The Week
16 - 20 December 2024
IN-DEPTH:
A Tale of two States: the Court of Justice’s final Word on countervailing transnational Subsidies
Oscar Beghin
The Victims Directives as a whole? The case Burdene (C-126/23)
Jacopo della Torre
In the Shadow of the Charter: Article 19(1) TEU and effective judicial Protection as a Source of the Rights of Defence in Criminal Matters
Giulio Dipietro & Ilaria Gambardella
Sharp no more? The weakening of Protection against Unfair Commercial Practices now. Comments on Guldbrev (C379/23)
Dominik Dworniczak
Safe Countries of Origin: whose Margin of Appreciation? (Case C-406/22, CV) and its Impact on the Application of the Italy-Albania Protocol
Alessia Di Pascale
Is Predictive Policing prohibited in the EU? Yes, it should be
Francesca Palmiotto
Interpreting the LED Directive in Case C-80/23: the Processing of Sensitive Data for Law Enforcement
Benedetta Brambati
SYMPOSIUM COMPETITION CORNER: ARTICLE 102 EXCLUSIONARY GUIDELINES: CODIFICATION OR RESTATEMENT?
On the Article 102 TFEU Guidelines
Pablo Ibáñez Colomo
The effects-based Analysis of unilateral Conduct – why we need to redraft the draft Guidelines for the AEC-test in the Aftermath of Google Shopping (C-48/22 P) and Intel (C-240/22 P)
Eva Fischer
THE LONG READ
European Cybersecurity and AI Framework: Towards Proactive Regulation for a Secure Digital Future
Céline Gauthier-Maxence
Transposing NIS 2: A Blueprint for EU Cybersecurity Harmonisation
Elio Machado Neto
HIGHLIGHTS OF THE WEEK
Oscar Beghin
A lot of attention has been paid to new unilateral instruments in the EU’s trade toolkit. But, as the Hengshi and Jushi judgment shows, traditional trade defence instruments remain in vogue.
The Commission has made increasingly bold and expansive use of its anti-dumping and anti-subsidy instruments in a bid to protect the ‘level playing field’ from the perceived cross-border threat of Chinese state capitalism. In 2020, the Commission adopted an interpretation of the notion of subsidies under the Basic Anti-Subsidy Regulation 2016/1037 (“BASR”) to cover transnational subsidies. Transnational subsidies occur where public funds from one country flow to recipient firms located in another country. When these firms then engage in exports, the Commission became the first WTO investigating authority to exercise jurisdiction to impose countervailing duties on those subsidised exports.
After the first instance judgments left the issue on shaky legal foundations, the Court of Justice in its Hengshi and Jushi (C-269/23 and C-272/23) ruling has definitively settled the matter: the Commission may countervail transnational subsidies if it can show that the government of the recipient country played a role in the granting of the subsidies. The Court thereby sets aside the relevance of attributing state conduct of one WTO member to another.
This appeal could have presented an opportunity for a dialogue des juges between the Court of Justice and the WTO Appellate Body. But with radio silence coming from Geneva, the question remains unresolved at the WTO level. Luxembourg has instead granted more leeway to Brussels in the pursuit of its trade policy. The Hengshi and Jushi ruling marks yet another progression in the autonomy of the EU’s trade defence instruments from the WTO legal order.
Hengshi and Jushi are two producers of glass fibre products established in Egypt. But these firms present two particularities. First, both are subsidiaries of a Chinese state-owned enterprise, which is itself controlled by the central SASAC agency of the Government of China (“GOC”). Second, the firms’ facilities are located in the Suez Economic and Trade Cooperation Zone, a special economic zone jointly set up by the Chinese and Egyptian governments as part of the Belt and Road Initiative.
Through Implementing Regulation 2020/870, the Commission imposed countervailing duties on imports from these firms to countervail, inter alia, preferential financing from Chinese financial institutions. Applying a novel interpretation – based on the International Law Commission Articles on State Responsibility – the Commission considered that funds originating from Chinese state-owned financial institutions could be attributed to the Government of Egypt (“GOE”), and countervailed as such.
Hengshi and Jushi challenged these measures before the General Court (T-480/20 and T-540/20), which instead ruled in favour of the Commission. The judgment commented here is an appeal of these first instance judgments.
Two grantors is better than one: an autonomous solution under EU Law
The legal question that the Court of Justice had to resolve is whether financial contributions originating in China could be considered as subsidies granted by the GOE.
Hengshi and Jushi argued that, under the BASR, a subsidy can only be granted by the country of origin or of export of the product under investigation (i.e. Egypt) and hence could not cover foreign direct investment from China (C-269/23 and C-272/23, paras. 46, 50).
The BASR defines the notion of a subsidy as a (i) financial contribution, (ii) by a government or public body, (iii) that confers a benefit (Art. 3). That subsidy can be countervailed only if it is (iv) specific (Art. 4). Importantly, the Court recalls that ratione personae, the financial contribution must be granted by the government of the country of origin or of export of the goods (para. 72).
The legal solution of the General Court was to attribute the financial contributions to the GOE, but it remained the GOC that granted them. This is different from the interpretation of the Court of Justice, which instead finds that the financial contributions were granted directly by the GOE by adopting a new functional definition of that term: “grant[ing]” is “conduct by which a person gives or allocates something to another person, whether by formally granting it or by allowing him or her in practice to benefit from it” (para. 73).
It follows that by establishing government cooperation in the Suez ETC Zone, the GOE enabled those firms, in practice, to benefit from those funds. This, despite the GOE not directly granting Hengshi and Jushi any preferential financing (para. 75). The Court points to the fact that the GOE was at liberty to consult with the GOC and to eliminate those subsidies (para. 87). The burden of proof is placed on the Commission to show that the conduct of the government of the recipient of the transnational subsidy played a role, “formally” or “in practice” (para. 82).
According to the Court, this interpretation is possible because nothing in the provisions of the BASR says it is not (paras. 76–77). But inferring this from a silence in the legislation is controversial.
Furthermore, the Court supports its interpretation by referring to the principles of the BASR. Article 1 BASR, incorporating a leitmotif in EU legislation, grants the Commission a mandate to “offset any subsidy granted, directly or indirectly” (para. 80). But then the question is whether the Commission is not just countervailing indirect Chinese subsidisation, in which case it could no longer assert jurisdiction over exports from Egypt.
The Court’s approach to WTO law is quite subtle from the perspective of legal technique. Even without the flair of a Rusal Armenal (C-21/14 P), it marks no less of an important evolution in the case-law.
In first instance, the General Court applied Article 1 of the SCM Agreement directly. This provision defines subsidies as financial contributions by a government or any public body within the territory of ‘a’ (read: any) Member of the WTO. It held that this wording does not preclude the possibility that a financial contribution granted by a third country (i.e. China) may be attributed to the government of the country of origin or of export (i.e. Egypt; T-480/20, para. 101).
Directly applying Article 1 of the SCM Agreement, the Court of Justice holds, constitutes an error of law (para. 64). The General Court misapplied the Nakajima doctrine.
According to the Nakajima doctrine, WTO rules can have direct effect in the EU legal order if, with an act of secondary EU legislation, the legislature intended to implement a ‘particular obligation’ assumed under WTO law.
The General Court considered that with Article 3 BASR, the EU legislature intended to implement Article 1 of the SCM Agreement because these provisions are in substance nearly identical. The Court of Justice instead holds that, while the EU legislature aimed to reflect the SCM Agreement in the BASR, it did not intend to make that agreement a standard by reference to which the legality of EU acts could be reviewed (para. 63).
The reader familiar with this line of case-law will note that the Hengshi and Jushi judgment marks a further step narrowing the Nakajima doctrine. Here, even a copy-paste of a WTO provision into EU law apparently does not suffice to demonstrate intent to implement a particular obligation. Arguably, the Nakajima doctrine is applied so restrictively that it has become irrelevant (and subsumed by the Fediol doctrine, i.e. the second exception cited by the Court at para. 59).
This does not mean that WTO rules as a whole are irrelevant, though. They constitute relevant rules to which EU courts must make reference under the principle of consistent interpretation (paras. 65–67). The problem in Hengshi and Jushi is that WTO adjudicators have never before had to rule on the question of transnational subsidies.
The Court of Justice acknowledges that the logic of the SCM Agreement limits the scope of the legal notion of subsidies to financial contributions granted by the government of the country of origin or export (i.e. the GOE; para. 92). But, according to the Court, nothing precludes these financial contributions from finding their source in another government (i.e. the GOC; para. 94).
The Court adopts a teleological reading of the SCM Agreement to comfort its own interpretation of the BASR. In its view, the SCM Agreement is designed to prevent WTO members from indirectly causing distortive adverse effects to other members through the use of subsidies, which must take into account the increased internationalisation of trade, including transnational subsidies (paras. 94, 97, 98).
The SCM Agreement is designed to discipline both the way in which states grant subsidies and the way in which states resort to their countervailing duty laws to protect their domestic market against such subsidies. The SCM Agreement fundamentally aims to preserve the balance between offence and defence. Did the Court lose sight of the latter?
Conclusion
EU trade defence did not get its Illumina moment. With the Hengshi and Jushi ruling, the Court of Justice adds yet another layer of insulation between the EU and WTO legal orders. The new autonomous definition of ‘granting’ allows the Commission to countervail transnational subsidies even though the legislature did not expressly foresee the possibility in the BASR.
At the international level, in the absence of a clear signal from Geneva, investigating authorities in other jurisdictions may follow the Commission’s lead. And their domestic systems of judicial review may, also, grant leeway for administrative discretion.
Oscar Beghin is an Associate at an international law firm based in Brussels, specialised in international economic law and EU litigation. He is also a guest lecturer at Ghent University.
Beghin, O.; “A Tale of two States: the Court of Justice’s final Word on countervailing transnational Subsidies”, EU Law Live, 17/12/2024, https://eulawlive.com/a-tale-of-two-states-the-court-of-justices-final-word-on-countervailing-transnational-subsidies/
Jacopo della Torre
Introduction
On 7 November 2024, the Court of Justice delivered its judgment in Burdene (C-126/23), in reply to a request for a preliminary ruling submitted by the Tribunal of Venice, regarding the interpretation of Article 12(2) of Directive 2004/80 (Victims Compensation Directive). The case focused on the question of whether EU law precludes legislation of a Member State which, in the event of the insolvency of the perpetrator of a homicide, limits the number of family members who may benefit from the right to receive compensation from the State, using a predefined order of priority among them based solely on the nature of the family ties.
This judgment follows a series of decisions in which the Court has already had the opportunity both to rule on structural infringements and to clarify the scope of key provisions of that Directive. It is recalled that many of these judgments concerned Italy. On the one hand, Italy has twice been condemned for the incorrect transposition of Directive 2004/80 (C-601/14 and C-112/07). On the other hand, the Court of Justice had already ruled on a reference for a preliminary ruling from the Italian Court of Cassation, which concerned precisely the interpretation of Article 12(2) (C-129/19).
With the Burdene case, the Italian saga in this area took a significant step forward. Unlike its immediate predecessors, this judgment has a strong peculiarity: it used the general definition of ‘victim’, contained in Article 2 of Directive 2012/29, establishing minimum standards on the rights, support and protection of victims of crime, to clarify the scope of Article 12(2) of Directive 2004/80. In this way, these European acts have been the subject of a joint reading that must be greatly appreciated. Indeed, interpreting them as a ‘complementary whole’ may help to render victims’ rights more practical and effective.
The case concerned the conviction of a defendant to 30 years’ imprisonment for the homicide of his ex-partner and to the compensation for damages to each of the victim’s two children, to her father, mother and sister, and to her husband, from whom she had been separated for several years. However, as the perpetrator of the homicide had no assets, only a small sum was actually paid directly by the Italian State exclusively to the children and the husband of the deceased. This is due to the Italian compensation mechanism for violent intentional crimes, governed by Law No. 122/2016 implementing Directive 2004/80, which, in addition to setting limits on the sums that can be compensated, grants the right to compensation to the victim’s parents only in the absence of the victim’s surviving spouse and children, while brothers and sisters are entitled to compensation only in the absence of all the above-mentioned persons.
Taking this into account, the victim’s parents, sister and children approached the Tribunal of Venice claiming that Law 122/2016 violated Directive 2004/80. In their claims, the applicants, in addition to complaining about the very low amount received only by the victim’s children, argued that the Italian legislation led to the paradox of allowing compensation to the victim’s surviving husband, with whom she had practically no relationship, and not to other family members with whom she had stable contact.
In these circumstances, the Tribunal of Venice decided to ask the Court of Justice whether Article 12(2) of Directive 2004/80 must be interpreted as precluding legislation of a Member State which provides for a compensation scheme that, in the case of homicide, makes the right to compensation of the parents of the deceased person subject to the absence of a surviving spouse and children of that deceased person, and the right to compensation of the victim’s siblings subject to the absence of those parents.
General Overview of the Findings of the Court
To answer this question, the Court had to examine the scope of the concept of ‘victim’ within the meaning of Directive 2004/80. As regards this, the judgment started from the finding that the Victim Compensation Directive does not contain a definition of that concept. Nevertheless, the judges, after clarifying that the notion of victim would in any case now form part of an autonomous notion of Union law, stated that it should also refer to the family members of a victim of a homicide, for three reasons, linked, in particular, to (a) the everyday language; (b) the aims pursued by the European legislator; and (c) the context of European acts within which Directive 2004/80/EC is placed.
Regarding the first aspect, the judgment specified that the term ‘victim’ in everyday language must be understood as including both persons who have suffered a violent intentional crime, as direct victims, and their close family members, when the latter suffer the consequences of that crime, as indirect victims.
Second, the Court stated that an interpretation of the Victims Compensation Directive as applying only to direct victims could not be accepted, as it would deprive Article 12 of much of its practical effect, since it would oblige Member States to establish a national compensation scheme for violent intentional crimes only if the direct victim of that crime survives his or her injuries.
Lastly, the Court used as a decisive argument the definition of ‘victim’ in Article 2(1)(a) of Directive 2012/29, which also covers family members of a person whose death was directly caused by that offence. In this regard, the judgment held, more particularly, that the definition of the concept of ‘victim’ in Directive 2012/29 clarifies the scope of that concept as it results from Article 12(2) of Directive 2004/80.
It should be noted that the Court reached this conclusion on the basis that Directive 2012/29 establishes the horizontal framework for addressing the needs of all victims of crime. This conclusion was not affected by the fact that Directive 2012/29 follows on chronologically from the Victim Compensation Directive and that, for this reason, recital 5 of the latter cites Framework Decision 2001/220/JHA, which was precisely replaced by Directive 2012/29. In rejecting the Italian Government’s objection on this point, the Court reiterated that the purpose of Directive 2012/29 is to establish the general framework of EU law applicable to victims of crime.
At this point, the Court was able to assess the central question of whether a national ‘tiered’ compensation system, such as the Italian one, can be considered capable of guaranteeing ‘fair and appropriate’ compensation to victims.
In this regard, the Court recalled, first, that the compensation referred to in Article 12(2) is not necessarily required to ensure full reparation of the material and non-material harm suffered by the victim. Indeed, States enjoy a margin of discretion both as to the amount of compensation and as to the way that compensation is determined.
However, developing on what was already established in C-129/19, the judgment reiterated that this margin of appreciation is not unlimited. Since the compensation granted to such victims represents a contribution to the reparation of material and non-material losses suffered by them, such a contribution may be regarded as ‘fair and appropriate’ only if it compensates, to an appropriate extent, the suffering to which those victims have been exposed. Consequently, the compensation scheme must be sufficiently detailed to avoid the possibility that, considering the circumstances of a particular case, an amount of compensation provided for a particular type of crime proves to be manifestly insufficient.
After making these considerations, the Court acknowledged that the Member States may, in principle, within the margin of appreciation entrusted to them, decide to provide for a national system of compensation that limits the right to the close family members of the deceased, configuring a priority in favour of some of them. Once again, Directive 2012/29 was used to support this conclusion, insofar as its Article 2(2) allows Member States to establish procedures to limit the number of family members who may benefit from the rights set out in that directive.
In this regard as well, however, the Burdene judgment made an important clarification. Indeed, the Court stated that a national compensation scheme constructed in this way cannot automatically exclude certain family members from entitlement to full compensation merely because of the abstract presence of other family members, without it being possible to consider case-related considerations other than that order of succession. More specifically, the Court considers that, in order to comply with Article 12 of Directive 2004/80, Member States must always also consider the actual seriousness of the consequences of the crime for those persons, taking into account, inter alia, the material consequences for those family members of the murder of the person concerned, or the fact that those family members were dependent on the deceased person or lived with them.
It follows logically that, by making the compensation of the deceased’s parents subject only to the abstract condition of the absence of a surviving spouse and children, and that of siblings to the absence of parents, the relevant Italian legislation cannot be said to be in conformity with EU law.
The Burdene case deserves a special mention for its efforts to conceive the EU instruments for the protection of victims as a set of acts to be read in an integrated manner, orbiting around the general Directive 2012/29.
In this respect, it should first be noted that this is an approach that has strong points of contact with the one recently developed by the Council of Europe. Indeed, it is noteworthy that both the Recommendation No. CM/Rec(2023)2 on victims of crime and the European Court of Human Rights in some cases (see Vanyo Todorov v. Bulgaria) have given central importance to the definition of ‘victim’ contained in Directive 2012/29, taking it as a model. This clearly shows how European instruments play a leading role even beyond the borders of the EU legal system.
