Friday, 2 December 2022

EU foreign policy sanctions: extending and using EU criminal law powers to enforce them

 




Professor Steve Peers, University of Essex

Photo credit: Pierre Blaché, via Wikicommons

*This blog post draws upon research for the forthcoming 5th edition of EU Justice and Home Affairs Law (OUP, 2023)

On Monday this week, the EU Council adopted a decision to extend EU criminal law competence to cover EU foreign policy sanctions. Today, the EU Commission proposed a Directive that, if agreed, would use that competence to harmonize the criminal law of Member States on this issue. The following blog post analyses in turn the decision and the proposed Directive, in order to assess the potential impact.

The Decision extending competence

The legal context: criminal law

The context of the Decision is the Treaty framework on the EU’s power to harmonize substantive criminal law. That power is set out firstly in Article 83 of the Treaty on the Functioning of the European Union (TFEU), in particular Article 83(1), which reads as follows:

1. The European Parliament and the Council may, by means of directives adopted in accordance with the ordinary legislative procedure, establish minimum rules concerning the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis.

These areas of crime are the following: terrorism, trafficking in human beings and sexual exploitation of women and children, illicit drug trafficking, illicit arms trafficking, money laundering, corruption, counterfeiting of means of payment, computer crime and organised crime.

On the basis of developments in crime, the Council may adopt a decision identifying other areas of crime that meet the criteria specified in this paragraph. It shall act unanimously after obtaining the consent of the European Parliament.

As can be seen, the second sub-paragraph lists ten crimes (commonly referred to as ‘Eurocrimes’) which the EU has competence to harmonize. That competence involves not only the ‘definition of criminal offences’ but also ‘sanctions’, ie the length of jail terms and/or other sanctions that can be imposed as part of the criminal law. However, these are ‘minimum rules’ – meaning that Member States can add to them as part of their criminal law.

Since the Treaty of Lisbon entered into force in 2009, the EU has adopted Directives regarding most of the ten Eurocrimes, in most cases replacing older forms of EU law adopted before the Treaty of Lisbon entered into force. The exceptions are arms trafficking, corruption, and organized crime – although there are pre-Lisbon EU laws concerning the latter two crimes, and other EU legislation concerning firearms that falls short of adopting criminal sanctions for arms trafficking. In any event, as we shall see, some arms trafficking will fall within the scope of the new EU competence regarding criminal law and EU foreign policy sanctions.

Opt-outs apply to the new Decision: Denmark is entirely opted out of EU criminal law adopted after the Treaty of Lisbon, while Ireland chose to opt in. We can only speculate whether the UK would have chosen to opt in or not.

Since the Treaty of Lisbon, ordinary CJEU jurisdiction applies in this area – meaning that national courts can ask the CJEU questions about the validity and interpretation of EU Directives on substantive criminal law. (There have only been a few such references to the CJEU by national courts). The EU Commission can also bring infringement proceedings against Member States for late or inaccurate transposition of the Directives which the EU adopts.

Finally, the context of EU criminal law includes the other related competences of the EU. Article 83(2) provides for the EU to adopt criminal law harmonization Directives also in other areas of criminal law, where this ‘proves essential to ensure the effective implementation of a Union policy in an area which has been subject to harmonisation measures’. This has, for instance, been used to adopt a Directive on fraud against the EU’s financial interests. (It might be argued that foreign policy sanctions already fell within the scope of Article 83(2), so the recent decision extending the list of ‘Eurocrimes’ was unnecessary, but the EU thought otherwise)

Furthermore, Article 82(1) gives competence to adopt measures on mutual recognition in criminal matters, along with other forms of cooperation between criminal law authorities, while Article 82(2) gives competence to adopt harmonization measures on national criminal procedure – listing evidence, victims’ rights, and fair trials as areas where the EU can act. Article 84 gives limited powers regarding crime prevention; Article 85 gives powers relating to Eurojust, the EU agency on cooperation between prosecutors; and Article 86 provides for a European Public Prosecutor’s Office (EPPO) to be set up.

In practice regarding those other powers, since the Treaty of Lisbon, the EU has adopted a few mutual recognition measures, a law on victims’ rights, six Directives on fair trials, and Regulations on Eurojust and the EPPO. Most of these laws update pre-Lisbon legislation (except the fair trials Directives and the EPPO Regulation); and there is still an important batch of pre-Lisbon law on mutual recognition (most significantly, the European Arrest Warrant law). Some of this legislation generates CJEU case law – mostly regarding the European Arrest Warrant, but also there are judgments on most of the fair trials directives and most of the other mutual recognition measures.

The legal context: EU foreign policy sanctions

Unlike the other Eurocrimes listed in Article 83(1), there is a body of EU law already in this field. This has been built up on the basis of two related powers to act: first the EU’s powers to adopt Decisions on foreign policy sanctions (along with other foreign policy issues) on the basis of Article 29 of the Treaty of European Union (TEU). Secondly, Article 215 TFEU, which provides for most of those foreign policy sanctions to be paralleled in the form of ordinary EU law (in practice, Regulations):

1. Where a decision, adopted in accordance with Chapter 2 of Title V of the Treaty on European Union, provides for the interruption or reduction, in part or completely, of economic and financial relations with one or more third countries, the Council, acting by a qualified majority on a joint proposal from the High Representative of the Union for Foreign Affairs and Security Policy and the Commission, shall adopt the necessary measures. It shall inform the European Parliament thereof.

2. Where a decision adopted in accordance with Chapter 2 of Title V of the Treaty on European Union so provides, the Council may adopt restrictive measures under the procedure referred to in paragraph 1 against natural or legal persons and groups or non-State entities.

3. The acts referred to in this Article shall include necessary provisions on legal safeguards.

Although Article 215 provides for qualified majority voting of Member States in the Council, the effective rule is actually unanimity, for that is the rule which applies (with marginal exceptions) to the adoption of the EU foreign policy measures which the Article 215 legislation gives effect to.  The Commission proposed a few years ago to drop unanimity here, but Member States didn’t bite. (They would have to agree unanimously to change the voting rule).

Over the years, there have been a lot of EU foreign policy sanctions and a lot of litigation – mostly direct challenges to the validity of the sanctions measures by the persons or companies (or even the States) concerned by them in the EU General Court. That Court’s judgments can be appealed to the CJEU; and national courts have occasionally asked the CJEU about the interpretation or validity of sanctions decisions too. (Although in general the CJEU has no jurisdiction over EU foreign policy measures – an exception which the Court has been slowly nibbling away at for awhile – as an exception to the exception, the CJEU has its normal jurisdiction over foreign policy sanctions: see Article 275 TFEU).

Given that the new Eurocrime refers back to a body of EU law, it is thematically very similar to the areas covered by the EU’s separate powers to harmonize criminal law to give effect to EU policies, as set out in Article 83(2) TFEU – for instance, see the proposed new Directive on environmental crime, which refers back to specific EU legislation. 

