Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“‘Open-source software steward’ means any legal person who makes products with digital elements available on the market and whose purpose is to ensure the viability of one or more products with digital elements qualifying as free and open-source software.”
-Draft compromise text on the Cyber Resilience Act
Story of the week: According to compromise texts on the Cyber Resilience Act, seen by Euractiv, EU policymakers are approaching a compromise on two critical parts: how to regulate open source software and the definition of a support period throughout which manufacturers will guarantee security updates. For open source software, EU policymakers are mulling targeted obligations for the foundation or ‘stewards’ that intermediate the work of volunteer IT developers and commercial corporations. The issue of the support period has also been hashed out, re-introducing five years as the minimum timeframe through which manufacturers should ensure security patches unless the product lifetime is expected to be shorter. If confirmed, these parts of the text will likely be endorsed at the political level at the next trilogue session on 8 November.
What is not being touched at the technical level at the moment is the question of how and who should handle cyber threat reporting, including actively exploited vulnerabilities. As this is the most sensitive issue, it will have to be discussed at the political level, but the European Parliament is standing its ground on the involvement of ENISA, the EU’s cybersecurity agency. What the MEPs want to avoid is that a national computer emergency response team (CSIRT) could unilaterally decide to hold off information about a vulnerability without at least informing ENISA about it. Similarly, parliamentarians cannot accept that manufacturers that do not have a legal office in the EU can pick and choose their CSIRT of reference. In this case, referring to the EU cybersecurity agency would make more sense. On the list of critical products, some horse-trading is expected, but both sides are still to define their priorities. Read more.
Don’t miss: In a few years, most AI solutions will likely be built on a handful of foundation models. Some Big Tech companies are already leveraging their position in the cloud market to become dominant in the AI space, partnering up with leading AI companies and cutting more or less exclusive agreements for using their cloud infrastructure. The Digital Markets Act (DMA) was precisely meant to prevent the formation of new mono- and oligopolies, but, ironically, the platforms designated so far look back at markets that are already concentrated. While the DMA’s misstep in covering cloud services so far might be consequential in failing to prevent some abuses of market dominance that are already taking place, this brand-new legislative tool seems already falling short of preventing the entrenchment of Big Tech in the rapidly expanding AI market. A more targeted regulation might be envisaged, but in this fight against time, EU regulators are already one step behind. Read more.
Also this week:
- The White House issued a swooping executive order on AI as leaders met in London for the first international summit on Artificial Intelligence.
- Germany’s Information Security Office reported that the risks for cyber threats are higher than ever.
- The Spanish presidency outlined some possible concessions on the legal presumption of employment.
- France and Germany are increasingly drifting apart on the issue of sovereign cloud.
- Nude deepfakes are increasingly circulated on the internet, with law enforcement agencies facing an uphill battle in detecting them.
Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.
Today’s edition is powered by Google
Find out how AI could boost the EU economy
Generative AI could increase the size of the EU economy by 1.2 trillion Euros and save the average worker over 70 hours a year. Google is committed to playing its part in helping the EU realize its digital and AI-driven future.
Find out more
Artificial Intelligence
An American AI landmark. On Monday, the White House published a landmark executive order on AI. The order touches upon important aspects of AI applications such as protecting privacy, civil rights, consumers and workers, and promoting innovation and competition. It also calls on extensive scrutiny from government offices on AI applications and monitoring fair competitiveness in the industry. While the executive order does not have the force of law, it might have a significant impact as it defines how federal agencies should purchase and use the technology and directs possible enforcement actions.
Bletchley Declaration on high-risk AI. On Wednesday, some 30 countries signed the United-Kingdom Bletchley Declaration, recognising that “many risks arising from AI are inherently international in nature, and so are best addressed through international cooperation”. Among the signatories are the UK, USA, China, Brazil, India, Indonesia, Japan, Kenya, Turkey, Rwanda, Singapore, six EU countries, among which are France and Germany, and the EU itself as an international organisation. After London, France will hold next year’s second AI Summit.
