The EU Commission presents next steps in the setting up of the Joint Cyber Unit
1. Background of the proposed changes
The COVID-19 pandemic has boosted digitalization and digital interaction at all levels of European society. Along with increased interconnectivity, however, came greater vulnerabilities and threats from a cybersecurity perspective.
In order to deliver seamless public digital services, the European Union (“EU”) focuses on increasing its cybersecurity capabilities, by implementing a series of measures announced in the EU’s Cybersecurity Strategy for the Digital Decade, communicated on December 16, 2020.
According to the Strategy, the European Commission (“Commission”) has been tasked with coordinating and implementing the setting-up of a new Joint Cyber Unit. The Joint Cyber Unit should become the infrastructure for increased cooperation between Member States and all the relevant EU cybersecurity institutions, bodies, and agencies, and for the full development of existing networks and communities with respect to information sharing, including with the private sector.
Further steps in this regard have been presented in the Commission’s Recommendation on the creation of the Joint Cyber Unit issued on June 23.
2. Cyber Joint Unit attributions
The Joint Cyber Unit is meant to function as a common EU platform for safe and efficient exchange of information among different cybersecurity communities and coordination and mobilisation of operational capabilities by relevant actors.
The Commission stresses that the Joint Cyber Unit would not be an additional, standalone body or affect the role and functions of existing authorities, but it would help bring them together and tap into each other’s expertise. The creation of the Joint Cyber Unit would rest on memoranda of understanding among the participants to the platform. Such participants should come from all cybersecurity communities, i.e., civilian, law enforcement, diplomacy, and defence.
The Joint Cyber Unit will have both a physical and a virtual presence. Its role is to bring together technical and operational crisis management experts from Member States and EU entities, in order to coordinate responses to cyber threats. The Commission hopes that the experts participating in the Joint Cyber Unit will be able to monitor and protect a much wider attack surface by making use of both the physical and virtual platform, especially in cross-border incidents.
3. Steps for setting-up the Joint Cyber Unit
The Commission aims for the Joint Cyber Unit to be operational by June 30, 2022. There are four main steps to be followed:
Financing for the creation of the physical and virtual platform of the Joint Cyber Unit and for creating and maintaining communication channels and improving detection capabilities will be ensured by the Commission mainly through the Digital Europe Programme.
Creating the Joint Cyber Unit is deemed by the Commission as an important step towards completing the European cybersecurity crisis management framework, within the EU Cybersecurity Strategy and the EU Security Union Strategy.
Cybersecurity remains a top priority for the Commission, given the increase of cyberattacks during the COVID-19 pandemic, which has shown the importance of vulnerabilities in critical infrastructure.
This article contains general information and should not be considered as legal advice.
On September 10, 2020, Advocate General Maciej Szpunar delivered his Opinion in Case C‑392/19 VG Bild-Kunst v Stiftung Preußischer Kulturbesitz, where a request for a preliminary ruling was lodged with the Court of Justice of the European Union (“CJEU” / “Court”) on May 21, 2019. In one of our previous articles1, we have analysed the opinion of the Advocate General Maciej Szpunar, mentioning that it will be interesting to see whether the CJEU will follow the reasoning of the Advocate General or whether it will stay faithful to the principles already established in its previous jurisprudence.
On March 9, 2021, the CJEU delivered its judgement in the case.
As a short reminder, the case concerns a conflict between Verwertungsgesellschaft Bild-Kunst (‘VG Bild-Kunst’), a copyright collecting society for the visual arts in Germany and Stiftung Preußischer Kulturbesitz (‘SPK’), a foundation under German law. According to the terms of the license offered by VG Bild-Kunst for the use of its digital library, the Deutsche Digitale Bibliothek (“DDB”), SPK was obliged to use technical measures to prevent third parties from framing the thumbnails of the protected works displayed on the DDB website.
The dispute that followed resulted in a question being referred to the CJEU, as to whether embedding a work (which is otherwise available on a freely accessible website with the consent of the rightsholder) in the website of a third party, by way of framing, constitutes communication to the public of that work within the meaning of Article 3 paragraph (1) of the Directive 2001/29/EC1, where embedding occurs through circumvention of the protection measures taken or instituted by the rightsholder.
Communication to the public is an exclusive right of the copyright holder. The stake of the preliminary question is therefore related to whether embedding copyrighted content by using the framing technique, in breach of technological measures imposed by the copyright holder, would constitute copyright infringement.
2. The reasoning of the CJEU
Although the ruling was not unexpected in terms of outcome, it was interesting to see that the CJEU’s reasoning diverged under certain aspects from the one proposed by Advocate General Maciej Szpunar in his Opinion delivered last October, namely:
The Court has firstly recalled that in the main proceedings the parties did not dispute the fact that publishing thumbnails as envisaged by SPK, from works protected by copyright belonging to the VG Bild-Kunst catalogue, constituted an act of communication to the public within the meaning of Article 3 (1) of Directive 2001/29 and was therefore subject to the authorization of rightsholders.
The Court has then reiterated the conditions for the existence of a communication to the public, namely:
Additional complementary criteria are to also be taken into consideration on a case-by-case basis.
At the same time, by reference to its previous jurisprudence, the CJEU has flagged out that posting content from another website by framing hyperlinking, when such framing conceals the source of the content, represents communication to the public. However, such communication would not require one to obtain a new authorisation from the rightsholder. This is since, in the CJEU’s view, the public (i.e., internet users) is not new and since the respective content had already been communicated through the same technology, i.e. the Internet.
The difference between the previous case-law and the current case was however that, in the case of the former, when the Court was asked to rule on the matter at hand, the relevant content had not been protected by any restrictive measure. Thus, in the absence of such restrictive measures for protecting the works, the Court found that the same were made available to all internet users.