The details of the Decision

The main text of the Decision simply adds the breach of EU foreign policy sanctions to the list of Eurocrimes. Note that this is a breach of EU sanctions: the Decision does not give the EU power to harmonize criminal law as regards the breach of purely national foreign policy sanctions. (How much power Member States have to adopt national sanctions is an interesting question, but need not concern us further here, because of this distinction).  

On the other hand, the new competence is not limited to breach of EU foreign policy sanctions relating to the Russian invasion of Ukraine. Even though that event is obviously what led the EU to extend its competence, as acknowledged in the preamble to the Decision, there is nothing in the wording of the Decision to say that it only applies to sanctions against Russia. Indeed, the Commission proposal for the Decision noted that the EU has forty sanctions regimes, applying not only to countries but also ‘targeting proliferation and use of chemical weapons, cyberattacks, human rights violations and terrorism’. (For more details, see the Council website, especially its sanctions map). The anti-terrorism sanctions have been around for awhile, attracting high profile litigation such as cases involving Mr Kadi or Hamas; the human rights sanctions are fairly new, but will sometimes cross over with other sanctions – see, for instance, the sanctions against Putin’s alleged allies, the Wagner Group, for human rights breaches (along with links to other EU sanction measures).

In terms of the type of sanctions covered, the preamble also makes clear that this is broad, applying not only to economic sanctions such as restrictions on trade or financial relations, but to bans on entry into the territory (which are also already given effect to by listing the sanctioned people in the Schengen Information System) and to arms embargoes. 

Much of the preamble to the Decision justifies this new extension of EU competence on the basis of the criteria set out in Article 83(1) TFEU, which any extension of competence has to satisfy: ‘particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis’. For instance, the preamble refers to the threats to international peace and security dealt with by sanctions as being ‘particularly serious’, as well as the cross-border scale of the offences.

The proposed Directive

Content of the proposal

The proposed Directive has similarities to other Directives in this area – see, for instance, the Directive on harmonization of criminal law as regards terrorism. But there are also some new elements compared to other Directives; and in any event, it is the EU’s first foray into adopting criminal law relating to EU foreign policy sanctions.

It should be stressed that (as the preamble to the Decision confirms) the Directive would not make breaches of EU foreign policy sanctions criminal for the first time in most Member States. Just as with issues like terrorism and drug trafficking, these were already crimes in most national laws before EU law came along. But the details of the national laws probably differed more before the EU got involved; the point of the EU’s involvement is to harmonize the national laws somewhat.  

Today’s proposal would require Member States to criminalize nine types of breach of EU sanctions, such as trading in goods or services covered by EU sanctions, providing financial services despite an EU law sanction, or even enabling the entry or transit of a person covered by an entry ban deriving from EU sanctions (in effect, an immigration law offence that might overlap with the pre-existing EU law on facilitation of illegal entry and residence in general – although the EU criminal law in that area is less detailed than today’s proposal). In every case, an intentional breach would have to be criminalized; and in most cases, ‘serious negligence’ resulting in the breach would have to be criminalized too. As with the Decision on competence, the Directive would not be limited just to sanctions against Russia, but would apply to EU foreign policy sanctions across the board.

There is a novel clause on the position of lawyers advising those accused of sanctions breaches:

Nothing in paragraph 2 [the list of crimes] shall be understood as imposing an obligation on legal professionals to report information which is obtained in strict connection with judicial, administrative or arbitral proceedings, whether before, during or after judicial proceedings, or in the course of ascertaining the legal position of a client. Legal advice in those circumstances shall be protected by professional secrecy, except where the legal professional is taking part in the violation of Union restrictive measures, the legal advice is provided for the purposes of violating Union restrictive measures, or the legal professional knows that the client is seeking legal advice for the purposes of violating Union restrictive measures.

There is also a specific guarantee for the right to silence, and exemptions for goods or services provided for daily use, failure to report, or humanitarian aid for those in need. Inchoate offences of incitement and (in most cases) attempts are also criminalized, as is aiding and abetting. As for penalties, Member States must provide for a maximum possible penalty of at least five years for most offences, and one year for the rest – subject to a threshold of €100,000 being involved (which can be satisfied by a linked series of offences). Otherwise, Member States are obliged to provide at least for the possibility of some imprisonment (for instance for sanctions with a lower value, or breach of an entry ban), and in all cases to provide for additional penalties, such as fines.

Legal persons are subject to liability, too, and must be subject to penalties such as shutting down the business or withdrawal of its licences. This is a longer list than usually provided for in EU criminal law Directives. Criminal liability must be aggravated in certain cases (such as organized crime, or breach of duty by a public official or a professional), and mitigated in others (where the offender ‘flips’ on his or her criminal associates).

Criminal jurisdiction would apply more widely than under most EU criminal law Directives, where it usually applies to acts committed on the territory (sometimes with further elaboration) or by nationals. Here it would apply also to habitual residents, and the territory is further defined as including a Member State’s airspace or any aircraft or vessel under its jurisdiction.

Unusually, there would be rules on limitation periods, ie when Member States would be out of time to bring a prosecution or enforce a sentence. In most cases the limitation period would be five years, with a possibility for derogation. Previously Member States have only agreed to regulate this issue via EU law as regards fraud against the EU budget (although the pending proposals on environmental crime and violence against women would also address it).

Finally, there would be links to other EU law (besides, obviously, the sanctions laws themselves). The proposal would link up with EU law on money laundering and confiscation, plus there is a novel link to the EU legislation on whistleblowers: that law must also apply to protect those in a company or organization who tip off the authorities about breaches of sanctions. Conversely, there is no proposed amendment of the law on the European Arrest Warrant – even though breach of EU foreign policy sanctions is not on the list of crimes where the dual criminality condition for extradition must be waived. However, prosecution or sentences for sanctions breaches will sometimes fall within areas where dual criminality has to be waived (like terrorism or organized crime); and the dual criminality condition is more likely to be met as a result of the harmonization Directive anyway (it may even be met already, simply by virtue of the foreign policy sanctions measures themselves). 

The legislative process

Opt-outs will apply to the proposed Directive: again, Denmark is entirely opted out of EU criminal law adopted after the Treaty of Lisbon, while Ireland can choose to opt in or not. Again, we can only speculate whether the UK would have chosen to opt in or out.