France solo act over AI Act. The French Economy Minister Bruno Le Maire advised his counterparts that Artificial Intelligence should be left to “innovate before regulate”. Le Maire explained to Le Monde that he wishes to let European actors mastering AI technologies develop – and then regulate them later. The French government might be trying to protect its AI ecosystem, among which the French large-language models startups LightOn or MistralAI, which published a tribune in Les Echos in June, co-signed by former Digital Minister Cédric O, over the dangers of overregulation. Le Maire stated that France’s position diverged from the AI Act’s current approach to foundation models. Euractiv understands the criteria for designating ‘high impact’ foundation models will also be conceived to leave European companies out of this category.
Congress pushes back on US CoE approach. Seven members of the US Congress penned a letter to State Secretary Antony Blinken to push back on the fact that the US delegation to the Council of Europe’s (CoE) AI Convention pushed to exclude NGOs from the drafting process to cover its lobbying to exclude the private sector from the world’s first international treaty on AI. The letter referenced a Euractiv article that revealed the back-room manoeuvring. However, the possibility of watering down the AI treaty is still very much at risk, with a final decision expected in January.
AI developers get a code of conduct. Under the Hiroshima AI process, G7 leaders agreed on International Guiding Principles on AI and a voluntary Code of Conduct for AI developers to provide guiding principles. The Commission rushed the consultation process on the code of conduct to publish it before the UK summit. Still, at the moment, it is not even clear if there will be anyone to monitor that signatories are applying it.
Court dismissed. United States District Judge William H. Orrick dismissed most of the claims brought by visual artists in the US court case Andersen v. Stability AI. According to the judge, the artists could file an amended complaint against the companies. The companies’ systems utilise Stability AI’s text-to-image technology.
Sunak buddies up with Musk. During the UK’s AI Summit, Prime Minister Rishi Sunak interviewed Elon Musk, which Sky News reported as “40 minutes of softball questions of the Prime Minister” and a bonding experience over AI and “selling Britain”, instead of “a Prime Minister going toe to toe with a big political figure”.
Google rivals Amazon. Google is investing $2 billion in Anthropic, which aims to compete with OpenAI’s ChatGPT, backed by Microsoft. While Google is already an investor in the company, with the current deal, it rivals Amazon, who announced in September a funding of $4 billion for Anthropic.
Competition
Cut the Apple. Apple may be forced to cut back developers’ App Store fees after the Dutch Authority for Consumers and Markets (ACM) said that the commission on some apps’ subscriptions violates the bloc’s market power, Bloomberg reported on Tuesday. This is part of the Dutch watchdog’s long-running case against the US company. In 2021, the ACM fined Apple €50 million for not complying with rules in the App Store and said it violated EU antitrust laws. A year later, in the Netherlands, the tech giant cut commissions for dating app makers from 30% to 27%. The current decision is also limited to dating apps but could influence other markets in the future.
It’s a Match! Google and Match Group settled the app store case initiated in Match against Google. Match Group, the owner of several dating apps like Tinder, can now choose different payment systems other than only being able to do so via Google. Google and Match Group will still collaborate in other fields, such as Google Cloud and AI technologies by Google. Meanwhile, Google’s court case is still ongoing with Epic Games.
Cybersecurity
Germany’s cyber threats are higher than ever. Germany is experiencing a significant increase in cyber threats, with the risk of ransomware attacks considered exceptionally high, according to the latest report from the German Federal Office for Information Security. On Thursday, Germany’s Office for Information Security (BSI) presented its status report on IT and cybersecurity in the country, which covers the period from June 2022 to June 2023. “The BSI report on the state of IT security in Germany in 2023 proves that the threat situation in cyberspace remains tense,” said German Interior Minister Nancy Faeser. Read more.
CRA four-column update. EU policymakers are also making quick progress on other parts of the Cyber Resilience Act (CRA), based on a four-column dated 24 October seen by Euractiv. Some parts, such as the interplay with the AI Act, representative actions and regulatory sandboxes, have been closed relatively quickly. The definition of consumers excludes legal entities, even though there is some significant interplay between B2B and B2C relations, notably regarding open source software. Several references to funding of SMEs were introduced following the EU Parliament’s text. An important question remains on technical standards, which are unlikely to see the light before the CRA starts to apply, given the recurring delays of CEN/CENELEC. These delays might cause some enforcement problems but could be partially mitigated by the introduced references to international standards and mutual recognition agreements. Finally, wording was included that would allow the manufacturers to delay making public a fixed vulnerability in cases where users might need time to apply the patch.
