Lobbying Activity
Response to The EU Cybersecurity Act
10 Jun 2025
GMVV & Co. GmbH is a strategic think tank, registered with the Parliament of the European Union and the Commission in the EU Transparency Register under Section IV, specialized in research in the field of criminal law and justice in connection with the protection of human and civil rights. In April 2023, the European Commission presented a proposal to amend Regulation (EU) 2019/881 (Cybersecurity Act, CSA). The aim is to include Managed Security Services (MSS) within the scope of the European Cybersecurity Certification Framework (ECCF). Although the Commission itself does not foresee any significant impact on fundamental rights, this analysis evaluates not only the proposed amendments, but also adjustments that are necessary from a human rights perspective and provides corresponding recommendations. The basis for this approach lies in prior assessments and experience with the current legal framework, which raise serious concerns regarding compliance with the Charter of Fundamental Rights of the EU and the ECHR. Furthermore, the current version of the Cybersecurity Act, together with the proposed amendments, gives rise to substantial doubts about the adequacy of legal remedies in accordance with the rule of law. Cybersecurity and human rights have a complex relationship: On one hand, effective cybersecurity helps protect fundamental rights for example, by preventing unauthorized access to personal data or safeguarding the integrity of democratic information spaces. On the other hand, poorly regulated or overly security-focused measures can threaten basic rights such as privacy, freedom of expression, or equality. That's why its essential to assess any cybersecurity legislation not only from a technical and economic standpoint but also through a normative lens, taking human rights into account. We recommend: anchoring human rights more explicitly in the CSA by referencing the EU Charter of Fundamental Rights; involving a fundamental rights expert in the development of certification criteria; explicitly incorporating additional GDPR principles such as data minimization, purpose limitation, and transparency into the certification criteria; developing a mandatory certification framework, particularly for the high assurance level; establishing a systematic and recurring review of resource needs for ENISA. The European Commissions proposal from April 2023 to amend the 2019 Cybersecurity Act represents an important step toward expanding the European cybersecurity framework. The inclusion of MSS in the EU-wide certification scheme addresses real security risks and responds to market fragmentation tendencies within the Union. The newly introduced security objectives (Art. 51a) are to be welcomed as technically sound and privacy-conscious measures. At the same time, the amendment falls short in several key normative aspects. It misses the opportunity to systematically anchor fundamental rights within the CSA. In contrast to related EU legal instruments such as the GDPR or the AI Act, the revised CSA still lacks an explicit reference to the EU Charter of Fundamental Rights. Likewise, a human rights-based certification framework with clear lines of accountability, enforceable sanctions, and liability provisions is notably absent. The continued voluntary nature of certification even at high assurance levels poses a significant risk to fundamental rights, especially in the context of sensitive security services commissioned by public authorities. International models demonstrate that mandatory certification regimes are both legally enforceable and economically viable. Building a trustworthy European cybersecurity market requires not only technical standards but also a normative foundation. A gradual move toward mandatory certification combined with independent oversight and human rights expertise, would be a crucial step toward sustainably securing trust, safety, and freedom in the digital space.
Read full responseResponse to 2025 EU Justice Scoreboard
2 Dec 2024
The proliferation of anti-terror legislation worldwide created a precarious balance between ensuring national security and upholding universal human rights. While the urgency to combat terrorism is undeniable, the erosion of fundamental principles such as the right to a fair trial and the prohibition of torture raises critical legal and moral questions. Democracies risk undermining the values they aim to protect when security measures overshadow the rule of law. Anti-terror laws often result in the suspension or restriction of basic civil liberties, including due process and fair trials. This development not only undermines the presumption of innocence but also risks normalising practices that violate the inherent dignity of individuals. Particularly troubling is the cooperation with regimes that disregard fundamental human rights, leading to complicity in practices such as torture or arbitrary detention. Cross-border legal assistance has increasingly facilitated actions that contravene the rule of law, allowing for the freezing of assets based on requests from foreign authorities without assessing whether the requesting state meets basic standards of due process. Similar legislative frameworks across the EU enable the circumvention of rights guaranteed under instruments like the ECHR and the EU Charter of Fundamental Rights. Information sharing through bodies such as Europol and Financial Intelligence Units exacerbates this issue. These exchanges often occur without robust oversight or judicial scrutiny, particularly when sensitive data is transmitted to states lacking independent judiciaries. The consequences are severe: accused individuals are left vulnerable to unfair trials or politically motivated prosecutions. EU member states have adopted preventive measures that strain the rule of law. The preventive freezing of assets or detention, particularly targeting individuals with migration backgrounds, undermines the principle of equality before the law. These practices highlight a troubling shift towards pre-emptive action, where suspicion alone suffices to curtail fundamental freedoms. The reliance on preventive measures risks transforming rule-of-law states into preventive states, where individual rights are subordinate to state security. The argument that the end justifies the means imperils the principles of constitutional democracies, fostering a culture of arbitrary governance. This trajectory threatens to reduce citizens to mere security risks, subject to surveillance and state control without adequate legal recourse. Democratic societies must recommit to the protection of universal human rights, especially during crises. Legal frameworks for cross-border cooperation should mandate compliance with due process and human rights standards as prerequisites for assistance. This includes ensuring that requesting states adhere to the principles enshrined in the ECHR and related human rights instruments. The EU has a crucial role in safeguarding these values. By setting and enforcing clear standards for cross-border legal assistance, the EU can ensure that cooperation does not come at the cost of fundamental rights. A refusal to compromise on inalienable rights such as the prohibition of torture must remain non-negotiable. The fight against terrorism must not undermine the principles that underpin democratic societies. The rule of law and human dignity must be protected as non-derogable values, even in the face of securitythreats. Ensuring that legal measures respect human rights is not merely a moral imperative but a practical one, as it preserves the legitimacy and credibility of democratic governance. Democracies must stand firm against the erosion of these principles.