Other Member States have a form of protection for their interests too. Although the ‘ordinary legislative procedure’ applies to the adoption of laws in this area (see the text of Article 83(1) above), which means only a qualified majority of Member States in the Council is necessary to adopt a law (along with agreement of the European Parliament), Article 83(3) TFEU provides that if a Member State believes that a Directive ‘would affect fundamental aspects of its criminal justice system’, it can effectively pull an ‘emergency brake’ and ask EU leaders to discuss the issue. If there’s no agreement at that level, if at least nine Member States still want to participate in the proposed law, they can trigger ‘enhanced cooperation’ to go ahead – without the objecting Member State(s) – on a fast-track basis. To date, Article 83(3) has not been used, although its mere existence may have meant that any concerns Member States have raised about their criminal justice systems received particular attention during negotiations.

Comments

It’s difficult to see what impact the extension of competence, in conjunction with the proposal to harmonize the law (if adopted), would have in practice, without more detail on what changes would be made to national law as a consequence of its adoption. One issue with criminal law – just as with non-criminal forms of regulation of conduct – is of course the resources and expertise necessary to investigate and bring prosecutions. On this point, the prospect of extending competence to the European Public Prosecutor’s Office to include breaches of EU foreign policy sanctions has been raised by the German and French justice ministers. This would certainly be a big development if it happens (extensions of EPPO competence need unanimous agreement of Member States, although some Member States have opted out of the EPPO; the Commission’s proposal to extend its competence to terrorism has not been agreed so far).

Is this extension of EU competence an example of the endless EU power-grabs so feared by the EU’s critics? On this, it’s notable that the extension came on the eve of the thirteenth anniversary of the Lisbon Treaty entering into force – and yet it’s the first such extension of competence in that whole time. By contrast, Member States have not yet agreed an earlier proposal to extend the list of Eurocrimes to cover hate speech and hate crimes. Nor, as noted above, have they agreed the proposal to drop unanimous voting for some foreign policy measures – or to drop unanimity in a number of other areas which the Commission proposed years ago.  

The extension of competence is better understood as part of the EU’s response to the Russian invasion of Ukraine – which has also prompted developments in the use of EU defence powers, and the first-ever use of the long-dormant temporary protection Directive. By itself, the extension of EU competence and the use of those new powers will not end the invasion – and, as noted already, it applies to other EU sanctions too. Nor does it address the criticism that that those sanctions are too little and too late. But it may make some contribution to the effective implementation of those sanctions which have been established to oppose the invasion, and in any event it sends a political message that the EU is stepping up their enforcement.

 

Tuesday, 29 November 2022

Provisional Agreement on the recast Reception Conditions Directive: Preventing ‘Asylum Shopping’ and ‘Secondary Movements’ as the Ultimate Goal?

 



Vasiliki Apatzidou, legal practitioner in the field of EU Asylum Law and PhD Student, Queen Mary University of London.

Photo credit: Rebecca Harms, via wikicommons

The current instruments of the Common European Asylum System (CEAS), which include the recast Reception Conditions Directive, are applicable since 2013, meaning for nearly a decade. However, already in 2015, the high number of arrivals of asylum-seekers in the European Union (EU) exposed a series of deficiencies, divergencies and gaps in the EU legislation on asylum matters. The harmonization objective lost much of its relevance in the context of the response to the refugee ‘crisis’.[i] The paradox is that the so-called ‘crisis’ happened just two years after the completion of the reform of the CEAS in the summer of 2013. Therefore, the Commission presented in 2015 a new European Agenda on Migration that included both short-term measures and proposals for the long-term.

In the long-term, the European Commission proposed in May and July 2016 a third package of legislation with the aim of strengthening protection for asylum-seekers and imposing greater uniformity in rules and procedures in different Member States. The Commission highlighted in 2016 that the prevention of ‘asylum shopping’ and ‘secondary movements’ was among the top priorities that it aimed to achieve through the reform of the CEAS. In 2016, the Commission presented the second package to reform the CEAS and one of these proposals was the 2016 proposal for a recast Reception Conditions Directive (RCD).[ii] The negotiations started in 2016, and a political agreement between the Council and the European Parliament was reached in 2018. Further attempts at the technical level were made during the Austrian Presidency, but the proposal, as of today, has not been adopted. Actually, none of the 2016 proposed instruments is adopted, to date (besides the EU Asylum Agency), and the negotiations were stalled.

Thus, the Commission in 2020 presented the new Pact on Migration and Asylum in order to boost the negotiations in the Council and propose a ‘fresh start’ on migration. As the recast RCD was one of the instruments where a provisional agreement was reached, the Commission did not amend at all this text through the proposed 2020 Pact on Migration and Asylum. As the Council is currently getting prepared to open again the discussions with the European Parliament on the recast RCD, this blogpost aims to examine the most important amendments of the recast RCD mainly regarding the proposed measures that aim to prevent ‘secondary movements’ and ‘asylum shopping’ which is at the epicenter of the proposed legislation.

To achieve this objective, on the one hand, measures that improve the dignity and integration prospects for asylum-seekers are proposed to ensure that a dignified standard of living is provided in all Member States, and secondly new measures to constrain autonomy and impose sanctions to asylum-seekers are proposed to ensure that the asylum applications will be examined in the ‘first country of asylum’ and ‘asylum shopping’ will be prevented. Specifically, in recital 13 of the recast RCD, it is explicitly mentioned that ‘applicants do not have the right to choose the Member State of application. An applicant must apply for international protection in accordance with the Dublin Regulation’. It is worth clarifying here that the Commission proposed in 2020 to replace the Dublin III Regulation with an Asylum and Migration Management Regulation, but as this has not yet been agreed, I will refer to the Dublin III Regulation for the scope of this blogpost.

Measures to enhance Integration Prospects

It is apparent in the provisional agreement that the aim of the proposed Directive is to enhance integration measures for asylum-seekers and ensure that there are inclusion prospects for them wherever they are required to apply for asylum. In this way, the Commission aims to ensure dignified standards and equal integration prospects in all Member States to ensure the prevention of ‘asylum shopping’ and ‘secondary movements’. For this reason, asylum-seekers will be allowed to work 6 months after requesting asylum, instead of the current 9-month framework (Art. 15). Moreover, it is required to enjoy equal treatment with the nationals as regards the terms of employment and other conditions (art.15 para.3). Asylum-seekers will also have access to vocational training and language courses from day one (art. 15a).  Moreover, those applying for international protection will be entitled to primary and secondary health care, including mental as well as sexual and reproductive health care (art.16). In addition, children should enter the school system no later than 2 months after arrival (Art.14), instead of the current framework that foresees 3 months. All the above-mentioned measures aim to enhance the integration prospects of asylum-seekers to ensure that they will not choose to illegally move to other countries in order to find job or access education. These measures are overall assessed as beneficial for those seeking international protection. However, integration is also dependent on actual employment opportunities, inclusion prospects and the economic situation in the responsible Member State, something that may also be influenced by large-scale arrivals of third-country nationals often witnessed in the EU external border countries.

