Dear reader,

Welcome to Publyon’s new EU Digital Policy Update! Every month, we are happy to provide you with insights on the latest EU policy trends and developments.

Today, our Data Policy Update changes its name to Digital Policy Update, as we expand the coverage of the update to feature additional interesting digital files. We’re excited about this new chapter in the evolution of our update, and we will continue to deliver the same high-quality content as always.

Under this month’s spotlight, you will find key take-aways from the Interoperable Europe Act. We will also take you through the latest news on the Data Act, AI-Act and Cyber Resilience Act.

Furthermore, our update features an exclusive interview with one of the top experts in the field who will outline the latest developments in the EU Cybersecurity Certification. Read more about this subject in the short Q&A with our colleague and cybersecurity expert Stefano Mauro.


Did we spark your interest?

If you have an appetite for interesting content, visit us online for more insightful reading and helpful tips on upcoming relevant events.

And to remain in the Easter spirit, we’ve hidden some surprise eggs throughout this update. They include hints about where you can find us at upcoming events. After all, we’re always looking for an opportunity to further engage with our readers!

The spotlight

The spotlight

Interoperable Europe: connecting digital capacities within the EU

If you’re interested in EU digital policy, you might want to check out the latest draft opinion on the Interoperable Europe Act.

MEP Francisco Guerreiro (Greens/EFA, Portugal), the Rapporteur for the Committee on the Internal Market and Consumer Protection (IMCO) of the European Parliament, released his draft opinion on the Interoperable Europe Act.

The idea behind the Act is to stimulate collaboration between Member States’ administrations on IT solutions and data sharing. However, Guerreiro suggests some improvements to the proposal, such as enhancing trust through the proposal for the eID Regulation, promoting open-source solutions, and making digital public services more accessible.

Keep reading to find out more about how the EU is working towards a more interconnected and digital future!

The information provided below is crucial, not just for companies in the public sector or Govtech companies providing technological solutions for government agencies, but also for the broader tech ecosystem and the public sector as a whole.

Here are the significant takeaways from the draft opinion:

  1. It will facilitate procedures regarding cross-border cooperation between public services and administrations;
  2. It will simplify certain administrative procedures for businesses operating in more than one EU Member State;
  3. It will increase digital interoperability which will lead to structural and practical changes for businesses and administrations, and further expand areas of concern for data protection and cybersecurity.


What will happen next?

  1. The draft opinion is to be debated by the IMCO Committee on 28 or 29 June.
  2. Industry, Research and Energy (ITRE) Committee is planning to debate the proposal on 24 April.
  3. The Telecommunications Council is expected to adopt its general approach on its meeting date of 2 June.
Policy update

Policy update

EU Council finalises its stance on data protection: here’s what you need to know!

On 24 March, the Council of the EU adopted its general approach on the Data Act. The proposed amendments seek to clarify the scope of the regulation. Besides further developing appropriate safeguards to protect trade secrets and intellectual property rights from misuse, it also addresses questions related to data availability and data sharing.

The identification and classification of a business’ key data assets are vital components of its capacity to effectively carry on its business operations and  its cybersecurity strategy. Failing to properly identify and classify these assets could lead to misuse, loss or unauthorised access to sensitive data. Incorrect storage, processing, or disposal procedures could result in financial loss, operational disruption, and reputational damage.

The positions of the European Parliament and Council pave the way for interinstitutional negotiations with the Commission. Both the Parliament and the Council intend to reach a political agreement on the Data Act by June 2023.


Parliament says aye, to AI

Artificial intelligence system’ (AI system) means a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate output such as predictions, recommendations, or decisions influencing physical or virtual environments.” – Parliamentary draft definition of Artificial Intelligence

In a move aimed at clarifying the regulatory landscape for AI, the LIBE and IMCO committees shared a draft text on general purpose AI (GPAI) on 14 March. The rapporteurs of the Artificial Intelligence Act clarified the contentious definition of GPAI.

Earlier, the European Parliament had reached a political agreement to adopt OECD (Organisation for Economic Cooperation and Development) definition of AI, aligning its understanding with other OECD trading partners.

For businesses operating in the AI space, clear definitions are key to understand the rules their products must comply with. For any other organisation using AI, the regulation’s definition can offer a better framework for understanding what AI is and how to use it safely.

Globally, the acceptance of the OECD definition paves the way for a shared understanding of what AI is and how it works, which in turns facilitates a better application of AI legislation by businesses operating within and outside the EU.

On 26 April, the LIBE and IMCO committees are expected to vote on the partial parliamentary agreement on the Regulation. Even though the political deadlock in the Parliament seems to be broken, it is possible that several alternative amendments to significant parts of the draft report will be tabled during the plenary vote in May.


Rapid progress of Cyber Resilience Act in Council and Parliament, are they approaching a deal?

The Swedish Presidency of the Council of the EU has been busy circulating compromise texts on the Cyber Resilience Act, and their latest proposal on 15 March could have a big impact on businesses operating in the digital realm.

The sixth and final compromise text proposes new changes regarding product lifecycles, automatic security updates, connected devices and cloud services.

