It may sound far-fetched, but American tech firms could be excused for wondering if the European Union is using consumer-oriented legislation as a form of protectionism for its smaller industry against foreign giants. For example, while it is difficult to criticize the purpose of the General Data Protection Regulation (GDPR) in protecting citizens’ privacy, it is the large American tech firms that are clearly targeted, seem to have been primarily selected by the various European regulators, and certainly have the most to lose.
Last week, Europe’s new Cybersecurity Act came into force. The primary purpose is to convert ENISA (the European network security agency) from its previous position as a rolling temporary agency into a permanent body with improved resources. ENISA, now known as the European Union Agency for Cybersecurity, has a more formalized purpose and has one major new function — to develop a European security certification framework.
Certification will initially be voluntary, but the European Commission has already stated that it may introduce legislation to make it mandatory in the future. This is a standard political process used in many nations: “Here’s what we would like you to do, but since we’re not satisfied with your response, here’s the legislation to make you do it.”
Governments can only enforce their own laws in their own jurisdictions (unless supported by international treaties). The effect of those laws in foreign countries is an unknown quantity. For this reason, SecurityWeek approached ENISA with one particular question: “How will future European product certification benefit U.S. manufacturers?”
Udo Helmbrecht, the agency’s executive director, has replied. He starts, “In an average European office, the ICT software and hardware that are in use today are generally built and developed in Asia and the USA. Where Europe once led the world in the deployment of initially analogue and then mobile digital technology such as GSM, Europe is now debating the appropriateness of the supply of 5G technology from non-European suppliers. Traditional EU mobile handset manufacturers are struggling to compete with major Asian and US suppliers. Moreover, successful European businesses have been or are often acquired by larger companies from the USA and Asia.”
It is, perhaps, interesting that he starts by discussing the weak state of the European industry rather than the advantages of certification to cybersecurity users.
“The European ICT industry,” he continues, “is falling behind in the global competition race in certain markets. It needs to fight for its digital sovereignty and leverage the huge potential of Member States that are ahead in the digital economy.”
He continues, “The fact that EU member states publicly voice different positions on 5G, weakens the EU’s geopolitical and trade positioning and influence in the medium-long term.”
He is still discussing the state of European industry. But then he adds, “The recently adopted regulation on ICT certification provides not only an aid on this issue (certify the technology), but also demonstrates the EU’s capability to respond to the complex challenges of new and emerging technologies. Cybersecurity certification will be a very strong tool that will benefit European industry and consumers alike.”
There is little comment on the effect of certification on foreign manufacturers. He does, however, obliquely refer to the current debate in Europe over Huawei and 5G. He seems to be suggesting that if Huawei obtains certification, or equally if it fails to obtain certification, the debate is over throughout Europe.
Now, if or when the European Commission makes certification compulsory (so that, without it, the product cannot be sold within Europe), certification could become a tool to delay the introduction of U.S. or Asian products into the European market. Meanwhile, the indigenous industry will have time to develop its own alternatives. The European internal industry will be bolstered at the expense of foreign industries.
“The recently adopted regulation on ICT certification provides not only an aid on this issue (certify the technology), but also demonstrates the EU’s capability to respond to the complex challenges of new and emerging technologies,” he adds. “Cybersecurity certification will be a very strong tool that will benefit European industry and consumers alike.”
He has made no mention of the effect of required certification on foreign products; but it is not likely that European manufacturers will be required to certify while foreign manufacturers are not.
Helmbrecht’s final comment is here in full. Again, he describes the reasoning and effect of certification on the European market, with no reference to American or Asian providers.
“ENISA is currently working with the European Commission and with the Member States on the priorities of the EU cybersecurity certification framework; ENISA is preparing and looking forward to receive a request for its services in the area of cybersecurity certification schemes,” he said. “The framework is also designed to achieve that all ICT products, services and processes are secure by design and by default. Embedding security and privacy requirements at the design phase of software and hardware can greatly help towards bringing both security and data protection to consumers. ENISA hopes that this new EU framework will be as successful as the GDPR and will become a cornerstone of the Digital Single Market.”
At this time, it would be improper to accuse Europe of being engaged in a conscious plan to weaken the American grip on global technology. It would, however, be entirely proper and reasonable for Europe to promote its own technology. Whether these combined effects are a conscious intent of current cyber legislation, or just an interesting side-effect, can only be conjecture.