Unzufrieden mit der Kommission: EU-Abgeordnete erwägen zweiten Staatstrojaner-Ausschuss

Eigentlich sollte es in der Sitzung des EU-Innenausschusses (LIBE) Ende letzter Woche gar nicht um die EU-Kommission gehen, sondern um den Einsatz der Staatstrojaner Pegasus und Predator in Griechenland und die Angriffe gegen vietnamesische und russische Exil-Journalist:innen. Doch die Abgeordneten waren sichtlich verärgert von einem Schreiben der EU-Kommission, das wir veröffentlichen. Einige fordern sogar einen zweiten PEGA-Ausschuss.

Das Schreiben der Kommission ist eine Antwort, oder – wenn man die Abgeordnete Sophie In ’t Veld fragt – eine „Nicht-Antwort“ auf den Abschlussbericht des PEGA-Ausschusses. Die Kommission garantiere damit Straffreiheit für den Missbrauch von Spyware und die Verletzung von Exportregeln für Überwachungstechnologien. „Europa ist nun offiziell das Spyware-Paradies der Welt“, gratulierte die niederländische Politikerin sarkastisch. Die Renew-Abgeordnete kämpft seit längerem politisch gegen Staatstrojaner, zuletzt war sie auch im Digitalausschuss des Bundestags zu Gast. Der Frust ist jedoch fraktionsübergreifend: „Die Antwort der Kommission ist völlig nutzlos“, gab auch Jeroen Lenaers von der konservativen EPP zu Protokoll.

Die Forderungen des Ausschusses

Der PEGA-Ausschuss hatte in seinem Abschlussbericht die EU-Kommission zum Handeln aufgefordert. Zu den Forderungen gehörten unter anderem strengere Regeln für den Verkauf von sogenannter Spyware und gemeinsame Standards für den Einsatz innerhalb der EU. Aktuell könnten sich Unternehmen einfach den Mitgliedstaat aussuchen, der ihnen die Exportgenehmigung verschaffe, unterstrich im LIBE-Ausschuss auch der Chef des Amnesty Security Labs, Donncha Ó Cearbhaill. Die EU-Kommission soll den Stand der Umsetzung in einem öffentlichen Bericht bis zum 30. November dokumentieren.

Außerdem forderte das Parlament die Einrichtung eines „EU Tech Labs“. Dieses soll eine Anlaufstelle für Menschen werden, die befürchten, dass sie mit einem Staatstrojaner gehackt wurden. Die EU-Einrichtung wäre damit vergleichbar mit Amnesty Internationals Security Lab oder dem Citizen Lab der Universität Toronto.

Vage Sprache und Vertrösten

Die Antwort der EU-Kommission enthält keine neuen legislativen Vorschläge. Stattdessen sind an vielen Stellen Hinweise zu lesen, was die Kommission bereits heute unternimmt und weiterhin tun wird. So verweist die Kommission beim EU Tech Lab auf alle bisherigen EU-Einrichtungen, die schon zu Cybersicherheit arbeiten. „Die Einrichtung neuer Strukturen wie eines EU-Tech-Labors oder eines neuen speziellen Forschungsinstituts könnte jedoch im Hinblick auf den Ressourcen- und Zeitbedarf unverhältnismäßig sein“, schreibt die Kommission.

Zu den geforderten gemeinsamen Standards für Spyware schreibt die Kommission: Sie prüfe „die Möglichkeit, eine nicht-legislative Initiative vorzulegen“. Zudem beinhalte der vorgeschlagene European Media Freedom Act (EMFA) „starke Schutzvorkehrungen“ vor dem Spyware-Einsatz gegen Journalist:innen. Allerdings verhandeln Kommission, Parlament und die Mitgliedstaaten aktuell noch über diese Verordnung – und die Spyware-Frage gehört zu den umstrittensten Punkten. Während das Parlament den Einsatz von Staatstrojanern gegen Medienschaffende nur unter sehr begrenzten Voraussetzungen erlauben will, sieht der Rats-Vorschlag weite Ausnahmen vor.

Mehrere Abgeordnete kritisierten die vage Sprache des EU-Vorschlags. Auf die vielen Empfehlungen für eine einheitliche Gesetzgebung habe die Kommission nicht reagiert. „Die Kommission sagt, sie erwartet, dass die nationalen Behörden Vorwürfen nachgehen, aber sagt nicht, was sie tut, wenn das nicht geschieht“, erklärt Lenaers.