Hackers also like dating apps. New research by Cisco’s threat intelligence team found that Gaza-based espionage group Arid Viper, which back in 2019 used fake Facebook and Instagram profiles, has now switched to a dating app from a German developer (Skipped) to target mainly Arabic-speaking Android users.
Boeing under attack. A Russian-linked hacker group called LockBit attacked the US aerospace company, Boeing. It blackmailed Boing to release sensitive data by the end of this week. Boeing is also known for manufacturing, next to commercial aeroplanes, defence products.
Data & Privacy
GDPR updates. During a meeting of the Multistakeholder Group on the application of the General Data Protection Regulation (GDPR), the Commission provided an overview of the progress on new adequacy decisions, especially regarding Brazil and international organisations. Still, it did not provide a specific timeline regarding their finalisation. The Commission will also publish a report on the review of adequacy decisions adopted before the GDPR and will open a call for evidence by the end of the year or early 2024. The Council is also expected to publish its report on GDPR application by December. Meanwhile, members of the Multistakeholder Group have until 18 November to share written feedback to the Commission. The European Data Protection Board or the Data Protection Authorities should publish their report by the end of the year, too. A practical guide on applying Standard Contractual Clauses concerning ASEAN countries is also expected to be published during the first half of 2024.
Five pleas against the Data Privacy Framework. As previously reported by Euractiv, the EU-US data transfer agreement, the Data Privacy Framework, is being challenged in front of the Court of the European Union (CJEU). On Monday, the CJEU published the action brought by the French MP and Member of the board of the French privacy authority (CNIL). It consists of five pleas concerning infringement on a language regulation and several infringements of the Charter of Fundamental Rights of the EU and the General Data Protection Regulation. Latombe notably targets the “bulk” collection of personal data, questions the independence of the US tribunal set up by Biden’s executive order, the absence of safeguards against automated decision-making and points towards conflict of laws between the US and the GDPR regarding data transfers.
EU-Japan data alliance. With an eye on the title for the world’s largest digital economies, the EU and Japan concluded a deal on cross-border data flows. The deal is expected to lower bureaucratic burden and cumbersome administrative requirements for companies. Negotiations with Korea and Singapore are on the way in the near future.
Digital Services Act
Don’t forget about porn (again). Several civil society organisations have urged the European Commission to designate major porn websites as “very large online platforms” that have to follow a strict regime under the Digital Services Act (DSA), according to a letter seen by Euractiv. The Commission is expected to announce its second batch of systemic platforms before the end of the year, and NGOs want to make sure that porn websites are not forgotten again. Read more.
New admin agreement. The Commission signed an administrative arrangement with the Italian media regulator (AGCOM) on Monday to support the Commission’s enforcement of the DSA. For Italy, AGCOM was appointed as the Digital Services Coordinator, making it part of the Board for Digital Services once it is established in February of next year.
Gig economy
Legal presumption battle ahead. EU institutions are preparing for confrontation over the functioning of the legal presumption of employment, the most sensitive aspect of the Platform Workers Directive, in a trilogue next Thursday. In its COREPER mandate, seen by Euractiv, the Spanish presidency proposed to remove part of the discretion of national authorities in assessing the application of the rebuttable presumption, at least when they concluded it is a case of bogus self-employment. Another concession to the MEPs would consist of letting trade unionists launch presumption proceedings. Read more.
WeRaised, WeWorked, and WeCrashed. WeWork, the most well-known company offering flexible memberships and turnkey offices, valued at $47 billion in January 2019, is planning to file for bankruptcy next week, as the Wall Street Journal reported on Tuesday.
