral unit (EU IRU) aims to identify terrorist and violent extremist content online and to advise member states on the matter.
Controlling access to weapons
To closed the legal loopholes which allowed terrorists to use reconverted weapons, the Council adopted in 2017 new rules on control of the acquisition and possession of weapons.
The directive includes measures to enhance traceability and stricter rules for the acquisition and possession of the most dangerous firearms.
Digitalising judicial cooperation
More and more criminals and terrorists are using technology to plan and commit offences. As a result, authorities are becoming increasingly reliant on e-evidence to track down and convict criminals. The EU is currently working on new rules to ensure a more efficient mechanism for cross-border access to e-evidence.
The legislative proposals under discussion aim to allow member states’ competent authorities to request e-evidence directly from service providers active within the EU, irrespective of their place of establishment and data location.
The use of digital tools in criminal procedures related to terrorist offences across the EU is crucial in light of the evolving security threat landscape and the fast pace of technological development.
The EU has already adopted new rules to make more efficient and modernise cross-border judicial cooperation but more can be done.
Criminalising terrorist offences
In March 2017, the Council adopted a directive on combating terrorism. The new rules strengthen the EU’s legal framework to prevent terrorist attacks and address the phenomenon of foreign terrorist fighters. The directive criminalises acts such as:
- undertaking training or travelling for terrorist purposes
- organising or facilitating such travel
- providing or collecting fund related to terrorist groups or activitie
Cutting the financing of terrorism
Risks of money laundering and the financing of terrorism are a major concern for the EU’s financial system and the security of its citizens.
Since 2018, the EU has stronger anti-money laundering rules in place. These rules make it difficult to hide illegal funds under layers of fictitious companies, and strengthen checks on risky third countries. They also reinforce the role of financial supervision authorities, and improve access to and exchange of information.
Harmonising the use of air passengers’ data
Passenger name record (PNR) data is personal information provided by passengers and collected and held by air carriers. It includes information such as the name of the passenger, travel dates, itineraries, seats, baggage, contact details and means of payment.
On 21 April 2016 the Council adopted a directive to regulate the transfer of such data to member states’ law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offencesand serious crime.
Strengthening cooperation with non-EU countries
In 2015, the Council decided to step up external action to counter terrorism, in particular in the Mediterranean, Middle East, North Africa, the Gulf and the Sahel:
- cooperation with key partners will be strengthened
- new projects to support capacity building will be launched
- action to counter radicalisation and violent extremism will be intensified
The Council adopted the EU counter-terrorism/foreign fighters strategy focusing on Syria and Iraq in 2014. This strategy outlines several priority areas, including improving cooperation with third countries to identify recruitment networks and foreign fighters.
To reiterate its unwavering commitment to protecting EU citizens against terrorism and violent extremism, in June 2020 the Council called for further strengthening of the EU’s external counter-terrorism engagement and action in certain priority areas:
- geographic areas, including Western Balkans, North Africa, Middle East, the Sahel region and the Horn of Africa
- thematic areas, including human rights, rule of law, prevention of radicalisation leading to violent extremism, terrorism financing
The security of the Union and its citizens is directly linked to what happens outside Europe. The EU is currently looking at different ways to strengthen this link between the internal and external dimension of security in relation to counter-terrorism. For example by:
- cooperating with third countries to promote EU interests related to security
- better coordinating EU and member states’ efforts in the field of home affairs, foreign affairs and defence
Further information:
EU’s response to the terrorist threat
EUROPEAN UNION TERRORISM SITUATION AND TREND REPORT
March 18 2021, Eurojust: Further action against criminals defrauding online investors
Eurojust has coordinated a follow-up action against an organised crime group (OCG) that defrauded mainly German speaking online investors via fictitious companies operating from Bulgaria, Ukraine and other countries. By pretending to make huge profits on simulated websites, at least 350 victims were defrauded of approximately EUR 8,5 million. During an action day, five suspects were arrested in Bulgaria. In the same case, in December last year in Ukraine, EUR 50 million in luxury cars and goods were seized. In April last year, nine suspects involved with the same OCG were arrested in Bulgaria and Serbia.
Investigations into this type of fraud scheme started in 2019 by the General Public Prosecutor’s Office (PPO) of Bamberg in Germany after complaints from hundreds of victims in Germany, Austria and other European countries. This week’s operations are part of a continuous effort of judicial authorities to crack down on this type of fraud, with support and coordination by Eurojust, and are a follow-up to the actions in April 2020 in Bulgaria and Serbia.
The OCG asked victims to make an initial payment of EUR 250 to 300 to invest in financial instruments such as binary options, cryptocurrencies and foreign currencies. Following these payments, investors were approached via fake call centres or Messenger services, often speaking German to gain more trust.