Based on the above, the Court has conversely reasoned that, in a case where restrictive measures have been imposed by the rightsholder, the solution should differ. In this case, absent an intervention which would have circumvented the restrictive measures, only the users of the original website could have had access to the relevant content. In this respect the CJEU has noted that, in order to ensure legal certainty and the proper functioning of the Internet, “the copyright holder cannot be allowed to limit his or her consent by means other than effective technological measures”.
Although it has acknowledged that hyperlinking, whether by framing or not, contributes to the proper functioning of the Internet, being particularly important for the freedom of expression and information, the Court has reasoned that the act of making the relevant content available to all internet users despite the restrictive measures imposed by the rightsholder runs counter the exclusive and inexhaustible right of the same to authorize or prohibit any communication of their works to the public.
The Court has thus concluded that Article 3 paragraph (1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society must be interpreted in the sense that incorporating, by the technique of framing, in a web page of a third party, works protected by copyright and made available to the public on another website with the authorization of the copyright holder, when this incorporation circumvents protective measures against framing adopted or imposed by this holder, constitute communication to the public.
Apart from certain divergent aspects, the CJEU decision is in line with the Opinion of Advocate General Szpunar. At the same time, by reinforcing the rights of copyright holders in the context of automatic linking, the decision shows the continued commitment of the European institutions to interpret the law as to offer authors a high level of protection. The decision will represent a very important benchmark with regards to the consent provided by a rightsholder in relation to hyperlinking. The aspects underlined by the Court with regards to consent will provide rightsholders and courts with a test to establish when framing of a website’s content is allowed or not.
Moreover, the reasoning offered by CJEU seems to preclude the use of purely contractual means of restricting the embedding of such content on other websites. To this end, oversight measures might have to be taken by rightsholders on how licensees fulfil their obligations to protect the content. In this regard, rightsholders will need to ensure either that their licensees maintain the measures that they themselves have placed on the protected content, or that such licensees institute their own effective technological measures.
This article contains general information and should not be considered as legal advice.
In the recent years, cybersecurity has become one of the crucial areas that the European Union (“EU”) decided to invest in to get fit for the digital era. In order to acquire leadership and autonomy in this field, the EU takes steps to develop competencies, capacities and capabilities.
One step in this regard is represented by the draft regulation establishing a new EU body – the European Cybersecurity Industrial, Technology and Research Competence Centre (the “Competence Centre”), which has been adopted on April 20, 2021 by the Council of the EU.
2. Role of the Competence Centre
As it now stands, the draft regulation provides that the Competence Centre’s main mission is to help increase the security of critical network and information systems. In order to fulfil the same, it will perform a dual role:
From an organisational perspective, the Competence Centre will consist of (i) an executive director, (ii) a governing board, and (iii) a strategic advisory group. In its activity, it can also call upon the expertise of natural persons as ad-hoc experts.
The draft regulation also establishes the organisation of:
• the Network of National Coordination Centres (the “Network”) which will consist of state-owned entities with research and technological expertise in cybersecurity; and
• the Cybersecurity Competence Community (the “Community”) which will gather stakeholders that have cybersecurity expertise in various domains.
Both entities’ role will be to support the Competence Centre’s activity.
The Competence Centre will be headquartered in Bucharest, Romania and will work closely with the Network and the Community and, where appropriate, with the European Union Agency for Cybersecurity (“ENISA”), on the following main tasks:
Through this approach, the Competence Centre will put an end to the fragmentation of the research and development efforts throughout EU and will shape a strategic orientation for the future of cybersecurity.
3. Next steps
The draft regulation will be sent to the European Parliament, who has to provide its input on the Council’s position within three months and to either:
If amendments are proposed, the Council will have to examine the same and either approve them all or convene the conciliation committee.
According to the draft regulation, the European Commission is entrusted with setting up and running the Competence Centre until the same can operate independently. Thus, pending the final vote in the European Parliament, the European Commission already started discussions with the Romanian authorities on the practical aspects related to the
incorporation of the Competence Centre.
The EU’s initiative to build a centre for cybersecurity is more than welcome given the fragmentation of expertise and know how across more than 660 cybersecurity expertise centres that now exist throughout EU. The Centre is thus expected to help Member States take a proactive, longer term and strategic perspective to cybersecurity industrial
policy. This should fuel the EU’s competitiveness in this field in a time when safeguarding data and creating more diverse supply chains environments are in the spotlight.
1 More information are available here: https://ec.europa.eu/info/horizon-europe_en.
2 More information are available here: https://digital-strategy.ec.europa.eu/en/activities/digital-programme.
Cybersecurity is at the forefront of the European Union (“EU”)’s efforts to build a resilient, green and digital Europe. In this respect, on December 16, 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented the European Union’s new Cybersecurity Strategy for the Digital Decade1 (the “EU Cybersecurity Strategy”).
The EU Cybersecurity Strategy is an ambitious document aimed at ensuring secure and reliable digital tools and connectivity throughout Europe, being part of the broader EU digital strategy that aims to transform Europe in a global leader for digital economy.
We live in a world where vital sectors such as transport, energy and health, telecommunications, finance, security, democratic processes, space and defence rely more and more on increasingly interconnected network and information systems. In the near future, there will be an exponential increase in the number of interconnected devices throughout all the industries.
In order to help reduce the vulnerabilities presented by such interconnected devices, the EU started setting the stage, by creating the conditions for the integration of cybersecurity into all digital investments (particularly when it comes to technologies like Artificial Intelligence, encryption and quantum computing).
