
Europe’s Third Way in Cyberspace

What Part Does the New EU Cybersecurity Act Play?

SWP Comment 2019/C 52, 19.12.2019, 8 Pages



Cybersecurity has become a key issue for Europe in the global digital transformation. The EU Cybersecurity Act lays down a legal framework whose aim is to achieve global reach. Embedded in a policy that combines digital sovereignty with strategic interdependence, the Act could represent the gateway to a third European pathway in cyberspace, something in between the US model of a liberal market economy and the Chinese model of authoritarian state capitalism. The Cybersecurity Act will be a binding framework for action and provide a tailwind for German cybersecurity policy.

Cyber threats are both a component and the spearhead of global competition between liberal democracies and authoritarian systems. The differing understanding of cybersecurity and information security between Western countries, on the one hand, and states such as China and Russia, on the other, remains a key area of conflict in international politics. After more than ten years of unsuccessful negotiations against a backdrop of growing rivalry between the US and China, an agreement on global standards and regulations is still a long way off. The EU is trying to find a third way which circumvents this rivalry. This has become apparent in, among other things, the 5G debate. The Commission is inclined to allow the Chinese company Huawei to be involved in building European 5G infrastructure, subject to tight controls and only if all market participants meet strict hardware and software certification criteria. The question of the trustworthiness of Chinese telecommunications components is being shelved in favour of a market regulation solution. With its General Data Protection Regulation (GDPR), which Member States have been required to apply since May 2018, and its consistent approach to competition policy, the EU has taken on an effective and globally respected role as a regulatory power, achieving a balance between consumer protection and the competitiveness of industry. The EU Cybersecurity Act further strengthens Europe’s regulatory power. However, the European cybersecurity certificate, established with the entry into force of the Act in June 2019, will only be able to develop into a global model if it is flanked by a European strategy for the digital space. Regulation, competition and industrial policy, as well as support for innovation, must be tied to security and cyber foreign policy.

The key question will be whether and how the EU can strengthen European digital sovereignty whilst preserving its liberal democratic traditions in the digital space and ensuring the necessary strategic interdependence with other regions of the world.

Cybersecurity at the heart of global conflicts

The relevance of the current conflicts between the US, China and the EU goes far beyond trade and investment policy issues. They are so contentious because digital technologies form the communicative infrastructure of highly developed information societies. Those who control the hardware and software also determine which innovations and business models are possible and who has access to what information. There is increasing cooperation between private technology companies and institutions that perform tasks of state responsibility, such as protecting critical infrastructure. This trend can be seen both in the EU and in the US, but much more so in China and Russia, whose governments regard cybersecurity to an even greater extent as the cornerstone of their striving for state control over cyberspace. The EU no longer treats companies that help China and Russia expand social surveillance, or that cooperate with the NSA in the US, merely as apolitical, market-economy actors.

Conflict of values

Since Edward Snowden’s revelations and the use of digital technologies for state surveillance, the aspiration that the Internet will promote freedom and human rights everywhere is no longer completely plausible. It is evident that today’s Internet is a space in which conflicts of values and distributional conflicts occur and future modalities of individual and social self-determination are negotiated. The technology of the network infrastructure and its associated applications are not value-neutral instruments; instead they shape decisions and actions. They are instruments of value-related policies, as the dispute over the Chinese technology company Huawei shows. The US administration views Huawei not only as a market participant but, at the same time, as a Trojan horse for an unfriendly government. Beijing rejects these allegations and considers the exclusion of Huawei from the US market as a measure directed against China’s position in the global market as a whole.

