Business Software Alliance

BSA

The Business Software Alliance advocates for the global software industry on AI, privacy, cybersecurity, copyright, and digital economy policies.

Lobbying Activity

Business Software Alliance urges EU to simplify overlapping digital rules

14 Oct 2025
Message — The organization requests consolidation of fragmented EU digital legislation through standardized definitions, unified reporting, and harmonized compliance requirements. They advocate for phased implementation aligned with product lifecycles and expanded exemptions for SMEs. They emphasize coordination across regulators to reduce contradictory enforcement.
Why — This would reduce audit multiplication and compliance costs exceeding €1 million per multinational operator.

Global Data Alliance Urges EU to Ease Data Flow Rules

17 Jul 2025
Message — The alliance requests policies that boost data access and usability for global innovation. They also suggest reducing regulatory complexity to allow for seamless cross-border data flows.
Why — Standardized rules would lower costs for software companies operating across multiple jurisdictions.
Impact — Supporters of regional protectionism may see their influence over data sovereignty diminished.

Software group BSA warns against new telecom network fees

11 Jul 2025
Message — BSA recommends keeping cloud and telecom regulations separate while rejecting network fees. They also call for harmonized and streamlined reporting obligations across the EU.
Why — This approach would prevent increased operational costs and redundant regulatory burdens for software companies.
Impact — Large telecom companies lose the power to extract fees from tech firms.

BSA Warns EU Against Isolationist Sovereignty Rules for AI

2 Jul 2025
Message — The association urges the EU to maintain open strategic autonomy through cooperation with trusted global partners. They argue against applying restrictive sovereignty requirements uniformly across broad categories of data.
Why — Global providers would avoid massive compliance costs and preserve their current European market position.
Impact — European SMEs and public organizations face higher costs and fewer choices for advanced technology.

Meeting with Manuel Mateo Goyet (Acting Head of Unit Communications Networks, Content and Technology) and Microsoft Corporation and

26 Jun 2025 · Business Software Alliance and its members consultation on the EU’s upcoming Cloud and AI Development Act.

Meeting with Bernd Lange (Member of the European Parliament, Committee chair)

25 Jun 2025 · General exchange of views

Meeting with Ann-Sofie Ronnlund (Cabinet of Commissioner Ekaterina Zaharieva)

23 Jun 2025 · Intellectual property rights

Business Software Alliance urges EU to abandon cloud sovereignty requirements

10 Jun 2025
Message — The Business Software Alliance urges the EU to avoid protectionist sovereignty requirements and maintain a technology-neutral certification framework. They advocate for cooperation with trusted international partners to support innovation and fair competition.
Why — This would protect the market access and profitability of major international software providers.
Impact — European organizations would face restricted choices and higher costs for cloud and cybersecurity services.

Response to Quantum Strategy of the EU

3 Jun 2025

This is a pivotal moment in the advancement and practical deployment of quantum computing. The Business Software Alliance congratulates the European Union for taking a proactive approach with a comprehensive quantum strategy, recognizing its potential to deliver substantial economic, scientific, and technological benefits. To support this effort, we offer a set of recommendations for inclusion in the EU's quantum strategy, detailed in the attached policy paper. These recommendations include: Appointment of a Quantum Technology Coordinator; Comprehensive Funding Strategy; Development of an EU-wide Quantum Strategic Plan; Support for Quantum Industry Innovators; Sector-Specific Quantum Technology Adoption; Securing Quantum Supply Chains; Post-Quantum Cryptography Pilot Initiatives; Workforce Preparation and Development; Joint Research and Supply Chain Initiatives; EU Representation in Global Quantum Dialogues.

BSA Warns EU Against Protectionist AI Sovereignty Rules

27 May 2025
Message — BSA urges the EU to avoid isolationist sovereignty requirements that restrict market access. They advocate for cooperation with trusted international partners instead of protectionist criteria.
Why — Rejecting these rules avoids new compliance costs and preserves global market competitiveness.
Impact — European businesses lose the ability to choose high-performance and cost-effective global technology.

Response to International Digital Strategy

20 May 2025

The Business Software Alliance (BSA) welcomes the opportunity to provide an answer to the European Commission's Call for Evidence on the EU International Digital Strategy. BSA is the global trade association of the enterprise software industry, representing companies that are leaders in artificial intelligence, cybersecurity, cloud computing, and other cutting-edge technologies. We work in over 20 markets in the US, Europe, and Asia, advocating for policies that build trust in technology so that every industry sector and the public can benefit from innovation. In a nutshell, BSA is aligned with the policy options laid out in the call for evidence, namely the one on leveraging digital cooperation with partner countries and reinforcing the existing network of Digital Partnerships and Alliances to boost the EU's tech competitiveness and sovereignty, in line with the objectives of the Competitiveness Compass. In that regard, BSA understands and appreciates the EU's goal of reducing technological dependence and developing European AI players, which is entirely legitimate, provided it is done in the context of strategic autonomy, through cooperation with trusted partners sharing common values, rather than through isolationism or protectionism. This kind of collaboration will ensure fair competition based on shared values and principles, ultimately fostering AI innovation and European technological competitiveness, for the benefit of European users, whether they are businesses or citizens. We attach a file below further detailing our position for your consideration.

Meeting with Pablo Arias Echeverría (Member of the European Parliament)

14 May 2025 · Regulatory development of software and AI

Meeting with Axel Voss (Member of the European Parliament, Rapporteur) and Google and

6 May 2025 · Copyright and generative AI

Meeting with Gabriel Mato (Member of the European Parliament)

12 Feb 2025 · Meeting with BSA

Meeting with Ioan-Dragos Tudorache (Cabinet of Executive Vice-President Stéphane Séjourné)

6 Feb 2025 · Challenges for transatlantic cooperation and exchange on the Commission’s plans related to digital policies

Meeting with Dan Barna (Member of the European Parliament)

5 Feb 2025 · Current and upcoming files in INTA committee, the future of data flows and digital trade

Meeting with Kilian Gross (Head of Unit Communications Networks, Content and Technology)

4 Feb 2025 · AI Act Implementation

Meeting with Kosma Złotowski (Member of the European Parliament, Rapporteur for opinion)

4 Feb 2025 · Adapting non-contractual civil liability rules to artificial intelligence

Meeting with Ilhan Kyuchyuk (Member of the European Parliament)

22 Jan 2025 · Europe's digital Agenda

Meeting with Henrik Dahl (Member of the European Parliament, Shadow rapporteur for opinion)

11 Dec 2024 · AI Liability

Meeting with Verena Mertens (Member of the European Parliament) and Verband Deutscher Büchsenmacher und Waffenfachhändler

3 Dec 2024 · Introductory Meeting

Meeting with Andrea Wechsler (Member of the European Parliament) and QUALCOMM Incorporated

3 Dec 2024 · EU digital strategy

Meeting with Francisco Assis (Member of the European Parliament)

16 Oct 2024 · discuss the challenges and opportunities for software industry and its impact on European Competitiveness and businesses.