PEGA, zweiter Teil

Sophie in ’t Veld bringt nun einen zweiten Untersuchungsausschuss ins Spiel. Dieser solle die EU-Kommission weiter unter Druck setzen, zu handeln und neue Entwicklungen zu untersuchen, sagte sie Euractiv. Laut dem Medium unterstützt auch die deutsche Abgeordnete Katarina Barley den Vorschlag. Die Kommission müsse einen Gesetzvorschlag machen, um eindeutige rechtliche Rahmenbedingungen für Spyware zu schaffen.

Andere Stimmen wie der EPP-Abgeordnete Lenaers oder der Vorsitzende des LIBE-Ausschusses Juan Fernandez López Aguilar (PSOE) lehnen den Vorschlag ab. Priorität müsse sein, die Empfehlungen des PEGA-Ausschusses umzusetzen.

Der „Untersuchungsausschuss zum Einsatz von Pegasus und ähnlicher Überwachungs- und Spähsoftware“ – oder auf EU-Englisch „PEGA-Committee“ – untersuchte von April 2022 bis Mai 2023 den Einsatz von Spyware in der EU. Anstoß waren die „Pegasus Project“-Recherchen. Im Zuge dieser Recherchen, an denen aus Deutschland Die Zeit, die Süddeutsche Zeitung sowie NDR und WDR beteiligt waren, kam ans Licht, wie Regierungen – auch in Europa – mit Staatstrojanern Journalist:innen, Rechtsanwält:innen und Oppositionelle überwachten. Zu den Erkenntnissen des PEGA-Ausschusses gehörte, dass Pegasus zwischenzeitlich in 14 Mitgliedstaaten von 22 Behörden eingesetzt wurde. Weltweit wird etwa alle vierzig Minuten ein Gerät mit Pegasus gehackt.

Hier die Antwort der EU-Kommission:

Follow up to the European Parliament non-legislative resolution on the investigation of alleged contraventions and maladministration in the application of Union law in relation to the use of Pegasus and equivalent surveillance spyware

1. Resolution tabled pursuant to Rule 208 (12) of the European Parliament’s Rules of procedure.
2. Reference numbers: 2023/2500 (RSP) / B9-0260/2023 / TA-9-2023-0244
3. Date of adoption of the resolution: 15 June 2023
4. Competent Parliamentary Committee: Committee of Inquiry to investigate the use of the Pegasus and equivalent surveillance spyware (PEGA).
5. Brief analysis/assessment of the resolution and requests made in it:

In July 2021, Amnesty International, and a group of investigative journalists, uncovered that several governments across the world had deployed a particularly intrusive spyware, known as ‘Pegasus’. In the EU, targets included journalists, lawyers, national politicians, and MEPs. As a result, in March 2022, the European Parliament set up a Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee). The main mission of PEGA Committee was to investigate alleged infringement or maladministration in application of EU law in relation to the use of Pegasus and equivalent spyware surveillance software. The Recommendation of the European Parliament was adopted on by plenary on 15 June by large majority of votes.

The Recommendation contain various calls on the Member States, the Commission, the European External Action Service (EEAS), the Council and other EU agencies, and bodies.

The European Parliament concluded that major contraventions and maladministration in the implementation of Union law have taken place in Poland and Hungary. Contraventions and maladministration in the implementation of Union law were flagged for Greece. The European Parliament concluded that overall, the regulatory framework in Spain is in line with the requirements set by the Treaties, however, points out that some reforms are needed, and the implementation in practice must be fully in line with fundamental rights and ensure the protection of public participation. The European Parliament calls on the Member States to urgently take measures, notably to restore sufficient institutional and legal safeguards.