The conflict over Huawei marks a break with the purely market-based logic of global trade relations and expedites a growing digital mercantilism. Many see converging markets as no longer simply an opportunity to improve prosperity, but also as a danger to self-determination and public safety. They argue that digital products are suitable for undermining value systems and subverting governmental control through technical backdoors. Terms such as “technological sovereignty” and “economic vulnerability” or “weaponized interdependence” are an indication and legitimation of the growing willingness to restrict innovation and competition when it comes to digital products and services. However, new confrontations in the digital world are not limited to the relationship between the West and China. Conflicting values that are difficult to reconcile exist even today in transatlantic relations. The much vaunted transatlantic community of shared values reaches its limits where the idea of a free (digital) single market clashes with the requirement to protect personal data and informational self-determination, and with European competition law. The long-ignored dominance of US Internet companies has forced Europe to embark on a course of digital self-assertiveness – from data protection and competition law to taxation.

Cybersecurity conflict

Cyber attacks and defence are seriously challenging state sovereignty. While the complexity and interdependence of digital systems are rapidly increasing, the security quality of the hardware and software used in these systems remains underdeveloped, and there is a shortage of the skilled personnel needed to secure them. Cyberspace is constantly creating new attack vectors and targets. The criminal exploitation of vulnerabilities, such as the use of ransomware to extort companies, and state cyber attacks aimed at eliciting information or causing destabilisation, or conducted as part of hybrid warfare, are mutually reinforcing. The most extreme example is North Korea, which generates revenue from global cyber operations to fund the procurement of missile technology. In five rounds of negotiations at UN level, a Group of Governmental Experts (GGE) has been debating the international condemnation of and/or the placing of restrictions on cyber attacks, and the setting up of a cyber defence organisation under international law – but without success. No short-term progress can be expected from the current sixth round of the GGE, nor from the parallel negotiations initiated by Russia that are being conducted in an Open-Ended Working Group (OEWG).

Trade conflict

The trade dispute between the US and China is closely entangled with the shift of markets in goods and services towards digital products and services. The digital transformation of global markets is not only accompanied by growing economic interdependence, it has also increasingly reduced the ability of individual countries to control them. When US President Trump announces trade restrictions, he intends to regain control over the innovation-driven global competition the US is confronted with. At the same time, the products and services offered by US tech companies are an essential tool of state control and influence for Washington. However, complex digital systems such as 5G network technology could prove to be an almost uncontrollable technology that is built into a state’s infrastructure for decades and is ultimately under the control of an authoritarian state. Network products are increasingly software-based. The regular updates that such software requires change the behaviour of the equipment in ways the operator hardly notices, so the trustworthiness of a supplier cannot be assessed once at installation but has to be maintained over the product’s entire lifetime. At the same time, the digital transformation is affecting all market segments, from agricultural products to medical technology and mechanical engineering. Trade issues matter for digital sovereignty and vice versa.

The EU as a regulatory power

In order to assert regulatory power in this conflict-prone world without borders, the EU has committed itself to a very specific path that is fundamentally different from both Silicon Valley’s libertarian regulatory style and China’s authoritarian model. Europe’s regulatory power is based on the European Treaties and on the premise that individual freedom and social responsibility (Article 2 TEU) are equally important. Democratic decision-making is based on the rule of law, and market participants are involved as regulatory addressees in formulating and implementing legal acts within EU comitology. In Articles 3 and 10 of the TEU, the EU emphasises the individual self-determination of Europe’s citizens with its commitment to market freedoms and democracy. It involves various stakeholders and market participants in formal and informal EU procedures, where they take a position, for example, on fundamental ethical issues. In recent years, the Council of Europe, the European Council, the European Parliament and the Commission have formulated a set of principles which reflect the idea of a digital society centred on the individual and the common good at the same time. New technologies must, therefore, also be judged by whether they are conducive to democracy and whether their use respects human rights. Regulatory measures can make a decisive contribution to balancing the opportunities and risks of a technology with the interests of companies, consumers, the state and civil society. One impressive example of this regulatory approach is the EU Communication on Artificial Intelligence (AI). AI is not understood as an end in itself but as “a tool operating in the service of humanity and the public good”. The final report from an expert group set up by the Commission and published in April 2019 stresses the need to preserve human autonomy in the use of AI, to avoid harming people and to generally respect the principles of fairness and comprehensibility.