Read full responseResponse to Binding standards for equality bodies
14 Dec 2022
EU-Consultation GMVV & Co. GmbH Think Tank: Binding Standards for Equality Bodies The GMVV & Co. GmbH Think Tank welcomes the initiative to create binding standards for equality bodies. A particular focus here is on creating an equality and non-discriminatory reality in the EU labor market. Within the European Union, there is still a significant regulatory gap between socio-political issues and economic policy. Social policy is regulated according to the principle of subsidiarity and hence by the Member States. By contrast, much economic and financial policy has been primary legislation adopted by the Union to achieve economic objectives, including in the areas of company law and financial stability. In the European Union, since the creation of the Community Charter of the Fundamental Social Rights of Workers in 1989, social issues have been considered of equal importance with economic ones, at least in declaratory terms. The second recital in the preamble to the Charter states that combating unemployment and promoting employment are the primary economic and social objectives within the European common market. Equal pay for men and women was enshrined in the Treaty of Amsterdam, now Article 157 TFEU. The Treaty of Nice further defined the respective competencies of the European Union and Member States regarding social issues, without requiring actions by the Member States, now Article 151 TFEU. In fact, however, there is still no true gender equality in the EU labor market. Especially during the Covid-19 pandemic, the impact in the labor market was disproportionately more negative for women than for men. The World Economic Forums Gender Gap Report 2022 shows that the shutdown of childcare facilities and schools during the pandemic meant that childcare was predominantly the responsibility of mothers. Here, there was a clear reversion to traditional patterns of caregiving responsibility. The report states: The decade of austerity that followed the 2008 Global Financial Crisis constrained sectors that provide the core of social infrastructure, affecting outcomes for families and primary caregivers often women during the pandemic. Geopolitical conflict and climate change both impact women disproportionately. In addition, the projected deepening of the current cost-of-living crisis is also likely to impact women more severely than men, as women continue to earn and accumulate wealth at lower levels. Against this background, one focus of the equality bodies, which is reflected in the Proposal Directive of the Commission and the EU Parliament, must be that not only the principle of equal pay for equal work is strengthened, but also mechanisms must be created to establish, among other things, pay transparency. At the same time, the trade unions must be involved to establish the highest social standards throughout the EU in the long term. Finland and Sweden stand as beacons of gender equality among the EU Member States. Global progress at the current rate to close the gender gap would take about 132 years, according to current estimates by the World Economic Forum. The EU, with the involvement of the European Trade Union Confederation (ETUC), must anchor the equal treatment bodies in law in such a way that the goal of gender equality is implemented without social dumping between individual EU Member States, especially in the EU labor market. The GMVV & Co. GmbH Think Tank is open for further public consultation or individual interviews.