The key recommendations for the Commission include calls for: the sale and use of spyware in the EU to be subject to verifiable conditions (the European Parliament calls on the Commission to assess the fulfilment of these conditions by 30 November 2023, with the results published in a public report); common EU standards to regulate the use of spyware, while respecting national security competences; the repeal of export licences which are not in conformity with the EU legislation and amendments to the Dual-Use Regulation; better implementation and enforcement of EU law; a definition of national security; an EU Tech Lab that could help with research and investigations; investment in Zero Day Vulnerabilities; a link with Telecom Networks and e-Privacy; and an enhanced role for the Rule of Law report. Other recommendations touch upon the external dimension, including EU development aid and international cooperation to protect citizens, including with the US, and EU research programmes. The European Parliament finally called on the Commission to come forward with legislative proposals based on its recommendations.

6. Response to the requests and overview of the action taken, or intended to be taken, by the Commission:

The Commission welcomes the Recommendation adopted by the European Parliament on 15 June 2023, which the Commission has studied carefully.

The Commission reiterates its position that it condemns any illegal interference in personal communications. This is contrary to democratic values and undermines fundamental rights in the EU. We expect that national competent authorities and courts make full use of their powers to thoroughly investigate allegations regarding any unlawful surveillance activities. This is essential to restore citizens’ trust

Concerning the calls for the adoption of conditions for the legal use, sale, acquisition and transfer of spyware and the assessment of these conditions by the Commission (paragraphs 28 and 29), the Commission points out that for export licences for cyber surveillance items the Dual-Use Regulation contains conditions, as Article 5 lists relevant considerations to be taken into account, i.e. whether those items are or may be intended for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. Article 15 stipulates that Member States shall take into account considerations about intended end-use when deciding whether or not to grant an authorisation. The regulation does not plan a review by the Commission of decisions taken by the Member States beyond the general task of the Commission of ensuring the correct application by Member States of EU legislation.

As regards a possible role for Europol (the European Union Agency for Law Enforcement Cooperation) to support the Member States in investigations into allegations of illegitimate use of spyware, this falls within the scope of its objectives and tasks, as set out in Articles 3 and 4 of the Europol Regulation. This means, for example, that it can provide support to combat serious crime affecting two or more Member States, such as terrorism and forms of crime which affect a common interest covered by a Union policy, as listed in Annex I of the Europol Regulation. Within Article 6, and as per the established working practice to date, Europol will continue to contact the competent authorities of (a) concerned Member State(s) and approach Eurojust or the European Public Prosecutor’s Office (EPPO) as relevant, with a view to ascertaining whether relevant information is available including at the national level and can be shared with Europol, verifying that no criminal investigation under national law is ongoing, and exploring whether Europol can provide support in agreement with the Member State(s) concerned, in line with its objectives, tasks and forms of crime as stipulated in the amended Europol Regulation. Moreover, Europol’s competencies in the amended Europol Regulation are subject to the overall requirements of Article 88(3) of the Treaty on the Functioning of the European Union (TFEU). Any operational action by Europol must be carried out in liaison and in agreement with the authorities of the Member State concerned, with the application of coercive measures being the exclusive responsibility of the competent national authorities. Moreover, internal national security remains the sole responsibility of Member States, according to Article 4 of the TFEU (1).

Concerning the need for common EU standards regulating the use of spyware by Member States bodies (paragraph 32), as well as the need for boundaries of national security (paragraph 42), the Commission is exploring the possibility of presenting a non-legislative initiative clarifying the boundaries and the interplay between EU law, in particular the data protection and privacy acquis, and national security.

It is also important to note that Article 4 of the proposed European Media Freedom Act (based on Article 114 TFEU – an internal market legal basis) includes strong safeguards against the use of spyware against media, journalists, and their families (2).

Concerning the shortcomings in national legal frameworks and the necessity for better enforcement of existing Union legislation (paragraphs 52 and 53), the Commission will continue its work to ensure that the Data Protection Law Enforcement Directive is effectively transposed and will take appropriate actions where there is evidence that national transposition affects the scope of application of the Directive.

On the Whistleblower Directive, the Commission has carried out an intensive enforcement action, starting, already in February 2022, with the launch of infringement proceedings against 24 Member States for non-transposition by the deadline of December 2021. The result so far is that, in addition to the three initial Member States who transposed the Directive on time, 21 Member States have notified complete transposition. Only three Member States have still not fully transposed the directive.