Meeting with Angelika Winzig (Member of the European Parliament)

16 Oct 2024 · Meeting with a representative of BSA

Meeting with Eero Heinäluoma (Member of the European Parliament) and Huawei Technologies and Investment Company Institute

3 Oct 2024 · Current Affairs

Meeting with Isabel Wiseler-Lima (Member of the European Parliament)

2 Oct 2024 · Challenges and opportunities for the software industry

Meeting with Laura Ballarín Cereza (Member of the European Parliament)

26 Sept 2024 · Digital priorities for the mandate 2024-2029

Response to Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive

25 Jul 2024

Dear Sir / Madam, Please find attached BSA | The Software Alliance's input to the European Commission's public consultation on laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers. Best regards, Thomas Boué

BSA urges EU to exclude cloud services from telecom rules

27 Jun 2024
Message — BSA recommends simplifying electronic communications rules by introducing the country-of-origin principle. They strongly oppose expanding telecom regulations to include cloud services or content delivery networks. Furthermore, they caution against any mechanisms that could impose network fees on content providers.
Why — This approach would prevent new regulatory burdens and avoid increased costs for cloud services.
Impact — Large telecom companies lose the ability to force big tech firms to pay network fees.

Meeting with Eva Maydell (Member of the European Parliament, Rapporteur)

9 Apr 2024 · AI Act

Meeting with Maurits-Jan Prinz (Cabinet of Commissioner Thierry Breton)

20 Mar 2024 · AI and Data policy

Meeting with Werner Stengg (Cabinet of Executive Vice-President Margrethe Vestager)

20 Mar 2024 · the intersection between Copyright and Artificial Intelligence

BSA Urges Improved GDPR Harmonization to Foster European Innovation

8 Feb 2024
Message — BSA recommends improving the consistency mechanism to reduce legal fragmentation across EU Member States. They suggest strengthening international data transfer tools and ensuring privacy rules align with new AI regulations. The group also seeks clearer standards for business-to-business contractual relationships and data subject requests.
Why — Uniform enforcement would reduce the burden of complying with varying national requirements.
Impact — Individual citizens might face higher hurdles when exercising their personal data rights.

BSA urges tailored DSA templates for enterprise software providers

23 Jan 2024
Message — BSA recommends tailoring reporting templates to the specific category and size of online service providers. They argue for reducing administrative burdens and extending short implementation deadlines. They also request removing reporting categories exceeding the original scope of the Digital Services Act.
Why — This would lower compliance costs and prevent unnecessary administrative burdens for enterprise software companies.
Impact — Researchers and public agencies would receive less standardized and granular data for statistical analysis.

Response to Voluntary cybersecurity certification for ICT products, based on a Common Criteria set of security requirements

30 Oct 2023

BSA | The Software Alliance (BSA) welcomes the opportunity to provide input to the European Commission's public consultation on the Draft Implementing Act laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC). BSA is the leading advocate for the global software industry. BSA members are at the forefront of software-enabled innovation that is fueling global economic growth and digital transformation by helping enterprises in every sector of the economy operate more efficiently, securely and in a privacy-protective way. BSA's members are enterprise software companies that offer technology services that other organizations use, such as cloud storage services, customer relationship management software, and workplace collaboration software, to make their own operations more efficient, innovative, and successful. See our detailed comments in the attached paper.

Meeting with Axel Voss (Member of the European Parliament, Shadow rapporteur)

11 Oct 2023 · AI Act

Meeting with Geneviève Tuts (Cabinet of Commissioner Didier Reynders), Lucrezia Busa (Cabinet of Commissioner Didier Reynders)

11 Oct 2023 · Data protection

Meeting with Dragoş Tudorache (Member of the European Parliament, Rapporteur) and Palo Alto Networks Inc.

10 Oct 2023 · Artificial Intelligence

Meeting with Maria-Manuel Leitão-Marques (Member of the European Parliament, Shadow rapporteur) and MedTech Europe and

20 Apr 2023 · Product Liability Directive

Meeting with Pascal Arimont (Member of the European Parliament, Rapporteur) and Cisco Systems Inc. and Workday

11 Apr 2023 · Revision of the Product Liability Directive

Meeting with René Repasi (Member of the European Parliament, Shadow rapporteur) and Orgalim – Europe's Technology Industries

5 Apr 2023 · Exchange of views on the Product Liability Directive/ Produkthaftungsrichtlinie (PLD) - Staff Level

Meeting with Krzysztof Hetman (Member of the European Parliament, Shadow rapporteur)

30 Mar 2023 · Exchange of views on Product Liability Directive (meeting delegated to parliamentary assistant)

Meeting with Brando Benifei (Member of the European Parliament, Rapporteur)

21 Feb 2023 · Meeting on the AI Act (meeting held by the Assistant responsible)

Meeting with Henna Virkkunen (Member of the European Parliament, Shadow rapporteur)

26 Jan 2023 · EU Cyber Resilience Act

Meeting with Anthony Whelan (Cabinet of President Ursula von der Leyen)

7 Dec 2022 · EU’s Digital package

Software Alliance Urges SaaS Exclusion and Extended Compliance Timelines

2 Dec 2022
Message — The organization wants cloud services explicitly excluded to avoid redundant regulation with existing laws. They recommend extending the implementation transition period from two years to four years. Furthermore, they urge the use of international standards over unique European technical specifications.
Why — This would reduce compliance costs and prevent regulatory conflicts with existing EU directives.
Impact — Consumers lose immediate protection as mandatory security standards are delayed by two years.

Meeting with Alin Mituța (Member of the European Parliament, Shadow rapporteur) and International Road Transport Union Permanent Delegation to the EU

19 Sept 2022 · Data Act

Software Association BSA Urges Encryption Protection in CSAM Proposal

10 Sept 2022
Message — BSA recommends an 'Enterprise First' approach where business customers are the primary contacts for detection. They also urge protecting encryption standards and maintaining the right to perform voluntary scanning.
Why — Business providers avoid impossible technical mandates while maintaining security for corporate communication channels.
Impact — Authorities may struggle to investigate abuse occurring within business tools or involving new material.

Meeting with Maria da Graça Carvalho (Member of the European Parliament, Shadow rapporteur for opinion) and Orgalim – Europe's Technology Industries

31 Aug 2022 · Data Act

Software alliance urges narrower scope for new EU Data Act

13 May 2022
Message — BSA requests narrowing the regulation's scope to raw data from connected devices. They want software processors excluded from the definition of data holders. They also recommend exempting trade secrets from mandatory sharing obligations.
Why — Software firms would avoid costly compliance and protect their proprietary business models.
Impact — Public authorities would have less power to access data outside of emergencies.

Meeting with Axel Voss (Member of the European Parliament)

15 Dec 2021 · Artificial Intelligence

Response to European Digital Identity (EUid)

2 Sept 2021

Please find attached a document detailing BSA's three recommendations for the eIDAS framework.