Most importantly, however, the combined reading of the victims’ legislation developed in Burdene has the merit of at least partially overcoming the traditional reluctance of several EU countries to provide effective State-funded compensation to victims. It should be recalled that, as the European Commission pointed out in its report on the implementation of Directive 2004/80 (COM (2009) 170 final), the mechanism established by this EU act does not seem to have achieved the results hoped for by the EU legislator. On the other hand, the resistance that the Member States still show in this area is well reflected in the preparatory work currently underway for the adoption of an amending Directive 2012/29. As is well known, in its general approach (doc. 10255/24), the Council of the EU has completely deleted the innovative provisions that the Commission had proposed to introduce in its original position (COM(2023) 424 final) in the field of compensation for damages suffered because of crime.
In this political context, one can only hope that at least the Court of Justice will continue to try, with judgments such as the present one, to ensure that victims do not continue to suffer a double injustice, not only having to bear the negative effects of a crime, but also being deprived of the full exercise of the rights that the EU has struggled to grant them.
Jacopo della Torre is an Associate Professor of Criminal Procedure at the University of Genoa (Italy).
Della Torre, J.; “The Victims Directives as a whole? The case Burdene (C-126/23)”, EU Law Live, 18/12/2024, https://eulawlive.com/op-ed-the-victimsdirectives-as-a-whole-the-case-burdene-c-126-23/
Giulio Dipietro & Ilaria Gambardella
In Accord entre le procureur et l’auteur d’une infraction (C-432/22 PT), the Court of Justice has ruled on two preliminary questions referred by the Specialised Criminal Court of Bulgaria regarding the interpretation of Bulgarian criminal procedural law in light of EU law, in particular the second subparagraph of Article 19(1) TEU.
In this Op-Ed, we argue that the judgement rendered by the Third Chamber of the Court constitutes an important contribution in two main respects. First, it delineates the scope of the EU Charter in the field of (substantive and procedural) criminal law. Second, it further specifies the meaning of the second paragraph of Article 19(1) TEU, by making it a source of the right to a fair trial as part of the right to effective judicial protection. This interpretation is a novelty in the Court’s case law, as arguably for the first time the rights of the defence are applied only on the basis of the Treaties, in a case where the applicability of the Charter is ruled out.
The Bulgarian court has doubts on the compatibility with EU law of the national legislation regarding agreements for settlement of a case in the pre-trial procedure. Such agreements allow an accused person to obtain the lessening of charges or a reduction of his/her sentence in exchange for a guilty plea.
According to Bulgarian criminal procedure, jurisdiction to rule on an agreement for settlement of the case is conferred to an ad hoc court – one distinct from the court responsible for the main case. Moreover, the approval of such an agreement is subject to the consent of all other defendants involved in the same proceedings. The Specialised Criminal Court wonders whether both elements of this mechanism are precluded by the second paragraph of Article 19(1) TEU, Article 47 of the Charter as well as Framework Decision 2004/757 and Framework Decision 2008/841, establishing minimum rules on substantive criminal offences in the field of drug trafficking and organised crime.
As a point on admissibility, the Court examines the question of the applicability of the Charter. Pursuant to its Article 51(1), as interpreted by settled case law, the Charter is applicable to the Member States only when ‘they are implementing Union law’. Concretely, this presupposes ‘a certain degree of connection between an act of EU law and the national measure in question, above and beyond the matters covered being closely related or one of those matters having an indirect impact on the other’ (para. 35 referring to the landmark case Siragusa). In other words, the link between EU law and the national measures must be sufficiently tight and the obligation imposed at the EU level sufficiently specific to trigger EU fundamental rights (see I. Gambardella, p. 217).
The Court rules that such a tight link is not present in the case at hand, for two main reasons. First, according to the Court, there is no sufficient connection between the EU legislation at stake, which covers rules of substantive criminal law, and the national provisions of Bulgarian law governing the agreement for resettlement which belong to procedural criminal law (para. 40). The provisions of EU law of which the national court seeks interpretation are indeed Article 5 of Framework Decision 2004/757 and Article 4 of Framework Decision 2008/841. Both these instruments were adopted on a legal basis which corresponds to the current Article 83(1) TFEU, which allows the EU to establish minimum rules concerning the definition of criminal offences in certain areas. In contrast, the national provisions whose compatibility with EU law is doubted by the national court are procedural in nature. When criminal procedure is concerned, the legal basis for EU harmonisation consists of Article 82 TFEU, and no EU secondary law has been adopted so far concerning plea-bargaining agreements (para. 39).
Second, EU law does not impose any specific obligations on the Member States with regard to such agreements. The provisions of the Framework Decisions do not specify detailed rules governing them and do not require the Member States to legislate in this area (para. 41). As a consequence, the applicability of the Charter is ruled out, insofar as the provisions of Bulgarian criminal procedure do not constitute implementation of Union law within the meaning of Article 51(1) Charter (para. 42).
It is worth mentioning, in limine, that this judgement sheds light on some dynamics specific to the interaction between EU criminal law and the application of the Charter (see S. Iglesias Sanchez). The Court’s reasoning appears consistent with the mandate of EU secondary law in this field, which only establishes minimum rules, and therefore excludes an intrusive intervention of the Union in national criminal systems. Nevertheless, it should also be noted that substantive criminal law legislation does have an impact on national criminal procedure. When the subject matter of an EU legislative act generally belongs to substantive criminal law, a significant relationship with national criminal procedure and therefore its reviewability under EU fundamental rights standard is not necessarily excluded. Therefore, the question of a clear delimitation between substantive and procedural criminal law, which is not new to national legal systems, has now gained relevance for Union law interpreters as well, who will need to address these challenges within the fast-developing network of Union criminal law principles and rules.
Once the applicability of the Charter is excluded, the Court proceeds with its reasoning by examining Bulgarian criminal procedural law in the light of the second subparagraph of Article 19(1) TEU.
This part of the judgement proves once again the far-reaching scope and implications of the overarching principle of effective judicial protection enshrined in the TEU, for two reasons. Firstly, the Court uses Article 19(1) TEU as a yardstick of review of criminal procedural rules not harmonised at the Union level, and in fact not affected whatsoever by EU legislative action. Secondly, the ruling further enriches the notion of effective judicial protection, adding to its substantive components the rights of the defence (also enshrined in Article 48 of the Charter).
The second subparagraph of Article 19 TEU requires the Member States to establish a system of legal remedies and procedures ensuring effective judicial review in Union matters (para. 44). As the scope of that provision extends to ‘the fields covered by Union law’, irrespective of national implementation of EU law, effective judicial protection has to be complied with by ‘any national body which can rule, as a court or tribunal, on questions concerning the interpretation or application of EU law’ (para. 45, referring to the landmark case Portuguese Judges).
The first preliminary question concerns the compatibility with Article 19 TEU of the provision of national law which confers on an ad hoc court, and not the court responsible for the main case, jurisdiction to rule on plea-bargaining agreements.
This is, in the opinion of the Court, a matter of judicial independence, and more precisely its ‘internal aspect’, i.e. the impartiality of the national court (para. 55). In addition, the national court mentions the principle of immediacy of criminal proceedings, that could be to a certain extent subsumed under the impartiality requirement (paras. 60 and 61). Immediacy means that a court deciding on guilt or innocence should in principle hear witnesses in person to assess their credibility, which guarantees also the opportunity for the accused to confront them.
As the Court explains, both these elements of effective judicial protection are not impaired insofar as the requirement of an ad hoc court reinforces the impartiality of the court which will have to try the defendants who have not pleaded guilty, excluding any influence from the statements made by the one that did so (para. 62).
Up to this point, the case confirms the use of Article 19(1) TEU to assess compliance of national law with ‘obligations regarding their system of governance, especially judicial independence’ as opposed to ‘substantive rights in concrete situations’ (see Tridimas, p. 202). The far-reaching implications of Article 19 TEU, in other words, are justified by the ‘structural, transversal’ nature of issues of judicial independence, which accordingly extends EU law standards of judicial protection to ‘cases which may not be within the scope of EU law in the traditional sense’ (see Bobek, p. 159).
The second question concerns the compatibility with Article 19(1) TEU of the national rule that makes the approval of the agreement conditional on the consent of all other defendants that had participated in the same organised criminal group. According to the referring court, this rule could violate the right to a fair trial of the defendant who enters the agreement to obtain a reduced sentence. What does Article 19(1) TEU require in terms of individual rights of defence in criminal proceedings?
The Court considers that the right to a fair trial and the rights to the defence form an integral part of the fundamental principle of effective judicial protection (para. 70). Moreover, it further expands the scope of Article 19(1) TEU to include the adversarial principle, and a balancing with the rights of witnesses and victims, to finally reject the argument that this network of fair trial components is infringed by the consent requirement (para. 71).
This second part of the judgement can, if confirmed, represent a radical novelty for Union law. As a matter of fact, the Court uses Article 19(1) TEU to address individual rights in criminal proceedings, unraveling the potential of the ‘fundamental’ principle of effective judicial protection beyond transversal issues (such as judicial independence).
Additionally, it adds a significant piece to the expanding system of protection of fundamental procedural rights in the EU area of criminal justice. In addition to Title VI of the Charter, some of the rights of suspects and accused persons have been harmonised by means of Directives, adding to the general wording of the Charter a more detailed protection and stronger avenues of enforcement. With this judgement, the Court adds to this system the key element of Article 19(1) TEU, offering a flexible yet powerful consolidation of the Union’s due process standard in criminal proceedings.
Giulio Dipietro is a Teaching Assistant at the KU Leuven Institute for European Law and a Research Associate for the RESHUFFLE project (funded by the European Research Council, grant agreement n° 851621).
Ilaria Gambardella is a PhD researcher at the KU Leuven Institute for European Law and the Centre for European Law of the Université libre de Bruxelles. Her research is funded by the Research Foundation Flanders – FWO (grant agreement n° 11B7525N).
Dipietro, G. and Gambardella, I.; “In the Shadow of the Charter: Article 19(1) TEU and effective judicial Protection as a Source of the Rights of Defence in Criminal Matters”, EU Law Live, 19/12/2024, https://eulawlive.com/op-ed-in-the-shadow-of-the-charter-article-191-teu-and-effective-judicialprotection-as-a-source-of-the-rights-of-defence-in-criminal-matters/
Sharp no more? The weakening of Protection against unfair commercial Practices now. Comments on Guldbrev (C-379/23)
Dominik Dworniczak
On 5 December 2024, the Court of Justice handed down its judgment in Guldbrev (C-379/23) answering a question referred by the Swedish Svea Court of Appeal, Patent and Market Court of Appeal (Svea hovrätt, Patent- och marknadsöverdomstolen). The judgment addressed the interpretation of Articles 2(c), (d), (i), and 3(1) of Directive 2005/29/EC of the European Parliament and of the Council (hereinafter: ‘UCPD’). The Court held that when a trader offers a valuation service as a precondition for purchasing goods from consumers, the valuation and purchase together qualify as a ‘product’ under the Directive. Consequently, all promotional practices linked to these transactions fall within the scope of the UCPD as commercial practices.
While the Court reaffirms its case law on the status of combined offers (such as VTB-VAB and Galatea and Deroo-Blanquart), the definition of ‘product,’ now established as an autonomous concept of EU law, can be called into question, reflecting the doubts of the referring court concerning the interpretation of EU law.
The claimant, Konsumentombudsmannen (hereinafter: KO), brought an action before the Swedish Patent and Market Court against Guldbrev, an internet-based gold valuation and purchase company. KO sought to prohibit Guldbrev from engaging in practices involving the promotion and advertisement of gold prices on its website, social media platforms and through direct mail. The claimant argued that this advertising constituted bait advertising and bait-and-switch. It was also alleged that Guldbrev failed to clearly identify its website as marketing material or disclose that it was the originator of the advertisements. Furthermore, KO contended that the highest advertised prices were unreasonable, unpredictable or impossible for consumers to achieve, as Guldbrev’s conditions impaired consumers’ ability to make informed decisions.
Guldbrev disputed the KO’s claims, arguing that neither the UCPD nor its transposition into Swedish law applied, as the practices in question pertained to purchasing services (where the trader purchases gold from the consumer). The first-instance court ruled against Guldbrev, prohibiting the company from continuing its promotional practices and ordering it to include specific information in its promotional materials. Guldbrev subsequently appealed to the referring court, which raised doubts about whether the trader’s offer in the case at hand related to a ‘product’ under the UCPD.
The referring court submitted two questions to the Court of Justice. The first question asked whether the valuation and purchase of gold from consumers constituted a ‘product’ (as a combined product) under the definitions in Articles 2(c), (d), (i), and Article 3(1) of the UCPD. The second question, to be addressed only if the first question was answered negatively, asked whether the valuation of gold alone, in the circumstances of the case, constituted a ‘product’ under the UCPD.
The Court observed that the case involved two combined commercial acts forming a single offer: the valuation of the goods and their subsequent purchase from the same consumer. The valuation determines the price and is imposed on the consumer as a prerequisite for completing the transaction (para. 24). The question was whether promotional practices regarding gold pricing could constitute a misleading commercial practice, given that they qualify as such only if the gold valuation and purchase services together form a ‘product’ (para. 26).
The Court considered what it means for a commercial practice to include any act, as defined in prior case law, that is directly connected with the promotion, sale or supply of a product to consumers (paras. 29 and 31). It determined that the valuation of gold (the valuation service) constitutes a product offered to consumers, while the purchase of gold is equivalent to a sale of goods by the consumer to the trader. Based on this, the Court concluded that promotional practices related to the sale of goods by consumers to traders can only be considered commercial practices under the UCPD when the valuation and purchase are treated as a single product. In other words, the promotional practices related solely to the sale of goods by consumers to traders would not qualify as a commercial practice within the meaning of the UCPD (para. 30). Thus, the combined offer must include both the valuation of gold and the trader’s purchase of gold from the consumer.
The Court further clarified that, since there is no reference to the laws of Member States, the concept of ‘product’ must be given an autonomous and uniform interpretation across the EU (para. 34). Drawing on a literal interpretation (para. 35), the broad ratione materiae of the UCPD (para. 36), the objective of achieving a high level of consumer protection (para. 37) and the specific goals of the UCPD to protect consumers in full against unfair commercial practices (para. 38), as well as the inseparable link between the gold valuation service and the subsequent purchase (para. 39), the Court concluded that both commercial acts together constitute a single product as part of a combined offer. Consequently, promotional practices related to the purchase of gold by the trader from the consumer shall be categorised as ‘commercial practices’ under Article 2(d) and Article 3(1) of the UCPD and therefore fall within its scope.
The Court has established an autonomous concept of ‘product’ under the UCPD, similar to other concepts in private-law-related secondary law such as the ‘main subject-matter’ under Article 4(2) UCTD (see, for example, Kásler and Káslerné Rábai) or ‘material and non-material damages’ under Article 82(1) GDPR (see, for example, Österreichische Post). However, establishing an autonomous concept comes with the responsibility of ensuring not only its consistent and uniform interpretation across the EU but also that it effectively aligns with and furthers the objectives of the legislation in question.
In this context, the Court has validated the referring court’s concerns regarding the issue of a trader purchasing gold from a consumer not constituting a ‘product’ within the meaning of the UCPD. This interpretation aligns with the Commission Guidelines on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market (2021) cited by the referring court. They explicitly state that the sale of goods by a consumer to a trader does not fall under the Directive’s scope. This position was also supported in the AG’s Opinion (Opinion, points 35-38). However, the Guidelines further clarify that services linked with consumer-to-trader sales contracts, such as the valuation of the good or a trade-in service, together with the sales contract itself, constitute a ‘product’ under the UCPD. This results from the trader receiving remuneration for the service through the acquisition of the consumer’s good. Such a service from the trader to the consumer effectively ‘absorbs’ the sale of goods by the consumer to the trader, bringing it within the Directive’s scope.
Since the Court grounded its interpretation of ‘product’ in the literal wording of Article 2(c) UCPD, it is essential to examine this provision more closely. It defines a product as ‘any goods or service including immovable property, rights, and obligations.’ Notably, neither the Commission’s Guidelines, the preliminary reference ruling, the AG’s Opinion, nor the judgment itself explicitly address whether this definition encompasses goods and services offered by the trader in exchange (as a consideration) for goods and services of the consumer. This omission raises critical questions about the scope of ‘product’ under the UCPD.
In a sales contract where the consumer transfers ownership of a good to the trader and the trader agrees to pay for it, the trader’s obligation to pay the agreed price constitutes an obligation towards the consumer. The ownership of the sum of money (or simply the sum of money) exchanged in this transaction could potentially be classified as ‘goods’ under Article 2(b) UCPD. If this obligation – or, more specifically, the money (as the price for the good) – is considered a ‘product’, the promotional practices around this sales agreement would not be excluded from the scope of ‘commercial practices’ as defined in Article 2(d) UCPD. Consequently, all acts of commercial communication surrounding the sales contract (including the sum of money as consideration for goods purchased from consumers) could be categorised as commercial practices and thereby fall under the scope of the UCPD.
The classification of the sum of money as a ‘product’ could theoretically be challenged based on one of the provisions underlying the judgment, namely Article 2(i) UCPD. Nevertheless, this provision defines an ‘invitation to purchase’ in terms of the consumer acting as a buyer. It does not apply to situations where the trader makes a purchase and the good being purchased originates from the consumer.
A closer examination of another provision may lead to a different conclusion. Article 2(k) UCPD stipulates that a ‘transactional decision’ encompasses any decision to, among other things, exercise a contractual right in relation to the product, whether the consumer decides to act or to refrain from acting. The wording of this provision opens the possibility of considering scenarios where the consumer, as a vendor within the framework of a sales contract, exercises contractual rights against the trader, who is the purchaser. Importantly, nothing in the wording of Article 2(k) suggests that the price – or the trader’s obligation to pay it – should be excluded from the definition of product under Article 2(c) UCPD. Furthermore, other provisions of the UCPD that reference the price, such as Articles 6(1)(d) and 7(4)(c), do not seem to contradict this interpretation. Instead, these provisions could be seen as reinforcing the broad scope of the UCPD, allowing for the inclusion of various aspects of the sales contract, including the trader’s obligation to pay the price.