2. The structure of the Cybersecurity Strategy
The new EU Cybersecurity Strategy is divided into three parts: (i) resilience, technological sovereignty and leadership, (ii) building operational capacity to prevent, deter and respond and (iii) advancing a global and open cyberspace.
2.1 Resilience, technological sovereignty and leadership
This part of the Cybersecurity Strategy focuses on the EU’s critical infrastructure and essential services. In the EU’s view both the private and public sectors must be able to have a choice amongst the most secure infrastructures and services.
2.1.1. Reforming NIS Directive
According to the European Commission, the Directive on security of network and information systems (“NIS Directive”) is at the core of the Single Market for cybersecurity. However, there is a need to increase the level of cyber resilience of all relevant sectors, including energy, transport, health and the financial sector, that are fundamental for the economy and society. Moreover, reviewing NIS Directive will help reduce the inconsistencies across the internal market, and it will provide specific rules for strategically important sectors, so that to become more cyber resilient.
2.1.2. The role of ISACs, CSIRTs and SOCs
In the race to become more cyber resilient, an important role will be played by the Information Sharing and Analysis Centres (“ISACs”), Computer Security Incident Response Teams (“CSIRTs”) and Security Operations Centres (“SOCs”). These centres are set up by the public and private sector to tackle cybersecurity threats, by disseminating relevant information, identifying real-time anomalies or detecting the activity of malicious executables. Taking into account the importance of such centres, the European Commission is willing to spend over EUR 300 million to build a network of SOCs that would create collective knowledge and share best practices on fighting cyber threats.
2.1.3.Securing both the communication infrastructure and the next generation of broadband mobile networks
The Commission plans to work together with Member States to build a secure quantum communication infrastructure (“QCI”) for Europe, that will ensure the security of communications of public authorities. The QCI will be composed both of fibre communications networks and of linked satellites covering the EU and EU overseas territories.
In March 2019, the Commission equally started working on 5G technology and the need to have secure next generation of broadband mobile networks, by publishing a Recommendation on the Cybersecurity of 5G networks (“EU Recommendation”)
In October 2019 this was followed by the EU coordinated risk assessment of the cybersecurity of 5G networks and in January 2020, by the Cybersecurity of 5G networks EU Toolbox of risk mitigating measures (“EU 5G Toolbox”), a common set of measures meant to mitigate the main cybersecurity risks of 5G networks.
In October 2020, the European Council called on the EU and the Member States “to make full use of the 5G cybersecurity toolbox” and “to apply the relevant restrictions on high-risk suppliers for key assets defined as critical and sensitive in the EU coordinated risk assessments, based on common objective criteria”.
In December 2020, the European Commission has published a report on the impact of the EU Recommendation, showing that Member States had made significant progress in implementing the EU 5G Toolbox, albeit with some variations and remaining gaps. However, the European Commission has encouraged Member States to continue implementing the main recommendations of the 5G Toolbox by the second quarter of 2021.
2.1.4. Keeping IoT and Internet secured
The European Commission will adopt the first Union Rolling Work Programme, as required by Article 47 of the Regulation 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) in the first quarter of 2021. The Rolling Work Programme has the role to identify strategic priorities for future European cybersecurity certification schemes.
The European Commission is also considering enacting new horizontal rules for bolstering connected product cybersecurity, such as a duty for software manufacturers to address software vulnerabilities (for example, by continuing to provide software updates and to erase personal and sensitive data at the end of the lifecycle of the software product). Cybersecurity will be strengthened also in motor vehicles and some wireless products.
The European Commission will also be creating a contingency plan for extreme scenarios affecting the integrity and availability of the global DNS root system.
2.1.5. The importance of the technology supply chain
EU’s ambitions are to propel its Industry Strategy2 and leadership in digital technologies and cybersecurity across the digital supply chain (including data and cloud, next generation processor technologies, ultra-secure connectivity and 6G networks), in line with its values and priorities.
An important role will be played by the proposed Cybersecurity Industrial, Technology and Research Competence Centre and Network of Coordination Centres (“CCCN”) that will be located in Bucharest, Romania. The CCCN, alongside the industry and the academic communities, will help developing the EU’s technological sovereignty in cybersecurity, building capacity to secure sensitive infrastructures.
2.1.6. Developing cyber skills
EU plans to massively invest in upgrading the digital skills of its workforce, especially by raising cybersecurity awareness among children, young people, and small and medium companies.
2.2. Building operational capacity to prevent, deter and respond to cyberthreats
A Joint Cyber Unit is envisioned as part of building the EU’s operational capacity for fighting cybersecurity threats. The European Commission will work with the Member States and relevant EU institutions and agencies to build the Joint Cyber Unit not as a standalone body, but as a virtual and physical platform coordinating the different cybersecurity communities (private and public) in the EU against major cross border incidents and threats.
The objectives of the Joint Cyber Unit wouldbe to:
The steps for defining, preparing, deploying and expanding the Joint Cyber Unit must be presented by the European Commission by February 2021.
However, building resilience capacity is not sufficient to remove cybersecurity threats. The European Commission also plans to strengthen the response capacity of enforcement authorities, by providing them with the necessary skills and tools. One of the stringent problems the European Commission will work on is providing access to electronic evidence for criminal investigations in different jurisdictions. In this regard, the European Commission has prepared a package of proposals regarding e-evidence, which it hopes will be adopted swiftly by the European Parliament and by the Council.
Cybersecurity resilience also entails diplomatic response. In May 2019, the EU introduced its legal framework for targeted restrictive measures against cyber-attacks. To date, eight individuals and four entities involved in or responsible for cyber-attacks were listed. The EU is committed to further increase its efforts to strengthen the cooperation with international partners in order to develop cooperative diplomatic responses.