By pretending they had made considerable initial profits and showing false online simulations, customers were lured into making bigger investments. Subsequently, significant amounts of money were lost, with funds transferred into various bank accounts and via credit card payments.
In reality, no investments took place. Via a complex money laundering network covering many European countries, the investments were transferred to participants in the fraud scheme. The companies at the end of this chain were under the control of the OCG members, withdrawing the funds for themselves.
Last year, the operation concerned complaints of over a thousand German speaking investors. In this follow-up, it is likely that many more than the 350 mentioned investors are involved given the perpetrators targeted people in many countries in Europe and beyond.
Furthermore, investigators assume a high number of unreported cases since many investors may have mistakenly considered their losses a result of the high risks associated with the trading of certain financial products. During this week’s action day, multiple places were searched and computer and telecommunications equipment was seized.
Eurojust supported the operation by facilitating the execution of European Investigation Orders and European Arrest Warrants (EAWs), helping to organise and enabling the cooperation during the action day. Furthermore, assistance was provided with the coordination of investigations and the execution of requests for Mutual Legal Assistance from Germany to Ukraine, which lead to a successful action day in Ukraine in December 2020.
The operation was led by the Bavarian Central Office for the Prosecution of Cybercrime at the Bamberg General PPO and the Criminal Investigation Department Bamberg. In Bulgaria, the action day was prepared and coordinated by the Specialised Prosecutor’s Office. The five EAWs were simultaneously executed by the Sofia City Prosecutor’s Office, Pernik District Prosecutor’s Office and Blagoevgrad District Prosecutor’s Office.
In Ukraine pre-trial investigations of criminal proceedings are carried out under the procedural guidance of the Prosecutor General’s Office by the Main Investigation Department of the National Police of Ukraine, with operational support of the Department of Strategic Investigations of the National Police of Ukraine.
Further information:
11 March 2021, European Council: Informal video conference of justice ministers
Data retention
Ministers held an exchange of views on the retention of electronic communication data by service providers, which can disclose it to law enforcement and judicial authorities under certain strict conditions. The ministers considered, in particular, whether legislation should be adopted at EU level to ensure a harmonised legal regime or whether police and judicial cooperation should rely solely on national data retention laws.
Ministers reiterated their concern at the impact of the recent case-law of the European Court of Justice on criminal investigations. They highlighted the need to find a common approach on this issue which complies with the rulings of the court and fully respects fundamental rights, and a large majority considered that a common European legal framework would be needed to achieve a coherent response at EU level. The Presidency and European Commission will now reflect on the next steps.
The retention of data is a crucial tool for our law enforcement authorities when carrying out investigations, and it is clear the current situation of uncertainty increases the risks to the security of our citizens. Today we reiterated our commitment to finding a common solution; one which allows our police and judicial authorities to carry out their work while fully ensuring the rights to privacy of our citizens, said Francisca Van Dunem, Portuguese Minister for Justice.
Fundamental rights
Ministers discussed how to strengthen the application of the EU Charter of Fundamental Rights, and welcomed the Commission strategy presented in December 2020 and the recent Council conclusions on this topic. They also highlighted the important role of the EU agency for fundamental rights (FRA).
The Commission Strategy and the Council conclusions focus on targeted, practical actions, such as training, awareness raising for the public, proper funding and monitoring of the relevant acts, through which the implementation of the Charter can be concretely enhanced.
Judicial training
Ministers were informed about the conclusions on boosting the training of justice professionals, adopted on 8 March 2021.
These conclusions welcome the ambitious European judicial training strategy for 2021-2024, presented by the Commission in December 2020, and emphasise that European judicial training should contribute to fostering respect for the rule of law and strengthening the European rule of law culture. The conclusions also highlight the close ties between judicial training and the digitalisation of justice in the EU.
In the conclusions, the Council calls on member states to encourage the use of training possibilities, invest in the digitalisation of judicial training, enhance training in EU law, emphasise the multidisciplinary approach of judicial training and provide support to the judiciaries beyond the EU, in particular those in the Western Balkans.
European Public Prosecutor’s Office
Justice ministers were informed by the Commission about the state of play with regard to the implementation of the EPPO regulation. Work is ongoing in several areas in order to get the EPPO up and running as soon as possible.
In past months progress has been made on the appointment of the European Delegated Prosecutors, however nominations by a number of member states are still pending. Work is also ongoing on the EPPO’s relations with third countries and international organisations. This includes the notification of the EPPO as competent judicial authority under relevant UN conventions and in relation to the 1959 European convention on mutual assistance in criminal matters. It also concerns the identification of third countries with which the EPPO could conclude operational agreements.
Further information:
Informal video conference of justice ministers
JUDGMENT OF THE COURT (Grand Chamber), 6 October 2020
COUNCIL REGULATION (EU) 2017/1939 of 12 October 2017
EUROPEAN DATA PROTECTION BOARD
Leave a Reply