However, the discussion cannot be confined to the literal wording of the UCPD. It touches on the Directive’s overarching objective of offering consumers comprehensive safeguards against unfair commercial practices. This issue becomes even more compelling when considering that it has already been addressed in the literature. It has been argued that the purchase of goods by traders falls within the scope of the UCPD, meaning all promotional materials related to such transactions qualify as commercial practices. The term ‘business-to-consumer commercial practices’ (Article 2(d) UCPD) can be misleading, as it may imply that the Directive only applies to transactions where consumers purchase goods or services. However, it could also encompass transactions where consumers sell goods and traders act as buyers. This interpretation aligns with the principle of protecting consumers as the weaker party (Geraint Howells, Hans-W Micklitz and Thomas Wilhelmsson, European Fair Trading Law: The Unfair Commercial Practices Directive, Ashgate Publishing, 2006, pp. 66-67). This perspective finds additional support in national implementations, such as the Austrian transposition of the UCPD. According to Austrian doctrine, advertising related to sales contracts in which consumers act as vendors could also qualify as a commercial practice. This interpretation is supported by the Austrian Supreme Court’s case law concerning job advertisements, where the recruitment of employees was deemed to fall under the scope of commercial practices (Heidinger; Handig; Wiebe; Frauenberger; Burgstaller in Wiebe/Kodek, UWG online - Kommentar zum Gesetz gegen den unlauteren Wettbewerb, UWG § 1, Rn 43 (Stand 10.7.2024, rdb.at)). Such reasoning could analogously apply to promotional activities involving consumers as sellers.
To sum up, the reasoning behind the Court’s exclusion of consumer-to-trader sales contracts and the trader’s obligation (or the sum of money as a consideration for the consumer’s good) as a purchaser from the UCPD’s scope remains unclear in the discussed case. This exclusion does not find justification in the wording of Article 2(c) UCPD or in any other provisions of the Directive, which simply define ‘product’ as goods and services. Furthermore, it is unclear how this approach aligns with the goal of ensuring a higher level of consumer protection. Additionally, it is not evident why the promotional practices around certain consumer-to-business transactions cannot be considered commercial practices under Article 2(d) UCPD. Sales contracts involve reciprocal obligations, including the trader’s business-to-consumer obligation to pay the agreed-upon price. It is also easily conceivable that some traders might engage in misleading and aggressive promotional practices to incentivise consumers to enter into sales contracts where the consumer acts as the vendor and the trader as the purchaser, without providing any accompanying service (such as a valuation service). Such misleading and aggressive practices would fall outside the autonomous concept of ‘product’ as defined in Guldbrev and, consequently, beyond the scope of the UCPD. This is problematic because such practices may still ‘appreciably impair the consumer’s ability to make an informed decision, thereby causing the consumer to take a transactional decision that they would not have taken otherwise’ (Article 2(e) UCPD).
Another issue arises regarding the doubts around the interpretation of EU law. Relatively recently (2021) the Court reaffirmed the CILFIT doctrine (Consorzio Italian Management), obliging courts of last instance to refer a question to the Court of Justice if reasonable doubts exist about the interpretation of EU law (para. 33). These doubts may arise not only from comparing different language versions of the relevant provisions (paras. 42-44) but also from divergent case law among the courts of a Member State or between the courts of different Member States (para. 49). In the case at hand, the referring court does not appear to have been a court of last instance. Nonetheless, the question referred was crucial for deciding the case at hand (para. 34), thereby justifying the referral. Interestingly, the primary doubts surrounding the interpretation of the concept of ‘product’ did not originate from the Court’s case law (at least the cases cited by the referring court), different language versions or divergent lines of case law (although the Austrian example suggests the opposite conclusion) but from the Commission’s non-binding guidelines.
The referring court did not explicitly note in its order of reference that the Commission’s Guidelines are not only non-binding but also lack authoritative weight, particularly when their conclusions cannot be directly derived from a literal interpretation of the relevant provisions of EU law. This is especially evident in the case of Article 2(c) UCPD. This raises an open-ended question: When considering a referral to the Court of Justice, do national courts consistently rely on case law from other jurisdictions and compare different language versions of the relevant provisions? Or do they instead place greater reliance on non-binding documents, such as the Commission’s guidelines? If the latter is indeed the case, it underscores the need for these guidelines to be drafted with greater precision, transparency and openness to public scrutiny.
5. Conclusions
In Guldbrev, the Court established a new autonomous concept of EU law: the notion of ‘product’ under Article 2(c) UCPD. It includes the purchase of goods by a trader from a consumer, provided the trader has first offered a valuation service for those goods. As a result, all promotional practices related to such purchases are brought within the UCPD’s framework when a valuation service is provided. In the case at hand, a high level of consumer protection was ensured, as the promotional practices surrounding Guldbrev’s gold purchasing activities must now be assessed under the legislation transposing the UCPD. However, the Court’s interpretation also appears to narrowly define the autonomous concept of ‘product’. It excludes other sales contracts where consumers act as vendors and traders as purchasers. This exclusion risks leaving certain groups of consumers vulnerable to misleading and aggressive commercial practices by traders.
What makes this even more intriguing is that the Court’s conclusions align with the Commission’s Guidelines on the interpretation of the UCPD. This raises critical questions: Are these non-binding documents always correctly aligned with the goal of ensuring a high level of consumer protection? And do they simultaneously create doubts about how to interpret EU law provisions, potentially requiring courts to refer more questions to the Court of Justice?
Dominik Dworniczak is a PhD Researcher in Law at the European University Institute (Florence, Italy). His research interests include European private law, consumer protection, contract law, tort law and legal history. E-mail: Dominik.Dworniczak@eui.eu.
Dworniczak, D.; “Sharp no more? The weakening of Protection against unfair commercial Practices now. Comments on Guldbrev (C-379/23)”, EU Law Live, 18/12/2024, https://eulawlive.com/op-ed-sharp-no-more-the-weakening-of-protection-against-unfair-commercial-practices-now-comments-onguldbrev-c-379-23/
Alessia Di Pascale
The judgment delivered by the Grand Chamber of the Court of Justice on 4 October, in the case CV v. Ministry of the Interior of the Czech Republic, has offered interpretative elements regarding the notion of ‘safe country of origin’ for the second time since its introduction into EU law. But the Court also ruled on the scope of judicial review in the case of an appeal against the denial of protection issued as a result of an accelerated procedure under Directive 2013/32/EU on common procedures for granting and withdrawing international protection.
The decision has had a wide resonance in Italy (it spent a week at the centre of the national media debate), affecting the implementation of the migration management model promoted by Italy through the Protocol concluded with Albania at the end of 2023, which provided for the creation of administrative detention centres under Italian management on Albanian territory.
According to Art. 4, paragraph 3, of the Protocol, the Albanian authorities are to allow the entry and stay of migrants for the ‘sole purpose of carrying out border or return procedures’. The centres placed in Albania are equated to the Italian border areas, making the accelerated procedure applicable as established in Art. 28-bis of the Legislative Decree no. 25/2008 (implementing EU Directive 2013/32). The detention of migrants in the Albanian centres, however, is justified only if the requirements for applying the accelerated procedure to the assessment of their applications for protection are met; moreover, being a measure restricting personal liberty, it also requires validation by the judicial authority.
The first transfers were supposed to take place in October, but the Court’s ruling has in fact prevented their execution, having been invoked by the judges competent to validate the detention orders. They have disapplied the national legislation defining safe countries of origin, considering that in light of the Court of Justice’s interpretation, the migrants’ countries of origin (Egypt and Bangladesh) could not be considered safe and that the conditions for the accelerated procedure were thus not met, which had the effect of causing an acrimonious clash between the government and the judiciary.
The case at the basis of the reference for a preliminary ruling originates from a completely different context. It stems from an application for international protection lodged in the Czech Republic in February 2022 by an applicant (‘CV’), a Moldovan national. The application was motivated by the fear of being exposed to serious reprisals having witnessed a fatal car accident in Moldova (an incident for which he had subsequently suffered assault and threats, as well as the burning down of his home), but also cited concerns about regional instability following the conflict in Ukraine. The request had, however, been rejected in the first instance, the Ministry of the Interior having in particular considered that under current national legislation (see Article 2 of Decree no. 328/2015 implementing the Law on Asylum and the Law on the Temporary Protection of Foreign Nationals), the Republic of Moldova, with the exception of Transnistria, was considered a ‘safe country of origin’ despite certain shortcomings in the area of justice, and that CV had failed to demonstrate that this would not apply in his particular case, as he possibly belonged to one of the categories potentially exposed to persecution in the country. The applicant therefore lodged an appeal, which was granted suspensive effect, as his argument that in Moldova he would be exposed to the risk of suffering serious harm at the hands of individuals who had attacked him in the past was retained. However, the Brno Regional Court considered it appropriate to stay the proceedings and refer the case to the Court of Justice for a preliminary ruling, raising three questions relating to the qualification as a safe country of origin and the extent of the court’s scrutiny.
The debated concept of ‘safe countries of origin’, first evoked by the Council of Ministers responsible for immigration in November 1992, found legal recognition in Directive 2005/85/EC (the so-called first Procedure Directive), which allowed Member States to apply an accelerated procedure if the applicant came from a safe country of origin (Art. 23(4)(c)). The directive provided for the Council to adopt and, where necessary, amend a common list of safe countries of origin (Art. 29(1) and (2)), allowing Member States to maintain or introduce rules for the national designation of third countries other than those on the minimum common list, and also allowing the designation of part of a country as safe (Art. 30). Articles 29(1) and (2) had been the subject of a (successful) action for annulment brought by the European Parliament, and motivated by the provision for a special procedure for the establishment of the list, which gave the Parliament only an advisory role. The criteria for the identification of a third country as safe were outlined in Annex II to the Directive and expressly required consideration of the legal situation, the application of the law within a democratic system and the general political circumstances, in order to demonstrate that there was generally and consistently no persecution as defined in Article 9 of Directive 2004/83/EC (the so-called first Qualification Directive), no torture, inhuman or degrading treatment or punishment, and no threat of indiscriminate violence in situations of internal or international armed conflict. In order for the concept of ‘safe country of origin’ to apply, the applicant would have had to be a national of the country concerned (or a stateless person ordinarily resident there) and would have had to not invoke serious grounds for considering that country not to be a safe country of origin in his or her particular circumstances in light of their refugee status.
The concept of safe country of origin was taken up by Directive 2013/32/EU (the so-called second Procedure Directive) (Art. 36) in the same terms as regards the requirements, allowing Member States to provide that the procedure for examining applications for international protection be accelerated and/or carried out at the border or in transit zones if, inter alia, the applicant comes from a safe country of origin (Art. 31(8)(b)). Under the current regime, the designation of safe countries of origin is purely national, with provision for notification to the Commission of the list adopted, and there is no longer the possibility of designating only part of the territory as safe or maintaining designations based on less stringent standards. This situation is set to change with the application (as of 12 June 2026) of the new Regulation 2024/1348, which reintroduces the possibility of designating a country as a safe country of origin with exceptions for certain parts of the territory or categories of clearly identifiable persons (Art. 61(2)), as well as the parallel designation at EU (Art. 62) and national level (Art. 64).
A first substantive issue concerns the cessation of the safe country of origin status in the event that the country in question invokes the right of derogation under Article 15 ECHR. Following the Russian invasion of Ukraine, Moldova had in fact informed the Council of Europe that it would temporarily suspend certain obligations under Article 15 of the Convention, including the right to freedom of expression. On this aspect, the Court clarified that Article 37 of Directive 2013/32/EU does not mean that the criteria for designation as a safe country of origin are automatically not met merely because the right to derogate from obligations under the ECHR has been invoked. However, the competent authorities of the Member State which made that designation must assess whether the conditions for implementing that right are such as to call that designation into question.
The questions that have attracted the most attention in Italy, however, concern the possibility for Member States to consider a country as safe only in part, i.e. with territorial exceptions, and the scope of judicial review under Article 46(3) of Directive 2013/32. As regards the first aspect, the Court carried out an articulate reasoning, in which it took account of the different wording between the first and second Procedure Directives concerning the possibility of introducing territorial exceptions, having regard also to the fact that the preparatory work shows that such a provision was voluntarily ruled out. But it also took into consideration the literal wording of the definition, where Annex I provides that the designation as a safe country of origin is subject to the possibility of demonstrating that there is, ‘generally and consistently’, no persecution within the meaning of Article 9 of Directive 2011/95, and that in the absence of the possibility of introducing territorial exceptions, it must be assumed that this requirement must be fulfilled throughout its territory. Moreover, by allowing that designation to subject applicants to a special examination regime, which is exceptional in nature, that provision must be interpreted restrictively (see para. 71 and the case-law cited therein). On this basis, the Court concluded that according to the framework currently in force and based on Art. 37 of Directive 2013/32, a third country is precluded from being designated as a safe country of origin where certain parts of its territory do not meet the material conditions for that designation, as set out in Annex I to that directive.
As regards the scope of judicial review, the Court affirmed the plenitude of that review where an action is brought against a decision rejecting an application for international protection, examined in the context of the special scheme applicable to applications lodged by applicants from third countries designated, in accordance with Article 37 of that directive, as safe countries of origin. It stated that that court or tribunal must, as part of the full and ex nunc examination required by Article 46(3) of that directive, raise, on the basis of the information in the file and the information brought to its attention during the proceedings before it, a failure to have regard to the material conditions for such designation, set out in Annex I to that directive, even if that failure is not expressly relied on in support of that action.
On the basis of this statement, the Italian courts inferred an obligation on the judge to make a full assessment of the actual safety of the country in question, regardless of its inclusion on the State’s list of safe countries of origin. It should be noted, however, that the conditions for the identification of a country as a safe country of origin had been controversial in Italy for some time and already in May the Court of Florence had made a reference to the Court of Justice in relation to the possibility of making exceptions for categories of persons (C-388/24 and C-389/24), while in July, the Court of Rome had asked the Court of Cassation to rule on whether or not in cases where the applicant contests the ‘safe’ nature of the country of origin, or even in the absence of a specific contention, there is a power/duty on the part of the judge to verify that nature in the light of updated information on the country of origin, regardless of whether or not that country is included in the Ministerial Decree on safe countries.
The government expressed its disappointment, accusing the judges of political activism for having rendered the recourse to the concept of safe country of origin useless in practice, where in the abstract there was a risk in a region or in relation to certain categories of persons. And at first it replaced the ministerial decree with a decree-law (an act having the force of law in the Italian system of sources and therefore superordinate with respect to the previous instrument), on the alleged assumption that this would have prevented its disapplication by the judges. But more generally, a heated diatribe was triggered between the government and the judiciary on the scope of the judges’ review. The Ministry of the Interior appealed against the order of the Court of Rome, requesting the clarifying intervention of the Court of Cassation, and then, with a legislative amendment at the beginning of December, removed the competence for validation from the judges of first instance to attribute it to the Courts of Appeal. On the other hand, the courts not only reiterated the non-application of the safe countries rules (extending its scope also for the purpose of assessing the applicability of the accelerated procedures in the national territory), even after the entry into force of the decree-law, but also proposed twelve referrals submitted by 4 different courts (Bologna, Rome and Palermo in addition to the two raised in May by the court of Florence mentioned above) under Article 267 TFEU to the EU Court of Justice, containing several questions concerning the modalities of identification of safe countries and the role of the national judge in the matter, the solution of which was considered prejudicial to the decision on the validation of detentions in the case of accelerated procedures.
The political consequences of the 4 October ruling in Italy, such as casting doubt on the government’s power to identify safe countries of origin, where a duty of the judge to carry out a full scrutiny on the basis of further sources was inferred, have evidently further highlighted the latent clash between the powers of the State (executive and judiciary). Already at the beginning of the year, in a not dissimilar manner, the power of the judges to assess the actual character of a safe country was questioned in the UK in the context of the agreement with Rwanda. The government introduced a bill (‘Safety of Rwanda Act 2024’) which stated in Section 2 that ‘Every decision-maker must conclusively treat the Republic of Rwanda as a safe country’ and ‘As a result..., a court or tribunal must not consider a review of, or an appeal against, a decision of the Secretary of State or an immigration officer relating to the removal of a person to the Republic of Rwanda to the extent that the review or appeal is brought on the grounds that the Republic of Rwanda is not a safe country’.
It is evident, as the Court of Rome noted when making the reference for a preliminary ruling, that ‘the use of the accelerated procedures from safe country of origin is at a moment of serious uncertainty in its application’ and that ‘this has consequences not only for Italy, but potentially also for other Member States’. The new decision of the Court of Justice, which will therefore better clarify the extent of the power of the government and judges to assess when a country of origin can be considered safe, is eagerly awaited by all those involved. The Court admitted two referrals, joining them (C-758/24 and C-759/24). The question submitted by the Court of Rome, which had referred to the existence of a “serious institutional crisis caused in Italy by the first decisions of the Courts not to validate detention orders in border procedures”, has been deemed to raise an issue concerning the relationship between EU law and the division of competences under the constitutional system of a Member State. Therefore, in accordance with article 105(1) of the Rules of Procedure, the Court has ordered the application of the accelerated procedure. The Court set a deadline of 3 January for the parties to file their briefs and the hearing has been scheduled on 25 February. Perhaps spring will bring some clarity. The possible corollary is that until the new Regulation 2024/1348 becomes applicable, the safe country of origin criterion is judged inapplicable in almost all cases.
