EU Cybersecurity Proposal Makes Progress, Yet Must Steer Clear of Protectionist Measures

EU Cybersecurity Proposal Makes Progress, Yet Must Steer Clear of Protectionist Measures

The European Union (EU) is currently proposing updates to its government information security standards, which include a contentious requirement for sensitive non-classified (SNC) information to be stored and processed within the EU. This move, as outlined in Article 17(1)(c), is seen as a step towards problematic data localization.

Critics of this data localization requirement argue that it could lead to operational fragmentation, reduced efficiency, and increased costs in data handling and processing. By mandating that critical use cases be processed only by EU-based providers, they contend that this could create operational inefficiencies and add unnecessary costs.

Another concern is the potential impact on risk management and global competitiveness. By restricting data flows, firms, particularly those in the financial sector, may face diminished risk management capabilities and weakened global competitiveness. This is significant given that EU financial institutions already operate under comprehensive regulations like DORA and the Cyber Resilience Act.

Localization is also seen as a deterrent for foreign investment, making the EU market less attractive to global cloud and AI providers who prefer interoperable environments with free cross-border data flow. Furthermore, it could impose prohibitive compliance costs, raising the cost of market entry and operation for tech firms, which could stifle innovation and competition.

Critics also argue that localization measures can be discriminatory, restrict choices available to European users, and increase costs overall, potentially undermining the EU’s competitive stance in the global digital market. They suggest that the sufficiency of current regulations, such as those governing the financial sector, makes localization an unnecessary and burdensome addition.

Proponents of these measures, however, highlight digital sovereignty and protection against foreign interference as motivations for localization. Yet, opponents emphasize the significant negative business, economic, and innovation impacts, urging instead investments in education, research, infrastructure, and regulatory clarity to maintain EU competitiveness without resorting to restrictive data localization.

The EU's recent move aims to protect increasing amounts of information in the public sector. However, the impact of the Regulation will not be "limited" if it starts a snowball of distrust, potentially leading to devastating costs to cross-border trade.

The proposal for an EU-wide information security scheme includes inter-institution cooperation and governance, as well as a common approach to categorization of information and increased compatibility between systems. Despite the challenges posed by setting up data storage in the EU, paying to demonstrate compliance, and designing systems that can treat government data differently for foreign companies, the benefits of enabling cybersecurity best practices, benefiting from a global cybersecurity workforce, and continuing to cooperate with allies against cyber threats are clear.

References:

[1] European Commission. (2021). Proposal for a Regulation on European Union measures for a high common level of cybersecurity across the Union. Retrieved from https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12528-Proposal-for-a-Regulation-on-EU-measures-for-a-high-common-level-of-cybersecurity-across-the-Union

[2] European Data Protection Board. (2021). Opinion 06/2021 on the draft Regulation on European Union measures for a high common level of cybersecurity across the Union. Retrieved from https://edpb.europa.eu/our-work-docs/our-documents/opinions-recommendations/opinion-6-2021_en

[3] European Parliament. (2021). European Parliament resolution on the proposal for a Regulation on European Union measures for a high common level of cybersecurity across the Union. Retrieved from https://www.europarl.europa.eu/doceo/document/TA-9-2021-0423_EN.html

[4] European Union Agency for Cybersecurity. (2021). Opinion on the draft Regulation on European Union measures for a high common level of cybersecurity across the Union. Retrieved from https://www.enisa.europa.eu/publications/opinions/opinion-on-the-draft-regulation-on-european-union-measures-for-a-high-common-level-of-cybersecurity-across-the-union

1. Critics assert that the data localization requirement in the EU's updated government information security standards may pose challenges for artificial intelligence (AI) providers, as it could restrict free cross-border data flow and impose prohibitive compliance costs.
2. In the digital economy, the regulation of cybersecurity and data is of paramount importance, and discussions around digital economy politics often revolve around balancing the need for security with the costs of data localization.
3. The European Union's push for data localization within its borders could impact the global competitiveness of AI and tech firms, particularly those that rely on interoperable environments for efficient data handling and processing.
4. As the EU considers updates to its cybersecurity regulations, it's essential to carefully weigh the benefits of digital sovereignty against potential negative impacts on innovation, efficiency, and the attractiveness of the EU market to foreign investors.

Read also: