Dear reader,
Welcome to Publyon’s Digital Policy Update. We are happy to provide insights on the latest EU policy trends and developments every month. It’s October now, a cosy month to sit inside, drink pumpkin spice and watch Halloween movies…or rather: read your favourite digital and tech policy update. This month, you will not only be our reader but also our interviewee! We would like to know which policy files you want to read about in the upcoming editions. Find more details below or answer the LinkedIn poll here.
You’ve got it, while you were out enjoying those last days of sun, we were out digging up spooky updates in the EU bubble. This month, we’re shining our torch on the Commission’s Work Programme, unravelling what actions will be implemented during the Commission’s final year in terms of digital and tech initiatives. We’ll further take you through the updates on the AI Act and the Cyber Resilience Act, and discover which skeletons hid in the trilogue negotiations’ closet. Finally, you’ll get some insights on where to find us in the upcoming weeks. Hint: it has something to do with the full moon…
Did we spark your interest?
If you have an appetite for interesting content read our blog for more insightful reading and helpful tips.
The spotlight
The Commission’s final ambition: Delivering today and preparing for tomorrow
Since President von der Leyen’s State of the Union speech last month, we have eagerly been waiting for the Commission to reveal its plans for the final year, and that is now officially a done job. On 17 October, the Commission presented its Work Programme for 2024: ‘Delivering today and preparing for tomorrow’.
The Work Programme details the proposals and priorities that will unfold before the end of the Commission’s current mandate. While it calls for concluding ongoing legislation before the political recess, it also presents several new initiatives. This year’s programme consistently focuses on supporting European industry and relieving the administrative burden for businesses, for example through the expansion of e-platform use to collect and share data.
In the digital sphere, the European Commission pledged to maintain its efforts to set the course towards a human-centred, sustainable and more prosperous digital future with the Digital Decade. The Commission will further support the development of artificial intelligence tools and large language models. A new initiative should open European supercomputer capacity to ethical and responsible artificial intelligence start-ups.
Moreover, a plan for advanced materials for industrial leadership will be adopted. It aims to accelerate the development and uptake of safe, sustainable and circular advanced materials, and their industrial uptake for the benefit of the green and digital transitions. The Commission will also prepare policy and regulatory actions regarding Digital Networks and infrastructure.
Lastly, next year, the European Commission will propose a European space law that will set rules for space traffic management and measures to keep critical space infrastructure safe. In addition, a strategy for the space data economy must increase the use of space data across economic sectors.
If you’re eager to make more sense of all this, we’re just two clicks away.
What to expect next?
As you may know, this is the final stretch for the European Commission. Time is pressing to close files before the election campaigning begins in Brussels, in light of the European elections on 9 June. The elections will lead to the appointment of a new college of Commissioners, which will set an agenda of its own for the new legislature to come.
Policy update
The story of FrankenstAIn
We are here to serve up the latest scoop on the Artificial Intelligence Act. On 2 and 3 October, the latest Trilogue was marked by a certain sense of urgency. Both the Council and Parliament wish to iron out their differences and wrap up the file by year-end.
Immediately following the negotiations, MEP Tudorache announced a breakthrough: the institutions cleared requirements and obligations for providers of high-risk AI systems, and they agreed on an architecture for the classification thereof. Regulatory sandboxes (except for real-world testing) were also approved. Additionally, compromises have been made on market surveillance and enforcement, penalties, and fines.
Moreover, it has been reported that the institutions seem to have reached a common understanding about foundation models, such as ChatGPT and Bard. Creators of such models will need to adhere to documentation, information obligations and testing requirements. Larger models may face additional safeguards like audits and oversight by a centralised EU authority.
However, some sticking points remain. The Parliament is not on board with the Council’s proposal to introduce various exceptions for law enforcement’s use of AI systems. The Council maintains that many countries rely on AI tools for combing through vast amounts of data in complex investigations and child protection. They also disagree on national security exemptions, with the Council supporting them and the Parliament objecting. Nevertheless, the Council has shown some flexibility by keeping dual-use tech, which encompasses AI tools for both civilian and military use, within scope.
Trick or treat?