Despite the general European consensus on the need for market freedom, data protection and security to be closely linked and balanced in regulatory terms, there is still little agreement on how national security standards can be reconciled with the EU’s liberal market logic. This lack of agreement is particularly evident in the way the EU has dealt with the Chinese company Huawei.

Data protection and data security as an EU interest

The specifically European approach to digitisation can be found in the EU’s legislative acts on data protection and data security. The General Data Protection Regulation, which has applied to all companies since May 2018, sets new standards in the task of finding a balance between protecting personal data and ensuring the free movement of data in the Single Market. Data protection and cybersecurity have so far been considered separately. However, the two topics are increasingly merging into one. This can be seen, for instance, in digital energy meters (smart meters). Not only are they subject to the highest safety and security standards, they also carry the highest data protection requirements, in order to ensure that third parties do not gain illegal access to data about users’ domestic habits. By establishing a comprehensive system for defining and certifying technical cybersecurity, the EU is taking a major step towards further consolidating the role as a regulatory power that it played so successfully with the GDPR.

The Cybersecurity Act

On 10 December 2018, the European Parliament, the European Council and the European Commission agreed on the policy terms of a Cybersecurity Act. The Regulation on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act) entered into force in June 2019. The Act contains two major reforms. First, the EU cybersecurity agency (European Union Agency for Network and Information Security, ENISA) receives a permanent mandate, extending beyond its previous expiry in 2020, to assist Member States in dealing with cyber attacks. Second, it introduces a cybersecurity certification framework for ICT products, services and processes (European certification framework). Certification is based on the idea that standards and norms can create a balance between the need for consumer protection and the industry’s legitimate claim to competitiveness. Both are high European principles that need reconciling with one another. Consumer protection means protecting consumers from negative consequences, such as unauthorised disclosure or use of their data, and generally providing them with reliable and high-quality products. However, these objectives may conflict with the competitiveness of some providers. For example, companies often view high standards of privacy and data security as barriers to competition.

The Cybersecurity Act provides for a voluntary “conformity assessment” of information and communication technology (ICT) products, i.e. an EU-wide European certification framework for the cybersecurity of products, services and processes. The procedure for setting minimum standards and reviewing them has already been established in the regulations on general product safety. In this respect, the Regulation focuses on harmonising security standards. The relevant national body should be able to verify that ICT products, services and processes comply with the specified cybersecurity requirements. In order for a product category to be deemed compliant it must meet a series of review criteria, referred to in the Regulation as a “European cybersecurity certification scheme”. The European Commission, representatives of the Member States and stakeholders shall jointly determine the products for which such schemes are to be drawn up. ENISA shall prepare drafts for the schemes. As soon as European schemes for the product groups have been adopted, they will replace any national schemes.

ENISA will also specify assurance levels for ICT products and services. A European cybersecurity certification scheme may specify one or more assurance levels for ICT products and ICT services. In future, there will be three assurance levels: “basic”, “substantial” or “high”, depending on how resilient the products and services are against cyber attacks and the degree of trust that can be placed in them. Manufacturers are free to decide whether or not to certify a product according to an existing scheme. Depending on the desired assurance level, certification can be carried out by an independent conformity assessment body or take the form of a manufacturer’s self-assessment; the Regulation permits self-assessment only for the “basic” level, so “substantial” and “high” always require third-party evaluation. The aim is to boost confidence in ICT products through the implementation of various measures that are part of the certification process. Consequently, manufacturers must:

  • select secure default settings for their products;

  • provide end users with the tools to use their products in a safe and secure manner;

  • disclose security vulnerabilities;

  • state the period for which security support is provided and inform end users when it ends.

Finally, ENISA will maintain and make publicly available checklists to pre-assess the cyber risk of each ICT product and service. It will also keep and continuously update a list of ICT products and services for which it considers cybersecurity certifi­cation to be a necessity (priority list).