Not only diplomatic, but strengthened military response is planned. The Cyber Defence Policy Framework (“CDPF”) will be reviewed, and Member States together with the EU are encouraged to develop state-of-the-art cyber defence capabilities through different EU policies and instruments.
2.3. Advancing a global and open cyberspace
The overarching goal of the EU is promoting a model of cyberspace rooted in in the rule of law, human rights, fundamental freedoms and democratic values.
In order to promote these values, the EU will have to:
3. Cybersecurity in European institutions
This part of the Cybersecurity Strategy takes stock of the current situation of cybersecurity in relation to EU institutions. Progress is reported on protection of EU classified information as well as sensitive non-classified information. However, there is still a limited interoperability of classified information systems, which prevents entities to seamlessly transfer information. Moreover, the level of awareness of cyber risks needs to be raised within EU institutions.
Therefore, a Regulation on Information Security in the EU institutions bodies and agencies and a Regulation on Common Cybersecurity Rules for EU institutions, bodies and agencies are proposed as strategic initiatives.
The EU Cybersecurity Strategy sets ambitious goals, both in terms of new regulations, as well as in terms of international cooperation. Nevertheless, as long as cyber crime remains extremely profitable for perpetrators (with an annual estimated cost of cyber crime to the global economy in 2020 of €5.5 trillion, double that of 2015), the safety of critical infrastructures and goods of ordinary citizens and companies will continue to be threatened. Thus, EU will need to step up efforts in order to be able to counteract the cyber-attacks of the future.
* This article contains general information and should not be considered as legal advice.
1 More details can be found here: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2391
2 More information can be found here https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-industrial-strategy_en
As the recent pandemic showed, the modern world fully relies on the good functioning of the electronic communication sector. Communication plays an important part these days for individuals, businesses, public authorities, and the implementation of 5G technology will create the premises for enhancing the way society uses and benefits from the electronic communication sector.
However, it is said1 that the implementation of 5G technology comes with its own risks. Currently, the European Union Member States are analyzing the measures to be adopted with a view to mitigating such risks. One important risk is closely related to ensuring the protection of national security, and in this respect certain strategic measures are envisaged2 in accordance with the 5G EU Toolbox3.
Undoubtedly, States have a legitimate and sovereign interest to issue enactments intended to protect the national security from adverse foreign actions. However, measures taken in this respect should not be at odds with the rule of law (including without being limited to the observance of national constitutions and of the EU legislation), human rights and freedoms and obligations under international treaties and conventions.
Electronic communication providers and equipment suppliers have agreements in place that cover the equipment already purchased, ordered or contracted (e.g., based on a promise to purchase) for the purposes of the 4G network (the “Existing Equipment”).
It is also envisaged that such equipment will be used in the deployment of 5G networks. In case electronic communication providers were prohibited to purchase equipment from certain suppliers for 5G network purposes, they may no longer be able to use the Existing Equipment to that effect.
In case the relevant prohibition infringed national, European or international law (and there are multiple sources warning against such potential infringement as a result of the implementation of the so-called “strategic measures”4), claims for compensation from mobile operators and equipment suppliers might potentially ensue.
This article provides a preliminary overview of some of the potential types of compensation that might be sought in such a case pursuant to Romanian law and the European Convention on Human Rights5 (“ECHR”) and related practice of the European Court of Human Rights (“ECHR Court”).
2. Types of compensation under Romanian law
2.1. Tortious liability claim against Romania
In case the restrictions that would be adopted by Romania would infringe national, European or international law, mobile operators could well be entitled to seek compensation by submitting tortious liability claims against Romania (“Tortious Claim”).
The compensation claims could for instance refer to damages incurred by the mobile operators as a result of contractual claims that might be filed by equipment supplier as a result of the inability of the mobile operators to perform further to the potential restrictions.
Should such contractual claims be upheld by the relevant courts, the mobile operators may be compelled to pay compensation for damages. The mobile operators may then seek to recover those amounts from Romania, including interest, the inflation indexation and litigation expenses.
Even assuming there will be no contractual claims from equipment suppliers (either because these would not be possible or because equipment suppliers would simply decide not to pursue mobile operators), the mobile operators may still decide to seek from Romania compensation for tortious liability.
Such compensation may for example refer to the following: (i) the amounts paid by mobile operators for already purchased equipment they could no longer use, (ii) the price difference between the equipment to be purchased from a new supplier and the one that could have been provided by the initial supplier, (iii) any additional amounts that would be incurred as compared to a scenario where the initial equipment could be used or purchased (e.g. higher maintenance costs, higher personnel training fees, etc.) and (iv) loss of business occurred, for example, as a result of higher prices to customers due to higher costs.
2.2. Indirect expropriation
Indirect expropriation is another potential cause of action based on which mobile operators could potentially seek compensation under Romanian law for the value of the business lost or the significant decrease of the business value as a result of the impossibility to use already purchased 4G equipment.
As it has transpired in the media6, it can be reasonably assumed that such restriction would trigger tremendous additional costs and delays for deploying 5G networks, which could in turn lead to mobile operators being forced to exit the market or to lose a substantial share thereof.
This could be seen as a downright expropriation of the mobile operators’ business, as a result of legislative measures.
However, according to Article 44 paragraph 3 of the Romanian Constitution “Noone can be expropriated unless for a public utility reason, declared as such by law, subject to equitable and prior compensation”. The Romanian Constitution makes no distinction regarding the type or object of the expropriation. And although at present there are no laws regulating in detail the procedures for claiming compensation in such cases (unlike the cases where the expropriation concerns immovable assets), the ECHR Court practice makes it clear that indirect expropriation (i.e., loss of an asset or business or significant decrease of the value thereof due to State measures) requires compensation just like direct expropriation (when the State takes over the relevant asset or business).