Read full responseResponse to 2023 EU Justice Scoreboard
14 Dec 2022
EU-Consultation GMVV & Co. GmbH Think Tank: 2023 EU Justice Scoreboard Call for Evidence The present initiative 2023 EU Justice Scoreboard for the efficient design of judicial systems and the strengthening of the rule of law within the EU requires, above all, a strengthening of the protection of fundamental rights pursuant to Art. 47 of the Charter of Fundamental Rights (CFR). Considering EU anti-money laundering legislation, especially since the 4th Anti-Money Laundering Directive (AMLD) came into force, an extensive catch-all approach of this legislation has de facto put money laundering, terrorist financing and tax evasion on the same level in the fight against crime. Combined with the increasing transfer of sovereign tasks to private actors and the inclusion of private databases such as World-Check in combatting money laundering, citizens are often left without an effective legal remedy. The guarantee of effective legal protection, which is guaranteed by Union law, is repeatedly suspended. Today, the EU promotes an on-going unbridled and unrestricted transfer of personal data to third-party countries by virtue of the AML framework, placing every citizen under a general criminal suspicion and carrying out investigations under this policy without grounds for reasonable suspicion, which is incompatible with the rights described in the ECHR and the Charter of Fundamental Rights. The amendment of the 4th AMLD that extends the powers of the FIUs should have been accompanied by a detailed review of the rights to privacy and data protection that citizens enjoy by virtue of the ECHR and the Charter. Ever since the Schrems I ruling, the question of how constitutional guarantees from third countries should look like when exchanging data to conform with legally guaranteed protections and fundamental rights for EU citizens is a pressing issue. There have to be legal, administrative and compliance-related practices in third countries that give individuals the right to a judicial remedy in the event of a violation of data privacy rights by the third country authorities. Art. 47 of the Charter should be a benchmark. Considering the multitude of data exchange agreements between FIUs and third countries that lack democratic forms of government or have underdeveloped constitutional structures, the question is how the EU can ensure the legal guarantees under the Charter in practice. The exchange of data within the Egmont Group, the largest FIU cooperation network worldwide with over 150 members, is not only opaque but largely free of democratic controls. Since the Egmont Group includes not only countries like Germany, the UK, and Switzerland, but states like Saudi Arabia, Uzbekistan, and Sudan, it is completely unclear which guarantees the latter could give that complied with the Charter. The cooperation between various EU law enforcement agencies, including the European Public Prosecutor Office (EPPO), Eurojust and Europol, has shown over the past two years, particularly in the EncroChat, Anom and Sky cases, that while there have been achievements in fighting crime, these achievements have lacked democratic control and constant monitoring to ensure compliance with fundamental rights. Wiretaps and surveillance were often conducted without judicial warrants. The raw data obtained was not provided to the courts or to the lawyers involved in the proceedings to guarantee the principles of a fair trial. This action by the EU law enforcement agencies is thus beyond democratic scrutiny.
Read full responseResponse to Administrative and technical aspects of the transfer of the e-CODEX system to eu-LISA and its maintenance
22 Nov 2022
EU-Consultation GMVV & Co. GmbH Think Tank: Judicial cooperation in civil and criminal matters e-CODEX system for data exchange (technical and administrative aspects) The currently presented draft of the Implementation Decision on the service level requirements for the activities to be carried out by eu-LISA concerning the e-CODEX system refers to Regulation (EU) 2022/850 of the European Parliament and of the Council of 30 May 2022 on a computerised system for the cross-border electronic exchange of data in the area of judicial cooperation in civil and criminal matters (e-CODEX system), amending Regulation (EU) 2018/1726. Recital (3) of Regulation (EU) 2022/850 refers to the need for a more efficient digital cooperation between judicial systems within the EU and for the simplification and acceleration of electronic cross-border exchange of case-related data. In addition, the Regulation states that citizens and companies should be enabled to provide and exchange documents and evidence in digital form to the judicial authorities or other authorities. Recital (4) of Regulation (EU) 2022/850 claims that the digitization of proceedings in civil and criminal matters is intended to strengthen the rule of law and fundamental rights guarantees. Yet, this goal is de facto largely disregarded in the present draft of the Commission Implementation Decision. Only 3.1.7. and 3.1.10 of the Annex to the Commission Implementing Decision refers to the compliance with the fundamental rights guarantees granted in Regulation (EU) 2022/850 recital (12) sentence 2, which, however, only has a declaratory character. The legal implementation of the e-CODEX system thus leaves completely open how compliance with rule-of-law guarantees is to be monitored and ensured. Digitization and the cross-border exchange of data, especially in criminal law, pose considerable risks to the preservation of the rights of the accused and, in principle, to compliance with fundamental rights. The recent controversial judicial cooperation between French investigative authorities, Europol and other law enforcement agencies of EU member states regarding EncroChat, SkyECC and Anom (Anom involved US authorities, including the FBI), which is currently being discussed throughout the EU, has significantly weakened confidence in the compliance of investigative authorities with constitutional principles. French authorities obtained data, which they transferred to other European countries via Europol without disclosing how they had obtained the data or disclosing the raw data that therefore could not be examined for reliability, as the French authorities classified the data and data acquisition as military secrets. On October 11, 2022, the French Court of Cassation ruled that data from the French Center for Combating Digital Crime (C3N), classified as military secrets by French investigative authorities, must be disclosed to the courts and defense lawyers to ensure a fair trial under the rule of law. Since 2020, in this pan-European police operation, thousands of unauthorized wiretaps have been conducted without court orders and reviews, and numerous arrests have been made. These measures de facto constituted a breach of the EU Charter of Fundamental Rights, including the right to a fair trial, the right to privacy, and the right to data protection, on the grounds of being able to fight crime more efficiently. Currently, the entire case has been referred to the European Court of Justice for a decision, among others by the Berlin Regional Court. Against this background, the present draft of the Implementation Decision on the service level requirements for the activities to be carried out by eu-LISA concerning the e-CODEX system together with the Annex must define and enshrine the guarantees of fundamental rights in a much more far-reaching and precise manner.
Read full response