Alessia Di Pascale is Professor of EU Law at the University of Milan
Di Pascale, A.; “Safe Countries of Origin: whose Margin of Appreciation? (Case C-406/22, CV) and its Impact on the Application of the Italy-Albania Protocol”, EU Law Live, 16/12/2024, https://eulawlive.com/op-ed-safe-countries-of-origin-whose-margin-of-appreciation-case-c-406-22-cv-and-itsimpact-on-the-application-of-the-italy-albania-protocol/
Is Predictive Policing prohibited in the EU? Yes, it should be
Francesca Palmiotto
Predictive policing systems aim to determine where a crime will occur and who will likely commit it. Defined by Walter Perry and others as ‘the use of analytical techniques to identify promising targets and forecast criminal activity’, these systems have been deployed by police worldwide. Critics have warned against the harmful effect that predictive policing can have on individuals and society. These systems may exacerbate structural injustices in the criminal justice system and have discriminatory and stigmatising effects (Eubanks, Council of Europe). From a human rights perspective, scholars have shown how predictive policing challenges the core of the right to be presumed innocent (for a US perspective, see Ferguson; for a European perspective, see Sachilidou). In light of these concerns, civil society organisations advocated banning predictive policing in the EU during the Artificial Intelligence Act (AI Act) legislative process.
The AI Act boldly bans certain AI practices, including ‘individual criminal risk assessment’ in Article 5(1)(d), potentially including predictive policing systems. However, the formulation of this provision leaves much uncertainty and raises critical interpretative questions. As Chapter II of the AI Act will soon be applicable (February 2, 2025), this Op-Ed aims to raise a debate on the interpretation of this provision and warn against the dangers of adopting the wrong one. After presenting two possible interpretations, I argue that Article 5(1)(d) establishes an outright ban on the prediction of criminal behaviour and design requirements for individual crime risk assessment.
The AI Act never mentions the term ‘predictive policing’. However, it refers to crime risk assessment in two provisions: 1) Article 5(1)(d) in the prohibited practices chapter and 2) Annex III (6)(d) for stand-alone high-risk AI systems. Therefore, it assigns different levels of risk (unacceptable or high) depending on the type of system.
Individual crime risk assessment poses unacceptable risks if the following cumulative requirements are fulfilled: 1) the activity constitutes placing on the market, putting into service for this specific purpose, or use of an AI system (defined in Art. 3(1) AI Act); 2) for making risk assessments of natural persons to assess or predict the risk of a natural person committing a criminal offence; 3) based solely on the profiling of a natural person or on assessing their personality traits and characteristics.
At first sight, the effective reach of the provision appears limited. The reference to profiling (defined in Art. 3(4) GDPR) or personality assessment of ‘natural persons’ excludes location-based predictions, namely systems like Predpol (despite evidence of racial bias). The term ‘criminal offence’ further excludes the prediction of noncriminal conduct, such as administrative offences. Moreover, the provision explicitly excludes AI systems ‘used to support the human assessment of the involvement of a person in a criminal activity, which is already based on objective and verifiable facts directly linked to a criminal activity’ (Article 5(1)(d) second sentence).
To clarify the scope of the prohibition, Article 5(1)(d) needs to be read in conjunction with Annex III Point 6, listing the stand-alone high-risk AI systems in law enforcement. The Annex classifies AI profiling systems, per se, as high risk (Annex III (6)(e)) and AI systems that assess personality traits and characteristics or past criminal behaviour of natural persons or groups, per se, as high risk (Annex III (6)(d)). Finally, with very similar wording to Article 5(1)(d), it considers AI systems that assess ‘the risk of a natural person offending or re-offending not solely based on the profiling of natural persons’ (Annex III (6)(d), emphasis added) as high risk.
This indicates that Article 5(1)(d) is a puzzle of elements that must be cumulatively present to qualify as a prohibition. Crucially, the dividing line between unacceptable and high risk posed by crime risk assessment relies on the notion of ‘solely’ based on the profiling or the assessment of personality traits. But how should ‘solely’ be interpreted?
The term ‘solely’ recalls another widely debated provision in EU law: the right not to be subject to a solely automated decision under Article 22 GDPR (and corresponding Article 11 LED). Indeed, the first option is to interpret Article 5(1)(d) as requiring a human-in-the-loop. In this vein, risk assessment could only support a human evaluation based on objective and verifiable facts (see also the critical analysis by Jessie Levano and Vahur Verte), as Recital 42 seems to suggest. I consider this interpretation extremely dangerous for fundamental rights protection and not viable from a legal perspective.
First and foremost, it does not offer sufficient legal certainty to providers, who are crucial subjects of the obligations under Chapter II. If the prohibition would be triggered only by the conduct of the deployer (who shall use the system only to support their assessment), what corresponding duty would providers have? And how would they determine whether they can develop such a system before placing it on the market or putting it into service?
One could argue that this provision only prohibits the use of criminal risk assessment. However, Article 5(1)(d) explicitly refers to their placing on the market and putting into service for a specific purpose by the provider. If this prohibition would only apply to deployers – as in the case of real-time remote biometric identification (see Article 5(1)(h) AI Act only mentioning ‘the use’) – then Article 5(1)(d) would not explicitly refer to the activities of the provider (the putting into service or placing on the market).
Secondly, simply requiring a ‘human-in-the-loop’ would be redundant and would not add much to the protection already afforded by Article 11 LED on the prohibition of solely automated decisions. The only limited effect it would have is to prevent any possible derogation to the general prohibition established through national legislation that shall, in any case, provide for the right to obtain human intervention (Article 11(1) LED). Furthermore, if the objective of the AI Act were to secure a human-in-the-loop, the status of ‘high-risk’ (as it was in the original proposal by the Commission) would have sufficed to trigger the requirement of human oversight in Article 14 of the AI Act. The fact that during the trilogue negotiations, crime risk assessment was promoted to the category of unacceptable risk underscores the legislators’ intention to provide a higher level of protection.
Finally, and more importantly, predicting criminal behaviour based on aspects of individuals’ personality (e.g. postcode, number of cars, level of debt, gender, age) is inherently incompatible with the presumption of innocence. As Recital 42 recalls, ‘Natural persons in the Union should always be judged on their actual behaviour’. Whether done by an AI system, by a police officer, or by a combination of humans and machines, criminal behaviour cannot be predicted based on personality traits or personal data. In my view, this is the real core of the prohibition in Article 5(1)(d).
In light of the right to be presumed innocent and bearing in mind the provision’s rationale, a new line of interpretation can be advanced.
Let us reconsider the formulation of the exclusion in Article 5(1)(d). It states: ‘This prohibition shall not apply to AI systems used to support the human assessment of the involvement of a person in a criminal activity, which is already based on objective and verifiable facts directly linked to a criminal activity’. Emphasis should not be given to the ‘human assessment’ but rather to the existence of a criminal activity in which an individual can be involved. In contrast, prohibition refers to AI systems that ‘assess or predict the risk of a natural person committing a criminal offence’, i.e., before engaging in any criminal conduct. Therefore, the dividing line between the ban and exclusion is whether a criminal activity has occurred already or not.
If a criminal activity has occurred, law enforcement authorities are allowed to use AI systems for investigative purposes, such as an AI system that compares fingerprints from the crime scene with those of a suspect or to identify potential suspects from the video of a crime scene through a post remote biometric system. While some of these systems would still be classified as high-risk, such as biometrics, they would not be prohibited. In other words, the exclusion refers to investigative AI tools but not crime risk assessments that predict criminal behaviour before a criminal activity occurs.
In the realm of crime risk assessment, however, the difference between the prohibition in Article 5(1)(d) and the corresponding high-risk AI system in Annex III (6)(d) still requires clarification. There are two notable differences in their formulation. First, the prohibition strictly refers to ‘criminal’ offences, whereas its sibling high-risk provision refers broadly to ‘offending or re-offending’. As mentioned above, the prohibition excludes systems that predict administrative offences, although they would still be classified as high-risk under Annex III (6)(d). Second, the prohibition only refers to predictions based solely on profiling or personality assessment. Unlike the first interpretation, my claim is that ‘solely’ must be interpreted as a specific design requirement for these systems. Article 5(1)(d) would then impose an obligation for providers and not just a duty of conduct on deployers.
Following this reasoning, a crime risk assessment can be placed on the market, put into service or used only if it is not exclusively based on profiling or an assessment of personality. Examples include systems that monitor payment transactions and flag the user as suspicious for potential fraud. In this case, the system does not predict future criminal behaviour but assesses the risk of a specific conduct. Another illustrative example is the automated processing of travellers’ data in extra-EU flights to prevent, detect, investigate and prosecute terrorist offences and serious crimes. As clarified by the Court of Justice, such advanced assessment can only ‘target, specifically, individuals who might be reasonably suspected of involvement in terrorist offences or serious crime’ (C-817/19, para. 198). Finally, recidivism risk assessment, such as the famous COMPAS, would also fall under the high-risk category as long as they include variables in addition to the personality assessment. In this regard, it will be crucial to clarify whether ‘personality traits and characteristics’ include past criminal behaviour and family criminality.
What would be prohibited then are AI systems designed to make predictions using profiling or personality traits as the only variables for the prediction. This would be, in other words, the pure prediction of criminal behaviour without criminal or suspicious conduct. Crucially, the ban would cover AI systems used not only by police (or predictive policing) but also by other law enforcement authorities, prosecutors, and judges. An example is ProKid, a system used by the Dutch police since 2021. The system aims to predict future criminal behaviour of kids and adolescents using information about their living environment, age, gender, offending frequency, addresses and relationship with their parents. Following this line of argumentation, the development and use of such a system would be prohibited.
Article 5(1)(d) is a critical provision of the AI Act and for fundamental rights protection. Due to its formulation, however, it may lead to different interpretations that risk hampering its protective function. In this post, I argued against the ‘human-in-the-loop’ thesis and offered an alternative reading of the provision. I have claimed that Article 5(1)(d) prohibits criminal behaviour prediction with AI systems and imposes specific design requirements to develop admissible risk assessment tools. A summary of the argument is offered in the table below.
| Provision | | | Examples |
|---|---|---|---|
| Art. 5(1)(d) first sentence | Prediction of criminal behavior | Prohibited | ProKid |
| Annex III (6)(d) | Risk assessment of offending or reoffending | High risk if not solely based on profiling or personality assessment (design requirement) | Automated assessment of suspicious online transactions |
| Art. 5(1)(d) second sentence | Investigative AI tools to assess the involvement in a criminal activity | Admissible (some potentially classified as high risk) | Fingerprints matching and forensic AI |
Francesca Palmiotto is Assistant Professor of Law at IE University, Madrid
Palmiotto, F.; “Is Predictive Policing prohibited in the EU? Yes, it should be”, EU Law Live, 19/12/2024, https://eulawlive.com/op-ed-is-predictivepolicing-prohibited-in-the-eu-yes-it-should-be/
Benedetta Brambati
Introduction
On 28 November 2024, the Court of Justice (hereinafter, ‘the Court’) rendered its judgment in Ministerstvo na vatreshnite raboti (Enregistrement de données biométriques et génétiques II, C-80/23).
The ruling provides clarity on the requirements of the Law Enforcement Directive 2016/680 (hereinafter, ‘LED’ or ‘the directive’). Adopted in May 2016 alongside the GDPR (Regulation 2016/679), the directive is the first horizontal and legally binding instrument setting out the rules for both national and cross-border processing of personal data in the context of law enforcement. While the LED constitutes a milestone in the creation of a comprehensive data protection framework in the EU, several courts had been raising questions to the Court as to its concepts and its interplay with the GDPR.
Background
In the words of the Advocate General, ‘cross-jurisdictional dialogue does not always end after the first exchange’. This was notably the case in the reference for a preliminary ruling brought before the Court for the second time within the same dispute by the Sofia City Court (Bulgaria).
The references arose in the context of national criminal proceedings in which the Bulgarian police authorities had requested the accused person to cooperate in the creation of a police record, the collection of her dactyloscopic and photographic data to be entered into the record and the taking of a sample for the purposes of creating her DNA profile.
In the first case (C-205/21), the Court clarified that the processing of biometric and genetic data by law enforcement authorities can be deemed ‘authorised’ by national law within the meaning of Article 10(a) of the directive only if that law provides a clear and precise legal basis to authorise that processing. The Court also considered that, if the accused refuses to cooperate in the collection of sensitive data, criminal courts may order such collection, even if they lack the power to verify whether there are strong grounds for suspicion. However, national law must ensure a subsequent judicial review. Moreover, the Court ruled that the systematic collection of sensitive data would be incompatible with EU law unless the competent authorities are required to verify, first, that the collection is necessary to achieve the intended objectives, and second, that these objectives cannot be pursued by less invasive means.
In this context, the referring court expressed uncertainty over the clarity of the judgment and its ability to determine whether it must authorise the collection of the data of the accused. Specifically, it decided to refer two additional questions to the Court: first, whether the assessment of whether the processing of sensitive data is ‘strictly necessary’ under Article 10 of the LED can be carried out without having access to the entire case file; and second, if the Court answers the first question in the affirmative, whether, in such an assessment, it may also take into account whether there are reasonable grounds to suspect that the accused has committed the criminal offence specified in the accusation.
The Court reformulated the first question to clarify that the national court was essentially asking whether, in a situation where national law mandates the systematic collection of sensitive data without imposing an obligation on the competent authorities (e.g., the police) to assess its necessity, such an obligation could instead be fulfilled by the court seised by those authorities for the purpose of enforcing the collection.
In line with the Advocate General, the Court demonstrated that the national court’s query was based on an incorrect interpretation of the previous judgment.
First, the Court recalled the purpose of Article 10 of the LED, which is to guarantee enhanced protection of the right to respect for private life and the right to protection of personal data, as enshrined by Articles 7 and 8 of the Charter. As a consequence, the Court emphasised that a national law that provides for the systematic collection of sensitive data from any accused person without imposing the obligation on competent authorities to verify its strict necessity, is incompatible with EU law. Competent authorities, as established in Article 3(7) of the directive, are public authorities responsible for the prevention, investigation, and detection of public offences. It is therefore their responsibility to carry out such assessments.
On the other hand, the national court’s role is to verify whether national law can be interpreted in a manner consistent with EU law. It cannot take on the responsibility of assessing necessity, which belongs solely to the competent authorities. This is further emphasised by the fact that courts are only involved when the accused person refuses to consent to the processing of their data. When data subjects do consent, courts cannot ensure the protection of their rights, as consent itself removes the need for judicial intervention.
This judgment contributes to the growing body of case law interpreting the requirements of the LED (Case C-118/22, Case C-205/21, Case C-180/21), shedding light on the complex balance between law enforcement effectiveness and the protection of fundamental rights. By emphasising the need for prior assessment by competent authorities, the Court underscores its commitment to ensuring robust protection of fundamental rights within the framework of law enforcement.
Benedetta Brambati is an Academic Assistant at the Department of European Legal Studies of the College of Europe in Bruges
Brambati, B.; “Interpreting the LED Directive in Case C-80/23: the processing of sensitive Data for Law Enforcement”, EU Law Live, 17/12/2024, https://eulawlive.com/analysis-interpreting-the-led-directive-in-case-c-80-23-the-processing-of-sensitive-data-for-law-enforcement/
COMPETITION CORNER:
ARTICLE 102 EXCLUSIONARY GUIDELINES: CODIFICATION OR RESTATEMENT?
Pablo Ibáñez Colomo
1. The three categories of practices make sense, but a fourth is missing
As evidenced by the many conversations it has initiated, the Draft Guidelines on exclusionary abuses issued back in the summer provide a good basis to think systematically about Article 102 TFEU and the evolution of the case law over the past couple of decades.
The Draft Guidelines are rich and offer a number of angles to take. It seemed to me that the obvious starting point is the tripartite categorisation of conduct, if only because much of the document (and many assumptions underpinning the analysis) revolves around it.
I assume every reader knows that the Commission identifies three broad families of potentially abusive practices: (i) so-called ‘naked restrictions’; (ii) those where the anticompetitive effects are presumed and (iii) those that require a case-by-case assessment of their impact.
The tripartite distinction makes sense and faithfully captures the essence of the case law. From an enforcement standpoint, it is consistent with the ambition of favouring the administrability of Article 102 TFEU.
That some practices are abusive by their very nature (whether we call them ‘naked restrictions’ or abuses by object) cannot be seriously disputed. It is an integral feature of the case law, and a useful one at that: if it did not exist today, the Court would create it.
By definition, conduct that cannot be explained other than as a means to restrict competition falls (and should fall) within the scope of Article 102 TFEU. There is no need for an authority or claimant to show any actual or potential anticompetitive effects in such instances.
My only suggestion about this first category is that predatory pricing within the meaning of AKZO, even though not qualified as such in the Draft, is emphatically a ‘naked restriction’. Arguably, it is the single most prominent example of the category.
It is sufficient to compare and contrast para 71 of AKZO and the definition of ‘naked restriction’ given by the Commission: the former is the direct inspiration of the latter. It would be illogical not to treat it as abusive by its very nature.
It is also difficult to dispute that the anticompetitive effects of some practices are presumed and thus that the creation of a specific category necessarily in relation to these practices is warranted.
Loyalty rebates (that is, rebates conditional upon exclusivity) feature prominently in this category. The Intel judgment of 2017 made a fundamental contribution to the case law in that it clarified that the presumption of anticompetitive effects underpinning Hoffmann-La Roche can be rebutted (it may be rebuttable, but it remains a presumption).
There is also a presumption of anticompetitive effects (and this is another good example in the Guidelines) where ‘margin squeeze’ conduct leads to negative spreads (that is, where the wholesale price the dominant firm charges to its downstream rivals is higher than the retail price it charges to end-users).
I would argue that the fundamental (and, I would add, necessary) contribution that the Draft Guidelines make to the above is that they acknowledge the difference between, respectively, ‘naked restrictions’ and Intel-type scenarios. The latter cannot be treated as ‘naked restrictions’, if only because they can be rationalised on procompetitive grounds.
It is no less valuable that the Commission clarifies that the bar would be relatively higher if a dominant undertaking were to argue that a ‘naked restriction’ should not be prohibited as abusive in a particular instance. The question of where exactly one should place the bar in relation to these practices is one that I will address in the second post of this series.