Sanctions for being present on the territory of a ‘non-responsible’ Member State

The most striking example that proves that the main aim of the recast RCD is the prevention of ‘asylum shopping’ and ‘secondary movements’ can be found in the proposed article 17a which explicitly states that where an applicant is present in another Member State from the one that he or she is required to be present, the applicant should not be entitled to material reception conditions, access to labour marker, language courses and vocational training from the moment a transfer decision has been notified to this person. Thus, the reception conditions may actually be reduced or withdrawn with the notice of the transfer decision even if the transfer in reality is taking place later, in some cases even months after the notification of the decision. The only guarantee here is that the withdrawal of the reception conditions should be without prejudice to the need to ensure ‘a dignified standard of living’ including access to necessary health care something which has been reaffirmed from the European Court of Justice. However, how this can be achieved in practice remains controversial.

Furthermore, the possibility of reducing or withdrawing the material reception conditions in case the applicant is required to be present in a specific Member State according to the Dublin Regulation, can be found in the new paragraph 1 of article 19 that concerns the reduction or withdrawal of material reception conditions. Thus, once again it is stated that if the asylum-seeker has ‘illegally’ left the ‘first country of asylum’ and moved to another Member State, she or he may be sanctioned with even the full withdrawal of reception conditions, on the basis of the above-mentioned provision. It becomes evident that the applicant of international protection will be subject to the full benefits and guarantees envisaged in the recast RCD only when she or he is present on the territory of the Member State that the Dublin Regulation defines. In this way, the Commission hopes to discourage ‘secondary movements’ to other Member States as asylum-seekers can enjoy the full sets of rights provided in the recast RCD when they are in the ‘responsible’ Member State in accordance with the Dublin Regulation.

Restrictions on the Freedom of Movement: Prevention of ‘absconding’

Except of the proposed sanctions for the applicants that are required to be present in other Member States on the basis of the Dublin Regulation, the Commission proposes to allow states to have the possibility to decide that an applicant is only allowed to reside in a specific place that is adapted for housing applicants, where the is a risk of absconding, in particular when it concerns a) applicants who are required to be present in another Member State and b) applicants who have been transferred to the Member State where they are required to be present in accordance with the Dublin Regulation after having absconded to another Member State (Art.7). Thus, we notice that a restriction of freedom of movement is allowed to prevent ‘absconding’ and subsequently preventing asylum-seekers from illegally moving to another Member State, even in cases where there is a ‘risk’ of absconding. To add to this, in the definitions envisaged in the proposed Directive, the ‘absconding’ and ‘risk of absconding’ are defined for the first time in the asylum acquis (art.2 (10) and (11)) as until now the ‘risk of absconding’ was defined in the Return Directive. Not only restriction of movement, but even detention may be allowed in accordance with the Dublin Regulation (art.8g).

It is worth mentioning here that the proposal does not only provide for punishments for applicants who are subject to a Dublin transfer, but in the recast RDC, we witness that there are different kinds of residence restrictions that are regulated (see new proposed articles 6a and 6b), which is a novelty in comparison to the current Directive, but the analysis of these restrictions fall outside the scope of this blogpost and have been extensively examined here.

Conclusion

Although in the provisional agreement for a recast RCD, the guarantees are enhanced, and even a ‘dignified living’ shall be ensured in every case, even when the asylum applicant is present in the territory of a ‘non-responsible’ Member State, the possibility of reducing material reception conditions and integration prospects to prevent ‘secondary movements’ should not be underestimated. In the EU asylum policy debate, it is well known that external border countries such as Greece, Italy and Spain insist on more solidarity, mentioning that they cannot shoulder the burden without adequate support, while northern European countries such as Germany or the Netherlands insist on enhancing measures to prevent secondary movements. This was also apparent in the negotiations for the proposed Reception Conditions Directive. However, now that the 2020 asylum and migration instruments are under negotiations, it is important to realise that there should not be a dichotomy between ‘less secondary movements’ or ‘more solidarity’. The discussions over less secondary movements should take place in conjunction with discussions over more solidarity. In the context of enhanced solidarity, the negotiations over the recast Reception Conditions Directive should take place, if the Council decides to open again the consultations, before finally adopting the Directive which contains overall positive amendments that enhance integration prospects, safeguard a dignified standard of living and increase procedural guarantees for applicants with special reception needs.

Endnotes



[i] Giulia Vicini, ‘The EU Refugee Crisis and the ‘Third-Phase’ Asylum Legislation: The End of the Harmisation Approach or Its Revival’ in Valsamis Mitsilegas, Violeta Moreno-Lax and Niovi Vavoula (eds.) Securitising Asylum Flows: Deflection, Criminalisation and Challenges for Human Rights (Brill 2020)

[ii] Jens Vedsted-Hansen, ‘Reception Conditions as Human Rights: Pan-European Standard or Systemic Deficiencies’ in Vincent Chetail, Philippe De Bruycker and Fransesco Maiani (Eds.) Reforming the Common European Asylum System: The New European Refugee Law (Brill Nijhoff 2016).

 

 

Monday, 21 November 2022

The EU Commission’s proposal on Media Freedom Regulation


 


Lorna Woods, Professor of Internet Law, University of Essex

 

Photo credit: Bin im Garten, via Wikimedia Commons

 

In her 2021 State of the Union address, EU Commission President von der Leyen stated:

 

Media companies cannot be treated as just another business. Their independence is essential. Europe needs a law that safeguards this independence – and the Commission will deliver a Media Freedom Act in the next year.

 

The resulting Proposal sits against a network of existing rules – notably the long-standing Audiovisual Media Services Directive (AVMSD) and the e-Commerce Directive as well as the recently agreed Digital Services Act (DSA) and Digital Markets Act (DMA).  It will be accompanied by a Recommendation. The Proposal is a significant step; the Commission is entering new regulatory terrain here. This move indicates concerns not just about the state of the media but about public discourse more generally, but how has the Commission sought to transfer this high level concern into specific rules?

 

Outline of the Proposal

 

The Proposal can be said to be divided into roughly five elements (in addition to the definitions and scope), reflecting the fact that the concerns around media freedom have different aspects and need a response that itself is multifaceted. 

 

1 Media Freedoms

 

The first is about media freedom (and the recommendation is relevant for this issue too as it focuses on internal safeguards for editorial independence and ownership transparency). The Proposal introduces rights and obligations on media service providers in Chapter II. Specifically, it provides them the right to exercise their “economic activities in the internal market without restrictions other than those allowed under [EU] law” (Article 4(1)).  Article 4(2) then provides more detail. It specifies that Member States are prohibited from:

 

-          interfering with editorial policies and decisions by media service providers (Article 4(2)(a));

 

-          detaining, sanctioning, intercepting, subjecting to surveillance or search and seizure or inspecting media service providers, their employees, their families or their premises “on the ground that they refuse to disclose information on their sources, unless this is justified by an overriding requirement in the public interest” (Article 4(2)(b)); and

 

-          deploying spyware in any device or machine used by media service providers, their employees or their families other than in certain narrowly-defined circumstances (Article 4(2)(c)).

