Navigating the nexus of Policy, Digital Technologies, and Futures (S1/E13)

S1/E13: Wrapping up

Here we are! All good things come to an end. Time to bid farewell…

This is the last instalment of Season 1 of this blog series that that tries and charts the rough waters of the European Union’s (EU) digital policies and legislation. I hope that you have enjoyed the journey. My objective was for you to become more knowledgeable upon each episode, only to have a better understanding of the scale of our ignorance in matters of legislation that impact the Software Industry. Only you, kind reader, may tell to what extent this objective was attained.

Looking back at Season 1

In the twelve episodes of this Season, I’ve detailed some of the digital policies initiatives taken by the European Commission (EC) in a time spanning a little more than the past decade. We started from the GDPR, with the proposal tabled by the end of 2011 and in force since 2018, and ended with AI-related legislation, some of which still in negotiations between the European co-legislators (Council and Parliament). All of these are enmeshed in very intricate ways and there are more nodes in the mesh.

For me at least, this was indeed a learning journey. As a consequence of my own researching for the posts, I’ve got a clearer view of the role that Member States’ self-interests, of which national security is the protagonist, but not the only actor, play on the development of EU legislation. They define areas in which the Member States don’t intend to share governance with the other members of the club and in which they don’t want to be constrained by either the European Commission or the European Parliament. National interests, subjectively, idiosyncratically, and opportunistically designed, determine the currents and tides of the EU waters.

Further to the policies and legislation explored in this Blog Season, I advise our readers to follow the results of the negotiations of the AI Act, as written in the past three episodes, and also of the Cybersecurity Resilience Act, which will have a very large impact on all devices falling under the broad definition of Internet of Things – from sensors to cars (trains? planes?) – and on all actors that are part of their supply chains, no matter where in the world. In addition, the very recent Digital Decade Policy Programme 2030 sets the scene for many more digital laws to be designed, in the framework of a EU Digital Sovereignty.

Next Seasons

As in video series, at the end of a Season one expects to see hints of the threads to be developed in future episodes. As said by other people, making predictions is hard, mainly about the future. But I do see two strong trends in this domain. Firstly, based on GDPR regulatory success, the European Commission is convinced that it can make the whole world Software Industry to play by EU rules, while creating business opportunities for EU players to enter this market. Secondly, the EC wants to underpin such a regulatory drive by the concept of Sovereignty, in this case, Digital Sovereignty. Both of these goals leverage to the greatest extent the size of the EU consumer market, as an incentive for compliance by global Big Tech and other global players.

My personal take on the above is one of caution, because there are many caveats that can be named concerning such a regulatory environment. As I wrote before, the more regulation there is, the larger the need of large legal divisions in a firm, which actually increases the barriers to entry a heavily but not precisely regulated market, where strict standards and enforcement are mainly lacking. Regulating software, which used to be an art and is invisible at usage time, isn’t like imposing rules on seat-belts or on food labelling, which are already extremely difficult to design and enforce.

Talking about enforcement, GDPR’s is built on many years of data protection enforcement at Member States level, including myriads of agencies that pre-existed the regulation. For the current digital laws, most, if not all, enforcement circuits must be created from scratch, including myriads of new agencies and their highly specialized staff.

Finally, Europe is no longer a colonial empire. The trouble with this is that, with only 7% of the world population and a tiny portion of existing natural resources, it’s difficult not to rely on global supply chains for most products that are consumed in the EU’s internal market. Trying to control the totality of actors in all those supply chains is a gargantuan task. At this point it’s unclear whether the EU institutions have the necessary capacities to achieve this, other than ideology.

Only time will tell. But in the meantime, people working on matters related to software are constrained by the EU legislation in the area. Old, new, and in the making. Worldwide. Be warned.

Farewell

This was a very nice personal experience. I’d like to warmly thank the SWForum.eu staff for the opportunity, in particular John Favaro, whose renewed feedback and insightful comments helped keep my motivation going.

As stated at each episode, this blog series was inspired by research work that is or was partially supported by the European research projects CyberSec4Europe (H2020 GA 830929), LeADS (H2020 GA 956562), and DUCA (Horizon Europe GA 101086308), and the CNRS International Research Network EU-CHECK. Evidently, I’m grateful to these funding agencies, but most of all, to all colleagues who shared and continue to share their knowledge and their time in the framework of these projects and beyond.

I wish all of you, kind readers, a great continuation in the Software design, development, and deployment business. The Digital Revolution is here to stay and we’re all part of it. Let’s enjoy it!

Afonso Ferreira

CNRS - France

Digital Skippers Europe (DS-Europe)