Foreword
When Washington discusses new regulations, it always considers security. When the European Union ponders similar new regulations, it almost never does. This gap, while understandable, is unfortunate.
The European Union is not a military alliance. It leaves national security priorities to NATO and its 27 national member states. EU regulations have historically been enacted without proper security vetting.
CEPA’s series of Injecting Security into European Tech Policy highlights and details these risks, which are becoming more dangerous as the EU moves ahead with a broad range of significant tech regulations. It has imposed drastic restrictions on the largest US tech companies, limiting what businesses and activities they can pursue. It is on the verge of imposing protectionist new cybersecurity rules that could eject US cloud companies from the continent. And now, it is adopting new rules to restrain the rise of artificial intelligence.
The regulatory offensive coincides with a critical time in transatlantic relations. Russia’s full-scale invasion of Ukraine highlights the importance of technology on the battlefield — and in protecting critical infrastructure. China’s aggressive rise threatens Western technological leadership.
In response, both the EU and the US are bolstering domestic production of semiconductors and tightening sanctions and export controls. While positive, these moves need to be coordinated. Instead, protectionism and a quest for “digital sovereignty” on both sides of the Atlantic threaten transatlantic cooperation.
The US, for its part, has ceded much tech policy leadership to the EU. There is still no US federal privacy law. There are still no new federal rules for dealing with disinformation and illegal online content. There is an antitrust push against large US tech companies, but courts are pushing back. And the US has provided no effective opposition to potentially threatening European regulations.
Transatlantic relations suffer. US and European views converge in pushing back against Russian aggression and Chinese authoritarianism. We need to build on this alignment when it comes to a democratic vision for tech policy that puts innovation and competitiveness first. This means working together, not unilaterally. It means addressing, not ignoring, our differences over digital regulation. Above all, it means realizing that technology is central to our joint security.
Dr. Alina Polyakova
President and CEO
Center for European Policy Analysis
Executive Summary
It’s been a dramatic one-two punch. Russia invaded Ukraine. China ramped up its authoritarian ambitions. On both sides of the Atlantic, these national security crises and challenges spotlight policies governing digital technology, from cybersecurity and export controls to semiconductor production and artificial intelligence.
The transatlantic alliance depends on deep coordination on the rules governing tech — and yet, unfortunately, the US and EU find themselves moving in different, contrary directions. Injecting Security into European Tech Policy is a series of policy papers examining the increasing distance in five areas — competition policy, cybersecurity, semiconductor subsidies, artificial intelligence, and export controls.
Europe and the US enjoy complimentary instincts. Both want to bolster domestic protection of key technologies. Both want to limit Russian and Chinese access to the same key technologies. Both even use the same vocabulary to describe their goal vis-à-vis China — de-risking, not de-coupling. And yet, differing priorities and political systems often lead to divergent and conflictual policies, preventing effective coordination.
Start with cybersecurity. As Janna Brancolini recounts in “Europe Upgrades its Cybersecurity Arsenal — Frightening the US,” Russia’s invasion of Ukraine created a cybersecurity crisis. European leaders feared that Russian hacking would bring down Ukraine’s infrastructure. This catastrophe was averted. Ukraine’s banks kept operating. Trains continued to run. Although cruise missiles hit the Ukrainian government’s data center, Microsoft, VMware, and other Western companies protected the data by dispersing it outside of the country.
Ukraine’s success depended on strong private-public partnerships and a willingness to put aside counterproductive ideas about data localization and digital sovereignty. Instead of learning these lessons, Brancolini writes that European policymakers are focusing on an arbitrary crusade against private tech companies. They are preparing to impose a certification scheme on cloud computing companies that will make it difficult for the three biggest providers, Amazon, Microsoft, and Google, to do business on the continent simply because they are American.
Like the EU, the US is making cybersecurity a priority. Russian and Chinese hackers have launched numerous cyberattacks on US infrastructure and even the email accounts of US Secretary of Commerce Gina Raimondo. The Biden Administration has responded with a new National Cybersecurity Strategy, setting concrete timelines and goals for the defense of critical infrastructure. But the US plan omits specifics around data privacy, digital identity, and cloud risk. Fundament changes require congressional approval, unlikely with a paralyzed House of Representatives.
Europe Upgrades its Cybersecurity Arsenal — Frightening the US
The EU’s emphasis on privacy in its mission to advance cybersecurity could drive a wedge between public and private partners.
A similar story is playing out with semiconductors. As Christopher Cytera writes in “Confronting China and Catching Up on Chips,” the EU and the US are aligned on the security risks of an unstable semiconductor supply chain. Both are responding by supporting domestic industries. They need to coordinate — or risk competing against each other rather than against China.
Success is far from certain. Timelines differ. The US raced ahead of the EU in approving its legislative proposal and spending billions of dollars on subsidies. Critics fear overlap and that the funding could be spent on white elephant projects. Instead of building giant new chip manufacturing foundries, Cytera concludes that the funds should be used on overcoming “choke points.” The EU should concentrate on its competitive advantage in chip design, optics, and chemicals. The US should emphasize its software strengths.
Competition policy poses less discussed but perhaps equally important security risks. Both the EU and the US are concerned about the potential excessive power of the largest tech platforms. The Biden Administration has launched a series of antitrust cases against Google, Microsoft, and Amazon. But courts have pushed back and blocked much of this aggressive antitrust enforcement.