As ECHR provisions prevail over the national legislation and even over the provisions of the Romanian Constitution, one could argue that compensation for indirect expropriation should be awarded in Romania also where, for instance, the value of business was substantially diminished or the authorization to carry out a certain economic activity has been withdrawn. Compensation for indirect expropriation can be thus sought where the business loss was so drastic that it can be assimilated with an actual seizure thereof7.
Conversely, it can be argued that businesses are to act on the market only in accordance with and within the limits of the applicable legislation, there being Romania’s sovereign right to issue legislation (so that any losses incurred due to legislation being adopted would be merely seen as a business risk). However, international law provides certain limitations and compensation mechanisms arising from a State’s sovereign right to enact legislation, to the extent that the latter infringes certain fundamental principles.
3. Claims under the ECHR
It is well established that the ECHR Court awards compensation for damages resulting from violations of the ECHR. This happens when the claimant fails in its attempts before the national courts.
Hence, should mobile operators seek compensation before Romanian courts due for instance to indirect expropriation or other infringements of the ECHR (such as discrimination, e.g. as compared to mobile operators having purchased 4G equipment from other suppliers than those subsequently restricted, or the right to a fair trial, e.g. when claimant would be unduly prevented from having access to certain classified information in order to properly state its case) and these would reject mobile operators’ claims, legal action before the ECHR Court would not be excluded.
In the event that a claim filed by the mobile operators proved to be successful before the latter court, compensation that might be awarded there to could for instance include (i) compensation for financial damages (arising from the harmful consequences of the violation8), (ii) compensation for indirect expropriation, (iii) monetary compensation for non-financial damages; this could be for instance the case of compensation for moral damages9; and (iv) litigation costs and expenses incurred both before the national courts, and subsequently in the proceedings before the ECHR itself (fees for legal assistance, court registration fees, travel, accommodation, and daily allowance costs incurred when attending hearings, etc.).
The importance of ensuring the security of critical infrastructures is paramount. However, under the rule of law, this objective may only be achieved with lawful means. Should restrictive measures be adopted without observing the limitations and safeguards stemming from national and European legislation or the international law, mobile operators (as well as other parties that may incur prejudices) may potentially rely on various causes of action to seek compensation from Romania.
In order to mitigate risks of lengthy and costly litigations and/or significant delays in the implementation of 5G networks in Romania and/or prohibitive prices of 5G services that would eventually be borne respectively by taxpayers and consumers, Romania should carefully assess any restrictive measure it would seek to enforce to this effect from a legal perspective. Seen the dangers raised by the strategic measures referred to in the EU5G Toolbox if implemented in an improper manner, properly balanced and thoroughly thought out technical measures may eventually prove as a safer alternative.
This article contains general information and should not be considered as legal advice.
1 More information can be found here https://www.eubusiness.com/topics/internet/5g-security, here https://www.euractiv.com/section/cybersecurity/news/political-need-for-5g-cybersecurity-certification-enisa-head-says/ and here https://www.enisa.europa.eu/news/enisa-news/enisa-draws-threat-landscape-of-5g-networks
2 Such as, amongst others, (i) assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risk – including necessary exclusions to effectively mitigate risks – for key assets (so-called “vendor screening”) and (ii) ensuring that each electronic communication provider that will deploy 5G networks has an appropriate multi-vendor strategy that promotes the existence of more suppliers in order to avoid or limit any major dependency of one supplier (or of similar high-risk suppliers)
3 Cybersecurity of 5G networks EU Toolbox of risk mitigating measures (“5G EU Toolbox”) was created based on the EU coordinated risk assessment of 5Gnetworks security and lays out a range of security measures aimed at mitigating risks effectively and ensure secure 5G networks are deployed across Europe. The EU 5G Toolbox presents detailed mitigation plans for each of the identified risks and recommends a set of key strategic and technical measures, which should be taken by all Member States and/or by the Commission. It also provides guidance in the selection and prioritisation of measures that should be part of national and EU risk mitigation plans. The ultimate goal is to create a robust and objective framework of security measures, which will ensure an adequate level of cybersecurity of 5G networks across the EU, through coordinated approaches among Member States. It intends to present a risk-based approach that should be solely based on security grounds. Such approach is in full respect of the openness of the EU internal Market as long as the EU security requirements are respected.
4 See for instance, with respect to potential infringements of international obligations, EU legislation and current telecommunications framework Ioannis Glinavos, „Huawei and ISDS: 5G Infrastructureand Investment Claims”, Kluwer Arbitration Blog, June 11 2020, http://arbitrationblog.kluwerarbitration.com/2020/06/11/huawei-and-isds-5g-infrastructure-and-investment-claims/, Andrew D. Lipman, Partner, Washington, DC, Christina Renner Partner, Brussels, Morgan Lewis „Securing 5G Networks in the EU: High-Risk Vendors or High-Risk Legislation?”, https://www.jdsupra.com/legalnews/securing-5g-networks-in-the-eu-high-91517/, Ion Dragne, Alexandru Dragne, Dragne & Associates, „Germany and Austria: Forerunners of 5G Security Measures? https://www.dragne.ro/germany-and-austria-forerunners-of-5g-security-measures/ Legal challenges in implementing the 5G EU toolbox and potential damaging effects on electronic communication providers and consumers, Alina Popescu, Cristina Crețu, Maravela, Popescu & Asociații, “Legal challenges inimplementing the 5G EU toolbox and potential damaging effects on electronic communication providers and consumers” https://www.lexology.com/library/detail.aspx?g=f87c09e8-d1c2-4930-8217-9141ee3b330f.