Rapporteur Nicola Danti (RE, Italy) of the ITRE Committee circulated his draft report on the Regulation. In the draft report, published on 31 March, Danti maintained the overall scope of the Regulation, while he also proposed to let manufacturers determine the lifetime of their respective products as long as that is in line with consumers’ expectations. Lastly, the rapporteur limited the scope of the reporting obligation only to actively exploited vulnerabilities and significant incidents instead of all incidents.

For businesses selling digital products or offering accompanying services, these modifications to the Cyber Resilience Act are particularly relevant, as they determine potential future requirements businesses will have to comply with.

On 2 June, the EU Member States will meet during a Telecommunications Council to discuss the file’s progress. Moreover, it is expected that the responsible ITRE Committee will vote on the Act on 19 July, which means that a plenary vote will take place after the summer recess of the Parliament.

Expert interview

Expert interview

Stefano Mauro

Stefano Mauro is an expert in Digitalisation and Technology Practice. In his role at Publyon, he advises clients on providing strategic intelligence and support in cyber and data legislation, e-privacy, digital identity, e-commerce, and more. Beyond his expertise in public affairs strategies, Stefano has a strong desire to help businesses grasp the many opportunities offered by the digital transformation.

Stefano Mauro

Stefano and other colleagues at Publyon have developed an EU Cyber Fitness Scan, a digital service that will help businesses identify the newly established cyber protection requirements for digital products in the EU. Furthermore, the scan will provide strategic advice and solutions to ensure organisations are fully aware of and equipped with the tools to enhance their cyber resilience.

On 19 March, the European Network and Information Security Agency (ENISA) launched a new site to promote and disseminate information on EU cybersecurity certification. The website allows for the exchange of information on cybersecurity certification schemes currently under development. The website includes the Common Criteria-based European Cybersecurity Certification Scheme (EUCC) for information and communication technology products, the Cloud Services Cybersecurity Certification Scheme (EUCS) and the EU 5G Scheme for Network Equipment and Identification.


Stefano, what can you tell us about the Cybersecurity Certification Scheme?

With so much sensitive information being transmitted and stored online in today’s digital age, the security of the technology we use is crucial. That is why the EU has implemented cybersecurity certification schemes to ensure that products and services on the market meet certain standards for protecting against cyber threats.

However, with each Member States issuing their own certificates, there can be some inconsistency and confusion in the requirements. The EU’s goal is to harmonise these certificates across Europe, so that all ICT solutions will have the same level of security and will be assessed in the same way.


Will the Scheme be an advantage or a drawback for ICT products and services?

Currently the market proposes various types of cybersecurity certificates, resulting in fragmentation and barriers for companies. However, if harmonised standards were implemented via a single certification, it would enhance the cybersecurity, resilience, and trustworthiness of your company’s ICT products, while streamlining your business operations in the EU.


Concretely, what does the Cybersecurity Certification Scheme mean for companies?

First off, if you are a business selling ICT products or processes, you need to keep an eye on the new requirements of the Scheme.

Second, if you are a business buying an ICT product, the European certificate is a strong indicator of the cybersecurity quality of your product. You won’t get worked up into the complexities of differing certificates and you’ll be able to safely trust the European certification label on the ICT product you want to buy.

Finally, if you are a Conformity Assessment Body, the Scheme presents a business opportunity for you. As a result, you will be able to propose new assessment tools and professional services responding to the Scheme.

As the Scheme is currently being constructed, it is paramount for your business to be able to provide input to this process. A public affairs firm like Publyon can help you with this.


Stefano’s tip

“There’s more to the Cybersecurity Certification Scheme than its structure and its advantages. I advise clients to attend the next edition of the ENISA Cybersecurity Certification Conference, scheduled on 25 May. It will give you the opportunity to understand the nuances of the Scheme, its opportunities, challenges, and outcomes. Rumour has it, two of our dedicated colleagues, Brecht and Sarah, will be attending too…”



European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience?

This month, we invite you to read up on our updated post on the proposal for a Cyber Resilience Act, which has seen revision by the EU institutions in the past two months. In our blog post, we give a concise overview of the technical specifications that businesses must comply with to ensure adherence to CRA obligations.

European Cyber Resilience Act: can new requirements for products strengthen your organization’s cybersecurity resilience?
Events update

Events update

The European AI Week: Towards tech convergence

Read more on linkedin

Masters of Digital 2023: A resilient Europe in times of crisis

Read more on linkedin

Where can you run into our team?

You can find Guillaume at the second NISDUC ConferenceFrom NIS to NIS 2.0: a path to take” on 25 and 26 April in Brussels.

Strike up a conversation with Brecht at the first day of the European Cyber Agora, organised by Microsoft on 25 April, and with Sarah at the EU Raw Materials Summit from 15 to 17 May.

Sarah Hautier

Sarah Hautier

Hi, my name is Sarah and I am curating this monthly update to bring Brussels’ main digitalisation and technology insights to your inbox. I hope you enjoyed the first edition of our update in the new format. We are always looking to provide our community with the most valuable content possible, and that starts with you. If you have any suggestions for topics you would like to see covered in our next edition, do not hesitate to reach out to me.