 

According to the Q&A document, this is to “protect them from unjustified, disproportionate and discriminatory national measures”.  There are provisions dealing specifically with “public service media providers”, reflecting their “societal role as a public good” (Recital 14) but also their “institutional proximity to the State, which puts them at peculiar risk of interference (Recital 18): they are obliged to provide “in an impartial manner a plurality of information and opinions to their audiences, in accordance with their public service mission” (Article 5(1)), although what “plurality” means for these purposes is not defined. It seems that public service media cannot be self-declared as such – the definition of “public service media provider” requires the media service either to be “entrusted with a public service mission under national law” or receives national funding for the fulfilment of such a mission (Art 2(3)). 

 

There are some ownership transparency obligations on media service providers who “provid[e] news and current affairs content”. They must provide the provider’s name and contact details, and details relating to certain shareholders and beneficial owners (Article 6(1)). They must also “take measures that they deem appropriate with a view to guaranteeing the independence of individual editorial decisions” (Article 6(2)).

 

The proposal also sets out the right of the audience (“recipients of media services”) the right to “receive a plurality of news and current affairs content, produced with respect for editorial freedom of media service providers, to the benefit of the public discourse” (Article 3(1)). Recital 11, however, clarifies that this right “does not entail any correspondent obligation on any given media service provider to adhere to standards not set out explicitly by law.”

 

2. VLOPS

 

Secondly, there are obligations on Very Large Online Platforms (VLOPs), which are in addition to those in the DSA. These provide additional rights to media service providers on VLOPs. Specifically, VLOPs must provide certain mechanisms to deal with the media (including applications of the requirements of the Platform to Business Regulation – see Article 17 MFA, and Articles 11 P2B Regulation).

 

3. Media Regulation and Institutions

 

A third element concerns the institutional set up of media regulation. There are provisions around cooperation of national regulators. The Proposal expands the scope of the existing European Regulators Group for Audiovisual Media Services (ERGA), replacing it with the European Board for Media Services (EBMS) which - with the European Commission - is to ensure the consistent application of the MFA and the wider EU media law framework (perhaps in a similar fashion to the EDPB in relation to the GDPR). Specifically, the EBMS will

 

-          advise the Commission on the implementation of the Regulation, for example, providing expertise on regulatory, technical, or practical aspects concerning the identification of audiovisual media services of general interest under Article 7a of the AVMSD;

-          mediate between the regulatory bodies of the Member States;

-          assess areas of interest such as the functioning of media markets and the potential impact of national measures; and

-          take a position if the functioning of the internal market appears to be affected.

 

4. Media markets

 

A fourth element deals with the market and includes requirements for Member States to put in place rules for assessing media market concentrations (Articles 20-22). In addition for setting rules for when concentrations must be notified, Member States should also set out criteria for assessing the impact of a concentration on media pluralism and editorial independence, an assessment which is distinct from that under competition law.

 

5. Resources and Audience measurement

 

Finally, there are rules relating to measurements of audience and to criteria for allocating resources to media outlets. The Commission notes that ‘opaque and unfair allocation of economic resources’ contribute not only to an uneven playing field but also to internal market barriers. The “opacity of and biases inherent to proprietary systems of audience measurement skew advertising revenue flows”, and the way state advertising revenue is allocated is also problematic. The Proposal therefore mandates transparent, non-discriminatory and objective measures and allocation of resources.

 

Comment

 

Competence

 

The Proposal builds on the Commission’s Rule of Law Report 2020 and the European Democracy Action Plan, and seems to aim at some worthy objectives. Despite this, the Proposal is not framed as directly protecting democracy.   The Proposal frames issues as media companies facing

 

“obstacles hindering their operation and impacting investment conditions in the internal market such as different national rules and procedures related to media freedom and pluralism”.

 

This would seem to be aimed at tackling concerns around competence and the fact that culture is typically for Member States, not the EU. To be sure, there are often special ownership and merger regimes for media undertakings, but these are often based on not on economic considerations but on non-market concerns. The emphasis on the impact that disparate rules have on media undertakings is used to justify the use of Article 114 TFEU as the legal basis for the proposal. This re-emphasises that this in not a specific piece of media policy, fields in which the EU has limited competence and has no competence to harmonise (Article 167 TFEU), but market regulation.  The Commission has pushed the extent of its harmonising powers before; while the AVMSD may have started off dealing with restrictions on cross-border advertising, it has also got a distinct cultural aspect (eg EU quotas). In this proposal, it is not clear how the measures listed actually map on to addressing the internal market problems identified in the Explanatory Memorandum. The extent to which a harmonising measure has to deal directly with the eradication of barriers to trade and the degree to which it may be directed at other policy issues has been the subject of a certain amount of jurisprudence, as the examples of Titanium Dioxide case (Case 300/89), Tobacco Advertising I (Case C-376/98), Swedish Match (Case C-210/03) and Vodafone (Case C-58/08) illustrate, and a cottage industry in legal commentary. On first glance, this proposal lies quite close to the boundary.  It is noteworthy that the justification given in recital 6 – that the audience should be able to receive cross boarder information flows – is linked to the satisfaction of the requirement in Article 11 of the Charter on Fundamental Rights. Yet, the Charter in itself is not a legal base for harmonising legislation. It is likely that this issue of competence may lead to legal challenge in the measure is enacted.

 

Place in the Digital Regulation Landscape

 

There will be a question of the interplay between this measure and others impacting on publicly available content. The measure is to a large part aware of this and cross refers to some of these relevant measures. It replicates some definitions from the AVMSD, albeit slightly tweaked. For instance the definition of ‘programme’ is in its base element the same that in the ADMSD (Art 1(b)) but excludes the reference in the AVMSD to “including feature-length films, video clips, sports events, situation comedies, documentaries, children's programmes and original drama”.  It is also notable that the definition of “media service” moves the focus of the service on to the provision  of programmes or press publications (Article 2(1), emphasis added); traditionally publications might have been thought to be goods! The definition of audiovisual media service remains the same as in the AVMSD. The terms “editorial decision” (Art 2(8)) and “editorial responsibility” (art 2(9)) seem to be aimed at drawing the boundary of these terms in the same place as the analogous terms in the AVMSD, though the language has been revised to reflect the broader scope of the Proposal.