The European cybersecurity certification scheme will acquire global relevance due to the sheer size of the European market. In addition, two complementary mechanisms ensure that adoption of the certification schemes will occur more swiftly under the Cybersecurity Regulation. In its IT security legislation on critical infrastructures and digital services (NIS Directive), the EU requires operators of such services to take “state-of-the-art” IT security measures. The operators themselves are responsible for meeting this undefined legal requirement. The use of certified products will make it easier for them to prove that they have aligned themselves with the state of the art. In addition, the Regulation limits the voluntary nature of certification by explicitly allowing other EU legislation, for example sector-specific law, to make certification mandatory. It is likely that the Commission and Parliament will make use of this invitation to ensure that new technical applications comply with cybersecurity requirements.

The effectiveness of the new European cybersecurity certification will largely depend on the EU’s approach to developing these schemes. Some of the Commission’s statements suggest that it regards Internet of Things (IoT) products in the consumer market as a priority. Elsewhere, it advocates applying certification schemes in the field of industrial applications. Current certification schemes in the high security sector, which are mainly used for government applications, are to be transferred to the European system.

Germany is also expected to bring in national legislation to broaden certification. For example, the draft IT Security Act 2.0 includes a new system category for “Critical Infrastructure Core Components”. It refers to IT systems that are of particular importance for the functioning of critical infrastructure. Certification should certainly become obligatory for such systems. The Federal Network Agency (Bundesnetzagentur), together with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), intends to make initial use of the new provisions – in accordance with the recently introduced security catalogue – to mandate the certification of the core components of telecommunications networks. This move is a direct consequence of the debate over the lack of trust in Huawei products for 5G networks.

How might the strategy for a third way be designed?

As digital markets start to merge, different types of regulatory models have evolved globally. The Western model for liberal and open societies is increasingly in competition with the Chinese model, which is similar to those used in Russia, Iran and some Arab states and represents an authoritarian regimentation of the digital space with an equal claim to legitimacy on a global scale. Some EU Member States are already trying to pursue illiberal development paths. Given the conflicts described above, the burning questions are: what is the most appropriate stance to take in dealing with the digital space in other regions of the world? Should Europe stick to a consistent policy of digital sovereignty on this issue? Should it consequently develop its own 6G mobile data networks with the aid of national funding programmes, its own Google, its own WhatsApp and so on? As convincing as this idea may initially sound, the long-term consequences of a desire for digital strategic autonomy may be fraught with risk – both in terms of innovation policy and security policy.

Digital sovereignty and...

The term digital sovereignty refers to the ability of a subject of international law to control and regulate cyberspace. The EU’s certification schemes and data protection rules are instruments for exercising digital sovereignty, signalling that the Union reserves the right to determine how digital products and services are designed and used, based on its constitutional principles and a democratically legitimate balance of interests among market participants. This requirement, derived from the internal market principle, applies for as long as the EU’s regulatory power continues to have a real impact and where corresponding products and services are available. Nevertheless, crash barriers alone do not produce roadworthy vehicles. Exercising digital sovereignty should also include promoting the European economy’s capability and, above all, its innovation policy in such a way that it can develop appropriate solutions. Key to this are (1) maintaining and enhancing global competitiveness, (2) rules on competition that are as fair as possible, and (3) investment in digital infrastructures. The EU has its own set of values and good reasons for placing them at the heart of its internal market policy. It demonstrates its digital sovereignty by incorporating these values into its regulations on digital products and how they are used, as well as in controlling and implementing innovations.

However, heading towards this model of digital sovereignty threatens to revive old patterns of confrontation because the concept is centred around risk prevention, territorial defence and protectionism. In an effort to be less vulnerable to external risks and threats, Europe should not make the mistake of promoting exactly what it intends to prevent. The means of choice for the EU must be measures that build trust and security based on its own assessment and control capabilities, and not protectionism. Against this background, an appropriate objective would be to combine digital sovereignty with strategic interdependence.

