Text by Doctor of Law Eneken Tikk
EU regulations in the field of digitalization and cybersecurity have received much attention, a share of criticism and a fair amount of praise. The General Data Protection Regulation has affected personal data protection standards and practices across the world. The Digital Services Act is believed to create a watershed moment in the history of Internet regulation. Without doubt, the EU is the most thorough regional normative actor, able to provide incentives for higher standards of cybersecurity across sectors and communities. When it comes to sustaining positive change and contesting for global normative leadership, however, the EU’s regulatory strategies must build on and interact with a broader value and interest base, including industry and non-liberal regimes.
A Shift of Gears, not the Finish Line
The EU is developing a promising regulatory formula to balance its economic prosperity with comprehensive security. After a period of heavily cybersecurity-focused regulation, the Digital Decade is devoted to trust and resilience, balancing digitalization and cybersecurity. Thematically, there is hardly any technology-related development that the EU has not touched upon – everything from open data to fintech to 5G to AI. Several of these topics have been subject to extensive debate and consultations, demonstrating that the EU’s normative processes indeed are designed to build wider consensus and coherence of regulation. For most of the EU’s regulatory developments since 2016, however, their deep and enduring effect is still to be achieved.
For instance, in 2020, increased awareness and clearer rules were still the main effects listed in conjunction with the implementation of the GDPR. The achievement of the NIS 2 framework inevitably points to deficiencies in the original NIS framework. Instruments that the public is currently hearing about – even the Cybersecurity Act, but also the Digital Markets Act and the Digital Services Act – are too new to determine whether and how they will deliver.
Elephants in Brussels
There are significant unanswered questions in the current regulatory strategy. Notable in the regulation adopted since 2016 are strong enforcement levers and the obligation load on the private sector. While the GDPR and NIS govern both public and private sector stakeholders and demand national-level strategic cybersecurity preparedness, recent regulatory emphasis identifies big tech as the main source of insecurity and lack of trust in digital markets and services. There are, however, several elephants in the room. Firstly, especially when it comes to foreign influence operations, online platforms are just a mirror image of ever more tense international relations. Just as political differences give birth to state-on-state cyber operations, they also manifest in and as information operations. Secondly, digital literacy that would correspond to the sophistication of advanced (and heavily ICT-dependent) information societies is still scarce not just among populations but also governments. Alongside elites and experts invested in the issue, parliaments, courts and many segments of the population have little to no preparedness to adequately secure their own information environment. Thirdly, as eager as governments are to guide private cybersecurity obligations, they remain reluctant to curb their own operational space. Finally, not all regulatory initiatives have been inherent – the influence of the GDPR, for instance, on US privacy regulation, would have been much more cumbersome without the contribution of Max Schrems. Thus, the long-term sustainability and effects of EU regulation in the field of digitalization and cybersecurity are not necessarily guaranteed. The foreign policy backdrop of the EU’s regulatory posture is essential in this context.
The EU is establishing itself as a pole in a multipolar international system. Despite declared independence, the EU and the US have been broadly aligned on two key international cyber diplomacy positions: that no new binding international obligations will be negotiated when it comes to cybersecurity and that no international dialogue will be held on information security. Consequently, issues of foreign influence remain to be resolved at domestic level.
The 5G debate is a good illustration of how security policy can clash with the market economy. The Schrems rulings further demonstrate how executive security solutions can be resolved where the balance of power is restored by judicial authority. In this context, the annulment of the Data Retention Directive in 2014 is still a valid reminder of the fallibility of the EU’s regulatory authorities. While the checks and balances of the European governance model provide avenues for various stakeholders to hold each other accountable, they also take time and occasion to materialize.
In reaction to Russia’s invasion of Ukraine, the European Union seems to have acquired an independent strong voice in international affairs. However, the EU cyber diplomacy toolbox and diplomatic engagement demonstrate close alignment with the United States whenever cyber operations are concerned. Assuming that the not-so-subtle EU-US political alignment and the resulting compromises in both Brussels’ and Washington’s approaches to digitalization and cybersecurity will work for the EU, it is still hard to see how the EU’s take on digitalization and cybersecurity can inspire other states.
The Challenge Ahead
Many questions addressed in the recent EU regulations are global issues – for some states equally acute, for others right around the corner, and for still others, in the distant future. At the world level, the demographic and developmental imbalances, value transformations, shifting geostrategic and geoeconomic maps, combined with technological innovation and competition, will require major redesign of governance.
It is hard to tell where cybersecurity and digital issues begin or end, or whether the issues of a trusted online environment and secure ICT infrastructure can be separated from the overall hyper-turbulent and super-complex international relations.
In a way, for the EU to be able to afford high digitalization and cybersecurity standards for its own purposes requires developing an interface for engaging with other actors, especially industry and governments with values and principles different from those of the EU. At the world level, the internet penetration rate is just above 62%, a very different reality from the 98% of the generally like-minded liberal democracies. There is no clear consensus as to whether wider digitalization is a uniformly shared goal for the international community and even if so, the world will face the same hesitations and fears about ICTs that the EU has acknowledged among its own constituencies.
For an internationally sustainable information society, it is essential to have as many stakeholders as possible inside, not outside, of the solution. The EU’s cyber diplomacy, to be constructively polar, could build on Kelsen’s note that peaceful international relations are much more important than choices between democracy and autocracy, or capitalism and socialism.
The EU faces several internal and external tensions that will determine how successful the latest regulatory reform in the technology and digital sector will be. Increased instability will keep manifesting in political risk that the industry and the civil society may not be able or willing to entirely absorb.
Cyber issues are hardly just cyber issues, and a global security governance regime is still in the making, with the EU and US having opted for damage control more often than leading.
In the meantime, not just technology but society and international affairs overall become increasingly immeasurable, hard to reason about and quantify.
Against this reality, better and more far-reaching decisions require cognition, modeling and deliberation, something that, in turn, demands deep and thorough understanding of the interaction of political and economic, human and technical, visible and invisible factors.
To require values from algorithms requires conditions where those values can be first demonstrated, observed and learned, both by machines and humans.
The current approach, therefore, is at best halfway there.
Doctor of Law Eneken Tikk
Eneken is a member of the Cyberwatch Finland advisory board. She has advised governments and corporations on regulatory and policy developments related to digitalization and cybersecurity. Her recent work focuses on countering foreign influence, the emergence of global data protection regimes and the feasibility of strategic partnerships between government and digital industry.
The video interview was recorded at the Cyber Security Nordic event in May 2022
 Kelsen, Peace through Law, 1944, page viii.