Industrial strategy
France and Germany drifting apart on sovereign cloud. The recent announcement of “a new, independent cloud for Europe” by Amazon Web Services (AWS) has underlined the growing divergence between the positions of Paris and Berlin regarding digital sovereignty in the cloud sector. BSI’s Director General Claudia Plattner said she was “very pleased to constructively accompany the local development of an AWS cloud, which will also contribute to European sovereignty in terms of security” and advertised that the AWS cloud received the German C5 certification. The ANSSI, the BSI’s French counterpart and the French Digital Ministry did not issue a comment for the time being. Yet, pressure is mounting for an official statement as French MP and member of the board of the French data protection authority Philippe Latombe and MP and rapporteur of the French digital space bill on cloud topics Catherine Morin-Desailly issued two formal questions to Digital Minister Jean-Noël Barrot. Read more.
Oracle is now part of the EU multi-cloud. US cloud service Oracle advertised on Monday that the European Commission decided to include Oracle Cloud Infrastructure services into its offerings, raising consistency questions with its proposed cloud security schemes. The EU executive has selected Oracle Cloud Infrastructure for a six-year overarching framework agreement that allows the US-based company to offer cloud services to the EU institutions, bodies and agencies. However, the decision of the Commission to include the American Oracle in its cloud service offerings available to the EU administration seems at odds with its boasted drive toward technological sovereignty. Read more.
A “one-sided” report. Experts have criticised a new report by the European Innovation Council on emerging deep technologies, breakthrough innovations, and early-stage research projects, calling into question its approach to quantum computing and semiconductors. Read more.
Law enforcement
Deepfakes flood the internet. Deepfakes, a term used to refer to synthesised visual content designed to swap or alter the identities of people depicted, can be created with many purposes, from entertainment to disinformation. However, nude deepfakes, including those of minors, are becoming increasingly common online as the tools to create them become more accessible. While circulating pornographic content with minors is illegal, introducing the features of a minor into a pornographic image made by consenting adults is a grey legal area that puts the flexibility of national criminal codes to the test. Law enforcement agencies are also facing an uphill battle in detecting the suspect content among the billions of images and videos shared online daily. Read more.
Fight against CSAM. Ahead of the UK’s AI Summit, TikTok, Snapchat, OnlyFans, and more have signed a declaration, published on Monday, vowing to work together against the risks posed by AI in the fight against child sexual abuse material (CSAM) on existing forums. The signatories also include the governments of the United Kingdom, Germany, Italy, Australia, and the United States.
Media
Crimes against journalists. The media freedom association Committee to Protect Journalists (CPJ), released its annual Impunity Index ahead of the UN’s International Day to End Impunity for Crimes Against Journalists on Thursday. Full justice has been achieved in fewer than 5% of murders of journalists since 1992, with four unsolved cases in the EU, the CPJ found. Read more.
Czech media tycoon expands in France. Czech billionaire Daniel Křetínský was authorised on Tuesday to buy the second-largest French editing company, Editis, on a side deal imposed by the Commission, which demanded Vivendi sell Editis when acquiring the Lagardère group. Křetínský now owns 25% of the French Fnac-Darty distributor group, multiple French media and has been reported to have views on acquiring part of the French technology service company Atos and the supermarket chain Casino.
Platforms
Free but won’t always be. Facebook and Instagram will offer a subscription to European users in November so they can avoid advertisements on the social media platforms, Meta announced on Monday. “To comply with evolving European regulations, we are introducing a new subscription option in the EU, EEA and Switzerland,” the post reads. “While people are subscribed, their information will not be used for ads,” Facebook confirmed in the same post. Depending on where someone subscribes, the purchase will cost “€9.99/month on the web or €12.99/month on iOS and Android” and apply to “all linked Facebook and Instagram accounts in a user’s Accounts Center”. This transition to a subscription model follows a series of data protection decisions ruling Meta’s legal basis for processing personal data for advertising purposes illegal. The Irish Data Protection Commission is still to approve Meta’s move. Still, many continental data protection authorities have been sceptical of an approach requiring users to either pay or give up their personal data to access a service.
What else we’re reading this week:
Existential risk? Regulatory capture? AI for one and all? A look at what’s going on with AI in the UK (TechCrunch)
How a tiny Pacific Island became the global capital of cybercrime (MIT Technology Review)
Smartphone Photos Are Getting Faker. Uh-Oh? (The New York Times)
Alina Clasen and Théophane Hartmann contributed to the reporting.
[Edited by Nathalie Weatherald]
