Dear reader,

Welcome to Publyon’s Digital Policy Update. We are happy to provide you with insights on the latest EU policy trends and developments every month. This month is a particular month for our DPU, as it stands under the star sign of artificial intelligence (AI). Don’t worry, we won’t make it an astrological theme, but the world has been spinning around AI in the past few weeks, and we know from experience world trends tend to influence the European Union…or is it the opposite when it comes to AI? Discover more in our spotlight on global AI trends and our monthly update of the AI Act below.  

Since we are creatures of habit, you will of course find your monthly update on the Cyber Resilience Act. This month’s rotating topic is also cyber-related, as we provide new insights on the Cybersecurity Act.  

Did we spark your interest?

If you have an appetite for interesting content read our blog for more insightful reading and helpful tips.

The spotlight

The spotlight

All hands on deck to regulate artificial intelligence

Policy discussion around technological developments and associated risks surrounding AI have increased globally in the last few years and even skyrocketed in just a few months since the launch of ChatGPT last November. The world has shown diverging approaches to AI. The US has opted for an innovation-first approach. China, unsurprisingly, is opting for a state-controlled approach. The EU, however, is taking the lead from an ethical approach with its own AI Act, a first of its kind, as concerns arise that AI might threaten our democracy.  

In this spotlight, you will find the latest international developments and regulations. The evolving AI regulatory framework will undoubtedly shape the operating environment for businesses across the world, influencing market dynamics, competition, and compliance requirements. Understanding these is crucial to adapt your business and thrive in a rapidly changing AI landscape. With the plethora of AI-related initiatives, it is crucial for your business to distinguish between those initiatives that have to be taken seriously and those that are not.  

 

The UK AI Safety Summit

All eyes were set on the UK, as they hosted the Artificial Intelligence Safety Summit on 1 and 2 November. The very ‘select’ Summit (only 100 people were invited, some sources say) gathered government representatives, AI businesses, academics, and NGOs and tackled the topic of serious AI risks, such as cyberattacks, bioweapon design, and national security threats.

During the Summit, Ursula von der Leyen, President of the European Commission, emphasised the need for a climate of responsibility and an effective system of AI governance.

The Summit’s main conclusion was a manifesto, the Bletchley Declaration on AI, which commits governments to collaborate towards trustworthy and responsible AI. The next summit will be held in South Korea in May 2024.

 

The G7 Code of Conduct

On 30 October officials of the G7 countries adopted an international voluntary Code of Conduct (CoC) on AI under the Hiroshima Artificial Intelligence Process. Some may remember the CoC from former Commissioner Margrethe Vestager’s engagement, in competition with Commissioner Thierry Breton’s AI Pact. The CoC includes a non-exhaustive list of 11 principles on the use and creation of advanced AI. These principles aim to promote the safety and trustworthiness of AI, in particular generative AI like ChatGPT. Companies could use this CoC to abide by their principles on the most advanced uses of AI. The EU itself was involved in the drafting of the CoC. The European Commission welcomed the adoption, and stated it reflects the EU’s values in promoting trustworthy AI and calling upon developers to sign it and implement it as soon as possible.

 

The US Intellectual property/copyright executive order

Coincidentally (or not?), the White House issued an executive order on safe AI also on 30 October, focusing further on intellectual property/copyright issues. You might remember the DPU edition of April on Hollywood strikes and artificial intelligence. The executive order introduces a mandate for US federal agencies to use existing mechanisms to oversee the roll-out of AI, as well as requirements for testing and reporting. This happened amidst a lobbying fight between parties who advocate for short-term AI rules, and those who push for long-term regulation. Critics however point at the absence of concrete enforcement within the executive order. 

The contrasting regulatory approaches between the US and EU spark some worries. Overregulation in the EU could scare businesses away or hinder innovation. Businesses can, however, use these developments to their advantage by actively participating in industry dialogue and engaging with policymakers. Do you wish to know how to advantage your business? Reach out to our expert Guillaume Baudour (g.baudour@publyon.com) for more information.  

Policy update

Policy update

AI Act in danger?

It has been an AI-xciting month for the Artificial Intelligence Act. On 24 October, another Trilogue took place between the Council of the EU and the European Parliament. Before this, the Parliament’s legal office challenged the legality of filter systems to classify high-risk AI systems. However, it appears to have been largely ignored by the EU policymakers. 