The negotiations surrounding the AI Act are moving along at a steady pace. The next trilogue is scheduled for 25 October. Prohibited AI systems and the classification of high-risk AI systems will be on the discussion table. Exemptions for law enforcement and national security will also be under scrutiny. It seems more likely than before that the AI Act will be completed by the end of the year – a trick or a treat? We will be there to keep you in the loop.
Watch out for the Cyber Resilience Act
Friday the 13th might bring unfortunate events, but Wednesday the 13th September was the Cyber Resilience Act’s moment of luck: the European Parliament officially adopted its position. The first trilogue followed on 27 September. Limited news has filtered through regarding the ongoing negotiations, but Publyon is keeping a close eye on the outcomes, and rest assured, we’ll keep the news fresh for you for our next DPU.
Despite the progress, more than 50 cybersecurity experts signed an open letter urging the EU to reconsider a specific provision mandating software publishers to report government agencies of unpatched vulnerabilities within 24 hours. They warn it could potentially compromise the safety of digital products and their users.
The fear is that a database of software with unresolved issues might be misused by governments for intelligence or surveillance purposes, and even leave governments vulnerable to malicious actors. The risk is particularly high in supply chain vulnerability cases, where vendors must collaborate with multiple parties to address issues safely.
Additionally, disclosing vulnerabilities too soon could disrupt the coordination between software publishers and security researchers, who need sufficient time to fix vulnerabilities before publicly disclosing them. The experts advocate for a responsible and coordinated disclosure process that balances transparency and security. They recommend that the CRA adopt a risk-based approach to vulnerability disclosure.
What’s lurking in the cyber-shadows?
After months of slow progress, some paranormal activity has been reported on the side of the Cyber Resilience Act. Sources say it could be closed off as early as the end of November! The next trilogue is on the horizon and set for 8 November. Reporting obligations of unpatched vulnerabilities are expected to be a focal point of discussion. Additionally, debates on data storage for products’ exploited vulnerabilities remain contested. We anticipate the conclusion of this file by year-end, as it holds high priority under the Spanish presidency.
Can’t get enough of the Cyber Resilience Act? Continue reading on the topic with our updated Cyber Resilience Act blog post.
Expert interview
This time is your turn!
For this month’s Digital Policy Update, we would like to turn this segment around and interview you, our readers. As you may well have heard, elections are looming for new Members of the European Parliament and so is a new College of Commissioners. Ahead of these two big 2024 changes, European policymakers will try to seal the deal on a wide variety of files.
With the conclusion of the Data Act, we are looking to complete our monthly policy trio with a companion for the AI Act and the Cyber Resilience Act. We wish to know which file you would like to see prioritised in our policy update in the upcoming months.
Head over to our poll here and let us know for which digital EU files you have been dying to receive more detailed updates! Or first, keep on reading to meet our candidates:
The Gigabit Infrastructure Act: this regulation aims to reduce the costs of network deployment for a faster, cheaper, and more effective rollout of Gigabit networks across Europe and close the digital divide by updating the current Broadband Cost Reduction Directive (2014).
AI Liability Directive: this directive updates the EU liability framework to include liability issues related to AI systems. This ensures that persons harmed by AI systems enjoy the same level of protection as persons harmed by other technologies in the EU, as well as reducing legal uncertainty for businesses developing or using AI.
European Data Spaces (Health and Mobility): As part of the European strategy for data, common European data spaces will ensure that more data becomes available for use in the economy and society while keeping companies and individuals who generate data in control. This will facilitate the use of data for innovative business ideas, both at sector- or domain-specific level and cross-sector.
Too cool for school – but never for networking
In the upcoming weeks, you can bust not ghosts but our Publyon colleagues at the following events:
Irene Veth will be at the CEPS event “Assessing the growing tech regulation rivalry between the EU, U.S. and China” on 6 November between 9:30 and 11:00 am.
Hazal Yilmaz will attend Intraw’s Responsible Sourcing and Traceability of Critical Raw Materials event on 14 November 2023 between 2:00 and 6:00 pm.
Irene Veth
Hi, my name is Irene and I am curating this monthly update to bring Brussels’ main digitalisation and technology insights to your inbox. I hope you enjoyed this edition of our update. We are always looking to provide our community with the most valuable content possible, and that starts with you. If you have any suggestions for topics you would like to see covered in our next edition, do not hesitate to reach out to me.
Contact