5 The European Convention on Human Rights (formally the Convention for the Protection of Human Rights and Fundamental Freedoms) drafted in 1950 by the Council of Europe and signed on November 4, 1950, in Rome. The convention entered into force on 3 September 1953. Romania is a signatory of the Convention.
6 More information is available here https://uk.finance.yahoo.com/news/deutsche-telekom-describes-potential-huawei-ban-as-armageddon-scenario-101041104.html and here https://www.handelsblatt.com/technik/it-internet/ausschluss-von-netzausruester-armageddon-szenario-telekom-spielt-huawei-bann-durch/25918402.html (in German)
7 Case no. 3991/03 of Bulves AD against the Republic of Bulgaria, Case no. 18928/91 of Fredin against Sweden, Case no. 51728/99 of Rosenzweig and Bonded Warehouses LTD. against Republic of Poland.
8 In establishing the amount of the compensation, the principle is that the claimant should be placed, as far as possible, in the position in which they would have been had the ECHR violation found not taken place. Both the loss actually suffered and the loss of opportunities to gain, to be expected in the future are to be part of the compensation
9 The ECHR Court has previously upheld the protection of the rights to reputation of the companies as moral persons. See for instance Case Tønsbergs Blad AS and Haukom v. Norway.
1. What is the 5G EU toolbox
On January 29, 2020, the European Commission adopted the Communication that endorsed the Cybersecurity of 5G networks EU Toolbox of risk mitigating measures (“5G EU Toolbox”)1. The scope of the 5G EU toolbox is to pencil out a coordinated European approach based on a common set of measures aimed at mitigating the main cybersecurity risks of 5G networks2 namely:
Some of the strategical measures, such as for example (i) assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risk – including necessary exclusions to effectively mitigate risks – for key assets (so-called “vendor screening”) and (ii) ensuring that each electronic communication provider that will deploy 5G networks has an appropriate multi-vendor strategy that promotes the existence of more suppliers in order to avoid or limit any major dependency of one supplier (or of similar high-risk suppliers), may be perceived as very intrusive.
Whilst protecting national security from adverse foreign actions is by all means a legitimate goal, the measures referred to above may be at odds with the existing electronic communication legal framework (as well as with fundamental principles, human rights, freedoms and investment protection standards under EU law, international law and national legislations).
Moreover, it can be reasonably expected that such measures may under certain circumstances severely damage, amongst others, electronic communications providers, the electronic communication market and ultimately consumers.
2. The implementation of the 5G EU toolbox may only be made in accordance with EU law and national legal framework
The European Commission called on Member States to take steps to implement the set of measures recommended in the 5G EU Toolbox, leaving the decision to choose specific security measures in the hands of each Member State.
Nonetheless, seen the procedure for its adoption and as it is a non-binding document, the 5G EU Toolbox may not be construed as derogating from the EU treaties, the EU legislation or the Romanian law. Indeed, according to Article 148(2) of the Romanian Constitution, only the EU treaties and mandatory EU enactments take precedence over national law.
This being the case, the recommendations within the 5G EU Toolbox could only be implemented at national level within the limits of the existing EU and national legal framework.
3. Ensuring compliance with the current electronic communications framework
Ensuring compliance with the existing legal framework of the restrictive measures set out in the 5G EU toolbox is no easy feat.
For example, both the EU and national legislations require that the principles of objectivity, transparency, proportionality and non-discrimination are observed3 whenever new obligations are imposed on electronic communications providers. At the same time, any implemented measure must not lead to an infringement of the obligation to ensure a regulatory framework that is predictable, secure and consistent4.
Requiring electronic communication providers to give up or drastically reduce the use of equipment produced by certain suppliers (further to vendor screening and/or multiple vendor requirements), appears to come counter the essential obligation of ensuring the predictability, security and consistency of the legal framework, to the extent that providers have already purchased equipment from those suppliers.
Furthermore, it seems very difficult to draft and enforce vendor screening or multi-vendor regulations in such a way as not to give rise to massive discrimination between electronic communication providers.
It also seems a very complicated task to ensure that transparency and proportionality requirements are observed in case of vendor screening restrictions grounded on national security considerations that are likely to be, by their very nature, subject to secrecy and which may even be, in certain cases, the exclusive and discretionary prerogative of intelligence and defence authorities.
In any case, it is very important for Member States to closely scrutinize all potential legal issues triggered by the implementation of restrictive measures and to find appropriate solutions to ensure that no infringements of applicable European, international and national laws occur.
Given the size and variety of the legal challenges in implementing the 5G EU Toolbox, it is to be expected that Member States will reach very different regulatory solutions that may greatly complicate the functioning of the electronic communication markets within the EU, ultimately putting EU’s technological advances at risk.
From this perspective, it may be more appropriate for the various measures and their limits to be established by mandatory enactments (rather than non-binding documents) adopted at EU level, following the well-established EU legislative process, which encompasses significant consultations with all stakeholders and, importantly, the involvement of the European Parliament.
4. Potential damages to electronic communication providers and consumers
It is well known that, in a first stage, the electronic communication providers holding 5G Spectrum licences will build the new network starting from the already installed 4G equipment.
Considering the significant investment costs of 4G and 5G technologies, it is reasonable to expect that, in deciding whether to implement 4G networks, electronic communication providers equally considered the fact that the 4G equipment would be eventually used also to support 5G implementation. This would have ensured an efficient investment when deploying the electronic communication networks, in line with the current telecom framework5.
Applying a set of measures that would force certain providers to discard investments already done would trigger huge additional costs in the charge of those suppliers.
