LEGAL MATTERS
High-level
Worldwide there exist multiple legal systems:
- Civil Law - rooted in continental Europe: Roman law, the Code Napoleon, German law (largely "cloned" by Japanese law);
France, Spain, Italy, Korea, Austria, China, Latin America - the Civil Law approach is to take a general principle
of law, codified in statute, and to apply it to a specific case ("from the general to the specific"). Note that "civil law" here names the legal tradition, not the narrow branch of private law as opposed to commercial or criminal law: civil-law jurisdictions codify commercial and criminal law as well.
- Common Law - rooted in the British Commonwealth:
Canada, US, Singapore, Hong Kong, Australia and India - the Common Law takes the opposite approach, deriving a principle
from the precedents found in many decided cases and applying it as a general principle to a particular case ("from the specific to the general").
- Hybrids ... and of course there are hybrids and cross-overs.
- And then there is the Talmud, the Sharia, ...
Furthermore, the UN established UNCITRAL, the United Nations Commission on International Trade Law. Its Working Group IV addresses
Electronic Commerce and produced the Model Law on Electronic Commerce (1996) and the Model Law on Electronic Signatures (2001). Its Working Group VI addresses Security Interests (secured transactions), not IT security.
A selective overview of EU IT-related law
A good introduction to many topics can be found in the EU online bookshop (Publications Office of the European Union).
Monitoring legislation
Treaties/EUR-LEX/RSP
Presidency, 'Better Regulation'
- Directive 2009/140/EC - Better Regulation Directive - amending Dir 2002/21/EC (common regulatory framework), Dir 2002/19/EC (access and interconnection) and Dir 2002/20/EC (authorisation)
- Directive 2009/136/EC - Citizens' Rights Directive
Education
The implementation of the European Qualifications Framework (EQF) was based on the Recommendation on the European Qualifications Framework for lifelong learning.
Reflecting the success in implementing the 2008 recommendation, a revised and strengthened Recommendation on the EQF was adopted on 22 May 2017 by the Education, Youth, Culture and Sport Council.
- EQF: Recommendation of the European Parliament and of the Council of 23 April 2008 on the establishment of the European Qualifications Framework for lifelong learning
- EQF revision: Council Recommendation of 22 May 2017, adopted by the Education, Youth, Culture and Sport Council
Taxation
VAT
The application of VAT is decided by national tax authorities but there are some standard EU rules.
EU VAT legislation is based mainly on directives. A directive is binding upon each Member State to which it is addressed,
but leaves the choice of form and methods to the national authorities who transpose it into national legislation.
Binding implementing measures to ensure uniform application of the VAT Directive can be found in the VAT Implementing Regulation (Council Implementing Regulation (EU) No 282/2011).
Those measures are directly applicable without transposition into national law.
- Directive 2001/115/EC amending Directive 77/388/EEC with a view to simplifying, modernising and harmonising the conditions laid down for invoicing in respect of VAT
- VAT Directive 2006/112/EC: the foundational Directive, on the common system of value added tax and the rules on invoicing
- Directive 2006/79/EC : private consignments
- Directive 2007/74/EC : travellers' allowances
- Directive 2008/9/EC: VAT Refund EU business
- Directive 86/560/EEC : VAT Refund non-EU business
- Directive 2009/132/EC : VAT-free importation
- Directive 2010/45/EU amending VAT Directive 2006/112/EC on the common system of value added tax as regards the rules on invoicing; from the point of issue until the end of the storage period an invoice must guarantee (Art. 233 VAT Directive):
- authenticity of origin
- integrity of content
- legibility
- these may be ensured by business controls that create a reliable audit trail between invoice and supply, or by technical means such as an advanced electronic signature or EDI
- Explanatory notes on VAT invoicing rules
- VAT Implementing Regulation: Council Implementing Regulation (EU) No 282/2011
Supporting systems:
- Check the validity of VAT numbers: the EU-wide VIES system (VAT Information Exchange System)
- National invoicing rules, VAT rates applied by EU countries, national VAT refund codes and features: the TIC (Taxation Information and Communication) system
- National rules applied in Member States for the use of the mini one-stop shop: MOSS system
- Basic information on taxes, including VAT, in each EU country: the Taxes in Europe Database (TEDB)
- Transaction Network Analysis (TNA) against VAT carousel fraud
IPR
- Protection of computer programs: Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs (codified as Directive 2009/24/EC)
- Protection of databases: Directive 96/9/EC of 11 March 1996 on the legal protection of databases
- Harmonisation of copyright: Directive of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights (2001/29/EC)
- Enforcement of IPR: Directive of 29 April 2004 on the enforcement of intellectual property rights (2004/48/EC)
EU Telecom law
Telecom package 2002
- Directive 2002/21/EC Framework Directive
- Directive 2002/20/EC Authorisation Directive
- Directive 2002/19/EC Access Directive
- Directive 2002/22/EC Universal Service Directive
- Directive 2002/58/EC Directive on privacy and electronic communications
Other
- Regulation 717/2007 Roaming Regulation
- Regulation 544/2009 Amending Roaming Regulation
- Recommendation 2007/879/EC Recommendation on relevant markets
- Recommendation 2009/396/EC Recommendation on termination rates
Telecom package 2009
- Revised EU rules on telecoms networks and services - 2009 - MEMO/09/491: these revised rules had to be implemented into the national laws of the Member States
by 25 May 2011 (the transposition deadline). They are carried by two Directives (2009/140/EC and 2009/136/EC) which amend 5 different existing EU Directives (Framework Directive, Access Directive, Authorisation Directive, Universal Service Directive and the e-Privacy Directive)
Telecom regulators:
- BEREC Regulation 1211/2009: Regulation setting up the European Body of Telecoms Regulators (BEREC), which was established in Riga in May 2010 (IP/10/641)
- Regulation 531/2012 on roaming on public mobile communications networks
RED - Radio Equipment Directive
- RED: Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC
5G
EECC
- Directive 2018/1972 (EECC) - European Electronic Communications Code
- Covers networks and services resulting from the convergence of telecom, media and ICT services
- The regulations of such networks is separated from the regulation of content, the EECC focuses on networks
- Consists of 326 recitals, 127 articles and 12 annexes
- The articles address
- Part 1 Framework (general rules for the organisation of the sector) - Article 40 (security of networks and services) and Article 41 (implementation and enforcement) cover security
- Part 2 Networks
- Part 3 Services (including universal service obligation)
- Part 4 Final provisions
Health
Digital services and Data
Digital Services
- Digital Content Directive: Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (a contract-law directive; not to be confused with the Digital Services Act below)
- The purpose of this Directive is to contribute to the proper functioning of the internal market while providing for a high level of consumer protection, by laying down common rules on certain requirements concerning contracts between traders and consumers for the supply of digital content or digital services, in particular, rules on:
- the conformity of digital content or a digital service with the contract,
- remedies in the event of a lack of such conformity or a failure to supply, and the modalities for the exercise of those remedies, and
- the modification of digital content or a digital service.
- Digital Services Act (DSA): Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC
- On 25 April 2023, the Commission adopted the first designation decisions under the DSA, designating 17 Very Large Online Platforms (VLOPs) and 2 Very Large Online Search Engines (VLOSEs), i.e. services that reach at least 45 million monthly active users in the EU.
- Very Large Online Platforms: Alibaba AliExpress, Amazon Store, Apple AppStore, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube, Zalando
- Very Large Online Search Engines: Bing, Google Search
Data Act
- Data Act: Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
Artificial Intelligence - AI
- EU AI Act - Wikipedia
- COM/2021/206: Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence and amending certain Union legislative acts
- Adopted as Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (Artificial Intelligence Act)
.eu regulation
- Regulation (EC) 733/2002 of the European Parliament and of the Council of 22 April 2002 on the implementation of the .eu Top Level Domain
- Regulation (EC) 874/2004 of 28 April 2004 laying down public policy rules concerning the implementation and functions of the .eu Top Level Domain and the principles governing registration
- Regulation (EC) 1137/2008 of the European Parliament and of the Council of 22 October 2008 adapting a number of instruments subject to the procedure laid down in Article 251 of the Treaty
- Commission Implementing Regulation (EU) 2015/516 amended Regulation 874/2004 by introducing technical checks to prevent possible visual confusion between
registered .eu domain names, particularly considering the .eu Internationalised Domain Names (IDNs)
- Regulation (EU) 2019/517 on the implementation and functioning of the .eu top-level domain name repeals Regulations 733/2002 and 874/2004 and applies from 13 October 2022
Data protection - DG Justice (formerly DG JLS, Justice, Freedom and Security)
Privacy directive 1995
- Directive on processing of personal data - 95/46/EC: Directive of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data
- ePrivacy Directive - 2002/58/EC: Directive of 12 July 2002 concerning the processing of personal data and
the protection of privacy in the electronic communications sector; its 2009 amendment (Directive 2009/136/EC) introduced the personal data breach notification obligation for providers of electronic communications services
- Data Protection - Directive 2009/136/EC amending 2002/22/EC (users' rights), 2002/58/EC (processing of personal data) and Regulation 2006/2004 (enforcement of consumer protection)
- Data Protection - proposed reform in 2012: proposals for
- COM(2012) 11 - Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
- COM(2012) 10 - Directive on the protection of individuals with regard to the processing of personal data by competent authorities (police and criminal justice sector) for the purposes of prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties
Regulation on processing of personal data by Community institutions
- Regulation (EC) No 45/2001 regulates the protection of individuals with regard to the processing of personal data by Community institutions and bodies.
The Regulation implements Article 286 of the Treaty establishing the European Community, which requires the application of data protection rules to Community institutions and bodies, as well as the establishment of an independent supervisory authority (the European Data Protection Supervisor, EDPS).
- Regulation (EU) 2018/1725 replaced Regulation 45/2001 and aligns the rules for Union institutions, bodies, offices and agencies with the GDPR.
GDPR 2016
- Regulation (EU) 2016/679 (GDPR) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Entered into force on 24 May 2016 and applies from 25 May 2018.
- In Belgium: framework act on the protection of personal data (Kaderwet bescherming persoonsgegevens), published in the Belgian Official Gazette (Belgisch Staatsblad) of 5 September 2018, no. 322888
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Entered into force on 5 May 2016; EU Member States had to transpose it into their national law by 6 May 2018.
- ETSI support for GDPR:
- TR 103 370 Guidance on standards for privacy and GDPR
- TS 103 485 Mechanisms for privacy assurance and verification of that assurance, can be used in meeting some of the obligations of GDPR
EU-US
EU-US Privacy Framework
- 2023 Adequacy Decision for EU-US Privacy Framework - C(2023) 4745 final: Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework
Data Governance
- Proposal for a Regulation - EU Data Governance Act - COM(2020) 767, adopted as Regulation (EU) 2022/868 (Data Governance Act)
- Complements the Open Data Directive (EU) 2019/1024
- Making public sector data available for re-use, in situations where such data is subject to rights of others
- Sharing of data among businesses, against remuneration in any form
- Allowing personal data to be used with the help of a personal data-sharing intermediary, designed to help individuals
exercise their rights under the GDPR
- Allowing data use on altruistic grounds
Data retention
- Data Retention - Directive 2006/24/EC:
- Based on the Proposal COM(2005) 438 of 21 September 2005 for a Directive on the retention of data processed in connection
with the provision of public electronic communication services and amending Directive 2002/58/EC.
- By 2009 all EU Member States had to provide for the retention of subscriber, traffic and location data generated by e-mail, fax, fixed/mobile telephony and internet communications.
- The CJEU declared Directive 2006/24/EC invalid on 8 April 2014 (Digital Rights Ireland, joined cases C-293/12 and C-594/12), for disproportionate interference with the rights to privacy and data protection.
Data - free flow
- Regulation EU 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the EU
Internal Market
Connecting Europe Facility (INEA)
- CEF Regulation: Regulation 1316/2013 establishing the Connecting Europe Facility
- CEF Guidelines: Regulation 283/2014 guidelines for trans-European networks in the area of telecommunications infrastructure
CEF Digital Services Infrastructures -
Sector-specific DSIs deliver trans-European online services for citizens, businesses and public administrations within one specific policy area, such as health or justice. These include eHealth, eJustice, eProcurement,
Online Dispute Resolution (ODR), Electronic Exchange of Social Security Information (EESSI), Business Registry, Business Mobility, Open Data, Europeana (providing access to European cultural heritage) and Safer Internet for Children.
Building block DSIs are basic DSIs to be re-used in other digital services, including eID & eSignature, eDelivery, Automated Translation, Cybersecurity and eInvoicing.
- Business registers (BRIS Directive on the interconnection of business registers): Directive 2012/17/EU of the European Parliament and of the Council of 13 June 2012 amending Council Directive 89/666/EEC and Directives 2005/56/EC and 2009/101/EC of the European Parliament and of the Council as regards the interconnection of central, commercial and companies registers (see also www.ebr.org)
- Implementing Regulation 2015/884 of 8 June 2015
- DG Justice on BRIS
- CEF on BRIS
e-Government
DG Internal Market (GROW)'s Single point of contact - Single Digital Gateway
- Single Digital Gateway (proposal): 2017/0086 (COD) Proposal for a Regulation of the EP and Council on establishing a single digital gateway to provide information, procedures, assistance and problem solving services and amending Regulation (EU) No 1024/2012 (leading to the Once-Only principle)
- Single Digital Gateway: Regulation (EU) 2018/1724 establishing a single digital gateway to provide information, procedures, assistance and problem solving services
- Commission Implementing Regulation (EU) 2020/1121 - implementing act for the SDG (collection and sharing of user statistics and feedback)
- SDG Architecture
Environment and CIP (Critical infrastructure Protection)
- Seveso Directives on the prevention of major accidents involving dangerous substances:
- Seveso II Directive 96/82/EC
- Seveso III Directive 2012/18/EU
- CIP Identification Directive: Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection; repealed and replaced by Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive), which Member States had to apply from 18 October 2024
e-Procurement
- e-Procurement: Communication from the Commission on an "Action Plan for the implementation of the legal framework for electronic public procurement" (dd. 13 December 2004)
- e-Invoicing in public procurement: European Directive 2014/55/EU
Accounting and auditing
- Accounts: Proposal of 27 October 2004 for a Directive amending Directives 78/660/EEC and 83/349/EEC concerning the annual accounts ("Draft Corporate Governance Directive")
- Audit: Commission proposal COM(2004) 177 final for an EU Directive on statutory audit of annual accounts and consolidated
accounts and amending Directives 78/660/EEC and 83/349/EEC (Draft "Audit Directive")
- Audit: Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts (the "Audit Directive"; the use of IFRS for consolidated accounts of listed companies is separately required by Regulation (EC) No 1606/2002)
Financial services - European System of Financial Supervision (ESFS)
The European system of financial supervision (ESFS) was introduced in 2010. It consists of:
- the European Systemic Risk Board (ESRB)
- 3 European supervisory authorities (ESAs):
- the European Banking Authority (EBA)
- the European Securities and Markets Authority (ESMA)
- the European Insurance and Occupational Pensions Authority (EIOPA)
Both the ESRB and the 3 ESAs started their operation in January 2011, following the adoption of a package of legislative acts.
These comprise
- Regulation (EU) No 1092/2010 establishing the ESRB
- Regulation (EU) No 1096/2010 conferring specific tasks upon the European Central Bank concerning the functioning of the ESRB
- Regulation (EU) No 1093/2010 establishing the EBA
- Regulation (EU) No 1094/2010 establishing the EIOPA
- Regulation (EU) No 1095/2010 establishing the ESMA
- 'Omnibus' Directive 2010/78/EU amending existing financial services legislation so the new authorities can work effectively
- In 2011 the Commission proposed a further 'Omnibus II' directive to clarify the powers of the new authorities,
particularly in the insurance sector; it was adopted in 2014 as Directive 2014/51/EU
ESAs = EBA, EIOPA and ESMA
The European Supervisory Authorities (ESAs) are EBA, EIOPA and ESMA.
- European Banking Authority (EBA), established on 1 January 2011 as part of the European System of Financial Supervision (ESFS) and took over all existing responsibilities and tasks of the Committee of European Banking Supervisors.
Its main task is to contribute, through the adoption of Binding Technical Standards (BTS) and Guidelines, to the creation of the European Single Rulebook in banking. The Single Rulebook aims at providing a single set of harmonised prudential rules for financial institutions throughout the EU, helping create a level playing field and providing high protection to depositors, investors and consumers.
EBA further publishes Regulatory Technical Standards (RTS) on many topics, including PSD2 and strong authentication. EBA also publishes Implementing Technical Standards (ITS).
- EBA: Supervisory Reporting
- EBA: Reporting frameworks
- reporting requirements
- ITS on supervisory reporting (FINREP, IFRS, COREP, AMM etc.) and on benchmarking of internal approaches, and reporting templates
- guidelines on funding plans
- validation rules
- Data Point Model (DPM) including data model, data dictionary, table layout and data point categorisation. Data items included in the relevant Technical Standards and Guidelines have been translated into a DPM. The DPM is a structured representation of the data, identifying all the business concepts and their relations, as well as validation rules. It contains all the relevant technical specifications necessary for developing an IT reporting solution.
- XBRL taxonomies and filing rules for data exchange. The XBRL taxonomies present the data items, business concepts, relations and validation rules described by the DPM in the technical format of an XBRL taxonomy. Although primarily intended for use in data transmission between competent authorities and the EBA, authorities may choose to use the proposed XBRL taxonomy or a similar one for collecting data from credit institutions and investment firms in Europe.
- EBA: COREP - Guidelines for Common Reporting
- guidelines are issued by EBA for Capital Requirements Directive (CRD) reporting
- covers credit risk, market risk, operational risk, own funds and capital adequacy ratio
- when trading each counterparty conducts its own reporting to its own supervisor
- EBA: FINREP - Guidelines for Financial Reporting
- EBA: Single Rulebook - the Interactive Single Rulebook is an on-line tool that provides a comprehensive compendium of the level 1 text
for the Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD IV); Bank Recovery and Resolution Directive (BRRD); and, the Deposit Guarantee Schemes Directive (DGSD) the corresponding technical standards developed by the European Banking Authority (EBA) and adopted by the European Commission (RTS and ITS), as well as the EBA Guidelines and related Q&As.
- ESMA European Securities and Markets Authority (ESMA), established by regulation 1095/2010 of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority)
- ESMA ESEF - European Single Electronic Format
- the iXBRL (Inline XBRL) reporting format under the Transparency Directive in which issuers must prepare their annual financial reports (AFRs) for financial years beginning on or after 1 January 2020
- based on an extension of the IFRS taxonomy
- European Insurance and Occupational Pensions Authority (EIOPA)
- Single Resolution mechanisms Regulation 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing
uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a
Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010
Financial services - Anti-fraud - DG JUST, DG FISMA and DG COMP (and FATF)
- Preventing fraud and counterfeiting: Commission Communication COM (2001) 11 final preventing fraud and counterfeiting of non-cash means of payment
- Directive 2005/60/EC: the Third Money Laundering Directive
- Directive 2006/70/EC: Implementation measures for 2005/60/EC
- 4AMLD: Directive EU 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
- 5AMLD: COM(2016) 450 European compromise text (28 October 2016) introduces amendments to 4AMLD related to the
use of electronic identification and trust services (as per eIDAS) for KYC on-boarding, accessing funds and/or tracing electronic transactions, and fighting virtual currency fraud
- 5AMLD - procedure file with all 5AMLD texts
- 5AMLD: Directive (EU) 2018/843 (procedure 2016/0208(COD), AML5) contains only amendments to 4AMLD; adopted by the Council on 14 May 2018 and signed on 30 May 2018, it had to be transposed by 10 January 2020
- addresses a.o. money laundering and terrorist financing, anonymous prepaid cards
- eIDAS should be taken into account in the identification process
- addresses providers engaged in exchange services between virtual currencies and fiat currencies, and custodian wallet providers
- virtual currencies means a digital representation of value that is not issued or guaranteed by a central bank or a public authority,
is not necessarily attached to a legally established currency and does not possess a legal status of currency or money,
but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically
- custodian wallet provider means an entity that provides services to safeguard private cryptographic keys on behalf of its customers,
to hold, store and transfer virtual currencies
- Member States shall ensure that providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers, are registered,
that currency exchange and cheque cashing offices, and trust or company service providers are licensed or registered,
and that providers of gambling services are regulated
Financial services - Supervision - DG FISMA
Financial services - global supervision
Banking supervision is globally driven by the Basel Committee on Banking Supervision (BCBS started by 'the group of 10' in 1974). The BCBS's secretariat is hosted by the Bank for International Settlements (BIS).
Basel II uses a "three pillars" concept:
- Pillar I minimum capital requirement
- Tier 1: core capital, which consists primarily of common stock and disclosed reserves (or retained earnings), but may also include non-redeemable non-cumulative preferred stock
- Tier 2: supplementary capital: general provisions (limited to 1.25% of risk-weighted assets under the standardised approach), revaluation reserves, undisclosed reserves (may or may not be permitted by the supervisor), subordinated debt (and Tier 2 is limited to 100% of Tier 1 capital)
- Tier 3: short-term subordinated debt, usable only to cover market risk
- Pillar II supervisory review
- Pillar III market discipline
Short recap of Basel guidelines:
- Pre-Basel: no standardised rules on capital adequacy for banks
- 1988 Basel I sets rules for credit risk only
- 1996 Market risk amendment: standardised approach and internal model approach for market risk introduced
- 2004 Revised Basel II framework on credit, market and operational risk
- 2009 Basel 2.5: changes to market risk and securitisations
- 2010 Basel III: revised definition of capital, a leverage ratio requirement and new liquidity standards (LCR, NSFR)
- Basel IV (the 2017 finalisation of Basel III) changes the approach for calculation of Risk Weighted Assets, regardless of whether the standardised or the internal model approach is used
- Output floor: RWAs computed with internal models may not fall below a percentage of the standardised-approach RWAs; the floor is phased in from 50% to 72.5% (originally by 2027; the phase-in was deferred by one year in 2020)
- Additional Tier 1 capital and Tier 2 capital: no significant changes
- Credit risk and counterparty credit risk: revised standardised approach, constraints on the use of internal models, introduction of a standardised approach for CVA, new standardised approach (SA-CCR) for calculation of EAD for derivative exposures
- Market risk updates (FRTB) such as a revised boundary between trading book and banking book
- Operational risk updates: replacement of the existing approaches by a single standardised approach based on a business indicator component scaled by an internal loss multiplier derived from historical loss data
Financial services - European supervision
The Directorate-General for Financial Stability, Financial Services and Capital Markets Union
(DG FISMA)
is the Commission department responsible for
EU policy on banking and finance. DG FISMA develops and carries out the Commission's policies on
- Banking and financial services
- Capital markets union
- Company reporting and auditing
The global Basel III guidelines are implemented in Europe by CRD IV and CRR, plus EBA Technical Standards and EC Delegated Acts. The European legal framework starts from Article 127(6) TFEU and the Single Supervisory Mechanism (SSM) Regulation
(Council Regulation (EU) No 1024/2013, conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions).
- CR Capital Requirements (2013)
- CRR Capital Requirements Regulation EU 575/2013 - prudential requirements for institutions
- Article 100 mandates EBA to develop reporting templates for all forms of asset encumbrance and that this information should be included in the
COREP and FINREP ITS (Regulation 680/2014 ITS on supervisory reporting of the institutions)
- Regulation 680/2014 has been amended by CIR 2015/79
- CRR II Regulation 2019/876 amends EU 575/2013 and EU 648/2012
- CRD III Capital Requirements Directive, CRD III (Directive 2010/76/EU) - legacy
- CRD IV: Capital Requirements Directive 2013/36/EU on rules on governance and supervision of institutions
(amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC)
- CRD V Directive 2019/878 amending Directive 2013/36/EU as regards exempted entities, financial holding companies, mixed financial holding
companies, remuneration, supervisory measures and powers and capital conservation measures
- FINREP (Financial Reporting), designed for application by credit institutions when preparing their consolidated supervisory financial returns under IAS/IFRS as and when required by the national supervisory authority.
The scope of consolidation of FINREP may be defined with reference either to IAS/IFRS or the CRD 2006/48/EC, as the national supervisory authority considers appropriate.
IAS/IFRS do not prescribe the order or format in which financial information is to be presented. Hence they offer a certain number of presentational choices. FINREP represents a common standardised reporting framework with the objective to increase comparability of financial information.
- COREP (Common Reporting), designed for prudential reporting, addressing capital adequacy, credit and counterparty risk, solvency, market risk, operational risk
- Solvency II: Solvency II reviews the prudential regime for insurance and reinsurance undertakings in the European Union
- BRRD: the Bank Recovery and Resolution Directive, Directive 2014/59/EU of the EP and Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (complemented by the Single Resolution Mechanism and the Single Resolution Board)
- BRRD update Directive 2019/879 of the EP and Council of 20 May 2019 amending
Directive 2014/59/EU as regards the loss-absorbing and recapitalisation capacity of credit institutions and investment firms and
Directive 98/26/EC
Financial services - Credit risk
- AnaCredit: Regulation 2016/867 of ECB of 18 May 2016 on the collection of granular credit and credit risk data defining reporting requirements for resident credit institutions and resident foreign branches of credit institutions
Collection of statistics: Regulation (EU) No 1011/2012, as amended by Regulation (EU) 2016/1384, concerns the collection of Statistics on Holdings of Securities (SHS)
- BIRD: Banks' Integrated Reporting Dictionary - initiative of the ESCBs Statistics Committee (European System of Central Banks)
Financial services - Markets - DG FISMA
- Prospectus: Directive 2003/71/EC of the EP and of the Council of 4 November 2003 on the prospectus to be published when securities
are offered to the public or admitted to trading and amending Directive 2001/34/EC (with a series of implementing acts); repealed and replaced by the Prospectus Regulation (EU) 2017/1129
MIFID and MIFID II increase transparency across the EU financial markets and standardise the regulatory disclosure requirements
- MIFID: Directive 2004/39/EC on Markets In Financial Instruments (MIFID 1)
- addresses investment firms (not public bodies), markets, and their authorisations
- covers shares, bonds, derivatives and structured products
- initial capital endowment, trading processes, relations with third countries, on-going supervision
- obligations such as market integrity, transaction reporting, record keeping
- services and instruments are listed in appendix
- MIFID implementation: MIFID 1 Implementing Directive 2006/73
- MIFID implementation: MIFID 1 Commission Regulation 1287/2006
- MIFID II: Directive 2014/65/EU, a revision of MIFID
EMIR and MiFIR govern clearing activities. EMIR provides that certain classes of Over The Counter (OTC) derivative transactions have to be cleared through Central Counterparties (CCPs),
and that risk mitigation techniques have to be applied for other OTC transactions. MiFIR extends the clearing obligation by CCPs to regulated markets for exchange-traded derivatives.
- EMIR: Regulation 648/2012 on OTC Derivatives, Central Counterparties and Trade Repositories ("EMIR" - European Market Infrastructure Regulation)
- EMIR introduced a set of organisational, business conduct and prudential requirements for clearing service providers.
Central Counter Parties (CCPs) interpose themselves between counterparties to a derivative contract,
becoming the buyer to every seller and the seller to every buyer.
- In doing so, CCPs become the focal point for derivative transactions thus increasing market transparency and
reducing the risks inherent in derivatives markets.
- Firms wanting to offer CCP services in the EU must seek authorisation under EMIR:
- National competent authorities are responsible for the authorisation of EU-based CCPs.
- CCPs based outside the EU who want to offer clearing services within the EU, need to be recognised by ESMA.
- in addition, all derivatives need to be reported to Trade Repositories
- complemented by a series of implementing regulations and technical standards
- MIFIR: Regulation 600/2014 on markets in financial instruments (MiFIR, go-live January 2018)
- Furthermore there are technical standards (RTS) under Directive 2004/39/EC (MiFID I), Directive 2014/65/EU (MiFID II) and Regulation (EU) No 600/2014 (MiFIR)
CSDR and SFD govern settlement activities. CSDR harmonises aspects of the settlement cycle, and provides common requirements for Central Securities Depositories (CSDs), operating securities settlement systems.
SFD aims at reducing the systemic risk associated with payment and securities settlement systems, particularly the insolvency risk.
- CSDR: Regulation 909/2014 on settlement and central securities depositories (entry into force: 17 September 2014)
- SFD: Settlement Finality Directive 98/26/EC (amended on multiple occasions)
- EEAP: EU 2016/1437 of 19 May 2016 supplementing Directive 2004/109/EC on regulatory technical standards on access to regulated information
- EMIR Refit: Regulation 2019/834 amending the EMIR Regulation (648/2012) as regards the clearing obligation,
the suspension of the clearing obligation, the reporting requirements, the risk-mitigation techniques for OTC derivative contracts not cleared by a central counterparty, the registration and supervision of trade repositories and the requirements for trade repositories
Transparency
- Directive 2004/109 on the harmonisation of transparency requirements in relation to information about issuers whose
securities are admitted to trading on a regulated market and amending Directive 2001/34/EC ("Transparency Directive")
- Commission Proposal COM(2011) 1279 amending Directive 2004/109
- Commission Delegated Regulation 2016/1437 supplementing Directive 2004/109/EC with regard to regulatory technical standards on access to regulated information
at Union level
- Eurofiling portal - XBRL, data point model
- EFTG portal
- EFTG portal API doc
Financial services - DORA
- Digital Operational Resilience Act (Regulation (EU) 2022/2554)
- Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience.
- After DORA, they must also follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring. This Regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system, even if there is "adequate" capital for the traditional risk categories.
Financial services - crypto assets and DLT
- Crypto assets market (proposal): COM(2020) 593, 2020/0265 (COD), Proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (SWD(2020) 380, SWD(2020) 381)
- DLT (proposal): Proposal for a Regulation on a pilot regime for market infrastructures based on distributed ledger technology (SWD(2020) 201, SWD(2020) 202)
Interesting
- Dodd-Frank Act - Wall Street Reform and Consumer Protection Act after the 2008 financial crisis
- United States federal law that was enacted on July 21, 2010
- ISDA - International Swaps and Derivatives Association
- created the ISDA Master Agreement and related documentation materials, to help ensure the enforceability of
netting and collateral provisions, to reduce credit and legal risk.
- created the ISDA Common Domain Model
Financial services - Payments
- Internal market payments: Commission Communication COM (2003) 718 final concerning a new legal framework for payments in the Internal Market
- E-payments: Commission Recommendation of 30 July 1997 concerning transactions by e-payment instruments and in particular
the relationship between issuer and holder (97/489/EC)
- Payment Services Directive (PSD): Directive 2007/64/EC of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC
and 2006/48/EC and repealing Directive 97/5/EC
- Proposal for PSD2: Proposal COM 2013/0264 for a Directive on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC (adopted by EP on 8 Oct 2015)
- Proposal complementing PSD2: Proposal COD 2013/0265 Regulation on interchange fees for card-based payment transactions
- PSD2: Directive EU 2015/2366 of the EP and Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC
- RTS for strong customer authentication : Commission Delegated Regulation 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication
- MIF Regulation: EU Regulation 2015/751 - on Interchange Fees for Card-Based Payment Transactions
Sundry
- Distance marketing: Directive of 23 September 2002 concerning the distance marketing of consumer financial services (2002/65/EC)
DG CONNECT - NIS - Network and Information Security
- Preparatory:
- Proposal COM(2001) 298: Network and Information Security: proposal for a European Policy Approach
- Action plan: Council Resolution of 30 May 2001 on the "eEurope Action Plan: Information and Network Security"
- Approach and actions: Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security
- Culture of Network and Information Security: Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security
- Proposed NIS Directive - COM(2013) 48 - Proposal for a Directive of the EP and of the Council concerning measures to ensure a high common level of network and information security across the Union -
(main author: Giuseppe Abbamonte, EP rapporteur: Andreas Schwab)
- Directive 2013/40/EU of the EP and Council of 12 Aug 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (compliance required by 4 September 2015)
- NIS Directive 2016/1148 Directive of the EP and Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, see https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&qid=1697017083432
- Article 1 Subject matter and scope
- This Directive lays down measures with a view to achieving a high common level of security of network and information systems within the Union so as to improve the functioning of the internal market.
- To that end, this Directive:
- lays down obligations for all Member States to adopt a national strategy on the security of network and information systems;
- creates a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them;
- creates a computer security incident response teams network (CSIRTs network) in order to contribute to the development of trust and confidence between Member States and to promote swift and effective operational cooperation;
- establishes security and notification requirements for operators of essential services and for digital service providers;
- lays down obligations for Member States to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems.
- NIS Commission Implementing Regulation (EU) 2018/151 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
- Subject matter: the elements to be taken into account by service providers when identifying and taking measures to ensure a level of security of network and information systems which they use in the context of their service offering (as per EU 2016/1148 Annex III) and the parameters to be taken into account to determine whether an incident has a substantial impact on the provision of those services
- Security elements: security of systems and facilities referred to means the security of network and information systems and of their physical environment and shall include the following elements ...
- Parameters to be taken into account to determine whether the impact of an incident is substantial (number of affected persons/users, duration, spread, impact on availability, authenticity, integrity or confidentiality of data or related services, losses, ...
- Definition of substantial impact of an incident
- ENISA NIS Directive implementation guidance
- NIS cooperation group including publications
- ETSI provides guidance on NIS in ETSI TR 103 456, see e.g. ETSI
- NIS2 Proposal Jan 2021
- NIS2 Directive (EU 2022/2555) of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU)
No 910/2014 (eIDAS) and Directive (EU) 2018/1972 (EECC), and repealing Directive (EU) 2016/1148 (NIS)
- as it is a Directive, it needs to be transposed by the MS
- see NIS2 in the OJ
- entered into force on 16 January 2023
- NIS2 IAs are expected by 2024-10
ECCG - European Cybersecurity Certification Group
The ECCG is composed of representatives of national cybersecurity certification authorities or representatives of other relevant national authorities. A member of the ECCG cannot represent more than two Member States. Stakeholders and relevant third parties may be invited to attend meetings of the ECCG and to participate in its work.
ENISA Cybersecurity
- Regulation EC 460/2004 of 10 March 2004 establishing ENISA
- Regulation EC 526/2013 of 21 May 2013 defining the new mandate for ENISA
- COM(2017)477 Proposal for a Regulation on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013 - introducing a cybersecurity certification scheme
- COM(2006) 251: A strategy for a secure Information Society - dialogue, partnership and empowerment
- Cybersecurity
- Cybersecurity Act Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013
- The EU Cybersecurity Act (CSA) establishes a new mandate for ENISA, the EU Agency for Cybersecurity, and a European cybersecurity certification framework.
- I General provisions
- Article 1 Subject matter and scope
- Article 2 Definitions
- II ENISA
- Chapter I Mandate and objectives
- Article 3 Mandate
- Article 4 Objectives
- Chapter II Tasks
- Article 5 Development and implementation of Union policy and law
- Article 6 Capacity-building
- Article 7 Operational cooperation at Union level
- Article 8 Market, cybersecurity certification, and standardisation
- Article 9 Knowledge and information
- Article 10 Awareness-raising and education
- Article 11 Research and innovation
- Article 12 International cooperation
- Chapter III Organisation of ENISA
- Article 13 Structure of ENISA
- Article 14 Composition of the Management Board
- Article 15-20 Functioning, management meetings, Executive Board, ...
- Article 21-23 ENISA Advisory Group, Certification, National Liaison
- Article 24 Single programming document
- Article 25- Interests, transparency, confidentiality, access to documents
- Chapter IV Establishment and structure of ENISA's budget
- Chapter V Staff
- Chapter VI General provisions concerning ENISA
- III Cybersecurity Certification Framework - EUCC
- IV Final provisions
- EUCC v1.1.1 - Common Criteria based European candidate cybersecurity certification scheme - the first candidate scheme proposed under EU 2019/881 for cybersecurity product certification
- As a consequence of the CSA, the EUCC scheme was created by ENISA as a successor to the existing schemes operating under the SOG-IS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement).
- The scheme covers the cybersecurity certification of ICT products, based on the Common Criteria and the Common Methodology for Information Technology Security Evaluation, and the corresponding standards ISO/IEC 15408 and ISO/IEC 18045 respectively.
- Offers 2 security assurance levels, substantial and high.
- Cybersecurity Competence Centre May 2021 Regulation 2021/887 establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres
- The seat of the Competence Centre is in Bucharest.
European Council, Commission and related (Euratom) Security
- Council decision 2001/264/EC of 19 March 2001 adopting the Council's security regulations
- Commission Decision 2001/844/EC of 29 November 2001 amending its internal Rules of Procedure. Annex with Commission provisions on security. Referring to Council Decision 2001/264/EC of 19 March 2001
- Commission Decision of 16 August 2006 C(2006) 3602 concerning the security of information systems used by the European Commission (repealed)
- Commission Decision 2011/292/EU on EUCI of 31 March 2011 on the security rules for protecting EU classified information
- Commission Decision (EU, Euratom) 2017/46 on the security of communication and information systems in the European Commission (replaces Commission Decision C(2006) 3602)
- Council Decision 2013/488/EU on EUCI of 23 September 2013 on the security rules for protecting EU classified information (scope: EU information; 4 levels of classification (EU Top Secret, EU Secret, EU Confidential, EU Restricted); the competent authority shall ensure classification; Information Assurance Authorities (Tempest, Crypto, ...),
Security Accreditation Authority, Operational Authority, ...)
- Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission
- Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (includes 4 levels of classification)
- Consilium policy on classified information (includes 4 levels of classification)
- Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission
- Commission Decision C(2017) 8841 of 13.12.2017 laying down implementing rules for Articles 3, 5, 7, 8, 9, 10, 11, 12, 14, 15 of Decision 2017/46 on the security of communication and information systems in the Commission
Copernicus
- Regulation 377/2014 of the EP and Council of 3 April 2014 establishing the Copernicus Programme and repealing Regulation 911/2010 (which established 'Global Monitoring for
Environment and Security' (GMES) in 2010), i.e. the transition from GMES to Copernicus
- Regulation 1159/2013 of the EP and Council (on licensing and access criteria): Commission delegated Regulation (EU) No 1159/2013 of 12 July 2013
supplementing Regulation (EU) No 911/2010 (repealed by 377/2014) of the European Parliament and of the Council on the European Earth monitoring programme (GMES) by establishing registration and
licensing conditions for GMES users and defining criteria for restricting access to GMES dedicated data and GMES service information
- Regulation 911/2010 of the EP and Council (repealed)
Galileo
Terrorism and crime
Terrorism
- Prüm convention: Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime
Cybercrime
- Cybercrime convention: Convention on Cyber-crime of the Council of Europe of 23 November 2001
- Attacks:
- Proposal for a council framework decision on attacks against information systems (2002/86/CNS)
- Council Framework Decision of 17 January 2005 on attacks against information systems
Corporate governance
- Plan: Commission Communication COM (2003) 284 final modernising company law and enhancing corporate governance in the EU - A plan to move forward
- Proposal for a Directive to further expand and upgrade the use of digital tools and processes in company law
Supply chain
- Due diligence: Regulation (EU) 2017/821 of the European Parliament and of the Council of 17 May 2017 laying down supply chain due diligence obligations for Union importers of tin, tantalum and tungsten, their ores, and gold originating from conflict-affected and high-risk areas
- Sustainability taxonomy: Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment,
and amending Regulation (EU) 2019/2088
Technical standards/transparency
- Provision of information in technical standards: Directive of 22 June 1998 on the provision of information in the field
of technical standards (1998/34/EC)
- SOG-IS: was produced in response to the EU Council Decision of March 31st 1992 (92/242/EEC) in the field of security of information systems, and the subsequent Council recommendation of April 7th (1995/144/EC) on common information technology security evaluation criteria. The agreement was updated in January 2010.
Cryptography
- Dual-use: Council Regulation of 22 June 2000 setting up a Community regime for the control of dual-use goods - amended by
- Council Regulation 2452/2001
- Council Regulation 149/2003/EC
Electronic identity, signatures and related
- 2003 European Council decision (Thessaloniki Declaration) on a coherent approach to biometric identifiers and biometric data for all EU citizens' passports,
for non-EU / European Economic Area (EEA) nationals and for the back office information system
- ePassports 2252/2004 Council Regulation on the roadmap for EU Member State issued passports and travel documents security features and biometrics
- Since June 2006 all 27 EU-MS have switched to eMRTDs and issue only passports with an embedded security microcontroller, ISO/IEC 14443 contactless interface and facial image on chip.
These data are protected by the Basic Access Control (BAC) and Extended Access Control (EAC) security protocols defined by the International Civil Aviation Organization (ICAO) and the Brussels Interoperability Group (BIG).
Some countries were quick to also store fingerprint images in the chip (e.g. Latvia and Germany).
- Regulation 444/2009 amended 2252/2004, making the facial image and two fingerprint images mandatory. The original deadline for implementation of two fingerprint images by all EU-MS in passports was 28 June 2009.
- Regulation 13502/2/07 on the Residence Permits for TCNs (third country nationals) was published on March, 7th, 2008 (ref infra)
- eSignature Directive 1999/93: Directive of 13 December 1999 on a community framework for electronic signatures (1999/93/EC)
- Reference numbers for eSignature products:Commission Decision 2003/511/EC of 14.7.03 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council
- Criteria when designating bodies:Commission Decision 2000/709/EC of 6.11.00 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC of the European Parliament and Council on a Community framework for electronic signatures.
- Points of Single Contact: Commission Decision 2009/767/EC of 16.12.09 setting out measures facilitating the use of procedures by electronic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market.
- Trusted Lists: established by Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States, amended by Decisions 2010/425/EU and 2013/662/EU, and supported by ETSI TS 119 612
- Cross-border processing: Commission Decision 2011/130/EU of 25.2.11 establishing minimum requirements for the cross-border processing of documents signed electronically by public administrations under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market
- Proposal COM(2012) 238: Proposed Regulation on electronic identity and trust services (eIDAS)
- Trusted Lists - 2013/662/EU:Commission Implementing Decision of 14 October 2013 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States
- Identification and Trust Services 910/2014: Regulation 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
- Implementation of EU 910/2014 for electronic identification:
- Commission Implementing Decision (EU) 2015/296 of 24 February 2015 on procedural arrangements for MS cooperation on eID
- Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework
- Commission Implementing Regulation (EU) 2015/1501 Corrigendum C(2015)8550 (on the use of the correct notification template from 2015/1984)
- Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means
- Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification:
- Implementation of EU 910/2014 for trust services:
- Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 on the form of the EU Trust Mark for Qualified Trust Services
- Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists
- Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies
- Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices
- at that time, there were no standards for QSCDs managed by TSPs on behalf of the signatory (but there were Protection Profiles defined for QSCD and QTSP, CEN EN 419 221-5 and EN 419 241-2)
- neither were there standards or supervision criteria for the supervision of such [Q]TSPs
- hence this CID is a candidate to be amended in order to provide guidance regarding QSCD certification and QTSP supervision, including the audit thereof
- Directive (EU) 2015/1535 imposes an obligation upon the Member States to notify to the Commission all the draft technical regulations concerning products and Information Society Services before they are adopted in national law (replacing Directive 98/34/EC without any substantial changes).
- Blog with link to eIDAS Implementing Acts
- Online eIDAS Participatory Platform
Related: Directive (EU) No. 2019/1151 digitization of company law and electronic notaries using QES
Related: Regulation (EU) 2019/1157 of the European Parliament and of the Council to strengthen the security of identity cards with enhanced security features by August 2021. Member States should consider the feasibility of notifying them under electronic identification schemes to extend the cross-border availability of electronic identification means.
EUDI/EU.id
Evaluation of eIDAS
- COM(2021) 290 Commission Staff Working Document - Evaluation of eIDAS
EUDI proposal
Basics:
- Decision making procedure: ordinary legislative procedure (COD)
- Reference: COM(2021)281 EN
- Additional COM-numbers: SEC(2021)228; SWD(2021)124; SWD(2021)125
- Procedure number (interinstitutional): 2021/0136(COD)
- CELEX number: 52021PC0281
Texts - drafts preparing the way for eIDAS 2
- COM(2021) 281 Final Proposal for a Regulation of the EP and of the Council amending Regulation (EU) 910/2014 as regards establishing a framework for a European Digital Identity - EC proposal
- European Parliament legislative resolution of 29 February 2024 on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (COM(2021)0281 – C9-0200/2021 – 2021/0136(COD)) - Industry, Research and Energy Committee (ITRE) - EP resolution
EUDI implementation
- C(2021) 3968 - Commission Recommendation of 3/6/2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework
- Futurium ARF document of 20/2/2022 -Architecture Reference Framework
- EUDI wallet implementation with Large Scale Pilots
- EWC - EUDI wallet consortium - consists of representatives of all 27 Member States and also includes partners from other countries. Such a wide representation provides a unique capacity to issue Person Identification Data (PID) for both natural persons and legal entities.
eIDAS 2
Final text is published as Regulation 910/2014 amended by Regulation 2024/1183 of the European Parliament and of the Council of 11 April 2024 ('amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework')
- Consolidated text: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC - Document 02014R0910-20240520
See also local files:
Digital Europe - successor to CEF
Blockchain
Third Country Nationals entering the EU - VISAs
The Visa Information System (VIS) allows Schengen States to exchange visa data, in particular data on decisions relating to short-stay visa applications. Furthermore,
States may grant long-stay visas and residence permits.
- Council Regulation (EC) No 539/2001 of 15 March 2001 listing the third countries whose nationals must be in possession of visas when crossing the external borders and those whose nationals are exempt from that requirement
Smart Borders
- Proposal 2016/0106 (COD) for a regulation of the EP and Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of
entry data of third country nationals amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011
- Proposal 2017/0351/COD: COM (2017) 793:Proposal for a Regulation of the EP and Council on establishing a
framework for interoperability between EU information systems (borders and visa) and amending Council Decision 2004/512/EC, Regulation (EC) No 767/2008,Council Decision 2008/633/JHA,
Regulation (EU) 2016/399 and Regulation (EU) 2017/2226
- Proposal 2017/3052/COD: COM (2017) 794:Proposal for a Regulation of the EP and Council on establishing a framework for interoperability between EU information systems
(police and judicial cooperation, asylum and migration)
European Border and Coast Guard
- Proposal for a Regulation of the European Parliament and of the Council on the European Border and Coast Guard
and repealing Regulation (EC) No 2007/2004, Regulation (EC) No 863/2007 and Council Decision 2005/267/EC
Visa
- EC 2252/2004 : Council Regulation on security features and biometrics in passports and travel documents: such documents shall include a storage medium which shall contain a facial image and fingerprints in interoperable formats
- EC 1683/95 : Council Regulation laying down a uniform format for visas
Residence permit
- Regulation 13502/2/07 on the Residence Permits for TCNs (third country nationals) was published on March, 7th, 2008 (ref infra)
- EC 380/2008: amendment of EC 1030/2002 - introduction of the requirement to use a photograph and two fingerprints taken flat and digitally captured
- EC 1030/2002 on Electronic Residence Permits : Council Regulation (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals
Passports
- ICAO 9303 defines machine readable travel documents. From a security perspective, PA (Passive Authentication), MRZ comparison, AA (Active Authentication), BAC (Basic Access Control) and SAC (Supplemental Access Control) are specified in ICAO 9303 Part 1 Vol 2 (and supplements).
EAC and encryption are left to the implementing States. Generations of e-passports are commonly referred to as: first generation (facial image protected by BAC),
second generation (facial image protected by BAC, plus two fingerprints and/or iris protected by EAC), third generation (replacement of BAC by SAC).
- Part 1 MRP Machine Readable Passports
- Volume 1 MRTD with OCR
- Volume 2 Specifications for electronically enabled passports with biometric identification capability
- Part 2 MRV Machine Readable Visas
- Part 3 Machine Readable Official Travel Documents
- Volume 1 MROTD with OCR
- Volume 2 Specifications for electronically enabled MROTD with biometric identification capability
- Commission Decision C(2006) 2909 : lays down the technical specifications on the standards for security features and biometrics in passports and travel documents issued by Member States
- Commission Decision C(2011) 5499: amends Commission Decision C(2006) 2909 and replacing BAC by SAC (Supplemental Access Control), see also COM decision of 30/09/2013
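The BAC key derivation referred to above, as an added worked example (not code from ICAO or from this page): the inspection system reads the MRZ optically, computes the ICAO check digits over document number, date of birth and date of expiry, hashes the resulting MRZ_information with SHA-1 to obtain K_seed, and derives the two-key 3DES session keys K_Enc and K_Mac with the counters 1 and 2 and odd-parity adjustment. The sample MRZ fields are the worked example published in ICAO 9303 (Part 11, Appendix D); the function names are this example's own.

```python
import hashlib

# Check-digit scheme from ICAO 9303: digits count as their value, '<' as 0,
# letters A-Z as 10-35; weights 7,3,1 repeat; result is the sum modulo 10.
def icao_check_digit(field: str) -> int:
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Concatenate the three MRZ fields, each followed by its check digit.

    The document number field is 9 characters, padded with '<' (the check
    digit is computed over the padded field); dates are YYMMDD.
    """
    doc = doc_number.ljust(9, "<")
    return (
        f"{doc}{icao_check_digit(doc)}"
        f"{birth_date}{icao_check_digit(birth_date)}"
        f"{expiry_date}{icao_check_digit(expiry_date)}"
    )


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as required for DES keys."""
    out = bytearray()
    for b in key:
        if bin(b).count("1") % 2 == 0:
            b ^= 1  # flip the least significant bit
        out.append(b)
    return bytes(out)


def derive_3des_key(k_seed: bytes, counter: int) -> bytes:
    """Key derivation of ICAO 9303: SHA-1(K_seed || counter), first 16 bytes,
    parity-adjusted. counter 1 gives K_Enc, counter 2 gives K_Mac."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(doc_number: str, birth_date: str, expiry_date: str):
    """Return (K_seed, K_Enc, K_Mac) for the given MRZ fields."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return k_seed, derive_3des_key(k_seed, 1), derive_3des_key(k_seed, 2)


if __name__ == "__main__":
    # Sample MRZ fields from the ICAO 9303 Part 11 worked example
    k_seed, k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C<", "690806", "940623"))
    print("K_seed:", k_seed.hex().upper())
    print("K_Enc: ", k_enc.hex().upper())
    print("K_Mac: ", k_mac.hex().upper())
```

The derivation makes the known weakness of BAC visible: the only secret input is the MRZ, so the effective key entropy is bounded by the guessability of document number, date of birth and expiry date, not by the 112-bit 3DES key. That limitation is the reason the third generation replaces BAC with SAC (PACE), where the same MRZ-derived value is used only as a password in a password-authenticated key agreement.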
Schengen
Basics
- The Schengen Borders Code (SBC) governs the crossing of the EU external border
- The Schengen Information System (SIS, migrated to SIS II) allows Schengen States to exchange data on suspected criminals, on people who may not have the right to enter into or stay in the EU, on missing persons and on stolen, misappropriated or lost property
- Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II)
SBC (applies to any person crossing the internal or external borders of a European Union (EU) country)
- Regulation EC 562/2006 of 15 March 2006 establishing a Community Code on the rules governing the movement of persons across borders (Schengen Borders Code)
- amended by EC 296/2008, EC 81/2009, EC 810/2009, EU 265/2010
- Regulation EU 2016/399 on a Union Code on the rules governing the movement of persons across borders (SBC)
- An amendment to EU 2016/399 has been proposed as 2016/0105
EuroDAC
- The EuroDAC system allows fingerprint identification for undocumented persons
Eurosur
- Regulation 1052/2013 : of 22 October 2013 establishing the European Border Surveillance System (Eurosur)
Transport and roadpricing
Electronic vehicle registration
- 1999/37/EC : Council Directive 1999/37/EC on the registration documents for vehicles
- 2003/127/EC : Commission Directive 2003/127/EC of 23 December 2003 amending Council Directive 1999/37/EC on the registration documents for vehicles
- 2006/103/EC: Council Directive 2006/103/EC of 20 November 2006 adapting certain Directives in the field of transport policy, by reason of the accession of Bulgaria and Romania
European Electronic Toll Service - EETS
Digital Tachograph
Analogue tachograph
- EC Regulation 561/2006 social regulation
- EC Directive 2002/15/EC - on organisation of working time of mobile road transport activities
- EC Regulation 3820/85 definitions and principles
- EC Regulation 3821/85 analogue tachographs
- EC Regulation 561/2006 amending 3821/85 and repealing 3820/85
- EC Directive 2006/22 minimum conditions for implementation
- EC Regulation 1266/2009 - amending 3821/85 for technical progress
- CD 2009/4 - counter measures
First generation of digital tachograph
- EC Regulation 2135/1998 introduction of digital tachograph, the tachograph and card are specified in Annex 1B
- EC Regulation 1360/2002 adjustments to 2135/98, and a replacement of Annex 1B
- Commission Recommendation 2010/19/EU on Tachonet
Second generation of digital tachograph
- EC Regulation 165/2014 - mandates manufacturers of tachographs and cards to make devices, approved according
to the new regulation, available by April 2019 - 48 articles, annexes I and II
- CIR 2016/799 on implementing Regulation 165/2014 - 6 articles, extensive annex 1C, 16 appendices
- CIR 2018/502 amending Implementing Regulation (EU) 2016/799 laying down the requirements
for the construction, testing, installation, operation and repair of tachographs and their components (particularly amending annex 1C)
Tachonet
- IR 2016/68 on common procedures and specifications necessary for the interconnection of electronic registers of driver cards - obligatory connection of Member States to TACHOnet by 2 March 2018
- EC Regulation 2017/1503 on TACHOnet