 

The Proposal also notes the currently limited scope for the ERGA to take action; currently it is limited to audio-visual media services only.   The development of EBMS, however, follows the approaches taken in the DSA and also found in the EU’s approach to disinformation. Extending ERGA’s remit beyond audiovisual media services brings into question the historic difference in approach between broadcasting (and subsequently video on demand) and the print media, even in their online formats. It has long been accepted that regulation of broadcast entities is legitimate (even if different justifications might be given for that regulation) whereas the press has typically been subject to self-regulation. Giving ERGA (or the EBMS as it would become under the Proposal) a role starts to challenge that settlement.  It is worth reminding ourselves that the national regulatory bodies making up ERGA must meet certain independence requirements (and ERGA itself emphasises the importance of independence – as well as adequate resources!) – these independent bodies might start to have oversight over the press (in the areas covered by the proposal).  Again, this is a sensitive topic.

 

Media Independence

 

The Proposal does contain some important provisions that should benefit the maintenance of media independence – though of course the inclusion of these provisions recognises the distinctive nature of the media and the important role they play in an informed, democratic society. There are specific provisions on editorial independence and for public service media providers Member States will be under an obligation to ensure they have “have adequate and stable financial resources to fulfill their public service remit. These resources shall be such that editorial independence is preserved.” (Article 5).

 

This requirement for sufficient funding brings into law a principle long found in the Council of Europe recommendations on this area. Indeed, EU state aid law has also long recognised the need for State support (and the definition for public service media to a large extent reflects the position under Article 106(2) TFEU). How this is to be calculated or assessed however is not specified in the Proposal (the Recitals merely noting that a multi- year funding model is desirable – see Recital 18) and may cause tensions given the different levels of resources available and funding models used across the various Member States.  The Recitals are anxious to emphasise that this obligation does “not affect the competence of Member States to provide for the funding of public service media”, though it would seem that there is a shift from the permissive regime envisaged by Protocol 29 and the mandatory rule envisaged here. Currently Member States may provide such funding (subject to competition law and state aid rules in particular); this Proposal suggests that in future Member States must do so.

 

Moreover the Proposal introduces obligations so that the senior management is to be appointed according to transparent, non-discriminatory and objective procedures. They will also have term limits and can only be dismissed if it is determined that they are no longer fulfilling their legal duties. The rules around non-dismissal are commonly found to ensure institutional independence in regulators but are here extended to the media (though the Commission has noted that concerns remain regarding the independence of some regulators - Rule of Law Report (3.3) despite the provisions introduced by the 2018 amendments to the AVMSD). 

 

The specific obligations in Article 4(2) follow the lines set doewn in standard freedom of expression case law concerning journalists – notably the protection of journalists sources, and the importance of journalists’ communications remaining confidential, as noted in Recital 16. In this, the prohibition of spyware in Article 4(2)(c) seems to be a specific response to recent scandals showing the use of these technologies.

 

Transparency

 

The lack of transparency in media ownership has been seen as an issue specifically in relation to assessing plurality of the media as well as for users to make assessments as to likely bias in the information and opinions published by a media outlet, a point recognised in Recital 19. This was an issue on which there was little action in the individual Member States. The Commission’s Rule of Law report also noted “The transparency of media ownership continues to present on average a medium risk across Member States, due to a lack of effectiveness of legal provisions and to the fact that information is provided only to public bodies, but not to the public” (3.3). Against this background, the requirements to give information to the public is a step forward; it might be questioned how effective it will be, however, in the case of highly complex corporate structures. Moreover, the transparency obligations are limited in to those providing news and current affairs content.  This term, however, is not defined in the proposal – nor is it defined in the AVMSD.  There is a question as to whether the rules apply only to those whose purpose is to provide news and current affairs, or whether it includes providers whose offering includes news and current affairs. If so, how big a proportion of the offering should news and current affairs constitute to trigger the obligation? This of course assumes we know what news and current affairs comprises; but does this term encompass, for example, celebrity gossip? Broader aspects are contained in the recommendation and are therefore not binding.

 

Rules on VLOPs

 

It is unclear what the obligations on VLOPs add to the the obligations in the Platform to Business Regulation (“P2B Regulation”) – which could apply to VLOPs anyway – indeed, may apply much more broadly than to VLOPs or how the relationship between the two measures might be managed. 

 

VLOPs are likely to satisfy the definition of “online intermediation service providers” within the meaning of the P2B Regulation and therefore owe certain obligations to “business users”. It seems also likely that media service providers using VLOPs (or other platforms) to reach their audiences would constitute such “business users”, though perhaps some citizen journalists might fall outside this definition.  Having said that, would “citizen journalists” fall within the definition of media service for the purpose of the Proposal; ‘services’ within the TFEU are limited to economic activity – as Recital 7 to the Proposal recognises. It specifically notes that

 

[t]his definition should exclude user-generated content uploaded to an online platform unless it constitutes a professional activity normally provided for consideration (be it of financial or of other nature).

 

This might adversely affect charitable foundations and the like by contrast with influencers. Note, however, that the recital specifically excludes ‘[c]orporate communication and distribution of informational or promotional materials for public or private entities”.

 

Article 17(3) deals with complaints lodged by media organisations “with priority” and “without undue delay”, yet Article 11 of P2B requires online intermediation service providers to handle complaints “swiftly and effectively”. It is hard to see what added benefit is from the requirement in Article 17 regarding “undue delay” adds – indeed, it might be seen to be a lower standard than “swiftly”. The obligation to give media entities priority does seem to suggest that their complaints be dealt with in some sort of differentiated way.  This could be justified by the public interest in news and its perishable nature; however, it seems less good if such claims – no matter their merit - are automatically dealt with over other serious claims. While there might be specified time limits for dealing with certain sorts of content (notably terrorism), prioritising journalism leaves the victim of revenge porn, for example, relatively unprotected. This may of course be the nature of a legislative measure dealing with one type of content; specifying time scales that are not comparative in nature (implicitly ‘with priority’ is whereas ‘swiftly’, for example, is not) could avoid that problem.  Insofar as the Proposal envisages a separate mechanism for media entities, there is a risk of confusion as to which mechanisms for dispute resolution – whether those in the DSA or those envisaged here – should be used.

 

There is also a concern about the definition of media services which receive the benefit of this special treatment as it covers what have been termed ‘self-declared media’. This recalls the debates in the DSA’s legislative process to create a media exemption, but which was ultimately rejected.  The concern is that a wide range of actors could self declare as media entities for the purpose of this clause – perhaps benefitting those who spread disinformation. 

 

VLOPs are also required to allow their users to customise the audiovisual media offer (subject to Art 7a AVMSD) (Article 19). It is not clear the extent to which this overlaps with Article 27 DSA, which provides for recommender system transparency, and Article 38 to allow recommender systems not based on profiling.