Response to Requirements for Artificial Intelligence

6 Aug 2021

Please find attached our position paper commenting on the AI Act Regulation proposal.

Response to Liability rules for Artificial Intelligence – The Artificial Intelligence Liability Directive (AILD)

28 Jul 2021

BSA | The Software Alliance welcomes the opportunity to provide comments on the European Commission’s Inception Impact Assessment on adapting liability rules to the digital age and circular economy. Please find our submission attached.

Response to Data Act (including the review of the Directive 96/9/EC on the legal protection of databases)

25 Jun 2021

BSA | The Software Alliance (“BSA”) welcomes this opportunity to offer these comments in response to the European Commission’s Inception Impact Assessment on a proposed Data Act (the “IIA”). Please find our comments attached. Thomas Boué

Response to Revision of the NIS Directive

17 Mar 2021

BSA | The Software Alliance (BSA) welcomes the opportunity to comment on the Commission’s revised Directive on security of network and information systems (herewith “NIS 2.0 Directive”). BSA is the leading advocate for the global software industry. BSA members are at the forefront of software-enabled innovation that is fueling global economic growth and digital transformation by helping enterprises in every sector of the economy operate more efficiently, securely and in a privacy-protective way. The threat landscape has increased considerably since the adoption of the NIS Directive in 2016, and the objectives of the Directive are more relevant than ever. Today, cyber incidents rank among the most important business risks globally. BSA and its members support the overall objective and horizontal approach of the review to strengthen security and resilience in Europe. The emphasis on risk management is an important step forward in holistically addressing cyber risk, and the distinction between “essential” and “important” entities maintains a risk-proportionate approach. BSA would like to offer comments on a non-exhaustive list of areas that could be improved to help better achieve the Directive’s objectives and incentivize a holistic, effective and responsible approach to cybersecurity. Our recommendations are detailed in the document attached.

Response to Digital Services Act: deepening the Internal Market and clarifying responsibilities for digital services

15 Mar 2021

Please find attached BSA | The Software Alliance's submission for the consultation.

Meeting with Penelope Papandropoulos (Cabinet of Executive Vice-President Margrethe Vestager), Werner Stengg (Cabinet of Executive Vice-President Margrethe Vestager)

25 Feb 2021 · E-commerce

Response to Digital Operational Resilience of Financial Services (DORFS) Act

15 Feb 2021

BSA | The Software Alliance (BSA) welcomes the opportunity to provide the attached feedback on the Commission’s proposed Regulation on digital operational resilience for the financial sector ("DORA").

Meeting with Axel Voss (Member of the European Parliament)

3 Feb 2021 · AI for Europe

Response to Commission Implementing Decision on standard contractual clauses between controllers and processors located in the EU

10 Dec 2020

BSA | The Software Alliance (“BSA”), the leading advocate for the global software industry, welcomes the opportunity to provide feedback on the European Commission’s draft new standard contractual clauses (“Article 28 SCCs”) on the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679. We respectfully submit the comments attached in response to the Commission’s consultation on the Article 28 SCCs to further achieve this objective and to make the application of these provisions as practical as possible, in particular in a cloud computing environment.

Response to Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries

10 Dec 2020

BSA | The Software Alliance (“BSA”), the leading advocate for the global software industry, welcomes the opportunity to provide feedback on the European Commission’s draft new standard contractual clauses (“SCCs”) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679. We respectfully submit the comments attached in response to the Commission’s consultation on the New SCCs.

Meeting with Werner Stengg (Cabinet of Executive Vice-President Margrethe Vestager)

1 Dec 2020 · Artificial Intelligence, Data Strategy, Digital sovereignty

Response to Requirements for Artificial Intelligence

10 Sept 2020

BSA would like to underline the need for the Commission to carry out an in-depth inventory of EU law, and its application to AI, before suggesting possible legislative actions. Consistent with the risk-based, context-specific approach of the White Paper, any proposed legislation should avoid one-size-fits-all mandates. Future proposals should focus on high-risk scenarios where the deployment of AI poses a threat to fundamental rights. The scope of any regulatory obligations should be a function of the degree of risk and the potential scope and severity of harm. BSA supports an incremental approach by limiting regulation to AI that is deployed in a high-risk sector and used in a manner in which significant risks are likely to arise. The Commission should extend this two-pronged approach to all possible high-risk scenarios, rather than identifying specific sectors where AI would be considered high-risk by default. Ensuring that the definition of high-risk is appropriately tailored will be critical; it is also crucial to provide a well-determined scope of application.

Legal requirements for high-risk AI applications should be addressed to the actors best placed to address potential risks. In many cases developers may not know whether the technology is being deployed by an end-user in a manner that meets the definition of high-risk. Developers are better placed to describe the capabilities and limitations of an AI system, while disclosing the possible impact of AI use will typically be the responsibility of the deployer. The Commission should draw from existing concepts for establishing which entity is best placed to address potential risk, i.e. the entity that determines the purpose of the AI, similar to the concept of a controller under GDPR. In the context of AI, the AI controller will generally be the deployer. The processor/controller distinction provides organizations with a clear picture of their respective legal obligations, and helps ensure that data subjects' rights are adequately protected. Ensuring that the definitions of the entities involved are the same in different sectors, founded in established practices, would entail a more harmonized approach to AI.

The Commission should not establish pre-marketing conformity assessment for AI systems, as such obligations are liable to turn into barriers to enter the market; a more scalable approach would be self-attestation. BSA urges the Commission not to pursue a regulatory scheme based on prescriptive conformity assessment requirements. The risks that AI poses and the appropriate mitigation mechanisms are context-specific. The appropriate mechanisms and standards for training data, record keeping, transparency, accuracy, and human oversight vary depending on the nature and deployment of an AI system. The Commission should therefore avoid creating prescriptive, one-size-fits-all requirements around these categories. The Commission should articulate an impact assessment framework on high-risk AI for stakeholders, possibly on the basis of the HLEG ALTAI. The Commission should consider specific rules for the use of remote biometric identification systems, by the public sector in particular, given the heightened risks inherent in governmental use of this technology.

BSA urges the Commission not to pursue the creation of a blanket voluntary labeling system for all non-high-risk systems. Given the diverse range of AI products and services that will not be considered high risk, a one-size-fits-all labeling scheme would be unworkable. The benchmarks for evaluating whether AI systems are trustworthy are likely to be highly variable, driven in large part by system functionality and deployment context. A labelling system that could apply to all non-high-risk AI would necessarily be very complex, and would limit customers' understanding and engagement. Similarly, the governance of such a scheme would be exceedingly complex and would have to cover very diverse sectors and technologies.