The main comment I would make about the tripartite distinction is that it is missing a fourth category, that of presumptively lawful conduct.
The case law is unequivocal about the existence of this family of practices. Acknowledging its existence in the final version of the Guidelines would not only complete the codification exercise but would also contribute to the declared goal of enhancing legal certainty.
It has been clear since Hoffmann-La Roche that the category of presumptively lawful conduct encompasses a rebate that is genuinely conditional on the volume supplied (that is, ‘a simple quantity rebate linked solely to the volume of purchases‘).
The scope of this category would be clarified in Post Danmark II, where the Court held that it comprises rebates that are granted ‘in respect of each individual order‘ and which therefore correspond ‘to the cost savings made by the supplier‘. It is admittedly a narrow range of practices, but a range nonetheless.
Following Post Danmark I, moreover, there should be little doubt that above cost unconditional prices are presumptively lawful. If anything, the Court went further in its judgment, as it suggested that unconditional prices are unlikely to have anticompetitive effects where they would allow to cover ‘the great bulk of the costs attributable to the supply of the goods or services in question‘.
By extension, a practice cannot be qualified as an abusive ‘margin squeeze’, where the margin between the wholesale and the retail prices would not force the downstream division of the dominant firm to sell at a loss (in the sense that the spread between the former and the latter prices gives the downstream division a sufficient margin to sell above cost).
The four categories in the case law are summarised in the table below.
| Category | Rationale | Examples | Case law |
|---|---|---|---|
| Presumptively lawful | Expressions of ‘on the merits’ competition | Prices x>ATC; Volume rebates | Post Danmark I; Post Danmark II |
| Case-by-case analysis of effects | Ambivalent effects on competition | Standard rebates; Tying in tech | Post Danmark II; Android |
| Anticompetitive effects presumed | Likely to have negative effects | Loyalty rebates; Negative spread | Intel; TeliaSonera |
| ‘Naked restrictions’ | Only explanation is exclusionary | Predatory pricing; Sham litigation | AKZO; ITT Promedia |

2. ‘Naked restrictions’ (or ‘by object’ abuses)
Let’s zoom into a sui generis category, which the Commission labels ‘naked restrictions’ in the Draft Guidelines. Practices falling within this group share two distinctive features. First, they lack redeeming virtues (that is, they can only be explained as a device to exclude actual or potential rivals). This feature is the one that makes them stand out from the rest.
Second, ‘naked restraints’ are prohibited as abusive without the need to consider their effects on competition.
Contrary to what is true in the default scenarios, such effects can be safely presumed. Which makes sense. It is reasonable to expect that a practice that pursues no plausible purpose other than the restriction of competition is (at least) capable of exclusion.
‘Naked restrictions’ as a reality and a necessity
The first point to make about ‘naked restrictions’ is that they are both a reality and a necessity. That they are a reality need not be explained at length. There are concrete examples in the case law showing that these practices are an integral aspect of the legal landscape.
Predatory pricing within the meaning of AKZO is one mentioned last week, but not the only one. For instance, providing objectively misleading information to regulatory authorities, which was at issue in AstraZeneca (and is topical again in the context of the Teva decision) is also abusive by its very nature.
‘Naked restrictions’ are also a necessity. According to a well-established doctrine, a practice can be subject, either alternatively or cumulatively, to both Articles 101 and 102 TFEU.
If the behaviour under consideration is restrictive by object under Article 101(1) TFEU, it stands to reason that it is also prohibited without the need to show effects under Article 102 TFEU. Reverse payment settlements, which may amount to a ‘by object’ infringement and have been scrutinised under the two provisions (including in Generics), illustrate this point particularly eloquently.
‘Naked restrictions’ or ‘by object’ abuses?
The second point relates to the labelling of practices. While a relatively minor issue in a field that places substance above form, it makes sense to say a word about it.
The question, in essence, is whether to label these practices ‘naked restrictions’ or ‘by object’ abuses. It seems to me that the latter (‘by object’) is preferable (and the one that the final version of the Guidelines would ideally adopt).
This is so, to begin with, because it is the label that the Court has consistently used since Generics (and then Superleague, and then Google Shopping). The reiteration of the formula suggests that it is now part of the acquis on Article 102 TFEU.
A second reason why the ‘by object’ label would be preferable is that its scope of application is very similar, if not identical, to the scope of ‘by object’ infringements within the meaning of Article 101(1) TFEU.
The Court has reiterated since Generics (most recently in the Servier saga and Banco BPN), that an agreement is restrictive by object under Article 101(1) TFEU when it cannot be explained other than as a means to restrict competition.
As the Court put it in para 56 of Banco BPN: ‘[…] [A]n exchange of information which, although not formally presented as pursuing an anticompetitive object, cannot, in the light of its form and the context in which it occurred, be explained other than by the pursuit of an objective contrary to one of the constituent elements of the principle of free competition must be regarded as constituting a restriction by object‘.
It is sufficient to compare and contrast the Court’s position in Banco BPN with the definition of ‘naked restriction’ given in the Draft Guidelines (in turn borrowed from para 71 in AKZO) to realise that they both concern the same range of practices. The case law would be cleaner and easier to navigate if the same phenomenon were labelled identically irrespective of the provision.
Rebutting the presumption of anticompetitive effects: ‘real and concrete possibilities’
The third, related issue concerns the rebuttal of the presumption of anticompetitive effects underpinning the qualification of a ‘naked restriction’ as an abuse of dominance. The Draft Guidelines point out that it should only be possible to rebut this presumption in rare, if not exceptional circumstances.
It seems to me that this point of principle cannot be disputed. Where the Draft Guidelines could be more specific is in relation to the (exceptional) instances where the presumption can be rebutted.
The current version of the document helpfully (and rightly) mentions that the bar is significantly higher than in Intel-type scenarios. However, it does not elaborate much further and leaves a great deal of scope for speculation.
The most elegant solution, and the one that is wholly aligned with the existing body of judgments, would be to draw inspiration straight from the case law on restrictions by object under Article 101(1) TFEU. One should bear in mind, in this sense, that ‘Articles 101 and 102 TFEU must be interpreted consistently’.
The recent Servier saga has helpfully clarified (in line with the preceding cases and with AG Kokott’s own analysis in her Opinion in Generics) that there is no restriction, whether by object or effect, where there is no actual or potential competition in the relevant economic and legal context (that is, where there are no ‘real and concrete possibilities’ of entry).
There would be no ‘real and concrete possibilities’ of entry, for instance, where the regulatory regime prevents actual or potential competition (an example at stake in E.On Ruhrgas and cited with approval by AG Kokott in the abovementioned Opinion to make this very point). The same would be true where no other firm has the ability or incentive to enter the market (for instance, because none has taken the requisite preparatory steps to place competitive pressure on actual competitors).
As far as ‘naked restrictions’ are concerned, it is submitted that the presumption of anticompetitive effects should only be rebuttable in these same (and very narrow) scenarios. These are, incidentally, the scenarios where (as in E.On Ruhrgas) the presumption of effects underpinning a ‘by object’ infringement has been successfully rebutted by the parties in Article 101(1) TFEU disputes.
As it happens, the case law on exclusionary abuses already provides scenarios where there were no ‘real and concrete possibilities’ of entry (and thus no abuse). One of these scenarios is found in the BEH ruling, where the General Court found that the regulatory context precluded actual or potential competition. An example of the second scenario can be found in Qualcomm (exclusivity). In that case, the customers of the dominant undertaking had no realistic alternatives.
Refining the Guidelines to make it explicit that the presumption of anticompetitive effects underpinning a ‘naked restriction’ can only be rebutted where the dominant undertaking can show that there are no ‘real and concrete possibilities’ of entry in the market affected by the practice, and therefore no actual or potential competition, would greatly contribute to the clarification of the existing law of exclusionary abuses.
The case law of the past decade has very much emphasised the need to engage in a meaningful assessment of the effects of certain practices. It is now undeniable that some conduct is only caught by Article 102 TFEU where it can be shown to have an actual or potential impact on competition.
This so-called ‘effects-based approach’, now enshrined in the case law, is not a capricious hurdle aimed at making enforcement more difficult or less effective. It is rather the acknowledgement that many, if not most, practices do not necessarily pursue an exclusionary aim and, similarly, do not invariably deteriorate the competitive process (even when implemented by a dominant firm).
The (daunting) challenge, against this background, is to get the definition of anticompetitive effects right. Getting the definition right, in this context, means, first, providing the basis for a meaningful assessment (that is, one that is not merely a formality); and, second, making it possible to discern what an effect is and what it is not.
Part of the difficulty that comes with fleshing out the concept is that the case law is far more illuminating about what an anticompetitive effect is not (as opposed to what it is). The issue, as the law stands, is best approached in a negative manner.
It is clear from the case law, to begin with, that an anticompetitive effect is not synonymous with harm to consumer welfare. Therefore, the former can be established without showing the latter (and, more importantly, without the latter necessarily occurring, whether actually or potentially).
Second, a mere competitive disadvantage and/or a limitation of a firm’s freedom of action do not amount, in and of themselves, to an anticompetitive effect within the meaning of Article 102 TFEU.
The latter point has long been clear. If anything, it has become even more difficult to dispute following Servizio Elettrico Nazionale and the appeal judgment in Google Shopping. As reminded in para 186 of the latter, the fact that a vertically-integrated dominant firm discriminates against its non-integrated rivals (which necessarily places them at a disadvantage) is not abusive in and of itself.
Similarly, the fact that a practice (say, a system of standardised rebates) limits the freedom of action of a dominant undertaking cannot, in and of itself, substantiate a finding of anticompetitive effects. The clarification of this point is arguably the most valuable contribution made by Post Danmark II to the body of case law.
The challenge, in theory and in practice, is to identify the point at which a competitive disadvantage and/or limitation of a firm’s freedom of action are significant enough to amount to anticompetitive effects.
Third, the fact that the rivals of a dominant undertaking lose customers as a result of the behaviour of the dominant firms does not necessarily mean that the said behaviour has actual or potential anticompetitive effects.
According to the case law, there will be no anticompetitive effects, whether actual or potential, for as long as rivals remain willing and able to compete. Post Danmark I provides an ideal case study (if only because the Court unambiguously signalled the absence of effects in light of the facts of the case and the evolution of the relevant market).
The definition of anticompetitive effects in the Guidelines (and its practical consequences)
Capturing the essence of the case law is not an easy task. Crafting a definition that is operational (in the sense that its meaning can be grasped by national courts and authorities) is even more difficult.
The Commission could not avoid, alas, trying its hand at the challenge. In para 6 of the Draft Guidelines, it proposes to define the notion of anticompetitive effects as referring to:
‘any hindrance to actual or potential competitors’ ability or incentive to exercise a competitive constraint on the dominant undertaking, such as the full-fledged exclusion or marginalisation of competitors, an increase in barriers to entry or expansion, the hampering or elimination of effective access to markets or to parts thereof or the imposition of constraints on the potential growth of competitors’.
The fundamental point to make in relation to this definition is that it does not fully shed light on what an effect is (and, indeed, what an effect is not).
More precisely, the definition enshrined in the Draft Guidelines could be reasonably interpreted as suggesting that virtually any competitive disadvantage amounts to an anticompetitive effect. According to the current drafting, any ‘hindrance’ to the exercise of a competitive constraint would be sufficient, in and of itself, to establish an abuse.
Such an approach may not be obvious to square with the case law described above. As rulings like Servizio Elettrico Nazionale and Google Shopping show, ‘hindering’ rivals’ ability to exercise competitive pressure does not necessarily lead to actual or potential anticompetitive effects.
The practical consequences of such an expansive understanding of the notion of anticompetitive effects are arguably more significant than the tension with some aspects of the case law.
Accepting that any ‘hindrance’ can amount to an anticompetitive effect means accepting that pretty much any strategy implemented by a dominant firm amounts to an abuse of a dominant position. With such a broad definition, one could always make a plausible case that the requisite threshold is met.
The assessment of effects, in other words, would become a formality (actual or potential effects would always be shown to exist), rather than a meaningful one.
One can expect, in the same vein, actors in the system to exploit the expansive understanding of the notion of abuse before national courts (which, unlike competition authorities, lack the ability to prioritise cases).
If enforcement moves down this road, it may take a while before the Court of Justice is given the chance to refine the definition of effects and correct deviations from the case law. In the meantime, the legal community will have to learn to live with a significant degree of legal uncertainty around the meaning and scope of Article 102 TFEU.
One can think of a definition of anticompetitive effects that more faithfully reflects the essence of the case law and ensures, in the same vein, that the assessment remains meaningful. The notion can be construed, for instance, as follows:
‘Anticompetitive effects exist where the practice reduces rivals’ ability or incentive to compete to such an extent that the competitive pressure to which the dominant firm is subject is reduced as a result’
4. Adding order and structure to the analysis of effects
There are more aspects pertaining to the analysis of effects that could benefit from greater clarity. Over and over, we see the same issues coming back, Sisyphean in their persistence, even though they should have long been behind us.
The Guidelines on which the Commission is working provide an ideal chance to address some of these common misconceptions around the issue of effects. I cannot think of a better forum to convey clarity, certainty and, above all, a clean, discernible analytical framework on which national courts and authorities can rely.
As far as the fundamental issues that could be addressed, I can think of the following:
Actual and potential effects are about the time dimension of the analysis
The distinction between actual and potential effects refers to the temporal dimension of the analysis. There should be little doubt, after the Court’s careful analysis in the Servier saga, that references to potential effects relate to instances in which the assessment is prospective (that is, about an effect that may materialise in the future).
Contrary to what is sometimes (read: often) suggested, ‘actual’ and ‘potential’ do not refer to different substantive thresholds (the former being more demanding than the latter). In fact, they are not really, or not exactly, about the substantive threshold (keep reading till the end for more on this).
Clarifying this point is key for a number of reasons. The most salient of these, I would say, is that it makes sense to use the vocabulary consistently across issues and provisions. Using the same words to mean different things is a recipe for opacity and confusion.
When we talk about actual or potential competitors, we refer unquestionably to the time dimension: a potential competitor is one that has not yet entered the market but may do so in the future. This is, by the way, the manner in which the concept is used in the Draft Guidelines.
It would make little sense to refer to ‘actual’ or ‘potential’ in a different way when talking about the analysis of effects.
The Court of Justice has held unambiguously that, in the context of Article 102 TFEU, it is not necessary to show that the effects on competition are significant or appreciable. In other words, there is no such thing as a de minimis doctrine when the concept of abuse is at stake.
I do not believe there is anything controversial in this position. Because the application of Article 102 TFEU presupposes a finding of dominance, there is by definition no scope for de minimis doctrine.
This is a point on which the final version of the Guidelines could be even more explicit (ideally with a reference to Völk, where the Court explained that the doctrine applies on account of the ‘weak position’ of the parties in the relevant market, and which is not mentioned in the Draft).
The fact that the de minimis doctrine has no role to play in the context of Article 102 TFEU does not mean (this is another major source of confusion and misunderstandings) that every practice implemented by a dominant firm and/or every competitive disadvantage it inflicts upon rivals necessarily has an anticompetitive effect.
The rejection of the de minimis doctrine simply means that effects, when established, will necessarily be appreciable. But this fact does not dispense the authority or claimant from the need to establish these effects to the requisite legal standard in light of factors such as the coverage of the practice.
An additional aspect on which the Draft Guidelines is silent, and about which a conversation is as necessary as it is indispensable, relates to the substantive threshold of effects. The issue is bound to be discussed sooner or later and it would be best if it were openly addressed by the Commission.
It has already been mentioned that effects may be potential. The Court of Justice has clarified, moreover, that the practice must be ‘capable’ of having such effects. These points do not say anything, however, about the requisite threshold of probability.
When the analysis is prospective, is it enough to show that the practice is a plausible source of anticompetitive effects? Is it necessary to show that it is likely to do so (that is, a probability of >50%)?
The case law is not unequivocal on this point and there is room for interpretation. One thing is clear: it is not necessary to show that the practice is certain to affect competition. I have always been of the opinion that AG Kokott is on the money here and that the substantive threshold is one of likelihood (probability >50%).
As I say, the Draft Guidelines would be the right forum to address this matter once and for all. It would also be a great opportunity to make it clear (if only in a footnote) that the substantive threshold of effects is different from the standard of proof (even if both are expressed in probabilistic terms and even though they are, all too often, conflated).
Pablo Ibáñez Colomo is Professor of Law and Jean Monnet Chair in Competition and Regulation at the London School of Economics and Political Science. He is also a Visiting Professor at the College of Europe (Bruges), Joint General Editor of the Journal of European Competition Law & Practice (Oxford University Press) and co-editor of the Chillin’ Competition Blog.
* This Op-Ed has appeared previously in Chillin’ Competition in four different parts.
Ibáñez Colomo, P.; “On the Article 102 TFEU Guidelines”, EU Law Live, 19/12/2024, https://eulawlive.com/competition-corner/on-the-article-102tfeu-guidelines-by-pablo-ibanez-colomo/
The effects-based Analysis of unilateral Conduct – why we need to redraft the draft Guidelines for the AEC-test in the Aftermath of Google Shopping (C-48/22 P) and Intel (C-240/22 P)
Eva Fischer
On August 1 2024, the European Commission (hereinafter: EC) published its Draft Guidelines on exclusionary abuses, kicking off a rich debate on its need for improvement. One of the main goals of the Commission is – as with any other Guideline as well – to increase legal certainty to the benefit of consumers and businesses alike by way of clarifying the EC’s margin of discretion when enforcing competition law on unilateral conduct.