... strategic interdependence

Strategic interdependence is a strategy that recognises that, in the context of globalisation and digitisation, reliance on resource security, production chains and market openness is only one of many drivers of complexity. In this perspective, security is not achieved by political self-reference, but as the result of a process of economic and political integration and increasing interdependence by default. Cooperative interface management, such as mutually recognising product safety certifications, replaces confrontational boundaries. European integration is the best example of how interdependence has brought peace and stability to Europe.

There are those who call this European approach naïve and fear that the EU’s high standards in data protection and data security will put it at a competitive disadvantage and that the EU will fall even further behind the US and China. They suggest that consumers are not prepared to pay for higher standards. As was the case with data protection, the problem of the relevance and enforceability of European guidelines also rears its ugly head with cybersecurity: does Europe first have to become a global technology leader in order to be able to afford ambitious local standards? A closer look at the argument quickly reveals that its premises are implausible. According to the first assumption, Europe is not in a position to set its own standards, since standards are not set in the Single Market but in the world market. According to the second assumption, the US and China will dominate for as long as they develop better performing products. This supremacy of performance is further cemented, according to the third assumption, by consumers being unwilling to recognise ethical standards as performance features and to pay more for them accordingly.

However, none of the three assumptions holds up under closer scrutiny. The General Data Protection Regulation has clearly shown that Europe is in a position to independently set demanding standards and to ensure they are applied throughout Europe. European standards even have an impact far beyond the EU. Japan aligns itself with European law, as does India and, from 2020, so will Brazil. For many globally active corporations it makes more sense to apply the demanding EU regulations everywhere than to operate with different standards in different markets. Facebook is now calling for global regulation modelled on the GDPR. European standards also have good prospects in third markets outside Europe (and outside the US, China and Russia). Ultimately, the same logic observed in EU product regulation also applies to global product regulation. The “Brussels effect” ensures that high standards displace low standards when they are legally binding in relevant submarkets. This also falsifies the third assumption that consumers are not prepared to pay for high ethical standards. The high quality of European standards and their mutual recognition, from machine safety to food purity, is an integral part of the success story of European integration and a key competitive advantage over other regions. There is no reason to assume that this logic cannot be applied to digital products and cybersecurity, and perhaps in the future to components of artificial intelligence as well.

Europe’s digital sovereignty can be reconciled with the structural openness and global connectivity of the digital single market if these goods are strategically linked with one another:

1. Europe should define core areas of digital technology and infrastructure that require assessment and accountability. For example, network technology and cloud services must certainly be trustworthy.

2. The uptake of European cybersecurity certification in these areas needs to be swift and consistent. It needs to be put on the political agenda. Germany could press ahead with this during its forthcoming Council Presidency.

3. System interoperability and platform openness must become the fundamental principles of European digital services and infrastructures. Even greater attention should be paid to these principles in upcoming national and European regulatory projects in the digital sector.

4. European infrastructure investments need to be channelled into services with the corresponding European certification. This applies equally to energy networks, digital mobility and healthcare.

5. The ability to assess and control the operation of foreign technologies in defined core areas must be regularly reviewed. The corresponding approvals should be granted for a limited time period. As with 5G, European risk assessments should also be developed for other technology areas.

6. Cyber foreign policy should be massively intensified in order to gradually ease current concerns through bilateral and multilateral security and confidence-building measures based on the principle of reciprocity. Insights into the trustworthiness of manufacturers – such as in 5G – need to be politically assessed and agreed at EU level. Technology alone cannot eliminate such doubts.

Dr Annegret Bendiek is a Senior Associate in the EU / Europe Research Division. Martin Schallbruch is Deputy Director of the Digital Society Institute at the ESMT Berlin.

© Stiftung Wissenschaft und Politik, 2019



ISSN 1861-1761

(English version of SWP‑Aktuell 60/2019)