With regard to the calls in relation to the Dual-Use Regulation:

(Paragraph 57) The Commission monitors the implementation of the Dual-Use Regulation and requests information from Member States’ competent authorities in this respect. It should be noted that the risk assessment underlying the case-by-case decision to authorise or deny a specific transaction is the responsibility of competent authorities of the Member States and involves foreign and security policy considerations, including consideration of national security policy. The Commission cannot act as a substitute for the Member States’ competent authorities in this regard.

(Paragraph 59) The Commission would like to clarify that enforcement is primarily a national competence of the relevant law enforcement agencies of the Member States, the modernised Dual-Use Regulation that entered into force in September 2021, however, introduces dedicated provisions on enforcement as part of the overall goal of a more effective EU export control system. Under the terms of the Dual-Use Regulation, in 2022 the Commission set up an „Enforcement Coordination Mechanism“ which is mandated with the preparation of concrete actions, such as enhancing information exchange between licensing and enforcement agencies.

(Paragraph 60) The Commission takes note of the European Parliament’s recommendation calling on the Commission to ensure sufficient staff capacity for the units responsible for the oversight and enforcement of the Dual-Use Regulation.

(Paragraph 62) The Commission takes note of the recommendation calling for changes to the Dual-Use Regulation. It will feed into the evaluation of Article 5 that the Commission will carry out after 10 September 2024, as established in Article 26.4 of the regulation.

(Paragraph 63) The Commission has worked closely with Member States to extend their reporting obligations on cyber-surveillance items, to cover decisions to authorise their export in addition to decisions to deny them. This reflects the requirements for greater transparency of the modernised Dual-Use Regulation of 2021 and is in view of the publication of the annual report on export controls. The Commission is also developing the necessary IT tools to make such information exchange possible.

(Paragraph 64) The requirement on Member States to provide appropriate information to the Commission for the preparation of the annual report includes considerations of commercial sensitivity, defence and foreign policy or national security reasons. While it should not be abused to hamper the objective of higher transparency as set out in the regulation, the requirement in Article 26.3 of the Dual-Use Regulation forms part of the EU’s approach to transparency and is necessary to protect our security, preserve innovation capacity and provide a level-playing field among EU companies. The Dual-Use Regulation sets transparency standards at a higher level than most, if not all, our partners and third countries around the world.

Paragraph 65) Article 2(20) of the modernised EU Dual-Use Regulation strengthens the controls of exports of cyber-surveillance items in connection with human rights and provides for a definition of cyber-surveillance items. The Commission does not consider that this new definition of cyber-surveillance items needs to be revised. The Commission is, in the coming months, finalising guidelines for exporters to clarify the scope of cyber-surveillance items that, on the one hand, fall within the definition of cyber-surveillance pursuant to Article 2(20), and on the other hand, can be intended for use in connection with internal repression and/ or the commission of serious violations of human rights and international humanitarian law.

(Paragraph 66) Article 5 of the modernised EU Dual-Use Regulation strengthens the controls of exports of cyber-surveillance items in connection with human rights and highlights the importance of due diligence. It applies to the exports of cyber-surveillance items that are not listed in Annex I of the regulation (for example, those not already subject to control) and that are, or may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. The determination on whether cyber-surveillance items are or may be used for the purposes mentioned above is to be based on the due diligence findings carried out by the exporter.

As regards international cooperation to protect citizens (paragraphs 67 and 68), the Commission notes that under the Export Control Working Group (DUWG) within the EU-US Trade and Technology Council (TTC), the EU and the US have exchanged views on the development of EU guidelines for the application of controls of non-listed cyber-surveillance items that are or may be used in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. Under the TTC, the EU and the US organise joint stakeholder outreach events, where stakeholders are invited to participate in discussions on export controls. Stakeholders are invited to participate by registering in the Futurium platform.

Concerning the calls for talks to be launched with other countries, in particular Israel (paragraph 69), established dialogue channels are being used to raise the more general issue of export and abusive use of spyware in our human rights dialogue with Israel, and are also being used to remind Israel of the need to implement legislation that prevents this. This issue has for example been discussed at the EU-Israel subcommittee for trade. On this occasion, the EU called on Israel to implement and enforce legislation and safeguards to protect people from any possible unlawful or unnecessary surveillance based on Israeli technology, such as effective export controls.