Response to Revision of the NIS Directive

13 Aug 2020

BSA | The Software Alliance (BSA) welcomes the opportunity to provide input to the Commission’s evaluation roadmap/Inception Impact Assessment on the NIS Directive. BSA is the leading advocate for the global software industry. Our members are at the forefront of software-enabled innovation that is fueling global economic growth by helping enterprises in every sector of the economy operate more efficiently. BSA supports the development of relevant policy instruments and smart regulation that strengthen cybersecurity in Europe. In this respect, we acknowledge the positive role that the NIS Directive has played in setting common minimum capabilities across the Union and the introduction of security requirements and of incident reporting procedures. Further harmonization of these elements should be considered in the review, accounting for the technological (i.e. the evolution of multi-cloud deployment) and legal (i.e. contractual obligations of technology providers vis-à-vis their regulated customers) evolutions. The general spirit of the existing provisions should be kept, but with a better level of harmonization and implementation, in particular with regard to service definitions, thresholds, reporting modalities, and the categories of (sub)sectors recognised as OESs and DSPs across the Union.

In accordance with the current requirements, the provisions for operators of essential services (OESs) and digital service providers (DSPs) should remain risk-proportionate, and the differentiation between the requirements for critical operators, whose disruption could lead to a significant economic and/or societal impact, and the more flexible approach that applies to DSPs, should be upheld. This model has demonstrated its efficiency as it not only helps Member States to naturally triage their incident response when assisting affected organisations, it also helps OESs as their incident reporting is being handled appropriately. Ultimately, this approach lowers reporting congestion and strengthens the overall resilience of the critical infrastructures. As an example, the COVID-19 outbreak has shown the importance of prioritizing sector-specific requirements for the segments that are critical to society. Notwithstanding the above, we believe that for cases where a provider is considered as both a DSP and an OES, further clarity should be provided as to its status and responsibilities at Union level. Finally, special attention should be paid to the architectural specificities of some services or sectors, which could face additional reporting complexity, e.g. due to the cross-border nature of these operators.

If the scope were to be expanded to additional sectors, this would require extensive research, supported by empirical data and evidence and input from the security community. Addressing the disparities related to the types of (sub)sectors recognised as OESs or DSPs across the EU would help achieve a better level of harmonisation. With regard to the call to expand the scope to software products, we would also like to underline that the sector is already covered within the Cloud services’ inclusion in Annex III, notably through the Software As A Service principle. For the very limited cases where software would not be delivered or serviced through the cloud (i.e. when embedded), the incident reporting obligations would be irrelevant, as the manufacturer would not have visibility of the incident affecting that specific piece of software. In addition, we believe that liability exemptions or safe harbours for reporting incidents are necessary and should be maintained in consistency with Articles 14(3) and 16(3) of the NIS Directive. Additional considerations include the necessity to provide clearer information to OESs and DSPs, including a one-stop-shop portal for information which can be useful when providers are cross-border in nature, and a stronger industry role with the NIS Cooperation Group and CSIRT Network.

Response to Legislative framework for the governance of common European data spaces

31 Jul 2020

Common European Data Spaces need to be accessible to all market participants and enable an ecosystem where all can use and access data in a trusted, safe and secure environment. A regulatory framework for data governance should lay out high-level rules for open, transparent and structured stakeholder involvement and decision-making processes. Horizontal legislation on data governance should not be prescriptive and focus on setting high-level rules aimed at addressing compatibility and participation issues. Specific vertical data spaces may need adapted holistic data governance rules to ensure that innovation is not constrained. The scope should clearly identify what types of data will feed into the data spaces. This will require participation from all stakeholders and placing all trusted and responsible market players who comply with EU law on equal footing. Sound data policies should ensure that any non-sensitive government-generated data is made freely available to the public in machine-readable formats. Governments should avoid service agreements that grant exclusive access or use rights to government datasets to any single private entity. Governments contracting third-party vendors services should ensure that any statistical data created or maintained on their behalf is not subject to access or use restrictions. Data provided to governments as part of procurement contracts should be treated like any other government data asset and made freely accessible for public use. BSA supports the Open Data Directive and the efforts to make specific high-value public datasets available, where appropriate. The development and adoption of data spaces can and should be implemented in phases. It can begin with creating open data environments, including government data released under open data licenses, to develop a culture of data sharing and free exchange. 
Targeting open data first will enable the development of the data governance practices, standards, and data licensing infrastructure needed to establish robust data sharing environments without the complexity of managing dueling commercial interests. It is key to support the development, availability and adoption of tools and best practices that make it easier and less expensive to share data consistently with rigorous privacy expectations. Technical tools, such as APIs, can facilitate data exchanges. Any standards developed should be market-led, developed in cooperation with industry, and recognize the specificities of sectors and use cases and build upon the existing standards. The Commission should promote the development and use of standardized data licensing models, for example the Linux Community Data License Agreement and the Open Use Data Agreement. Privacy-enhancing technologies and data governance structures can enable value-added uses of data without compromising the confidentiality or security. Innovative data governance structures – such as data trusts, data cooperatives, and data commons – facilitate public and private sharing of data, preserve privacy and enable participants to benefit from the analysis of potentially sensitive data. A more uniform interpretation and application of GDPR would foster the data economy and enable data spaces, also through targeted EDPB guidelines. A standardized industry approach which includes a risk-based view to the anonymization of data is a key factor to incentivize more data sharing and usage. Policies that artificially increase the costs for acquiring data increase the costs of innovative technologies for customers and decrease the incentive to develop and use new technology. 
Policies that facilitate the B2B exchange of data include:
- Ensuring companies can enter enforceable contracts that create data sharing arrangements
- Avoiding the creation of new rights in business data that could add unnecessary transaction costs
- Allowing companies to freely perform data analytics, including TDM, on any content to which they have lawful access
Read full response

Response to Digital Services Act: deepening the Internal Market and clarifying responsibilities for digital services

