Answer given by Executive Vice-President Vestager on behalf of the European Commission
3.9.2024
1. The Commission rejects Microsoft’s accusation. Microsoft’s comments appear to relate to a unilateral public undertaking it made in July 2009 about interoperability with certain products, including Windows. While the Commission welcomed the initiative at the time, the unilateral undertaking in question was informal vis-à-vis the Commission. More importantly, the Commission stresses that Microsoft remains free to decide on its business model and to adapt its security infrastructure to respond to threats, provided this is done in line with EU competition and cybersecurity law.
2. The Commission is committed to doing its part to ensure that all EU citizens and businesses are well protected against cybersecurity risks. The NIS2 Directive[1] now being transposed by Member States, raises the level of ambition on cybersecurity in a future-proof way, through a wider scope, clearer rules and stronger supervision tools. Furthermore, the upcoming Cyber Resilience Act[2] will further strengthen supply chain security by introducing cybersecurity requirements for all hardware and software made available in the EU. Additionally, the Commission continues to be engaged in mapping dependencies that can pose cybersecurity risks.
3. The Commission considers that competition law does not impede on IT security. In the application of competition law, the Commission seeks to ensure that companies compete on equal terms across Member States, while at the same time incentivising them to offer the best products at the lowest price. When justified, the Commission takes into account in its assessment objective justifications put forward by companies (which can include IT security issues), following the principles developed in the case-law of the Union courts.
- [1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
- [2] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.