Confronting China and Catching Up on Chips
The US and the EU are gearing up to spend large amounts of public funds to boost domestic semiconductor production. Success is far from certain.
Europe has gone much further, passing a potentially revolutionary new law, the Digital Markets Act. As Bjorn Lundqvist writes in “Reining in the Gatekeepers and Opening the Door to Security Risks,” the new rules target the world’s largest digital platforms, almost all American, from Alphabet, Amazon, and Apple to Meta and Microsoft.
The restrictions are far-reaching. As an example, Apple must unlock its App Store, and Google must no longer collect data from Maps and YouTube and combine it with Google Search data without users’ specific consent. Meta must allow its WhatsApp messaging service to accept calls from competitors such as Signal and Telegram. Violators face penalties of up to 20% of their global revenue for repeated violations.
These requirements and restrictions hold potentially far-reaching dangers. Gatekeepers must give away data — potentially to enemies. They can no longer vet their operating systems and app stores for security. Almost anyone — even Russian and China — can obtain access. When gatekeeper messaging apps — Skype, WhatsApp, and iMessage — open up their interfaces to other messaging services to provide interoperability, their own services risk becoming disarmed against security breaches.
While the US tech leaders rush to comply with the Digital Markets Act, they are also rushing to adopt artificial intelligence. The emergence of ChatGPT which can explain complex concepts in a flicker, has catapulted the technology to the front page. The EU is responding with broad, sweeping legislation, now in its final negotiations, while the US is enacting only voluntary commitments.
Reining in the Gatekeepers and Opening the Door to Security Risks
The EU should not accept every request from digital gatekeepers to avoid regulation, but it should be careful before dismissing legitimate security concerns.
The disconnect is dangerous, write Ylli Bajraktari and Lauren Naniche in “Transatlantic Community Must Unite to Address AI Risks and Opportunities.” If the US and EU don’t work together, China will win, the authors warn. The EU’s go-it-alone prescriptive approach will prove difficult to enforce and, faced with a fast-evolving technology, could soon be outdated. Perhaps worse, it threatens to divide the allies, burying hopes for a united democratic approach to AI.
Export controls are perhaps the issue most directly concerned with security. The US and EU agreed on tough sanctions against Russia in response to the invasion of Ukraine. They also agree on “de-risking” from China, working together to limit the exports of the most advanced semiconductors and manufacturing equipment.
Transatlantic Community Must Unite to Address AI Risks and Opportunities
It is time for Europe, hand in hand with the United States and other democratic allies, to enforce AI regulatory frameworks that support democratic values and innovation.
But the two sides struggle to coordinate, writes Matthew Eitel in “Export Controls — The Keys to Forging a Transatlantic Tech Shield.” The US enjoys well-established regulations to protect its ‘economic security.’ It imposes controls quickly and unilaterally. In contrast, the EU must forge a consensus among its 27 member states, each of which insists on pursuing its own national prerogatives and sovereignty.
EU and US political priorities also differ. The US now places national security concerns at the center of its international economic agenda, willing to sacrifice trade in the name of protecting US security. While the EU has hardened its view of economic engagement with China, key member states such as Germany remain skeptical of the trade-offs required to closely align their approach with that of the US.
While perhaps the most pressing, the issues addressed in this series are far from exhaustive. The transatlantic alliance faces other key tech-related security challenges. Among them: How to draw Europe away from Chinese telecom infrastructure and how to allow Europe’s desire for increased data sharing without allowing our enemies to take advantage?
Despite persistent American pressure, the EU, particularly Germany, continues to allow China’s Huawei to build its crucial mobile phone infrastructure. At the same time, the EU remains skeptical about an innovative, inexpensive mobile phone operating system called Open RAN — even though Open RAN contains no Chinese parts. Once again, the culprit seems to be Europe’s misguided quest for digital sovereignty. Asian and American companies lead in the development of Open RAN. The new way of building mobile phone systems threatens European tech heavyweights Ericsson and Nokia.
Export Controls — The Keys to Forging a Transatlantic Tech Shield
A transatlantic tech shield requires a new, united vision for export controls and enacting the reforms necessary to make it a reality.
Data is becoming another key area of divergence. The EU just passed a new Data Act. On the surface, the idea sounds promising and noble — the digital equivalent to the Schengen Area, within which EU citizens are allowed to move and work without restriction. Just as the EU has promoted free travel, it now envisions a series of measures to facilitate data open sharing. But free personal travel looks much less dangerous to achieve than free data transfers. Policymakers did not even consider how the Data Act could leak crucial information, including to Russian and Chinese companies.
Both European and US companies lobbied hard against the Data Act, arguing it jeopardized their own competitiveness as well as national security. European policymakers in Brussels did not listen. The natural venue for transatlantic discussions, the Trade and Transatlantic Council, never was consulted. EU officials, led by EU Commissioner Thierry Breton, say European domestic regulations are not negotiable.
That’s a mistake. Both Europe and the US must stop avoiding their differences in tech policies. They must work together, not against each other. Nothing should be off the table when it comes to transatlantic security — including tech policy.
Bill Echikson
Senior Fellow, Digital Innovation Initiative
Center for European Policy Analysis