30 Jun 2020

BSA | The Software Alliance (BSA) welcomes the opportunity to provide input to the Commission’s evaluation roadmap/inception Impact Assessment on the Digital Services Act. BSA is the leading advocate for the global software industry. Our members are at the forefront of software-enabled innovation that is fueling global economic growth by helping enterprises in every sector of the economy operate more efficiently. As an organization, BSA supports the development of relevant policy instruments and smart regulation that strengthen the Digital Single Market in Europe. In this respect, we acknowledge the important role that the E-Commerce Directive has played for the DSM, and the necessity to account for the technological evolution of the ICT sector over the past twenty years and for the different features and layers of the technology industry. BSA invites the Commission to ensure that the diversity of the digital services ecosystem is recognized in the future legislation: not all digital services have the same societal impact or the same risk profile when it comes to illegal content, therefore the DSA should clearly spell out services not intended to be in scope of the proposed measures. A one-size-fits-all approach that would impose the same rules on all digital services would create a disproportionate burden for many businesses that do not have the ability to access and moderate content, or do not disseminate content to the public, such as enterprise cloud services. Such an approach would limit the uptake of cloud technologies across businesses and damage the broader data economy. BSA welcomes the Commission’s assertions that the key principles of liability enshrined in the e-commerce directive will be maintained. As a general principle to be upheld from the e-commerce directive, liability should fall on the entity best positioned to mitigate the risk.
Regarding the “Know Your Business Customer” (KYBC) provision, which is listed among the potential regulatory approaches, BSA also recommends addressing any existing shortcomings through a tailored approach. BSA strongly supports rules that will protect consumers by preventing dishonest businesses from selling illegal products online, but such rules should avoid applying inappropriate constraints on business-to-business services. Setting stronger consumer protection rules should first take into account the role of digital services that are an active party in the provision of a business-to-consumer good or service, while balancing the need to safeguard the smoothness and speed of online business operations. As an example, digital services which are directed primarily at consumers, which act as the intermediary between the trader and the consumer, or which provide the trading interface/platform for the online sale of consumer goods, could be considered as relevant parties. On the other hand, the provision of core services to regulated sectors such as operators of essential services entirely depends on the ability to provide robust cloud solutions that are neither designed for nor directed at consumers. Moreover, enterprise cloud-based solutions are largely offered on a “Pay as You Go” principle, contributing to the success of the cloud. Software suppliers possess a variety of due diligence tools (e.g. contractual obligations in their service contracts) that set strong safeguards. Additional and disproportionate requirements may not only raise privacy and/or business confidentiality concerns, but could also discourage companies, particularly SMEs and start-ups, from moving to the cloud.
Consequently, the DSA should seek to clarify which consumer-facing services, sectors or activities require specific transparency criteria with the objective of strengthening consumer protection standards and exclude B2B services which provide the backend infrastructure or that store content or data as part of a service provided to a company or another entity other than a natural person.
Read full response

Meeting with Kerstin Jorna (Director-General Internal Market, Industry, Entrepreneurship and SMEs)

11 May 2020 · Introductory phone discussion on BSA concerns about privacy, security and IPR in the future

Response to Report on the application of the General Data Protection Regulation

29 Apr 2020

BSA | The Software Alliance, the leading advocate for the global software industry, welcomes the opportunity to provide feedback on the EU General Data Protection Regulation (GDPR). Please find our feedback in attached document.
Read full response

Meeting with Roberto Viola (Director-General Communications Networks, Content and Technology)

4 Mar 2020 · AI White paper and the European Data Strategy

Meeting with Věra Jourová (Commissioner) and

27 Jun 2019 · Privacy Shield

Meeting with Fredrik Beckvid Tranchell (Cabinet of Vice-President Cecilia Malmström)

26 Jun 2019 · Digital Trade Agenda

Meeting with Kevin O'Connell (Cabinet of Commissioner Věra Jourová)

21 Mar 2019 · e-evidence

Response to Measures to further improve the effectiveness of the fight against illegal content online

21 Nov 2018

BSA | The Software Alliance (“BSA”), the leading advocate for the global software industry, welcomes the continued efforts of the European Commission to tackle illegal content online and recognises that online platforms have important responsibilities to improve the effectiveness of the fight against terrorist content online, a laudable objective, shared by BSA. The recent legislative proposal, however, raises numerous concerns for the software industry; in particular, we are concerned about the “one-size-fits-all” approach contained in the provision governing the scope of this draft legislation, which covers a wide range of different services. Such an approach does not recognize the reality that different types of services may require individual responses. The draft Regulation applies to “hosting service providers” (“HSPs”) without drawing a distinction between the different types of service providers in today’s marketplace. The broad definition currently includes cloud services, e-mail services, social media, app stores, instant messenger services, web-hosting services, professional networks, news websites with comment functions and software development services. Furthermore, the reference to HSPs making content available to “third parties” (rather than, for example, to “the public”), and the fact that the conduct can be passive, suggests that a wide range of providers will be caught by the draft Regulation, including all cloud infrastructure providers. Consequently, providers offering enterprise cloud services or privately shared cloud services will fall within the scope of the draft Regulation, even though they are generally not used to disseminate content to the public. Many of these services raise significantly different risk profiles with regard to the dissemination of terrorist content and it is our understanding that they were not intended to be covered by the future legislative framework.
BSA therefore encourages the co-legislators to limit the scope of the draft Regulation to exclude providers of business-to-business hosting services for four central reasons:
1. Technical Limitations: Business-to-business cloud providers are not in a position to identify which of the enterprise customer's users is associated with objectionable content posted online. Therefore, the cloud service provider would have no other option than to shut down the customer's entire website.
2. Data Access: Enterprise cloud providers do not have unfettered access to the data stored in their cloud infrastructure by enterprise customers in a way which would allow them to monitor or filter illegal content and control the data that may be made public.
3. Risk Assessment: As the content stored by business-to-business HSPs is often not accessible to the public, there is limited risk of widespread dissemination of terrorist content online, making it unnecessary for such service providers to set up the infrastructure and monitoring obligations required by this draft Regulation.
4. Privacy Considerations: The right to privacy and data protection must be carefully balanced against the danger of dissemination of terrorist content online. It is important for the majority of users to protect the right to privacy when sharing material on a cloud service, particularly for those services which are designed to have limited or no access for the public. The scope of the proposed draft Regulation should thus exclude those providers whose services are not accessible to the general public.
While BSA supports the objectives of this draft Regulation,the future legal framework should be tailored and limited in scope to avoid capturing all types of HSPs irrespective of how they function or how they are used.Such an approach would allow for competent authorities to focus on those services where the dissemination of terrorist content represents a true threat to society,while simultaneously avoiding placing burdensome costs on business-to-business software entities.
Read full response

Response to Proposal to create a cybersecurity competence network with a European Cybersecurity Research and Competence Centre