It is after all not for nothing that, according to recent press articles6, an internal Deutsche Telekom report stated that a ban on using network equipment from a certain equipment supplier would constitute a real “Armageddon”. Indeed, pursuant to said report, the replacement equipment would cost the company billions of Euros.
Thus, electronic communication providers having purchased equipment that would be subject to restrictions would be put at a tremendous disadvantage as compared to their competitors that had different suppliers at the time when 4G networks were created. Such differences would furthermore have cascading effects on competition on the market at all supply chain levels, severely affecting all undertakings involved and substantially distorting competition.
This may severely affect both to consumers and tax payers: firstly, because they maybe passed on all the additional costs triggered by the restrictive policies (which can be expected to encompass, inter alia, not only the additional investments themselves but also potentially significant litigation costs ensuing from the restrictive measures being challenged by the concerned undertakings); secondly, because competition distortions of such magnitude may give rise to dominant positions or even monopolies, inherently leading to potential abuses, higher prices, lower quality, less variety of products and services and delayed innovation.
Needless to say that this may also lead to prohibitive costs for certain consumers and undertakings, which may deprive a substantial part of the population and of the small enterprises of the loudly hailed benefits of the 5G technology.
At last, there is the time issue: according to the above-mentioned report of Deutsche Telekom, replacing equipment may take them up to five years. This may either potentially take concerned providers out of the market (as meanwhile their competitors would develop the network and start operating quicker and presumably at much lower costs) or delay the technological advances of the countries thus restricting the implementation of 5G technologies.
In trying to protect European and national values and security, there is a high risk that both Europe and Member States end up (i) breaching fundamental principles and values that are at the core of the European and national legislation as well as of the rule of law and democracy, (ii) creating severe distortions on the electronic communication markets and thereby severely disturbing the national economies concerned, and Europe’s global position and (iii) significantly delaying technological advances that may be otherwise enabled by 5G technologies.
Whilst ensuring security of critical infrastructures is a must, attaining it might require different solutions that should be carefully sought by the relevant public stakeholders, in accordance with the EU treaties and the principles set out in the existing national and European legislation, and ideally with the strong participation of citizens and private undertakings in the resolution of the issues concerned, as recently envisaged at section 21 of the draft national security strategy send to the Parliament by the Romanian President7.
This article contains general information and should not be considered as legal advice.
1 More information is available here https://ec.europa.eu/commission/presscorner/detail/en/IP_20_123
2 As identified in the EU coordinate risk assessment report. More information is available here https://ec.europa.eu/commission/presscorner/detail/en/ip_19_6049
3 As per Article 24 paragraph (2) of Emergency Ordinance no. 111/2011 on electronic communications (“EO no. 111/2011”).
4 As per Article 8 of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (“Framework Directive”).
5 Article 5 of Government Emergency Ordinance no. 22/2009 provides that the National Authority for Management and Regulation in Communications (“ANCOM”) must ensure an efficient usage of the limited resources in the field of electronic communications, including by encouraging efficient investments in infrastructure and by promoting innovation. The Directive (EU)2018/1972 of the European Parliament and of the Council establishing the European Electronic Communications Code (“EEC Code”) states the same principles
6 More information is available here https://uk.finance.yahoo.com/news/deutsche-telekom-describes-potential-huawei-ban-as-armageddon-scenario-101041104.html and here https://www.handelsblatt.com/technik/it-internet/ausschluss-von-netzausruester-armageddon-szenario-telekom-spielt-huawei-bann-durch/25918402.html (in German)
7 Source of information: https://www.g4media.ro/exclusiv-fenomenul-coruptiei-evacuat-aproape-complet-de-presedintele-iohannis-din-noua-strategie-de-aparare-a-tarii-serviciile-secrete-nu-mai-au-ca-tinta-strangerea-de-informatii-despre-actele-de-co.html
The way technology is used has changed significantly in the past decade and continues to change at a rapid pace, disrupting the way people interact both within the private and the public sector.
Advances in technology make possible achieving efficiencies by streamlining processes, open markets for new products and services, and help communities reach social goals. Data, both personal and non-personal, is at the core of these changes. The European Union strives to harness the power of data to drive innovation forth while observing European values and human rights.
On February 19, the European Commission unveiled its strategy for Europe’s digital future, a strategy that aims to be the stepping stone for creating an effective single market for data in the European Union (the “Digital Strategy”). On the same day, the European Commission released a communication on the European data strategy, as well as a White Paper on Artificial Intelligence (the “AI White Paper”), highlighting the benefits, but also the risks of artificial intelligence and proposing human-centred policy options.
2. Objectives of the Strategy
The Digital Strategy sets the objectives of the European Commission for the next five years. It rests on three main pillars:
(i) technology that works for people;
(ii) a fair and competitive economy; and
(iii) an open, democratic and sustainable society.
The main ideas of the Digital Strategy revolve around safety of and trust in the digital services and infrastructure. Europe’s ambition is to create its own resilient networks and communications infrastructure, so that it is less dependent on technologies from other parts of the world and may freely instil its values, rules and standards in the European economic ecosystem.
2.1. Technology that works for people
The Digital Strategy promotes:
(i) investing in research and development for the creation of digital capacities in AI, cyber, super and quantum computing, quantum communication and blockchain; investments in AI are discussed in more detail in the AI White Paper;
(ii) accelerating investments in connectivity infrastructure (including 5G and future 6G);
(iii) encouraging private-sector investments in digital innovation, to complement the EU funding that shall be made available;
(iv) increasing cybersecurity, including by creating a European cybersecurity strategy and establishing a joint Cybersecurity Unit, as well as a single market for cybersecurity;
(v) equipping citizens with the necessary digital skills.