During the Trilogue, an initial agreement was reached on classifying high-risk systems, including a decision that AI systems using profiling would always be high-risk. Additionally, it has been decided that AI systems that use profiling will always be considered high-risk. “High-impact” models such as ChatGPT would be subject to stronger market obligations, with an AI office for oversight on foundation models. overseen by an AI office for oversight.  Contentious issues persisted such as exemptions for law enforcements, GPAI, governance models and the AI office. 

After the Trilogue we have heard that the European Parliament is close to accepting a compromise which would scrap the complete ban on real-time remote biometric identification (RBI), in exchange for concessions, such as a longer list of prohibited AI applications.  

A first legal draft text has also been leaked on the “tiered approach” for foundation models, general-purpose AI systems and “high-impact” models, including comprehensive definitions and obligations. However, following pushback from France, Germany, and Italy in the Council on foundation models, the Commission circulated a new compromise text shifting the focus to general-purpose AI.  

 

What’s next?

The Trilogue on 6 December was anticipated as the last one. With little chances to obtain a final agreement final, yet undetermined, Trilogue negotiation rounds under the Spanish Presidency, we can expect additional negotiations to continue into the Belgian Council Presidency.  

 

Cyber Resilience Act

Amidst all this artificial intelligence news, let us not forget we have another policy file slowly coming to conclusion: the Cyber Resilience Act. On 8 November, the second round of Trilogue negotiations took place around the act. All we got in store for you this month is that the Council of the EU and the European Parliament agreed on Article 10, targeting the securisation of internet-connected products. The final text should include a five-years period during which the manufacturer of internet-connected products needs to guarantee the effective handling of the product’s vulnerabilities. Yet on the topic of critical products and reporting obligations, although ground has been laid for a compromise, no agreement has been reached yet. 

Although little news has trickled down from the opaque negotiations, we have some other insights for you on the cybersecurity front. The EU Member States have reached a common position on a targeted amendment to the Cybersecurity Act, which is a parallel legislative initiative proposed by the Commission in April 2023. The Cybersecurity Act complements the Cyber Resilience Act through a certification system to ensure the cybersecurity of products. The amendment in question sets the green light for the adoption of European certification schemes for managed security services, which complements the list of other certification schemes for ICT products, services and processes introduced by the Act. The amendment covering so-called managed security services will ensure cybersecurity incidents are detected, prevented and responded to in time.  

 

What’s next? 

No date has been set yet for the next Trilogue negotiation (chirping birds are saying 30 November) on the Cyber Resilience Act, but you can count on Publyon to keep you in the loop with more news in our December newsletter. Two key points remain up for discussion: the agency to which companies will have to report vulnerabilities (the Commission hinted at increased responsibilities for national Computer Security Incident Response Teams) and the list of critical products.  

Rumour has it that the Belgians will make a move on closing the Cyber Resilience Act if the Spanish do not manage to conclude the deal by the end of their Presidency. They might even focus a part of their cyber-attention on the Cyber Solidarity Act, another cyber-related file that was somewhat forgotten amidst the many digital and cyber files this year.  

Blog

Blog

EU AI Act: what does it mean for your business?

Further under this month’s AI star sign, you can discover our latest blogpost on the AI Act, providing with all you need to know if you have missed discussions on the file up until now. Discover all about the objectives of the AI Act, the latest updates on its legislative process and the relevant implications for your business.  

READ ARTICLE
EU AI Act: what does it mean for your business?

Where to find us

It’s a busy end of the year at Publyon, as we are making sure we stay up-to-date with latest legislative developments and digital trends and create opportunities to meet with our readers.

This month, you will find our colleague Cathy Kremer at the European Business Summit on 28 & 29 November and at the D9+ Forum on 4 December, Guillaume Baudour and Irene Veth at the Young Professionals in Digital Policy on 6 December and Hazal Yilmaz on 30 November at the 3rd Annual Digital Consumer Event and on 5 December at the European Digital Competition Day 

Emmanuelle Ledure

Emmanuelle Ledure

Hi, my name is Emmanuelle and I am curating this monthly update to bring Brussels’ main digitalisation and technology insights to your inbox. I hope you enjoyed this edition of our update. We are always looking to provide our community with the most valuable content possible, and that starts with you. If you have any suggestions for topics you would like to see covered in our next edition, do not hesitate to reach out to me. 

Contact