 

Media Concentration

 

In the Commission’s Rule of Law Report, it notes that the media market is at risk from high levels of concentration. This seems to be a consequence of the dominance of online platforms in digital advertising and the adverse impact that has had on the financial stability of many media entities, a situation worsened during COVID. Against this background some controls on media concentration are required – though that then leaves the question of how the media entities are expected to survive in an environment dominated by clickbait content especially when the market dominance of the platforms and similar services are taken into account. This Proposal does not include those services into account. While the DMA provides some controls, it is not clear how the two sets of provisions will work together and whether there would be gaps (think for example of a cross media merger involving a platform and a content provider).  Finally, these questions seem to be dealt with at national level; rules may differ between Member States. The EBMS and the Commission are envisaged as having advisory roles. While this may respect divisions of competence, there are question about equality of enforcement – it remains to be seen (in the light of the experience of the GDPR) how well the co-operation provisions (Article 13, Article 14) work.

 

Resources

 

The final section relates to the measuring of audiences (indirectly affecting resources) and the allocation of State advertising – which is an important source of revenue in many places. Recital 29 notes that state advertising can be used as a form of covert public subsidy. Article 2(15) defines “State advertising” to mean the “placement, publication or dissemination … of a promotional or self-promotional message, normally in return for payment of for any other consideration, for or on behalf or any national or regional public authority” – this includes state-owned enterprises or other state-controlled entities.  This is a broad definition although there are limits on those subject to the obligation. For example, there is a de minimis threshold of local authorities with less than 1 million inhabitants. Recital 10 excludes “emergency messages by public authorities which are necessary, for example, in cases of natural or sanitary disasters, accidents or other sudden incidents that can cause harm to individuals”.  Although the Proposal envisages that the reporting on advertising spend should be monitored, it does not specify by which body.

 

Enforcement

 

One final point to note is that the Proposal does not include a specific mechanism for enforcement; the presumption seems to be that national mechanisms should be relied on (see eg Article 4(3)) (and the Q&A doc notes that any claimed breaches can be brought before national courts since the proposal – as a regulation – is directly applicable). This may, for example, give a route to relief for those subject to spyware – though the route to CJEU itself through the national courts – especially when those courts form part of the regime deploying the spyware and therefore may be unlikely to provide adequate relief themselves - may be long. It is also unclear what the precise role of the EBMS is in ensuring the consistent application of the Proposal.

 

Conclusion

 

In conclusion, the Proposal marks a significant shift in the current status quo and attempts the important job of safeguarding media independence – independence which has come under increasing threat in recent years. In so doing, however, pushes at the edges of EU competence. Moreover, some of the measures proposed may prove controversial as they seek to support the media against authoritarian regimes seeking to control them, not least with some Member States. The passage of this proposal is unlikely therefore to be smooth or easy; whether it achieves its stated aims is yet another question.





Friday, 18 November 2022

The Cyber Resilience Act in the context of the Internet of Things

 



Mattis van ’t Schip, PhD candidate, Radboud University

Image credit: Grafiker61, via Wikicommons Media

 

In our homes and across industries, the use of Internet of Things (IoT) devices is increasing. These devices integrate hardware and software elements (e.g., a ‘smart’ watch, a WiFi-connected security camera). The cybersecurity of these connected devices is a growing issue. In the ‘Mirai botnet’, hackers accessed thousands of devices and, together, used them to bring down websites and companies, while other attackers accessed the cash registers of Target supermarkets by hacking into their network-connected air-conditioning systems. As evident from the Target hack, attackers can easily access these devices as they are always connected, through WiFi or BlueTooth. Companies and consumers now use billions of IoT devices, which thus creates an expanding cybersecurity threat. The European legislator struggled with this cybersecurity issue for a long time, as existing legislation (e.g., product safety law) did not sufficiently cover the cybersecurity of IoT devices. A recent legislative proposal, however, now intends to address this legal gap.

On 15 September 2022, the European Commission published the proposal for the Cyber Resilience Act (CRA). The Cyber Resilience Act intends to protect the European Union’s market from insecure products. The Act addresses four central themes, according to Article 1:

1) rules for placing products with digital elements on the European Union’s market to ensure the cybersecurity of such products;

2) essential requirements for the design, development, and production of products with digital elements;

3) requirements for vulnerability handling processes by manufacturers to ensure cybersecurity throughout the whole lifecycle of products with digital elements; and

4) market surveillance and enforcement.

This blog post gives a short overview of the new rules on the cybersecurity of products with digital elements (points 1-3). First, I address the framework of the Act by focusing on its scope and cybersecurity provisions. Second, I shortly examine how the Act fits within and adapts the existing regulatory landscape for the cybersecurity of products with digital elements, especially Internet of Things devices.

Products with digital elements

The Cyber Resilience Act will apply to ‘products with digital elements’. Article 3(1) clarifies that such products can be software, hardware, and remote data processing solutions. The Act does thus not only apply to software applications, but also applies to certain hardware objects that are not traditionally digital (e.g., routers, microcontrollers). A connected security camera is an example of a product with digital elements. The camera integrates a traditional camera system (the hardware) with software that, for instance, allows users to access the device’s camera from anywhere in the world.

The European Commission mainly hints at IoT devices as the main focus of the Act, but these devices are not the only products in scope. The Commission includes two additional categories of products with digital elements. These categories are based on the ‘criticality’ of the products. All ‘critical products with digital elements’ are listed in Annex III and mainly include products which have privileged access to networks or security. For example, Annex III includes password managers, identity management software, and network monitoring systems. Such critical systems present a cybersecurity risk, according to Article 3(3), and therefore must adhere to stricter cybersecurity requirements, which I discuss below. An additional category exists for ‘highly critical products with digital elements’, which present even more serious cybersecurity risks (e.g., network management software used by energy providers).

The Commission can amend the list of critical and highly critical products based on the cybersecurity risks those products pose, according to Article 6(2) and 6(5). Criteria for the assessment of those risks include whether the products have privileged access, control access to data, or perform critical trust-based functions in networks or security. The Commission uses additional criteria for highly critical products (e.g., the use of the product within critical sectors). (See also the NIS2 proposal for the cybersecurity requirements of devices employed in those sectors: Proposal for a Directive for a high common level of cybersecurity, which is about to be adopted)

Cybersecurity requirements

For all products with digital elements, the Cyber Resilience Act prescribes baseline cybersecurity requirements. Only products with digital elements that adhere to those requirements can be placed on the European market, similar to earlier IoT related product rules, such as the Radio Equipment Directive.

The cybersecurity requirements are listed in Annex I Section 1. The requirements must be met on the condition that devices are properly installed, maintained, used, and updated, according to Article 5(1). The provision is not clear on who should actually ensure these pre-conditions. The responsibility could shift between the manufacturer and user based on the action; for example, proper use is most likely a condition for the user, while proper maintenance is a condition for the manufacturer. Article 10(10) seems to indicate that the manufacturer must document the conditions under which the user can ensure proper installation, operation, and use. In a broader sense, these conditions could also indicate that the user, for instance as part of proper installation, should change the default password of their device before using it.