As regards Union export rules and their enforcement (paragraph 71) the Commission is fully committed to ensuring that the modernised Dual-Use Regulation of 2021 delivers on its expectations in terms of transparency, implementation, and enforcement. Accordingly, the Commission is working closely with Member States’ competent authorities to ensure an effective implementation and enforcement of the regulation.

Concerning Zero-day vulnerabilities (paragraph 72), the Cyber Resilience Act (CRA) proposal, with an internal market legal basis (Article 114 TFEU), aims to establish cybersecurity requirements for hardware and software accessing the European market. It also sets out corresponding obligations for the manufacturers of these products which include vulnerability handling obligations, as well as obligations for manufacturers to report actively exploited vulnerabilities in such products. The CRA would regulate „discovery, sharing, patching and exploitation of vulnerabilities, as well as disclosure procedures“ in so far as manufacturers of hardware and software products are concerned.

With regard to the e-Privacy Directive (paragraphs 88-90), the Commission agrees that the e-Privacy Regulation is urgently needed, as it will modernise the current directive and provide more legal certainty for both businesses and EU citizens. The Commission is supporting the European Parliament and the Council in the legislative negotiations on the e-Privacy Regulation, and it is also investigating complaints.

Concerning the calls for more rigorous control mechanisms of Union development aid (paragraph 96), the Commission provides continuous support to democratic governance, which is an important priority for the EU in all its external action. The Commission will continue to give special attention to human rights across the board, including the respect for the privacy standards that stem from existing guidelines and procedures to uphold these principles.

In addition, the Financial Regulation contains detailed rules on financing agreements with partner countries, specifying that these agreements shall clearly define the responsibilities and obligations of the partner country when implementing in indirect management. Financing agreements with third countries contain provisions that allow for the Commission to suspend the financing agreements if the partner country fails to observe the principles of democracy, the rule of law or good governance, or respect for human rights. The Commission may subsequently terminate the financing agreement if the issues which led to suspension have not been resolved. Furthermore, both the Financial Regulation and the financing agreements contain provisions allowing the Commission, the European Anti-Fraud Office (OLAF), and the Court of Auditors to conduct checks and verifications.

On the calls on the Commission and the EEAS to include in every human and fundamental rights impact assessment a monitoring procedure on the potential abuse of surveillance and to report on the abuse of spyware (paragraphs 97 and 98), the EEAS points out that in line with the current Action Plan on Human Rights and Democracy (2020-2024), the EU stands by the principle that human rights apply online and offline. The EU regularly calls on States in its bilateral engagement and in multilateral fora, including in human rights dialogues, to implement legislation and safeguards to protect people from unlawful or unnecessary surveillance, including arbitrary or mass surveillance.

The EU will continue to use opportunities such as human rights and political dialogues to call on States that have allegedly misused Pegasus to carry out independent investigations, and to ensure that the victims of unlawful surveillance have access to remedies and that those responsible are held to account.

Since 2021, the Annual Report on Human Rights and Democracy has had a specific chapter on digital and human rights as well as a chapter on human rights defenders. The 2022 Annual Report was published in July 2023.

Regarding respect for human rights by the financial sector (paragraph 99), the Commission submitted its proposal for a Corporate Sustainability Due Diligence Directive in February 2022. The proposal sets out companies’ obligations to mitigate human rights and environmental adverse impacts, including those that arise in their value chains, and covers the financial sector. The proposal considers relevant international voluntary frameworks, including the United Nations’ Guiding Principles on Business and Human Rights. The European Parliament and the Council have both now adopted their negotiating positions and interinstitutional discussions are currently ongoing, including on the scope of the Directive and the obligations for financial sector companies.

Concerning the calls on the Commission to present a proposal for a Union security clearance procedure for all office holders in the Union (paragraph 109), the Commission may only present a proposal for a legislative initiative in a policy area which falls within the Union’s competences, as per the relevant articles of the Treaty on the Functioning of the European Union.

Security clearance is one of the requirements for access to EU classified information, which is information that must be protected as its unauthorised disclosure could cause varying degrees of prejudice to the interests of one or more Member States or of the EU. Therefore, the entire process of security clearance is inherently part of ensuring national security which, as indicated in Article 4 of the Treaty on the European Union, falls within the exclusive competence of Member States.

In this context, the requirements for conducting the security vetting and for issuing security clearances remain within the remit of the Member States and respond to their national security interests. It is beyond the Union’s remit to harmonise these requirements.