12 Nov 2018

BSA | The Software Alliance (“BSA”), the leading advocate for the global software industry, welcomes the continued efforts of the Commission to strengthen the EU’s cyber resilience and shares its desire to advance cybersecurity research in Europe. The recent proposal to create an EU Cybersecurity Competence Network coupled with a European Cybersecurity Research and Competence Centre has many commendable goals. However, there are a few concerning elements; in particular, the provisions governing funding, procurement, and participation by both the public and private sector. The draft Regulation should clarify that all companies and experts, regardless of their size, origin or where they are established, would be eligible to participate in the Cybersecurity Competence Community and potentially receive funding, provided they agree to share the knowledge and development within the Union. Furthermore, to the extent the new Competence Centre will determine how Member States shall define their public procurement practices, we believe that participation should not be limited to companies on the basis of their geographical origins but should instead seek the most effective outcomes to develop and procure sound cybersecurity solutions. Excellence in cybersecurity cannot be achieved solely at a local level. In pursuing security innovation, European and non-European stakeholders should work together, irrespective of country of origin, and use a technology-neutral approach to increase cybersecurity across the Internet ecosystem. Global companies look forward to actively contributing to this process and we respectfully request that all stakeholders, regardless of their nationality, be allowed the opportunity to participate in future discussions and research. Coordination and collaboration between governments and the private sector from around the globe are key elements in achieving an effective approach to cybersecurity.
All Member States, European and non-European stakeholders should work together to pursue security innovation. The supply chain for cybersecurity products and services as well as the cybersecurity talent pool are global and should remain global. With regard to the governance of the Competence Centre, the draft legislation foresees that the decision-making process of the Governance Board shall be equally divided between the European Commission (holding 50% of the voting rights) and the Member States who financially contribute to the Competence Centre. EU bodies and Member States who do not contribute financially to the Competence Centre will have no voting rights. It thus appears that not all Member States will have oversight responsibilities. It would instead grant only a handful of Member States the authority to shape funding, procurement, research and development decisions across the EU. This is particularly problematic as technology development and government grant life cycles take several years. As the Competence Centre envisions funding National Coordination Centres, we fear that precluding certain Member States from receiving voting rights would mean that those Member States would be forced to implement requirements developed by only a fraction of Member States. Also, it is unclear why the option referred to in the Impact Assessment to use an existing agency (ENISA, REA or INEA) was not pursued, as all of these agencies would be able to cover the aims and actions of the new Competence Centre. If ENISA were chosen to run this new Competence Centre through a new administrative structure or unit, every Member State would enjoy equal voting rights. Lastly, both the Competence Centre and the National Coordination Centres should place greater emphasis on international standards, which encourages development towards global best practices and has the added benefit of enabling European innovation to compete not just in the EU, but globally.
Read full response

Meeting with Manuel Mateo Goyet (Cabinet of Commissioner Mariya Gabriel)

17 Oct 2018 · Copyright

Meeting with Andrus Ansip (Vice-President) and

20 Sept 2018 · GDPR, privacy shield, e-privacy

Response to Improving cross-border access to electronic evidence in criminal matters

18 Jul 2018

BSA | The Software Alliance (“BSA”), the leading advocate for the global software industry, welcomes the opportunity to provide its views to the European Commission’s proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (“e-Evidence Regulation”). Our members support the efforts of the European Commission to address the challenges facing cross-border law enforcement requests for e-Evidence. We share the desire to achieve greater harmonisation and legal certainty for national authorities, service providers and citizens. To ensure that the proposed e-Evidence Regulation creates a harmonised set of rules that are necessary, proportionate, and in full respect of European fundamental rights, we encourage the co-legislators to consider the following issues when reviewing the proposed draft Regulation:
1. Recipient of European Production Orders (“EPOs”) – The co-legislators should endorse the principle that where an EPO targets the data of an enterprise, the data should be sought in the first instance from that enterprise itself (i.e. the data controller). An EPO should only be directed to a service provider (i.e. the data processor) when seeking data directly from the enterprise would jeopardise a criminal investigation.
2. Stored Data vs. Real-Time Interception – The scope of the future legal framework should be strictly limited to stored data. The co-legislators should not expand the scope of the instrument to cover real-time interception, direct access or data stored at a future point in time.
3. Timeline for Responding to an EPO – The timeline for service providers to respond to EPOs should be extended to allow service providers to properly review each EPO Certificate (“EPOC”) to ensure that it is valid and respects all relevant safeguards set forth in the draft Regulation. The clarity of the EPOC and time to review is needed to protect European fundamental rights.
4. Comity Procedure Timeline – The co-legislators should extend the time period for consultation with third-country central authorities in cases where a suspected conflict of law exists. Member State courts should require compliance with an EPO only where third-country authorities affirmatively confirm there is no conflict. The lack of a timely response from a third country does not mean that no conflict of law exists.
5. Grounds for Challenging an EPO – Law enforcement authorities should be required to disclose additional information in each EPOC in order to ensure that service providers have the necessary information to determine whether an EPO violates the European Charter of Fundamental Rights. The draft Regulation should also recognise that the U.S. Electronic Communications Privacy Act falls within the meaning of Article 15.
6. Encrypted Data – The co-legislators should seek to strengthen the principle regarding encrypted data found in Recital 19 and transcribe these obligations into the operative provisions of the text. Service providers should be under no obligation to decrypt data, if they do not have the encryption key, before disclosing it in response to an EPO, regardless of national law.
7. Dual Criminality – The draft Regulation should ensure that EPOCs can only be issued where the matter under investigation is a crime in both the Member State of the issuing authority and the Member State of the legal representative of the service provider.
8. Good Faith Compliance – In accordance with international best practices, the co-legislators should include a “safe harbour” provision that would protect service providers from any liability under both Union and Member State law for any actions taken in good faith to respond to or comply with an EPO under the draft Regulation.
Attached you can find a position paper setting out the views of BSA in further detail.
Read full response

Meeting with Rodrigo Ballester (Cabinet of Commissioner Tibor Navracsics)

13 Jun 2018 · Victoria Espinel would like to engage with senior EU policy makers on AI, the privacy shield review, data flows in trade agreements and e-evidence

Meeting with Julie Ruff (Cabinet of Commissioner Julian King)

13 Jun 2018 · Cybersecurity

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

1 Feb 2018 · Cybersecurity

Meeting with Andrus Ansip (Vice-President) and

30 Jan 2018 · GDPR, e-privacy

Response to Review of ENISA Regulation and laying down a EU ICT security certification and labelling

6 Dec 2017

BSA | The Software Alliance (BSA), the leading advocate for the global software industry, welcomes the opportunity to provide its views on the European Commission’s proposal for a Regulation on ICT Cybersecurity Certification. We commend the continued efforts of the European Commission to strengthen the EU’s cyber resilience and share the desire to continue building trust in the Digital Single Market. BSA believes that the future EU legislation must centre on outcome-focused, risk-based, technology-neutral, and adaptable certification frameworks. To ensure that the proposed EU cybersecurity certification framework for ICT products and services set out in the Cybersecurity Act advances this objective, we encourage the co-legislators to consider the following issues when reviewing the proposed Regulation:
1. Scope of certification schemes – The co-legislators should seek to provide further information on what is precisely covered by the voluntary certification frameworks and clarify the scope in the Articles of the draft Regulation. The scope of the framework should focus on “processes and systems” rather than “products and services” to ensure proper alignment with existing international standards.
2. Updates should not trigger re-certification – Re-certification as a consequence of a software update must be approached in a proportionate manner. The Regulation should introduce a longer maximum certificate lifetime, a clear minimum certificate lifetime and a light-touch renewal option.
3. Stakeholder involvement in scheme creation requests – Stakeholders should be given the opportunity to provide meaningful input into the proposal of EU certification schemes. The European Commission should seek to create a clear “roadmap” and procedure to formalise consultation with stakeholders prior to issuing a request to ENISA to begin working on candidate schemes.
4. Greater emphasis on alignment with existing (international) standards – The value of an EU certificate to entities seeking to do business both within and outside the EU hinges on equivalent, internationally accepted standards. To avoid creating market barriers that will ultimately undermine cybersecurity in the EU, any new scheme should rely on existing international standards.
5. Freedom of choice of conformity assessment body – The Regulation should expressly state that manufacturers of ICT products or services may submit an application for certification to a Conformity Assessment Body (“CAB”) in a different Member State to that in which the manufacturer is established.
6. Self-certification for “low-risk” technologies – The Regulation should explicitly call out self-certification and self-declaration as viable options. We encourage the co-legislators to introduce into the text a tiered approach, based on risk profile, whereby there would be an option for self-assessment for technologies deemed low-risk.
7. Acceptance of EU certificates by national authorities – The Regulation should set out in more detail how EU certificates can be used at the national level and make clear that any reference to local schemes should be read as referring to the replacement EU certification scheme.
8. Clear and effective means of enforcement and redress – The Regulation should set out a clear cause of action allowing certificate holders to obtain judicial redress, or powers for the national certification supervisory authority to issue decisions to rectify the failure to recognise an EU certificate.
9. Determining whether a national certification scheme is “covered” by an EU scheme – The Regulation should provide further clarity on how a national scheme or process will be deemed as “covered” by an EU scheme. There should be a process whereby stakeholders can seek a determination from either the European Commission or ENISA as to whether a scheme “covers” the requirements of a national framework.
Read full response