Next to the cybersecurity requirements, manufacturers must comply with certain vulnerability handling requirements, listed in Annex I Section 2. These vulnerability handling requirements address the large number of devices which do not receive sufficient updates during their lifecycle. Without sufficient updates, devices become security threats, as the manufacturers do not ‘patch’ the latest security issues.

Manufacturers must now provide regular security updates which address any vulnerabilities in their products. This obligation exists for the expected lifetime of the product, or up to five years, according to Article 10(6). In addition, the vulnerability handling processes are meant to ensure transparency about the vulnerabilities that manufacturers discover and patch. Here, the Commission aims to solve two problems: a lack of security updates for devices that manufacturers disregard (e.g., because they brought a newer device to the market) and a lack of transparency on any vulnerabilities the manufacturer or third parties find in their products. The latter can put devices from other manufacturers at risk. For example, if company Eppla finds a vulnerability in their BlueTooth protocol and patch it, this patch could help other companies, such as Geeglo, who use the same protocol. If Eppla is not transparent about the vulnerability, they might put Geeglo at risk of security breaches too.

Through the cybersecurity requirements and vulnerability handling processes, the Cyber Resilience Act thus addresses quite a broad range of cybersecurity related issues.

Economic operators

The Cyber Resilience Act introduces product requirements to protect the European Union’s market. Therefore, most of its rules apply to manufacturers that bring devices to the Union’s market. In addition, the rules apply to any other actors, including importers and distributors, that place a product with digital elements on the market with their name or trademark on it, or if they carry out a substantial modification of a product which is already on the market (Article 15). The same condition of a substantial modification applies to any natural or legal person (Article 16). The scope of the Act is thus broad: any entity that brings the product to the market or modifies a product on the market to the extent that it can be considered a ‘new’ product, falls within the scope of the Act.

The rules of the Cyber Resilience Act mostly apply to manufacturers. Article 10 lists several of the most important obligations for the manufacturers. Most of these obligations also apply to importers and distributors. Manufacturers must primarily ensure security-by-design (Article 10(2)). They must ensure this secure design by conducting a risk assessment for their device. Subsequently, the manufacturers must implement the results of that assessment throughout the entire production process of the device, from planning to delivery and maintenance. Manufacturers must include certain information in the technical documentation, including this risk assessment (Article 10(3)). The rules for technical documentation are part of a set of obligations for manufacturers to provide clear and intelligible information to users about different aspects of the device (Article 10(10)).

Finally, Article 10(14) includes an obligation for manufacturers to notify market surveillance authorities (a type of regulatory agencies) and users of their product when they cease operations. This obligation might help mitigate a problem in the IoT industry where manufacturers who, for instance, go bankrupt or sell their company to a competitor, disregard their existing devices on the market. As a result, consumers are left with devices that no longer receive regular updates or stop working entirely. In some cases, consumers are not aware of this problem. This new obligation can help mitigate this problem as manufacturers must inform market surveillance authorities and users of this situation, which can lead to a more secure end of service for existing devices on the market.

A new approach

The Cyber Resilience Act will contain the most important cybersecurity requirements for Internet of Things devices. Existing legislation does apply to the cybersecurity of Internet of Things, but only through particular criteria.

The closest piece of legislation to the Act is the Radio Equipment Directive (RED), a type of product safety legislation. The Directive establishes requirements for radio equipment before it can be placed on the Union’s market. The approach is thus quite similar to the Cyber Resilience Act: economic operators must comply with specific requirements before they can place their products on the market of the EU.

In terms of cybersecurity requirements, the Radio Equipment Directive, however, is much more limited than the Cyber Resilience Act. The Directive contains two main cybersecurity requirements in Article 3(3): 1) radio equipment must ‘not harm the network or its functioning nor misuse network resources’ (3(3)(d)); and 2) radio equipment must contain safeguards to protect the personal data and privacy of its users (3(3)(e)). These cybersecurity requirements also apply to Internet of Things devices, pursuant to a recent Delegated Act from the Commission. These general cybersecurity requirements are much more limited than the list of requirements in the Cyber Resilience Act, which, crucially, also includes requirements for vulnerability handling processes. Recital 15 of the Act notes on these differences: ‘The essential requirements laid down by [the Cyber Resilience Act] include all the elements of the essential requirements referred to in [the Radio Equipment Directive].’ The Cyber Resilience Act, therefore, will be much more in the forefront concerning cybersecurity requirements for Internet of Things devices than the Radio Equipment Directive.

The Radio Equipment Directive is quite similar in its product safety provisions; it includes, for example, rules on technical documentation. However, the Cyber Resilience Act includes broader obligations for the manufacturer that focus on cybersecurity, for instance with the requirement to notify the market surveillance authorities when they cease their operations. While, from the outset, the Directive might seem partially redundant due to its similarities with the Act, the approach of both pieces of legislation is different. The Radio Equipment Directive focuses on rules that ensure radio equipment is safe, broadly speaking, when placed on the European Union’s market. These safety requirements are different from cybersecurity requirements. For instance, the Radio Equipment Directive requires devices to ensure access to emergency services, to facilitate users with certain disabilities, and to work with commonly used chargers. The Cyber Resilience Act, instead, fully focuses on the cybersecurity of devices.

The foundation of the Cyber Resilience Act also differs from the General Data Protection Regulation, another relevant piece of legislation in the context of cybersecurity for Internet of Things devices. The GDPR applies to processing of personal data, which only partially covers the security requirements of the Act. The GDPR, foundationally, focuses on protecting people against misuse of their personal data. The Cyber Resilience Act, therefore, as with the Radio Equipment Directive, supports the aim of the GDPR with its cybersecurity requirements. The Cyber Resilience Act notes, in Recital 17, that ‘the essential cybersecurity requirements laid down in this Regulation, are also to contribute to enhancing the protection of personal data and privacy of individuals.’

The Cyber Resilience Act will provide a comprehensive framework for cybersecurity requirements, which supports the aims of similar legislation, such as the Radio Equipment Directive and the General Data Protection Regulation. Therefore, the Act gives substance to the growing number of cybersecurity requirements for Internet of Things devices in currently scattered pieces of legislation.

Conclusion

The Cyber Resilience Act offers a more comprehensive set of cybersecurity requirements for Internet of Things devices than existing legislation. Furthermore, its rules offer answers to many lingering questions on the security of IoT, such as what should happen when manufacturers cease their operations or when new vulnerabilities require updates from the manufacturer.

In relation to existing legislation, the Cyber Resilience Act will provide a comprehensive overview of cybersecurity requirements. Existing cybersecurity-related legislation often contained open norms and required specific operations (e.g., personal data processing in the General Data Protection Regulation). The Cyber Resilience Act will support the aims of this related set of legislation, while offering the primary set of cybersecurity requirements modern software and hardware must adhere to.