With regard to the EC’s margin of discretion when applying the as-efficient-competitor-test (hereinafter: AEC-test), however, the EC falls short of such expectations. This contribution aims to show that the cases Google Shopping and Intel provided the EC with large discretion that would require self-restraint by the EC to ensure a sufficient level of legal certainty on the market. The EC only mentions the AEC-test (not the AEC-principle, see below) in its para 73 of the Draft Guidelines. The AEC-test is generally recognized as a tool to prove foreclosure effects. Conducting the AEC-test is a resource-intensive procedure that the Draft Guidelines mark as voluntary, applied either by the EC or initiated by the undertakings. However, the EC would need to clarify in its para 73 when and how an undertaking can enable the AEC-test to be applied in its favor. This is especially true because the administrative procedure of the EC is in its discretion and the undertakings are left uncertain as to how to initiate the AEC-test.
In the administrative procedure, the EC aims to establish an abuse of market power while the undertaking is eager to prove to have acted in accordance with competition on the merits. On both sides, the AEC-test can provide a useful analysis tool to prove or disprove foreclosure effects. This is opposed to the AEC principle that was established in literature (Akman, A Critical Inquiry into ‘Abuse’ in EU Competition Law, Oxford Journal of Legal Studies, Volume 44, Issue 2, Summer 2024, Pages 405–433) and that has arguably neither been accepted by the recent case law in Google Shopping and Intel, as both cases do not refer to such a principle, nor been mentioned by the Guidelines of the Commission. The AEC principle not only serves as a tool to identify foreclosure effects but also establishes a deviation from competition on the merits, thereby serving as a theory of harm to establish abuse. This contribution, however, refers to the AEC-test as an analysis tool that is confirmed by case law.
The AEC-test shows whether the conduct of a dominant undertaking has the potential to harm competition by excluding rivals who are just as efficient as the dominant firm itself. The AEC-test stems from case law (Servizio Elettrico Nazionale (C-377/20), para. 79), and has been put in the spotlight recently in the cases Google Shopping and Intel. Therein, the Court of Justice clarified that the AEC-test is not a mandatory tool when establishing abuse under Art. 102 TFEU (Google Shopping, paras 264 and 269; the Intel case, para 181, is less obvious and open to interpretation. It could be argued that the CJEU requires the AEC-test to be used as “a general rule” at least in rebate cases. However, the CJEU also states in the same paragraph that the AEC-test is just one of the instruments to determine foreclosure effects. I therefore argue that the Intel and Google Shopping jurisprudence are in line with each other). Rather, the Commission or the undertaking can bring forward evidence that triggers the application of the AEC-test in the administrative procedure upon discretion of the EC. There are two relevant remarks on this:
First, if the AEC-test is applied in the administrative procedure upon the initiative of either of the parties, it is also subject to judicial review (Intel, paras 144 et seqq.). This, however, creates the potential to always overturn the Commission’s decision by presenting new data in the court proceedings, with the court then dismissing the Commission’s decision in the administrative procedure as inadequately reasoned due to the failure to consider all relevant market data. Here, the Court of Justice clarified that judicial review only takes into account market data already available during the administrative procedure (Intel, para 145). How new evidence is included in judicial review remains to be dealt with outside of the scope of the AEC-test. The Commission, therefore, can safely ground its decision in an analysis of abusive behavior according to the AEC-test without having to fear being overturned by new evidence. Here, the Guidelines do not need any redraft.
Second, as stated elsewhere (see “Discriminatory Leveraging Plus – The Standard for Independent Self-Preferencing Abuses after Google Shopping (C-48/22 P)”, Fischer, Hornkohl, Imgarten (forthcoming)), neither the case law in Google Shopping and Intel nor the Guidelines clarify how the undertaking can safely bring forward arguments in such a way as to engage the AEC-test. If this remains unclarified, the EC has discretion to evaluate if the presented evidence is sufficient for the EC to apply the AEC-test.
For one, some leeway for the EC seems justified. The AEC-test requires the EC to prove that the undertaking produces different effects on the competition on the relevant market, namely producing foreclosure effects proven by actual or potential economic data that show “a strategy aiming to exclude competitors that are at least as efficient” (Google Shopping para 265). To prove the existence of such a strategy requires resources spent on behalf of the EC. How to devote resources to the enforcement of competition law, however, should be up to the Commission. It, therefore, seems fair to argue that if the EC considers engaging the AEC-test, it should be up to its discretion to invest the required resources to prove a “strategy” behind the market behaviour (Google Shopping para 265). In this scenario, the EC should not be obliged to acquire data to test its assumption of foreclosure effects.
For another, the situation is different if the undertaking wants to engage the AEC-test in order to prove the lack of foreclosure effects of its behavior. This can also prevent over-enforcement if such effects are, in fact, lacking. It is thus preferable if such application of the AEC-test is not entirely at the discretion of the EC and it is sufficiently clear how the undertaking has to proceed.
The insufficient clarification in para 73 of the Guidelines
However, the alternative case of application of the AEC-test, in which the undertaking wants to prove the lack of foreclosure effects via the AEC-test, is not sufficiently laid out. The case law (e.g. Google Shopping, para 266; Intel para 181) requires that if the undertaking brings forward sufficient evidence for a lack of foreclosure effects, the EC has to engage the AEC-test. This is at least true for specific types of conduct such as rebates but can most probably be understood in a general manner (Intel, para 180 and 181; contrarily, Zelger/Kapusta seem to deduce from this that for such types of conduct the AEC-test has to be applied, meaning that the discretion of the EC is reduced independently of whether the undertaking has brought forward sufficient evidence). It remains unclear though how the undertaking can bring forward evidence to safely engage the AEC-test.
If the AEC-test is, according to the judgments in Intel and Google Shopping, a tool of the undertakings to prove that they are not creating foreclosure effects, then the Commission should further state when it considers that the undertaking has brought forward enough for the AEC-test to be applied by the Commission. This is lacking in the current version of the Draft Guidelines. In its Recital 73, the Guidelines only lay out that the AEC-test is not mandatorily applied by the EC. The EC does not guide the undertakings in how to present evidence and to what aim. In order to prevent over-enforcement and to enable the undertakings to sufficiently prepare their evidence for the AEC-test, the EC should clarify its intended application of the AEC-test in light of the recent case law. This would further provide legal safety and improve law enforcement through better-informed decision-making. Such informed decision-making in the administrative procedure is even more important because the judicial review process cannot reassess the AEC-test. The Courts can only rely “on the nature of that test” (Intel, para 165) and, thus, ensure its correct application. As far as case law states, the Courts cannot reassess. Therefore, in cases where the potential effects of unilateral conduct are at issue, the AEC-test should be used as a tool to strengthen law enforcement.
Eva Fischer is a PhD Candidate at LMU Munich.
Fischer, E.; “The effects-based Analysis of unilateral Conduct – why we need to redraft the draft Guidelines for the AEC-test in the Aftermath of Google Shopping (C-48/22 P) and Intel (C-240/22 P)”, EU Law Live, 16/12/2024, https://eulawlive.com/competition-corner/the-effects-based-analysis-ofunilateral-conduct-why-we-need-to-redraft-the-draft-guidelines-for-the-aec-test-in-the-aftermath-of-google-shopping-c-48-22-p-and-intel-c-240-22/
Céline Gauthier-Maxence 1
Introduction
Today, we live in a society where the number of connected devices is growing exponentially, reaching 1.8 billion in Europe.2 In correlation, cybersecurity risks are multiplying. Since 2015, the annual global cost of cybercrime is estimated to have doubled, reaching €5.5 trillion by 2020.3 The global market for artificial intelligence (AI) is already worth over $196 billion. And some experts in the field predict that the value of AI is set to increase 13-fold over the next 7 years, topping $1.81 trillion by 2030. Artificial intelligence is therefore expected to grow by 38.1% between 2022 and 2030.4 In view of these facts, the legislative framework for cybersecurity and AI is essential to secure the data used in these fields and prevent potential abuses.5 In this sense, European directives and regulations on cybersecurity and artificial intelligence play a crucial role in securing digital infrastructures and overseeing the use of emerging technologies (I). The rise of new digital technologies and the use of AI in ever wider fields means that the issues at stake are not only current, but will continue to be so in the future. It is vital to anticipate these challenges in both the short and long term (II).
The European Union has introduced a number of legislative texts aimed at strengthening cybersecurity, including the Cybersecurity Act, the NIS Directive and the forthcoming NIS 2 Directive, as well as the REC Directive, the DORA Regulation, and the Digital Services Act and Digital Markets Act (A). The AI Act extends regulation to AI technologies and the services and organisations that use them (B).
The European Union has developed a robust regulatory framework to enhance cybersecurity, operational resilience, and digital market governance across critical sectors. Three pivotal components have to be examined: the Cybersecurity Act, which establishes a certification framework for ICT products and services (1), the NIS and NIS2 Directives, which strengthen security measures for essential services and critical entities (2), and the DORA Regulation alongside the Digital Acts, which bolster digital resilience in the financial sector and regulate large online platforms (3). Together, these initiatives aim to secure digital ecosystems, protect vital services, and promote fair competition within the EU.
1. Céline Gauthier-Maxence is a PhD student in law, specialising in health law and digital law, Université Jean Moulin Lyon 3, Ifross, CRDMS, a research engineer, CNRS, and a teaching assistant, Université Panthéon-Assas, Paris 2.
2. ‘Le monde de l’Internet des objets : des dynamiques à maîtriser’, Assessment of the environmental impact of digital technology in France and prospective analysis, study carried out by French ADEME (Agence de la transition écologique) & ARCEP (Autorité de régulation des communications électroniques, des postes et de la distribution de la presse), February 2022.
3. Virginie Bensoussan-Brulé et al, Le Data Protection Officer, 3e ed., Larcier, 2020.
4. ‘Les chiffres clés de l’IA en 2024 : Tendances et statistiques’, Vision IA by ITDM Group, 12 April 2024.
5. Céline Gauthier-Maxence, ‘Défis juridiques du droit de la santé à l’ère du numérique et de l’IA’, 2024, hal-04624585.
Regulation (EU) 2019/881 (Cybersecurity Act)6 establishes a European certification framework for ICT (Information and Communication Technology) products. The European Union Cybersecurity Agency (ENISA) is responsible for implementing this framework and evaluating its effectiveness every five years. Implementing Regulation (EU) 2024/482, adopted in January 2024,7 clarifies standards for the assessment and certification of ICT products according to ‘substantial’ or ‘high’ levels of assurance. More specifically, this regulation is aimed at companies that design, develop and sell information and communication technologies (ICT). This includes hardware manufacturers, software publishers and ICT service providers. Member States must designate national certification bodies to assess and monitor ICT products, in line with the European Cybersecurity Certification Framework. The Cybersecurity Act establishes a European certification framework for ICT products. This framework is mainly voluntary, but some certification schemes may become mandatory for certain critical sectors or products. For example, ICT products used in sectors such as critical infrastructure (transport, energy) may be subject to more stringent requirements. ICT products can be certified to different levels of assurance (low, substantial, high) depending on the risks associated with their use. Companies must therefore ensure that their products meet the specific requirements of these levels. The regulation has been in force since 27 June 2019, but certain provisions concerning certification became applicable from 28 June 2021. The first certification system (EUCC) will be mandatory from 27 February 2025.
Directive (EU) 2016/1148 (NIS Directive)8 requires Member States to improve the security of networks and information systems for essential services such as energy, transport, and banking. In 2022, the NIS2 Directive9 was introduced to strengthen and harmonise security standards within the EU. For the time being, the NIS Directive concerns operators of essential services, i.e. companies in critical sectors such as banking, transport infrastructure, energy and healthcare, as well as digital service providers, i.e. online platforms, search engines and cloud computing services. Companies must implement technical and organisational measures to secure their networks and information systems. They must also report significant security incidents to the competent national authorities. Member States must designate national authorities to monitor compliance with the directive and take action in the event of non-compliance. Companies that fail to comply with the requirements of the NIS or NIS2 Directives are liable to penalties, which vary according to national regulations. The NIS2 Directive, adopted in 2022, strengthens these obligations by imposing enhanced security and stricter incident reporting. The NIS Directive has been in force since May 2018. The NIS2 Directive, adopted in 2022, is expected to come into force gradually, with compliance required by 2024 for most sectors. NIS2 consolidates its predecessor by targeting companies in critical sectors such as energy, transport, healthcare and digital infrastructure. However, it introduces a distinction between essential entities (EE), such as energy suppliers, and important entities (IE), such as postal services or agri-food companies. Covered entities must strengthen their cybersecurity measures, including supply chain risk governance. They are also required to promptly report any major cybersecurity incident to national authorities10.
6. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (European Union Agency for cybersecurity) and on cybersecurity certification of information and communication technologies and repealing Regulation (EU) No 526/2013 (Cybersecurity Regulation).
7. Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC).
8. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
9. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
The BER Directive11 is aimed at companies and infrastructures that provide services essential to maintaining the vital functions of society, such as energy, transport and healthcare. This includes critical entities of national and European importance. Critical entities will have to draw up plans to strengthen resilience in the face of physical and cyber threats. This includes setting up infrastructure protection systems, risk management protocols, and regular stress tests. The REC Directive is being implemented in coordination with the NIS2 Directive, ensuring that physical and cyber security are strengthened consistently across the EU. Member States must designate critical entities and transpose the directive into their legislation by October 2024.
The DORA (Digital Operational Resilience Act) Regulation is also a central piece of digital resilience regulation in the EU. DORA applies primarily to entities in the financial sector, including banks, insurance companies, asset management companies, financial services providers, and crypto-asset companies. Providers of services critical to these entities, such as cloud services, software or infrastructure services, are also covered. The DORA Regulation aims to ensure that EU financial institutions can withstand and respond to IT disruptions, cyber-attacks, and other digital risks. It sets harmonised standards across the EU for ICT risk management. Financial entities must put in place systems to manage ICT-related operational risks, including risk monitoring and mitigation procedures, business continuity plans, and resilience testing. DORA requires financial entities to closely monitor services provided by external providers, such as cloud services. Contractualization and verification obligations are in place to ensure that external providers comply with the same security standards. Companies must report any major incident affecting ICT to the relevant authorities within a defined timeframe. These incidents must be documented and rigorously followed up. DORA was published in the EU’s Official Journal in December 2022, and should be applicable from January 2025. Financial entities therefore have time to adapt their systems and procedures before digital resilience obligations are fully implemented. DORA is part of a broader set of measures to strengthen the digital operational resilience of financial institutions, complementing other cybersecurity frameworks such as NIS2. It focuses primarily on ICT risk management and the monitoring of third-party suppliers.
10. For more information: Elio Machado Neto, “Transposing NIS 2: A Blueprint for EU Cybersecurity Harmonisation”, published alongside the present article.
11. Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.
The Digital Services Act (DSA)12 and the Digital Markets Act (DMA) are also noteworthy. The DSA applies to large online platforms (social networks, online marketplaces, etc.) and aims to regulate digital services. The DMA targets large digital companies, known as gatekeepers, such as major technology platforms. The DSA imposes strict obligations to protect users against illicit content and enhance the transparency of algorithms, in addition to making platforms responsible for content moderation. As for the DMA, it limits the power of the major platforms by imposing rules to guarantee fair competition and prevent abuse of dominant position. The DSA has applied since February 2024, and the DMA has been in force since 2022, but the first obligations are being applied gradually.
When it comes to AI, European regulation has recently been structured around Regulation (EU) 2024/1689, also known as the ‘AI Act’13, which came into force on 1 August 2024. It is aimed at companies developing, deploying or using artificial intelligence systems in the European Union. It concerns large companies as well as start-ups and SMEs. Companies that integrate or use AI systems in their operations (e.g. AI for recruitment, medical care) are also concerned. The text is the world’s first comprehensive legal framework governing AI and is based on a risk-based approach, classified into four categories. AIs that threaten fundamental rights, such as social rating systems, are totally prohibited, as they fall under ‘unacceptable risk’. AI systems used in critical sectors (recruitment, medical diagnostics, security) are subject to strict requirements for transparency, human supervision and risk management, and fall under ‘high risk’. Systems such as chatbots, falling under ‘specific transparency risk’, must inform users that they are interacting with AI. Finally, low-risk AIs, such as video games or spam filters, are not subject to any obligation, but voluntary codes of conduct may be adopted, insofar as they fall under ‘minimal risk’. The regulation is accompanied by the establishment of a European AI Office, responsible for overseeing general-purpose AI models, in coordination with competent national authorities. The regulatory framework also includes measures to foster innovation while protecting the fundamental rights of European citizens.
12. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act).
13. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act).
Although it came into force on 1 August 2024, not all its provisions are immediately applicable. Indeed, several deadlines are foreseen depending on the type of risk that AI systems may represent. For example, bans on certain AI systems deemed of ‘unacceptable risk’ are applicable within six months, while specific obligations for general purpose systems (GPAI) will come into force in 12 months. Other obligations, notably those concerning ‘high-risk’ systems, will be phased in over a period of up to 36 months.14 It should also be remembered that, as a regulation, the AI Act applies directly in all Member States without the need for formal transposition into national law, but competent national authorities will need to be designated to oversee its implementation. These authorities will work in coordination with the European Commission’s AI Office to ensure compliance with the regulation and manage market surveillance.15
These directives and regulations add to existing measures such as the GDPR16 and complete the European framework for cybersecurity and AI, digital risk management, and critical infrastructure protection. These texts impose strict compliance deadlines and concern a variety of sectors within the EU, with a gradual entry into force until 2025, under penalty of sanctions for States late in transposition or application (Commission v Belgium, Case C-543/1717; Commission v Republic of Austria, Case C-549/1818; Commission v Germany, Case C-270/0719). This consideration of European regulations and future technological developments therefore implies short- and long-term challenges for Member States and organisations subject to these future constraints.