Meeting with Kaius Kristian Hedberg (Cabinet of Commissioner Elżbieta Bieńkowska), Tomasz Husak (Cabinet of Commissioner Elżbieta Bieńkowska) and The German Marshall Fund of the United States - The Transatlantic Foundation

17 Oct 2017 · Transatlantic Digital Policy. Other participants: 4 Members of US Congress and their Congressional Staff

Response to Commission Implementing Regulation pursuant Art 16(8) of NIS Directive

11 Oct 2017

BSA | The Software Alliance (BSA) welcomes the opportunity to comment on the Commission’s draft Implementing Regulation (IR) laying down rules for the application of Directive (EU) 2016/1148 with regard to security and incident notification requirements for digital service providers (DSPs). As the Commission continues to refine its future secondary legislation, we wish to provide the following comments:

With regard to “Article 2 – Security Elements”, we caution the Commission against the introduction of a mandatory documentation requirement (Article 2(6)). Such an obligation would run counter to the “light touch” approach and does not reflect the requirements of the Directive, as ex-ante audits are not required for DSPs. As entities may choose to utilise third-party auditors to comply with Article 16(1)(d) of the Directive, DSPs should be provided with additional flexibility to demonstrate compliance using any suitable means in consideration of the risk and costs involved. They should be encouraged, but not strictly required, to produce documentation. As the Commission further refines the security elements set out in Article 2 of the draft IR, we believe the final IR would benefit from additional clarity. While the security elements should have definitional character, we encourage the Commission to clarify that they are not binding requirements on DSPs. Although many of the measures in the draft IR are drawn from ISO 27001, a direct obligation to include all elements set out in Article 2 would not respect the “light touch” approach of the Directive and would exceed its stated policy objective, which is the continuity of services.

With respect to “Article 3 – Parameters to be taken into account to determine whether the impact of an incident is substantial”, BSA encourages the Commission to reaffirm in the final IR that the focus of incident reporting should be on the “continuity” of the service as outlined in Article 16(2) of the Directive. BSA cautions against the introduction of “confidentiality” and “integrity” as these aspects are both sufficiently covered by the General Data Protection Regulation (GDPR). The Directive should seek to ensure that DSPs only report “significant incidents” while avoiding the creation of reporting overlaps with other legislation.

When considering “Article 4 – Substantial impact of an incident”, we stress that incident reporting should focus on those incidents which are truly “significant” so that both DSPs and competent authorities are not overburdened with the reporting of minor incidents. To achieve this objective, the future IR should avoid being overly prescriptive and we caution against the introduction of low quantitative thresholds. BSA questions whether the thresholds proposed in the draft IR, specifically Article 4(1)(a), would achieve the stated objective of the Directive that only “significant incidents” are reported to the competent authority. BSA interprets a threshold of 5 million user hours to equate to a 1-hour loss of service for 83,300 users. The significance of such a loss of service will likely depend on the number of users serviced by a DSP. A percentage of active licensed users impacted (e.g. 40%) may be a better approach. Furthermore, with regard to Article 4(1)(e), BSA cautions against the introduction of a geographical threshold into the final IR. DSPs typically track incidents based on the area covered by a given data centre rather than by national jurisdictional boundaries. An exact determination of impacted jurisdictions is often difficult as many users access services via remote gateways, extraterritorial virtual private networks and other proxies that may be difficult to geo-locate, whether for technical reasons or, more importantly, due to privacy law prohibitions. Even if such a determination could be made, such a threshold would mean that any incident affecting one or more users in two or more Member States would constitute a reportable incident.
Read full response

Response to Improving cross-border access to electronic evidence in criminal matters

30 Aug 2017

BSA | The Software Alliance (BSA), the leading advocate for the global software industry, welcomes the opportunity to comment on the Commission’s inception impact assessment on ‘Improving cross-border access to electronic evidence in criminal matters.’ BSA supports the efforts of the Commission to address the challenges facing cross-border access requests for electronic evidence (e-Evidence) and shares the desire to achieve greater harmonisation and legal certainty. As the Commission evaluates possible legislation, we wish to provide the following comments: BSA believes that the principle of mutual recognition should constitute the foundation of any legal instrument and supports the Commission in its selection of Art. 82 TFEU as the necessary legal basis for any future legislation. We encourage the Commission to ensure that the draft law reflects the principles of the EIO whereby a law enforcement agency must effectively demonstrate that the investigative measure and evidence being sought ensure full respect for the Charter of Fundamental Rights (CFREU). Any limitation of such rights would need to meet the strict proportionality and necessity requirements of Art. 52 CFREU. When considering the investigative measures outlined in “Option 1”, we believe there should be a clear distinction between a possible legal framework built around “production requests” and “production orders”. While the former largely reflects today’s legal framework, the latter would constitute a departure from current practice. This would particularly be the case should service providers be compelled to disclose content data outside of the MLAT framework. Should the Commission decide to introduce a mandatory direct disclosure regime, it will have to be based on a proper impact assessment and clear evidence that current voluntary practices are no longer sufficient. On the issue of direct access, we would caution the Commission against pursuing such a legislative option as set out in “Option 2”.
A framework providing Member States with the ability to directly obtain e-Evidence through a seized device or information system, without any involvement of a service provider, would lead to an erosion of trust amongst citizens. Such a framework, if envisaged, must include clear judicial oversight, fully respect fundamental rights and avoid placing an obligation on service providers to weaken cybersecurity standards. Any investigative measure should avoid creating conflicts of law and BSA welcomes the recognition by the Commission of this important objective in its roadmap. Regarding “Option 3”, we encourage the Commission to limit the scope of the investigative measure to data from EU subscribers or data stored by a service provider within the EU. Only entities acting as ‘data controllers’ should be the recipients of an investigative measure as they are legally responsible for the management of their data. Demands to service providers acting as ‘data processors’ for access to customer data should occur only under exceptional and clearly defined circumstances. Moreover, any extra-territorial application of a future legislative instrument should be avoided. Instead, the Commission should seek to ensure that the framework does not create conflicts of law and finds common reciprocal solutions with international partners so that service providers operating across numerous jurisdictions are not faced with conflicting legal obligations. With respect to “Option 4”, we believe that a dedicated dialogue with third countries should be immediately pursued. An intra-EU framework must be complemented with durable international frameworks. When considering the trans-Atlantic context, we believe the recent introduction of the International Communications Privacy Act in the US provides a unique opportunity for the creation of an EU-US framework supplementing the more laborious MLAT process. BSA stands ready to work with the EU to achieve this ambitious objective.
Read full response

