
EU Cybersecurity Proposal Moves Forward, Yet Needs to Steer Clear of Protectionist Measures

The EU is strengthening and harmonizing information security standards across its institutions and bodies to safeguard a growing volume of public sector information, a largely sound strategy. Its accompanying requirement that sensitive non-classified information be stored and processed only within the Union is a protectionist measure that should be reconsidered.


The European Union (EU) is weighing data localization: a requirement that sensitive non-classified information held by its institutions be stored and processed within the Union's borders. The requirement is meant to improve data privacy and security, but it carries costs for economic efficiency and innovation.

The drawbacks are several. Businesses face added complexity and cost, impediments to cross-border data flows, and slower economic growth and innovation. Local storage mandates also act as non-tariff barriers, and they fall hardest on smaller companies that lack the resources to comply with strict localization requirements.

Moreover, protectionist and security-driven data rules risk fragmenting the digital economy by creating diverging governance models that hinder trade and cooperation beyond the EU. High fines for non-compliance, such as the €530 million GDPR fine levied on TikTok and the €1.2 billion fine on Meta, are a strong deterrent, but they also raise operational risk and uncertainty for every company that handles EU data.

Alternatives to strict data localization exist. Robust data protection and encryption standards, with encryption keys under the control of the EU data owner, allow data to be stored and processed securely across borders without a physical localization mandate. Compliance frameworks and certifications can give assurance of security and privacy without confining data to EU territory, enabling cross-border operations that still respect EU data protection law. Hybrid models offer another option: sensitive data is processed locally, while backups or less sensitive data are stored externally under strict controls. Finally, greater international harmonization and mutual recognition of data protection standards reduce the need for localization as a protective measure while keeping EU privacy and security rules enforceable.

The EU's attack surface is vast, with institutions, bodies, agencies, and offices spread across 27 countries, and the EU has previously failed in an attempt to build an in-house cloud infrastructure. The proposal correctly recognizes this exposure and the risks its government offices face, but requiring data localization could be a costly mistake: forcing all sensitive data into a single EU hub concentrates risk and creates a single point of failure.

Dropping the localization requirement would let the EU adopt cybersecurity best practices wherever they are found, draw on a global cybersecurity workforce, and keep cooperating with allies against cyber threats. The EU should focus on mitigating risk through appropriate administrative and technical controls rather than on where sensitive non-classified information physically resides.

Article 17(1)(c) of the EU's proposal requires sensitive non-classified information to be stored and processed within the EU. Localizing data in this way would push organizations to hire only EU-based cybersecurity experts, undermining the benefits of a globalized workforce, and international medical research projects that depend on cross-border data sharing could suffer.

The requirement rests on the assumption that the security of data depends on where it is stored. That assumption is incorrect: security depends on the controls applied to the data, such as encryption, key management, access control, and monitoring, not on the jurisdiction of the data center. The impact may also extend beyond EU institutions. Authorities in Sweden announced last year that they no longer want to work in Microsoft Teams because of the risk of U.S. espionage, and France's Data Protection Agency has similarly announced that education and research institutions should move away from U.S. tools. A localization mandate reinforces this distrust of foreign services and could have a devastating effect on cross-border trade.

At the same time, the EU is updating and harmonizing the information security standards that apply to its institutions. The proposed EU-wide information security scheme aims to reduce exposure and mitigate risk through inter-institution cooperation and governance, a common approach to information categorization, modernized standards for remote work, and greater compatibility between systems.

In sum, while the EU’s localization rules aim to enhance data privacy and security, they pose challenges to economic efficiency and innovation. Alternatives focused on robust data security controls, standards alignment, and international cooperation can mitigate risks without the drawbacks of rigid localization requirements. These approaches may facilitate continued trust and compliance in a more interconnected digital economy.

  1. The European Union's data localization policy raises concerns for businesses regarding increased costs, complexities, and impediments to cross-border data flows, which could slow economic growth and innovation.
  2. The high fines for non-compliance with EU data regulations increase operational risks and uncertainties for companies handling EU data, potentially disadvantaging smaller companies that lack the resources to comply with strict local storage mandates.
  3. Enforcing data localization could fragment the digital economy, creating diverging governance models that hinder trade and cooperation beyond the EU, and even lead to a single point of failure in terms of cybersecurity.
  4. Alternatives to strict data localization, such as implementing robust data protection and encryption standards, compliance frameworks, certifications, and hybrid models, can assure data security and privacy while enabling cross-border operations and respecting EU privacy and security rules.