In the face of rapidly evolving cybersecurity and artificial intelligence regulations, organisations are facing major challenges. We’ll look first at the issues looming a year or so ahead (A), then at the outlook for the next ten years and beyond (B), before exploring the example of a practical solution such as ‘by-design’ to comply with current standards while anticipating the future (C).
EU Member States must transpose the NIS 2 Directive into national law by 17 October 2024. Organisations must also prepare for new risk management and incident reporting obligations. Companies will need to step up staff training and awareness of cyber threats to comply with the enhanced standards. After national transposition, organisations will need to be fully compliant, or face sanctions. This includes implementing robust technical and organisational measures. Indeed, in addition to Member States, the Court of Justice of the European Union has no hesitation in directly sanctioning companies and organisations that fail to comply with European standards (Fashion ID, Case C-40/1720; Planet49, Case C-673/1721). Financial entities will also have to draw up plans to comply with the DORA, which will be applicable from 17 January 2025. On that date, the regulation will require a strengthening of digital operational resilience and ICT risk management.
14. Directorate-General for Communication, ‘AI Act enters into force’, 1 August 2024.
15. Mia Hoffmann, ‘The Finalized EU Artificial Intelligence Act: Implications and Insights’, CSET, 1 August 2024.
16. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
17. Judgment of the Court of Justice of 8 July 2019, European Commission v Kingdom of Belgium, C 543/17.
18. Judgment of the Court of Justice of 16 July 2020, European Commission v Romania, C 549/18.
19. Judgment of the Court of Justice of 19 March 2009, Commission of the European Communities v Federal Republic of Germany, C 270/07.
As far as AI is concerned, the AI Act is already in force, and is being applied progressively according to the degree of risk presented by each AI system. The current challenge is therefore to identify the AI systems in use and assess the associated risks, in order to provide a framework for potential future requirements, firstly under the AI Act, and secondly under future AI regulations. Depending on the AI systems they use, organisations therefore have a transition period to comply, ranging from 0 to 36 months from 1 August 2024. They must therefore prepare or directly apply strategies to meet the requirements in terms of transparency, data governance and risk management. This requires engagement with stakeholders. Organisations should already be working with suppliers, customers and regulators to understand the future implications of the regulation and align practices.22 For organisations using high-risk AI systems, adaptation time is minimal or non-existent. It was necessary to anticipate by preparing the processes that would enable the required certifications to be obtained rapidly, and to set up auditing and ongoing compliance mechanisms. Cross-functional issues can be identified, impacting cybersecurity and AI systems. The coming months are crucial for organisations as they navigate a rapidly changing regulatory landscape. A proactive approach is essential to ensure compliance, minimise risks and take advantage of the opportunities offered by new technologies, while complying with European directives and regulations. In the near future, this means strengthening risk management frameworks to incorporate new regulatory requirements for cybersecurity and AI.
It’s also about striking a balance between technological innovation and regulatory compliance to maintain competitiveness while respecting ethical and security standards.23 Finally, it’s a question of investing in the human and technological resources needed to meet the challenges, including recruiting specialist talent and upgrading infrastructures. What’s more, the regulations to come are not only the result of a desire to regulate the management and conventional use of IT and AI systems, but also of a rise in potential cyber-attacks in the years to come.
Within the next 5 years, cyberattacks are likely to become more sophisticated, exploiting emerging technologies such as AI to bypass defences. Indeed, a 2024 study by Deloitte in collaboration with NASCIO (National Association of State Chief Information Officers) highlights the growing risks of AI-powered cyberattacks.24 Experts note that AI-enabled attacks are rapidly becoming more sophisticated, notably through the creation of falsified content, the automation of information gathering, and real-time adaptation thanks to reinforcement algorithms. These advances are making attacks more complex to detect and outperforming conventional defences. The report also points out that many cybersecurity managers are struggling to keep up with the speed at which these threats are evolving, and only 35% say they are ready to effectively counter AI-enabled attacks in the next five years.25 This study joins the findings of other analyses, such as Keeper Security’s, which reveals that a large majority of cybersecurity professionals (84%) perceive an increase in AI-driven phishing and smishing attacks, making training campaigns and detection tools increasingly crucial to counter these threats.26
20. Judgment of the Court of Justice of 29 July 2019, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, C 40/17.
21. Judgment of the Court of Justice of 1 October 2019, Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH, C 673/17.
22. Christina Montgomery and Jean-Marc Leclerc, ‘The EU AI Act Is About to Hit the Books: Compliance Steps You Need to Know’, IBM, 30 May 2024.
23. Amanda Lawson, ‘The EU AI Act Explained: Tracking Developments for Responsible AI’, Responsible artificial intelligence institute, 20 December 2022.
Companies will therefore need to invest in advanced security solutions and adopt a proactive approach to risk management. While compliance with the NIS 2 Directive and DORA Regulation will have to be fully achieved for all organisations subject to them, the continuous monitoring of critical infrastructures and increased operational resilience imposed by these directives and regulations will be all the more beneficial to organisations, in a context of increased cyber threats.27 In addition, new directives could extend cybersecurity obligations to other sectors, including small and medium-sized enterprises (SMEs), increasing the scope of compliance. Looking even further ahead, to around 8 years from now, the massive integration of the Internet of Things (IoT), 5G and 6G will increase the attack surface, requiring adapted regulatory frameworks to secure these technologies. Logic would dictate that the EU work more closely with other international jurisdictions to harmonise cybersecurity standards, leading to adjustments for companies operating on a global scale. The focus would then be on the resilience of systems as a whole, not just on the individual protection of organisations. It’s easy to imagine that, within 10 years, cybercriminals’ use of AI could automate large-scale attacks, requiring AI-based defences and regulations to frame these new threats. A fortiori, regulatory frameworks will need to be more dynamic to keep pace with the rapid pace of technological innovation, requiring companies to keep a constant regulatory watch and be more flexible.28
In terms of AI, within 5 years, the AI Act should also be finalised and adopted. Companies will also have to comply with requirements for AI systems, including transparency, data management and bias prevention. It would also be legitimate for the EU to introduce additional guidelines to ensure the ethical use of AI, obliging organisations to integrate ethical considerations into the development and deployment of their systems. Furthermore, with the development of general AI or strong AI, new regulations could emerge to manage the risks associated with these powerful technologies. Stricter legal frameworks concerning liability for damage caused by AI systems could therefore be put in place, impacting insurance and corporate obligations. Within 10 years, the regulation of AI systems capable of fully autonomous decision-making will become critical, with specific laws to guarantee the safety and ethics of these systems.29 Intuitively, the EU should then strengthen individuals’ rights regarding their data and the impact of AI on their privacy, forcing companies to adopt increasingly stringent data protection measures. Companies will have to innovate while integrating security and compliance principles (‘Security by Design’ and ‘Compliance by Design’) right from the design stage.
24. Cam Sivesind, ‘Deloitte-NASCIO Study: AI and Cyber Threats Reshape the Landscape’, SecureWorld, 2 October 2024.
25. Dilki Rathnayake, ‘Cybersecurity in the Age of AI: Exploring AI-Generated Cyber Attacks’, FORTRA, 11 March 2024.
26. Mike Vizard, ‘Survey sees cyberattacks gaining AI sophistication’, Barracuda, 15 October 2024.
27. Simon Toepper, ‘NIS 2 vs. DORA: Why there are two regulations for IT security in the EU’, IB Academy, 18 October 2024.
28. ‘NIS 2, AI Act, and more: How the EU’s digital strategy is driving the data-driven economy’, Device Insight, October 17, 2024.
C. Compliance in Practice: The Example of ‘By-Design’, Between Complying with Current Regulations and Anticipating the Future
The concept of ‘by-design’ refers to the principle of ‘compliance by design’, which encompasses two notions relating to privacy and security. The GDPR already devotes a specific article to ‘privacy-by-design’ (GDPR, Art. 25, para. 1). To effectively protect privacy, the European text provides for a non-exhaustive list of mandatory technical and organisational measures to secure personal data right from the processing design stage (GDPR, Art. 32). Technical measures include the pseudonymisation and encryption of data, the principle of minimisation, which limits the amount of data collected according to the purpose of the processing, and the implementation of control procedures to assess the security of the processing, such as penetration tests to identify any security breaches. Organisational measures must also make it possible to limit access to data and to the results obtained by cross-checking data within the company or institution. It is essential to train staff in the challenges of personal data protection and to involve the Data Protection Officer as early as possible in the design of a project. Furthermore, the data controller is obliged to carry out Privacy Impact Assessments in order to map the risks (GDPR, Art. 35). These are all obligations for the company, non-compliance with which exposes it to heavy fines of up to 10 million euros or 2% of the company’s worldwide annual sales (GDPR Art. 83, para. 5). This concept of ‘by-design’ is becoming increasingly popular, and will become an essential standard within the next 5 to 10 years.30
Ultimately, the rapid evolution of digital technologies and artificial intelligence means that regulatory frameworks need to be constantly adapted to guarantee security, ethics and data protection. European directives and regulations such as NIS 2, DORA and the AI Act are crucial steps in framing these developments, but their effective implementation will depend on the proactivity of organisations and Member States. The adoption of ‘by-design’ as a fundamental principle illustrates the need to integrate compliance and security right from the design stage. As we approach an era where AI and ubiquitous connectivity will redefine our societies, it becomes essential not only to comply with current regulations, but also to anticipate future challenges. This raises a fundamental question: are we ready to rethink our traditional approaches to building a digital future that combines innovation, security and ethical responsibility?
29. Vlerë Hyseni, ‘Securing Europe’s Digital Future: DORA and NIS 2 Directive’, PECB, 25 April 2024.
30. Christiane Féral-Schuhl, ‘Privacy-by-design, security-by-design, quand la compliance découle du code’, CIO, 27 September 2023.
Elio Machado Neto 31
As the October 2024 deadline for the transposition of the NIS 2 Directive has come to an end, only a few countries have fully incorporated the directive into national law, despite the urgency of harmonising cybersecurity measures across the Union. The slow progress risks not only financial and legal consequences but also undermines the goal of creating a unified cybersecurity framework to protect critical infrastructure from evolving cyber threats.
The original NIS Directive (Directive 2016/1148)32 set the foundation for improving the cybersecurity position of essential services like energy, transport, and healthcare at the EU level. However, cyberattacks have become more frequent and complex, as seen in the ENISA 2024 Threat Landscape (ETL) report that confirms this growing trend of incident numbers and their consequences within a context of geopolitical escalation and hack-activism.33 This situation, coupled with inconsistency shown by Member States’ approaches, made apparent the need for an EU Cybersecurity Strategy34, in which NIS 2 (Directive 2022/2555)35, DORA (Regulation 2022/2554)36 and CER (Directive 2022/2557)37 are key elements. The NIS 2 Directive, which came into force in January 2023, aims to harmonise cybersecurity measures across Member States, ensuring that essential services and critical sectors are adequately protected from increasingly sophisticated attacks.
Building upon the original NIS Directive, the NIS 2 framework expands the sectors covered, enhances risk management measures, strengthens incident reporting obligations, and imposes stricter penalties. In addition to sectors like energy and transport, NIS 2 now covers other vital areas such as food supply, digital infrastructure, and waste management, totalling eighteen sectors (Annexes I and II) and critical entities identified by the CER Directive benchmark. However, it is up to Member States to determine which entities fall within the scope of the new obligations. The deadline for providing a concrete list of essential and important entities, which can encompass private and public organisations, is the 17th April 2025 (Article 3).
31. Elio Machado Neto is a European Master in Law, Data and Artificial Intelligence (EMILDAI) graduate.
32. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
33. ENISA Threat Landscape 2024, European Union Agency for Cybersecurity (ENISA), September 2024.
34. ‘The Cybersecurity Strategy’, European Commission.
35. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.
36. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
37. Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.
Senior management of included entities will now have a direct role in overseeing cybersecurity measures, ensuring a culture of compliance by approving risk management strategies (Articles 20 and 21). To guarantee that management bodies are well-versed in the best practices regarding cybersecurity risk assessment and management, the directive stipulates that senior management be required to undertake specialised training, which can also be offered to other employees.
To demonstrate that their cybersecurity strategies are adequate, entities can rely on European Cybersecurity certification schemes adopted under the Cybersecurity Act38 (Article 24). Additionally, the use of European and international standards, for example, the well-known ISO/IEC 27001, and technical specifications is encouraged to strengthen network and information system security (Article 25). Although the use of certification schemes and recognised standards is encouraged, Member States cannot impose or discriminate in favour of the use of a particular type of technology. Thus, the NIS 2 Directive is neutral to ensure that the best current standards and practices are followed by the concerned entities.
The incident reporting mechanism established in Article 23 is one of the key features of the NIS 2 Directive and arguably the most critical obligation imposed on essential and important organisations. Under this obligation, entities must notify significant incidents to their respective Computer Security Incident Response Teams (CSIRT) or competent authorities within 24 hours. Incidents are understood as significant when they provoke serious operational disruption to the attacked entity, including financial loss, as well as causing considerable material or non-material damage to users and businesses, which in this case shall also be notified in the name of transparency. In October 2024, the European Commission released the first implementing act regarding digital service entities, providing detailed guidelines for the definition of significant incidents. These incidents may include incidents causing a loss of over half a million euros or 5% of the entity’s total turnover, death or considerable health damage, recurring incidents and exfiltration of trade secrets, amongst others.39 Furthermore, in line with the GDPR40, cyber incidents entailing a personal data breach must be reported to the competent National Data Protection Authority under penalty of a fine (Article 35).
38. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013.
39. Commission Implementing Regulation (EU) 2024/715 …/... laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.
40. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Within 72 hours after the attack, the affected entity must submit an initial assessment of the cyber incident, indicating its severity and impact. The incident reporting obligation extends up to one month after the initial incident report. By this time, entities must submit a final report compiling a detailed description of the incident, its root cause, applied mitigation measures, and a cross-border impact assessment, if relevant. However, if, due to the nature of the incident, it cannot be resolved in a month, a progress report is required, and the final report is expected to be submitted no later than one month after the incident is finally addressed.
A significant innovation presented by NIS 2 is the possibility of personal liability of members of management bodies in entities who demonstrate negligence in complying with the cybersecurity requirements and risk management strategies. The directive also established harsher fines in case of non-compliance with Article 21 or 23, going up to €10m or 2% of essential organisations’ annual global turnover, and €7m or 1.4%, for important entities (Article 34). Beyond financial measures, cybersecurity authorities can issue warnings about infringements of the directive’s obligations by the entities concerned, which can negatively affect the company’s credibility.
Another noteworthy feature of NIS 2 is the extraterritoriality measures found in Article 2. Entities based outside the EU that provide digital services or carry out digital activities within the single market shall designate a representative in the Union (Article 26).
With a deadline of October 2024, the directive established that the EU Member States must transpose its provisions into national law, ensuring uniformity throughout the single market in addressing cyber threats. The effectiveness of the cybersecurity framework created by the NIS 2 Directive depends on how well Member States transpose it into national law. Despite the guidelines, several countries have yet to fully transpose the directive.
According to EU law, directives must be transposed into national law by Member States. The process allows Member States to tailor measures that adapt the NIS 2 Directive to their national legal frameworks and political contexts while maintaining a minimum EU-wide consistency and without affecting the application of sector-specific EU legal acts (Articles 4 and 5). Each EU Member State had until the 17th October 2024 to implement the directive into its legal framework. Given the vast scope and complexity of the directive, which intersects with other EU laws, this process involves significant adjustments for national governments, regulatory bodies, and organisations.
The transposition process involves revising existing laws and introducing new ones to meet the requirements of the NIS 2 Directive, which can be affected by national political struggles. Additionally, the different levels of cybersecurity maturity41 throughout the EU may also be an influencing factor, demanding greater cybersecurity investments while still meeting budget constraints.
41. ‘Global Cybersecurity Index 2024 (5th Edition)’, International Telecommunication Union.
The directive dictates that Member States must adopt national cybersecurity strategies requiring coordination between multiple regulatory bodies to create the necessary infrastructure for enforcing compliance and processing incident reports, which may include expanding their national cybersecurity agencies or creating new reporting portals for each national authority sector (Article 7).
Such national cybersecurity strategies should be assessed regularly, or at least every 5 years. The strategies’ policies will cover cybersecurity in the supply chain for ICT products and services, technology development to implement state-of-the-art cybersecurity risk-management measures, training and education, and support for academic and research institutions. In other words, the policies will focus on providing foundations for cyber protection and hygiene, protecting network and information system infrastructures, which include hardware, software and online application security, and business or end-user data (Recital 49).
Despite the EU’s push for timely transposition, most Member States lag in the process. Only Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania have adopted laws incorporating the NIS 2 Directive into their national framework within the established deadline. Moreover, only Belgium and Italy have notified full transposition, according to the European Commission.1
Member States are at different stages of the transposition process according to their own national legislative procedures, meaning that many transposition laws will possibly enter into force only next year, thereby failing to comply with the directive’s deadline. In countries like Austria, Finland, Germany, Luxembourg, Ireland, and the Netherlands, draft laws have been published and are undergoing consultation processes or parliamentary scrutiny. The French draft law was only published by the Conseil des Ministres two days before the deadline and still has a long legislative procedure ahead of it.2 On the other hand, little progress is shown by Malta, Bulgaria, Spain, and Estonia, a country known for its innovative digital policies.
Failure to transpose NIS 2 by the October 2024 deadline can have legal and financial implications for Member States. The European Commission, through an infringement procedure, can bring the matter under the scrutiny of the Court of Justice of the EU. The lack of initiative by Member States toward the NIS 2 Directive is not something new. It is a problem acknowledged by the EU, monitored yearly through the Transposition Scoreboard, which measures the transposition deficit (the gap between the number of Single Market directives adopted by the EU and the number of directives transposed by each Member State) and the conformity deficit (the percentage of those directives transposed incorrectly).3
1. Ryan Browne, ‘A tough new EU cyber law is off to a messy start with many countries failing to adopt the rules’, CNBC, 17 October 2024.
2. Gabriel Thierry, ‘Directive NIS 2: avec sa présentation en conseil des ministres, le chantier de la transposition s’accélère enfin’, ZDNET, 16 October 2024.
3. Single Market Scoreboard (Transposition), European Union.
From a business perspective, organisations in non-compliant countries may face difficulties integrating into the EU’s broader cybersecurity framework, leading to a patchwork of cybersecurity standards across the EU and undermining the directive’s goal of harmonisation. The transposition delay by most countries has a high chance of affecting another crucial deadline, the 17th April 2025, when Member States must publish the concrete list of essential and important entities.
In this context, organisations under the listed sectors and within the directive’s scope should adopt a proactive approach to prepare their risk management strategy to ensure a smooth transition under the new rules. Compliance with the directive should not be seen as a way to avoid penalties but as a crucial effort to build robust and resilient network and information system infrastructures. It will be necessary to adapt supply chain due diligence, incident reporting procedures and overall business plans to align themselves to recognised standards and guidelines, in addition to training senior management and employees. Attention has to be paid to the fine print of the transposition laws since the NIS 2 Directive adopts a minimal harmonisation approach, which does not prevent Member States from adopting more stringent obligations. However, on average, the transposed laws and draft bills released adhere to the NIS 2 overall standards.
The transposition of the NIS 2 Directive is a critical moment for Europe’s cybersecurity landscape and another step towards cyber capacity building and proactive risk management to strengthen Europe’s overall cybersecurity position. The directive presents an opportunity for Member States and essential entities to create a more resilient and secure digital infrastructure that can withstand the growing threat of cyberattacks.
Disclaimer: Since the submission of the text, Greece completed the transposition procedure on 28th November 2024 and Denmark partially implemented measures for some ICT providers in the financial sector. Meanwhile, Portugal published its draft and submitted it to public consultation in November.
EU maritime safety and environmental protection: updates to port state control, flag state compliance, and ship-source pollution penalties
Monday 16 December
Official publication was made of Directive (EU) 2024/3099 of the European Parliament and of the Council of 27 November 2024 amending Directive 2009/16/EC on port State control, Directive (EU) 2024/3100 of the European Parliament and of the Council of 27 November 2024 amending Directive 2009/21/EC on compliance with flag State requirements, and Directive (EU) 2024/3101 of the European Parliament and of the Council of 27 November 2024 amending Directive 2005/35/EC as regards ship-source pollution and on the introduction of administrative penalties for infringements.
Read on EU Law Live
Commission Implementing Regulation on definitive anti-dumping duty imposed on optical fibre cables imports from India, published in OJ
Monday 16 December
Official publication was made of Commission Implementing Regulation (EU) 2024/3014 of 13 December 2024 imposing a definitive anti-dumping duty and definitively collecting the provisional duty imposed on imports of optical fibre cables originating in India.
Read on EU Law Live
Action against ECB’s decision suspending voting rights of Diplomat Pay in Addiko Bank, published in OJ
Monday 16 December
Diplomat Pay’s action against the decision of the European Central Bank, with the reference ECB-SSM-2024-AT-4, of 13 August 2024 was published in the OJ: Diplomat Pay v ECB (T-527/24).
Read on EU Law Live
Banque Havilland challenges ECB over license withdrawal
Monday 16 December
Banque Havilland SA, a Luxembourg-based financial institution, initiated legal proceedings against the European Central Bank (ECB) following the withdrawal of its authorisation as a credit institution.
Read on EU Law Live
Action against Commission’s decision authorising Slovenian funding of public healthcare services, officially published
Monday 16 December
Official publication was made of an action seeking the annulment of the decision of the European Commission C(2024) 3755 final of 10 June 2024 in Case SA.45844 (2016/FC) concerning alleged state aid to Slovenian Public Healthcare Institutes (PHI).
Read on EU Law Live
EU adopts 15th sanctions package to undermine Russia’s war effort against Ukraine
Monday 16 December
The European Union introduced its 15th package of restrictive measures targeting Russia, aiming to weaken its capacity to continue its unprovoked war against Ukraine.
Read on EU Law Live
Council adopts a directive expanding and upgrading the use of digital tools and processes in company law
Monday 16 December
The Council adopted a new directive to enhance the use of digital tools in company law, aiming to improve accessibility, trust, and efficiency across the Member States.
Read on EU Law Live
Regulation on the reduction of packaging waste, formally adopted by Council
Monday 16 December
The Council formally adopted a regulation on packaging and packaging waste, the aim of which is to reduce the generation of packaging waste by setting binding re-use targets, restricting certain types of single-use packaging and requiring economic operators to minimise the packaging used.
Read on EU Law Live
Croatian court refers excise duty dispute to General Court in first preliminary reference case
Monday 16 December
The Upravni sud u Osijeku (Administrative Court in Osijek, Croatia) referred Case C-534/24 to the Court of Justice of the European Union, marking a significant milestone as it is the first preliminary reference to be transferred to the newly empowered General Court, under the expanded jurisdiction.
Read on EU Law Live
Council adopts new rules to facilitate legitimate trade of firearms
Monday 16 December
The Council adopted updated EU rules on the import, export, and transit of firearms, the goal of which is to close loopholes exploited for firearms trafficking, while facilitating legitimate trade.
Read on EU Law Live
Commission maintains budgetary measures against Hungary over rule of law breaches
Tuesday 17 December
The European Commission decided to uphold measures against Hungary under the EU’s budget conditionality mechanism, citing insufficient progress in addressing rule of law breaches.
Read on EU Law Live
Commission refers UK to Court of Justice for violations of EU law on BITs and free movement
Tuesday 17 December
The European Commission referred the United Kingdom to the Court of Justice of the European Union (CJEU) over two separate issues: its failure to terminate Bilateral Investment Treaties (BITs) with six EU Member States and its noncompliance with EU free movement laws affecting the Withdrawal Agreement.
Read on EU Law Live
Preliminary ruling request concerning compatibility with EU law of various provisions of Spanish Organic Law on amnesty in Catalonia, published in OJ
Tuesday 17 December
The Tribunal de Cuentas (Spain) submitted a request for a preliminary ruling to the Court of Justice of the European Union (CJEU) concerning the compatibility of various provisions of Ley Orgánica 1/2024, de 10 de junio, de amnistía para la normalización institucional, política y social en Cataluña (Organic Law No 1/2024 of 10 June 2024 on amnesty for institutional, political and social normalisation in Catalonia) (the LOA) with EU law: Sociedad Civil Catalana (Case C-523/24).
Read on EU Law Live
Preliminary reference on the interpretation of Commission Regulation on de minimis aid in the agricultural sector
Tuesday 17 December
Official publication was made of a preliminary ruling request from the Corte suprema di cassazione (Italy), concerning the interpretation of Articles 3 and 6 of Commission Regulation (EU) 1408/2013 of 18 December 2013 on the application of Articles 107 and 108 TFEU to de minimis aid in the agriculture sector: Ambito territoriale di caccia Ancona 2 (C-615/24).
Read on EU Law Live
Preliminary ruling request concerning quantitative restrictions on marketing of medicinal products from unauthorised pharmacy, published in OJ
Tuesday 17 December
A preliminary reference from the Hoge Raad der Nederlanden (Netherlands), on 11 September 2024, in a dispute concerning the claim of a pharmaceutical company that two pharmacies should be prohibited from supplying patients with a medicine prepared by pharmacies without a licence, has been officially published: Almirall (C-589/24).
Read on EU Law Live
Council approves conclusions on enlargement covering the six Western Balkans partners, Türkiye, Ukraine, the Republic of Moldova, and Georgia
Tuesday 17 December
The General Affairs Council emphasized the EU’s commitment to enlargement as a geo-strategic priority, fostering peace, stability, and prosperity in Europe.
Read on EU Law Live
Commission initiates formal proceedings against TikTok for suspected breach of DSA obligations to mitigate risks to elections
Tuesday 17 December
The Commission announced the opening of formal proceedings against TikTok for a suspected breach of the Digital Services Act (DSA) in relation to the obligation to assess and mitigate systemic risks to election integrity, particularly in the context of the recent Romanian presidential elections on 24 November.
Read on EU Law Live
Parliament elects Teresa Anjinho as new European Ombudsman
Tuesday 17 December
In accordance with Article 228 of the TFEU, the European Parliament elected Teresa Anjinho, a former Deputy Portuguese Ombudsman, as the European Ombudsman for the new parliamentary term.
Read on EU Law Live
Regulation (EU) 2024/3011 on the transfer of proceedings in criminal matters, published in OJ
Wednesday 18 December
Official publication was made of Regulation (EU) 2024/3011 of the European Parliament and of the Council of 27 November 2024 on the transfer of proceedings in criminal matters.
Read on EU Law Live
European Court of Auditors (ECA) releases report assessing the European Commission’s enforcement of EU law
Wednesday 18 December
The European Court of Auditors (ECA) released a report assessing the European Commission’s enforcement of EU law, focusing on the management and resolution of infringement cases: “Special report 28/2024: Enforcing EU law – The Commission has improved its management of infringement cases, but closing them still takes too long”.
Read on EU Law Live
Regulation repealing existing rules on the marketing of construction products: published in OJ
Wednesday 18 December
Official publication was made of Regulation (EU) 2024/3110 of the European Parliament and of the Council of 27 November 2024 laying down harmonised rules for the marketing of construction products and repealing Regulation (EU) 305/2011.
Read on EU Law Live
General Court: EU procurement exclusion requires individual assessment
Wednesday 18 December
The General Court delivered its judgment in case TP v Commission (T-776/22) concerning the exclusion of TP, a company involved in an EU-funded public works project, from participating in EU public procurement and grant award procedures.
Read on EU Law Live
Council and Parliament reach provisional agreement on new reporting requirements in the financial services sector
Wednesday 18 December
The Council and Parliament reached a provisional agreement to simplify certain reporting requirements in the field of financial services and investment support (better data sharing).
Read on EU Law Live
General Court rejects Deripaska’s challenge to EU sanctions
Wednesday 18 December
The General Court delivered its judgment in Deripaska v Council (T-732/22) concerning Oleg Vladimirovich Deripaska, a Russian national, who challenged several restrictive measures imposed by the European Union (EU) due to his alleged involvement in actions compromising Ukraine’s sovereignty and territorial integrity.
Read on EU Law Live
General Court upholds Commission’s decision on Portuguese regional aid to the Madeira Free Trade Zone
Wednesday 18 December
The Fifth Chamber of the General Court delivered its judgment today in seven cases concerning, in essence, the annulment of Articles 1 and 4 of Commission Decision (EU) 2022/1414 on State aid implemented by Portugal in favour of the free zone of Madeira (Zona Franca da Madeira - ZFM), the so-called ‘Scheme III’: TA v Commission (T-702/22) et seq.
Read on EU Law Live
General Court rejects applications against Council’s restrictive measures on actions destabilising Moldova
Wednesday 18 December
The General Court handed down its judgment in two cases concerning actions against the Union’s restrictive measures adopted in response to actions destabilising Moldova, in the context of the war of aggression waged by Russia against Ukraine: Mironovich Shor v Council (T-489/23) and Tauber v Council (T-493/23).
Read on EU Law Live
Italian aid scheme to foster production of electricity from renewable sources, greenlighted by Commission
Wednesday 18 December
The European Commission approved, under the Temporary Crisis and Transition Framework (TCTF), an estimated €9.7 billion Italian scheme to support electricity production from renewable energy sources to foster the transition towards a net-zero economy.
Read on EU Law Live
A Member State cannot exclude, from family allowance benefits, a third-country national who cannot prove that his foreign-born children entered the country lawfully
Thursday 19 December
The Court of Justice handed down judgment in Caisse d’allocations familiales des Hauts-de-Seine (C-664/23), a request for a preliminary ruling from the Court of Appeal, Versailles (France) in the context of a dispute regarding an Armenian national who had entered France unlawfully alongside his wife and his two children.
Read on EU Law Live
A Member State which has granted temporary protection, under the Ukraine scheme, to categories of persons beyond those required by Union law, can revoke that protection before the EU scheme comes to an end
Thursday 19 December
The Court of Justice handed down judgment in Kaduna and Abkez (C-244/24 and C-290/24). The judgment follows two requests for a preliminary ruling from the Council of State and the District Court of The Hague, both in the Netherlands, concerning the temporary protection scheme for displaced persons from Ukraine, established through Council Implementing Decision 2022/382.
Read on EU Law Live
Member States may prohibit purely financial investors from holding shares in a law firm
Thursday 19 December
The Court of Justice handed down judgment in Halmer Rechtsanwaltsgesellschaft (C-295/23), a request for a preliminary ruling from the Bavarian Higher Lawyers’ Court (Germany), in the context of the Munich Bar Association prohibiting an Austrian company which is not authorised to provide legal advice services from acquiring part of the share capital of a law firm operating in Germany.
Read on EU Law Live
Court of Justice clarifies supplementary protection certificates (SPCs) for medicinal products in case of combination of active ingredients
Thursday 19 December
The Court of Justice delivered its judgment in joined cases Teva and Teva Finland (C-119/22) and Merck Sharp & Dohme (C-149/22), addressing questions about supplementary protection certificates under Regulation (EC) No 469/2009.
Read on EU Law Live
Dublin III Regulation: A Member State’s unilateral suspension of the transfer of asylum seekers does not in itself justify the finding of ‘systemic flaws’
Thursday 19 December
The Court of Justice handed down judgment in Tudmur (C-185/24 and C-189/24), a request for a preliminary ruling from the Higher Administrative Court, North Rhine-Westphalia (Germany) concerning the interpretation of the Dublin III Regulation (Regulation 604/2013).
Read on EU Law Live
EU law does not preclude national rules under which a court hears, at last instance, a case in which that court is the defendant in an action for State liability
Thursday 19 December
The Court of Justice handed down judgment in Vivacom Bulgaria (C-369/23), a request for a preliminary ruling from the Supreme Administrative Court (Bulgaria), in the context of a dispute concerning the compatibility with Articles 19(1) TEU and 47 CFR of national provisions providing for the jurisdiction of a court of last instance to hear actions based on breaches of EU law attributable to that court.
Read on EU Law Live
Denmark’s VAT on media license fees for public broadcasting upheld by Court of Justice
Thursday 19 December
The Court of Justice delivered its judgment in Foreningen C and Others (C-573/22) concerning the interpretation of specific provisions under the EU’s Value Added Tax (VAT) Directive (2006/112/EC), particularly Article 370 and Annex X, Part A, Point 2.
Read on EU Law Live
Commission notice on safeguard investigation on manganese and silicon-based alloying elements
Thursday 19 December
Official publication was made of a notice of initiation of a safeguard investigation on imports of manganese and silicon-based alloying elements, following the Commission’s receipt of a request containing information showcasing sufficient evidence calling for the adoption of such measures.
Read on EU Law Live
Court of Justice clarifies customs sanctions and confiscation rules
Thursday 19 December
The Court of Justice delivered its judgment in two joined cases Sistem Lux and Teritorialna direktsia Mitnitsa Burgas (C-717/22 and C-372/23) concerning the interpretation of Article 15 and Article 42(1) of Regulation (EU) No. 952/2013, of the European Parliament and the Council of October 9, 2013, establishing the Union Customs Code (UCC).
Read on EU Law Live
Four notices of anti-dumping measures on imports from the People’s Republic of China, Republic of Korea and Taiwan, officially published in OJ
Thursday 19 December
Four Commission notices of anti-dumping measures applicable to imports of ceramic tableware and kitchenware, candles, tapers, valine, and Acrylonitrile-Butadiene-Styrene Resins from the People’s Republic of China, as well as the Republic of Korea and Taiwan, were published in the OJ.
Read on EU Law Live
Commission opens investigation on Polish aid to nuclear plant in Lubiatowo-Kopalino
Thursday 19 December
The Commission initiated an in-depth investigation on whether public support that Poland plans to grant for a nuclear power plant in Lubiatowo-Kopalino is in compliance with EU State aid rules.
Read on EU Law Live
Court of Justice clarifies concept of ‘producer’ under Directive on liability for defective products
Thursday 19 December
The Court of Justice delivered its judgment today in a case concerning the interpretation of the definition of the concept of ‘producer’ given by the Directive on liability for defective products: Ford Italia (C-157/23).
Read on EU Law Live
Interim Agreement on trade between the EU and Chile and Council Decision (EU) 2024/3016 on the conclusion of the Interim Agreement on Trade between the EU and Chile, published in OJ
Friday 20 December
Official publication was made of the Interim Agreement on trade between the European Union and the Republic of Chile and the Council Decision (EU) 2024/3016 of 18 March 2024 on the conclusion, on behalf of the European Union, of the Interim Agreement on Trade between the European Union and the Republic of Chile.
Read on EU Law Live
Commission Implementing Regulation on definitive anti-dumping duty on imports of seamless pipes and tubes from Russia
Friday 20 December
Official publication was made of Commission Implementing Regulation (EU) 2024/3193 of 19 December 2024 imposing a definitive anti-dumping duty on imports of seamless pipes and tubes originating in Russia.
Read on EU Law Live
Notice of initiation of anti-dumping proceedings on imports of barium carbonate from the People’s Republic of China and India
Friday 20 December
A Commission notice of initiation of an anti-dumping proceeding concerning imports of barium carbonate originating in the People’s Republic of China and India was published in the OJ.
Read on EU Law Live
Commission Notice – Guidelines on the use of simplified cost options within the Funds covered by Regulation (EU) 2021/1060 (Common Provisions Regulation), published in OJ
Friday 20 December
Official publication was made of Commission Notice – Guidelines on the use of simplified cost options within the Funds covered by Regulation (EU) 2021/1060 (Common Provisions Regulation).
Read on EU Law Live