It is noteworthy that the European Commission places a heavy focus on investments in research and development and innovation, but also in security and enhancing human digital skills. Indeed, it is already apparent that having the infrastructure alone cannot help societies reap the benefits of technology, as long as a majority of citizens cannot fully use the digital tools at their disposal.
2.2. A fair and competitive economy
The main goals of this objective are:
(i) to reduce Europe’s dependency on technologies controlled by non-European entities;
(ii) to create a level playing field for both tech giants and SMEs;
(iii) to adapt EU competition law rules to the digital environment.
The central role of competition-related goals reflects the pioneering work of the Commission and of other European competition authorities in regulating aspects of the technology market, in particular as regards large players and their perceived abuses.
2.3. An open, democratic and sustainable society
By its third objective, the Digital Strategy aims to:
(i) strengthen and modernise the rules applicable to digital services, for increasing and maintaining trust in such services;
(ii) protect democracies from specific digital environment threats, such as targeted and coordinated disinformation;
(iii) clarify the rules on responsibilities and liability of online platforms and information service providers, as well as enforce existing rules;
(iv) implement electronic identification of citizens;
(v) support the transition to decarbonisation and a climate-neutral society.
By its Digital Strategy, the European Commission recognizes the major impact of the technology society in various aspects of society, including politics, the impact of tech companies on the economy and the interplay between large companies and SMEs or consumers, security and environment, all major challenges of today’s world.
Well-thought, multi-angled strategy responding to today’s needs shows proficiency of policy making at EU level. We will closely follow the developments in this exciting sector and will report on the findings.
Who would have believed that what we had only seen in movies or we read about in our childhood would eventually become real in our lifetime?
We are witnesses and co-creators to the fourth industrial revolution, where artificial intelligence, robotics and advanced automation will bring about changes at every level and in every sector of our society.
In this context, unmanned aircraft systems (UAS) or drones are one of the most innovative and disruptive technologies of our day. Their exponential growth is determined by the new services associated with new jobs, new business and new opportunities. We see that drones are used now in sectors that once were reserved only to nature itself; a mega-corporation recently filed a patent for ‘pollination drones’ that could act like bees and there is only one step until flying cars will arrive.
The drone services market is estimated to increase from €200m to several billion by 2020 with a direct impact on drone services providers and indirect impact that will determine a wider EU market.
European Union regulatory framework
Currently, the European Union member states have competence to regulate the UAS with a maximum take-off mass (MTOM) of less than 150kg that are not used for military, customs, police, firefighting, search and rescue, and experimental work, as per Regulation (EC) no 216/2008 of the European Parliament and of the Council of 20 February 2008 on common rules in the field of civil aviation and establishing a European Aviation Safety Agency, and repealing Council Directive 91/670/EEC, Regulation (EC) no 1592/2002 and Directive 2004/36/EC (Regulation no 216/2008).
Therefore, for the safe and effective use of the airspace and the need for protection of citizens based on safety, security, privacy and the environment, a new proposed regulation is currently under discussion between the Council, the European Commission, and the European Parliament, aiming to harmonise the member states’ internal legislation, extend the competence of the EU to regulate all UAS regardless of their MTOM. The new regulation is to be adopted by the end of 2018.
Until the new regulation comes into force, the Romanian regulatory framework applicable to drones is trying to keep up with this fast development.
Flying a drone under Romanian regulatory framework
At present, Romanian legislation in the field consists of Regulation no 216/2008, Civil Aeronautical Code, government decisions, ministry’s orders and directives issued by the Romanian Civil Aeronautical Authority (RCAA), which provides that any UAS with a MTOM over 0.5kg should be registered with the RCAA, should bear an electronic identification device and a national identification mark imprinted on it.
Any UAS with a MTOM over 15kg should obtain a national flight permit and a flight authorisation based upon a flight plan submitted with the RCAA by the drone operator and a proof of a third-party liability insurance concluded for the UAS.
There are certain restrictions imposed for UAS flight and take-off/ landing. The flights below 300m height above the densely populated area or any flight outside the densely populated area below 150m height and UAS are forbidden. In addition, the activities of aerial photography or filming or any flight over Bucharest below 3,000m height should be performed based on a prior approval issued by the National Defence Ministry, drones distributors should be authorised by the RCAA.
The Romanian Transport Ministry and RCAA are trying to adapt to this fast-changing industry having published a draft updating the internal regulation applicable to drones. The draft aims to separate the commercial flight activity from the sport, recreational, research and development flights, as well as to create a framework for the latter to be operated. The UAS registration with the RCAA will be mandatory for any drone with a MTOM over 0.25kg and specific conditions are imposed for a drone with a MTOM less than or equal to 25kg to fly without a flight authorisation document.
A market emerges
The drone industry is growing fast and every week we see press releases on what new areas drones are being used for. Today, drones are used in some sectors that once were reserved for helicopters and aeroplanes because they are easily available and are faster than traditional aeronautical transportation.
The present uses for drones are currently in various economical fields: exploration, precision farming, security, media, aerial inspection, energy exploration, delivery, oil rig delivery, but there are new drone uses which are still in the experimental and research stages. Without doubt, we will also see many hundreds of new uses for drones in the coming years.
Although Romania has a few well recognised manufacturers, the direct impact on drone service providers is insignificant. Once the new regulation will enter into force, this domain will witness an exponential growth. But for the time being, the national regulation framework is perceived as restrictive by the Romanian drone owners.
But not only the economy and the existing aviation systems need to adapt to this disruptive technology. Along with its many uses, there are sensible areas on which drones’ impact is also disruptive, such as privacy, data protection and competition. We will see in the coming years how these areas will be affected and what rules a drone operator/ owner should follow.