As regards the Union research programmes and calls for the implementation of more rigorous and effective control mechanisms (paragraph 111), the Commission notes that EU-funded security research takes full account of the protection of civil liberties and fundamental rights, including privacy. Independent experts conduct an ethical screening, before the decision is taken to fund a project proposal. Even if a proposal is suitable for funding, the grant agreement will include ethics provisions. In this respect, the breaching of ethical standards constitutes a breach of the grant agreement contract. During implementation, EU project officers monitor the respect for the above ethical obligations and can call for further checks. The ethics review places ethics as an indispensable element, which empowers researchers to act in line with EU values and fundamental rights.

The public has guaranteed online access to:

• information about the project and its procedures,
• data collected, and
• final results of the research projects.

There are limits applied to public access when it is necessary to protect commercially sensitive information, or security sensitive information that could put at risk the safety and security of citizens (for example, some results of security research dealing with homemade explosives or cybersecurity of hospitals) and which cannot be fully publicised. Nevertheless, the Commission promotes transparency to the maximum extent possible by making publicly available results that would not fall under these categories.

The current framework programme for research and innovation, Horizon Europe, funds projects that aim to develop solutions and guidance for police authorities to increase security in public places, while not affecting fundamental freedoms such as privacy and protection of personal data. In this regard, the GATHERINGS project is developing capacity-building tools and new standards in the field of local surveillance. More specifically, the project will develop common standards to maximize privacy and data protection in surveillance practices, set up an international network of surveillance professionals, administrations, experts, policy makers and citizens, and develop an awareness-raising programme for surveillance professionals.

Regarding the call that EU funding for research, such as the Horizon Europe agreements with non-EU countries, must not be used to contribute to the development of spyware and equivalent technologies (paragraph 112), the Commission notes that EU civil security research aims to increase the level of security and protection, in full respect of fundamental rights and with the ethics regimes described above. Research into detecting and reducing vulnerabilities in information systems aims at increasing cybersecurity and resilience. This is complementary with legal provisions on vulnerability disclosure enshrined in the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) and with the principles of the proposed Cyber Resilience Act.

The Commission takes note of the European Parliaments’ call to set up a dedicated research institute and the EU Tech Lab (paragraphs 113 and 116). The Commission would like to stress that several EU agencies and bodies such as the European Union Agency for Cybersecurity (ENISA), Europol’s Cyber Crime Centre (and the innovation lab linked to it), and more recently the European Cybersecurity Competence Centre (still in the process of being established following the adoption of its founding Regulation in June 2021) deal with cybersecurity. Existing EU funding programs (notably Horizon Europe and DIGITAL Europe), currently managed by the Commission and in future by the European Cybersecurity Competence Centre, could plan calls for proposals on aspects related to those mentioned in the European Parliament’s opinion, while ENISA or Europol could be requested to analyse and report on the status of relevant policy, market, and technology aspects. However, setting up new structures such as an EU Tech Lab or a new dedicated research institute may be disproportionate in terms of resource impact and time needed. The matter raised by the European Parliament is out of scope of the CERT-EU (3) mandate.

Regarding effective implementation of the Rule of Law toolbox (paragraph 121): the rule of law, democracy and fundamental rights are at the foundations of the EU. The Commission is committed to making use of all tools at its disposal to protect and uphold the rule of law, including the annual Rule of Law Report, infringement, and Article 7 proceedings.

The Rule of Law Report covers:

• the independence, quality, and efficiency of justice systems,
• anti-corruption frameworks,
• media freedom and pluralism,
• and other institutional checks and balances.

As underlined in the 2023 Rule of Law report, even where the use of spyware surveillance software, such as Pegasus, is linked to national security, there is a need for national checks and balances to ensure that safeguards are in place. Recourse to such tools by Member States’ security services needs to be subject to sufficient checks and to fully respect EU law. In this regard, where relevant, the country chapters have included the functioning of national checks and balances for concerns over investigations into the use of spyware surveillance software.

