European Union
Technology Policy Matrix
We are in a unique moment where governments around the globe seem to be trying to take on everything, everywhere, all at once – and in the process often missing the big picture of how policies interact with each other.
The U.S. Congress, states, the European Union (EU), and other countries all seem to be in a race to be the first to fix what they perceive as problems related to tech security, privacy, and innovation. This is especially true in the EU where they often attempt to address what they believe are problems one-by-one instead of holistically. We all want a technology ecosystem that is dynamic and competitive, and that protects security, safety and privacy. But in each domain, by looking too myopically, policymakers can end up attempting to fix one problem only to simultaneously create another – and in many cases undermining basic European values. One analysis found that for the digital sector in the EU (as of the fall of 2023), there were 72 applicable laws, 25 in negotiation, and another 9 planned initiatives. The analysis found: “There are countless overlaps and contradictions, both on the legislative and the enforcement level. This will create huge legal uncertainty and enormous compliance costs that will particularly affect smaller market players like SMEs and startups.”
For example, the EU’s Digital Markets Act (DMA) is trying to restructure the EU’s technology markets to aid competitors to existing players, but it does so by breaking critical security and privacy guardrails that the EU is trying to advance in other domains. While the DMA unintentionally breaks the mobile security ecosystem, preventing companies from delivering technology that is secure by design, by contrast, the pending European Cyber Resiliency Act (CRA) would require the opposite– that devices be secure by design. Legislation, whether intentionally or unintentionally, should not make security worse.
Reconciling and harmonizing these conflicts is made harder in two distinct ways:
- EU leaders have not made the major new investments in hiring to meet their stated goal of substantial increases in expert technical, legal, policy, and oversight personnel needed to implement what they have already passed, or what they are planning to pass.
- These new laws are also enforced by different sector regulators, and by different countries, making it exponentially harder to bring consistent and harmonized enforcement of conflicting and sometimes confusing regimes.
This visualization aims to illustrate key contradictions that currently exist in the European technology policy landscape, and highlights how these contradictions complicate efforts to build a more secure and trusted technology environment.
In an everything, anywhere, all at once scenario we need to ensure a policy environment where policymakers don’t just move fast and potentially break things, but move intelligently to fix things.