Response to Review of ENISA Regulation and laying down a EU ICT security certification and labelling

4 Aug 2017

BSA | The Software Alliance (BSA), the leading advocate for the global software industry, welcomes the opportunity to comment on the European Commission’s inception impact assessment on the ‘Proposal for a Regulation revising the ENISA Regulation (No 526/2013) and laying down a European ICT security certification and labelling framework.’ BSA commends the Commission for the steps it has taken to strengthen the EU’s cyber resilience and shares the desire to continue building trust in the Digital Single Market. As the Commission further develops possible policy options related to both the review of ENISA’s mandate and the potential creation of a European ICT security certification and labelling framework, we wish to provide the following comments.

BSA is a strong supporter of ENISA and believes the agency has played a central role in strengthening the capability of Member States and industry in preventing, detecting and responding to cyber threats and incidents. We encourage the Commission to renew the mandate of ENISA and support “Option 2 – Enhanced ENISA”, ensuring that ENISA plays a central role in facilitating the exchange of cross-sectoral best practices, particularly when it comes to adoption of baseline ‘cyber-hygiene’ techniques. Moreover, ENISA should have a larger role in developing cooperation with third countries, as the cyber threat landscape is global in nature and thus requires international solutions. While we support the work of ENISA, we would caution against “Option 3”, as we see no need for ENISA to obtain full operational capability, particularly when it comes to the development of EU-wide standards or the implementation of potential security certification and labelling frameworks. Incident mitigation and response should remain the competence of national CSIRTs. Instead, ENISA should focus on further supporting CSIRTs through cyber exercises aimed at increasing cross-border cooperation for responding to large-scale cyber incidents.

On the issue of certification and labelling, we encourage the Commission to pursue “Option 1”, with a strict focus on voluntary, consensus-based, and industry-led initiatives, including self-assessment schemes. BSA believes that such a process should rely upon international standards and welcomes the recognition by the Commission of this important facet in its roadmap. Moreover, BSA members would be open to the contribution of ENISA’s technical expertise in the development of any technical specifications and standards, in the context of ongoing international efforts. However, relying upon a voluntary, consensus-based, and industry-led standard-setting process cannot be an effective approach unless the approach is adopted on a wide scale. Market-driven incentives for adopting any future standards are preferable to other alternatives; requiring adoption through legislation or using adoption to shape insurance markets and legal liability may have the unintended result of impeding flexible, outcome-oriented standards. Instead, industry and the Commission must collaborate to develop incentives for adoption. This will require any future certification schemes to emphasize security development lifecycle processes and to be flexible and outcome-oriented. There must also be an alignment amongst approaches, as a proliferation of different initiatives will serve to confuse rather than inform end-users.

We also support the Commission in encouraging more Member States to join SOG-IS. However, we caution against pursuing this through a legislative proposal making Member State participation mandatory, as SOG-IS participation is closely linked to available Member State resources. Instead, it should be encouraged with an emphasis placed on resource and capacity building. Furthermore, we note that SOG-IS cannot become a ‘catch-all’ solution, as it is specifically tailored towards ‘Common Criteria’ and this approach cannot apply to most software products.

Meeting with Julian King (Commissioner)

19 Jun 2017 · Cybersecurity and encryption

Meeting with Juhan Lepassaar (Cabinet of Vice-President Andrus Ansip)

13 Jun 2017 · Digital Transformation of the DSM, Free Flow of Data

Meeting with Andrus Ansip (Vice-President) and

24 May 2017 · GDPR Implementation and Privacy Shield

Meeting with Andrus Ansip (Vice-President) and

19 Dec 2016 · Discussion with industry on general data protection regulation implementation

Meeting with Laure Chapuis-Kombos (Cabinet of Vice-President Andrus Ansip), Maximilian Strotmann (Cabinet of Vice-President Andrus Ansip)

8 Dec 2016 · Free flow of data, data protection

Meeting with Kevin O'Connell (Cabinet of Commissioner Věra Jourová)

7 Dec 2016 · Privacy Shield

Meeting with Pauline Rouch (Cabinet of President Jean-Claude Juncker)

6 Dec 2016 · Digital Single Market

Meeting with Michael Hager (Digital Economy) and DIGITALEUROPE and

27 Sept 2016 · DSM

Meeting with Maximilian Strotmann (Cabinet of Vice-President Andrus Ansip)

20 Sept 2016 · startups, data, international

Meeting with Andrus Ansip (Vice-President) and

30 Jun 2016 · Privacy shield, data protection

Meeting with Michael Hager (Digital Economy) and DIGITALEUROPE and

3 May 2016 · DSM

Meeting with Věra Jourová (Commissioner) and

25 Feb 2016 · EU-US Privacy Shield

Meeting with Michael Hager (Digital Economy) and DIGITALEUROPE and

23 Feb 2016 · DSM

Meeting with Andrus Ansip (Vice-President) and

8 Feb 2016 · EU-US Privacy Shield

Meeting with Andrus Ansip (Vice-President) and

14 Oct 2015 · Meeting with tech businesses after Safe Harbour ruling

Meeting with Michael Hager (Digital Economy) and DIGITALEUROPE and

14 Jul 2015 · DSM

Meeting with Pauline Rouch (Cabinet of President Jean-Claude Juncker)

11 May 2015 · Digital Single Market

Meeting with Laure Chapuis-Kombos (Cabinet of Vice-President Andrus Ansip)

24 Mar 2015 · DSM action plan, cybersecurity, data flows and intellectual property rights

Meeting with Robert Madelin (Director-General Communications Networks, Content and Technology)

24 Mar 2015 · WEF, DSM

Meeting with Laure Chapuis-Kombos (Cabinet of Vice-President Andrus Ansip)

24 Mar 2015 · DSM action plan, cybersecurity, data flows and intellectual rights

Meeting with Michael Hager (Digital Economy) and DIGITALEUROPE and

20 Jan 2015 · Digital Agenda