As regards the support to civil society in order to strengthen resilience against spyware attacks (paragraph 119), the Commission underlines that civil society organisations are essential to bring life to and protect the values and rights enshrined in the Treaty on European Union and the Charter of Fundamental Rights. Recognising the essential role that the civil society organisations play in fostering rule of law, democracy and fundamental rights on the ground, the Commission dedicated the 2022 Annual Report on the application of the Charter of Fundamental Rights to the topic of civic space (4). Moreover, civil society remains a key partner in the preparation of the annual Rule of Law report. The Commission receives many written contributions from Civil Society Organisations (CSOs) and invites them to meetings as part of the country visits. The Commission has also organised cross-cutting meetings with several key civic networks.

Furthermore, CSOs have an important role to play for awareness-rising and effective prevention in the area of cybersecurity at international level. An Operational Human Rights Guidance for EU external cooperation actions addressing Terrorism, Organised Crime and Cybersecurity has been developed in order to integrate the human rights-based approach. It is a fundamental platform for project design and actions are evaluated against its recommendations. The Guidance is designed to be used across EU funding addressing terrorism, cybersecurity, or organized crime.

Based on the 5G toolbox, the Commission has developed a cybersecurity assessment tool which will be shared with partner countries and CSOs after an initial testing phase. Additionally, regional cybersecurity programmes in Sub-Saharan Africa (SSA) with a strong focus on capacity-building, as well as the reinforced cybercrime project in Latin America and the Caribbean (LAC), will provide additional support to strengthen resilience against spyware attacks. Regional and bilateral TAIEX events also involving CSOs have been organised in the SSA and LAC regions to share expert views and approaches to the increased cybersecurity challenges.

Regarding the calls for the establishment of a Union Litigation Fund (paragraph 122), the Commission recalls that under the Citizens, Equality, Rights and Values (CERV) programme, the Call for proposals to promote civil society organisations’ awareness, capacity building and implementation of the EU Charter of Fundamental Rights dedicates its priorities to building the capacity and raising awareness of the EU Charter of Fundamental Rights as well as to supporting strategic litigation in cases of violation of the rights enshrined in the Charter. Projects are funded which, through training, knowledge sharing and exchange of good practices, strengthen the knowledge and ability of civil society organisations as well as of practitioners, legal professionals, and independent human rights bodies to effectively engage in litigation at national and European level, and to improve access to justice and enforcement of rights under EU law.

Concerning the inquiry into all allegations and suspicions of the use of spyware against officials of the Commission (paragraph 124): following the Forbidden Stories and Amnesty International revelations, on 19 July 2021 a dedicated Commission team of in-house experts launched an internal investigation, as in any suspected case of spyware infection. In terms of cooperation with Member States, and particularly the Belgian police, there is a close and regular coordination amongst the respective cyber security teams.

With regard to the calls for protection of the 2024 European elections (paragraph 125), as part of a general effort to protect free and fair elections in the EU, the Commission supports Member States’ cooperation in the framework of the European Cooperation Network on Elections. It brings together representatives of Member States’ authorities with competence in electoral matters, including electoral authorities. It allows for concrete and practical exchanges on a range of topics relevant to ensuring free and fair elections, including cyber-security. This network will continue supporting cooperation among Member States’ authorities in the run-up to the 2024 European elections.

Delivering on the Commission’s European Democracy Action Plan (EDAP) since January 2022, the Commission offers a joint mechanism on election resilience to Member States as a capacity-building tool to support the exchange of expertise in areas such as cybersecurity. The Commission is also preparing a set of initiatives on the “Defence of Democracy” to help address specific threats to democracy and encourage citizen participation in our democracies.

Concerning the calls for the EU to sign up to Convention 108+ (paragraph 134), the amending Protocol introduces the possibility for the Union to become a Party to the (modernised) Convention. Therefore, the EU will be able to join Convention 108+ once it has entered into force. The EU actively promotes the signature and ratification of Convention 108+ not only by EU Member States but also by third countries.

(1) Judgment of 21 July 2021, B. K., Case C‑742/19, para. 40
(2) This article has been the object of a Common Approach adopted by the Council on 21 June 2023 and it corresponds in substance to the Commission proposal set out in September 2022
(3) The Computer Emergency Response Team for the EU institutions, bodies, and agencies
(4) https://commission.europa.eu/aid-development-cooperation-fundamental-rights/your-rights-eu/eu-charter-fundamental-rights/application-charter/annual-reports-application-charter_en