By Hanna Blankemeyer and Kai Peters
Digitalization is a challenge not only for companies, but also for EU lawmakers in Brussels. The best example is the EU Cybersecurity Act that is currently being debated in the European Parliament. With this proposal, the EU wants to establish European benchmarks for IT security - but drafting a legal framework for digital technologies is proving more challenging than expected.
Legislation always faces the challenge of anticipating the future and covering a wide range of often unknown scenarios, while still providing legal certainty and regulatory reliability. Especially in the digital age, where business models and technological possibilities are changing faster than ever, any political framework needs to be more flexible to cope with disruptive changes. Rules that solve a problem today might be outdated tomorrow. But flexibility has its limits. Legislation at will would be equally problematic, since it would undermine the basis for companies' planning and investment decisions.
Currently being debated by the European Parliament and Council, the EU Cybersecurity Act is a good example of how not to approach this problem. In a first attempt, the European Commission proposed European certificates for cyber security, indicating the level of protection offered by a product. These certificates are supposed to be issued by a third party - probably following rather general criteria of IT security.
This seems like a good and fast initiative at first, but it leaves a lot of unanswered questions. Where are the essential requirements laid down? Is certification an appropriate tool for assessing conformity, or are there other ways that are easier and more flexible? And finally, what is the legal basis for taking an insecure product from the market?
It is therefore hard to understand why the Commission is not facing the challenges of modern legislation using a tried and tested system that is already in place. The "New Legislative Framework" (NLF) concept (also known under the buzzword New Approach) might be a solution to many problems for lawmaking in the digital age. However, it looks as if there is still a need to broaden the fanbase of the NLF among EU officials.
Sensors or cages - let industry decide
The New Legislative Framework is essentially a way to make laws that takes into account the fact that politicians cannot formulate a rule for every single case in future scenarios. Instead, lawmakers determine the public policy goal they want to achieve - and leave it to industry to decide the technical details for how to get there. Although policymakers prescribe the legal framework in which companies operate, industry still has enough room to compete to develop the best and most efficient technologies, processes and products.
This system is already in place when it comes to product safety, for example. Instead of anticipating everything that could possibly go wrong, lawmakers formulate general rules - a machine must be safe. They then leave it to industry-driven standardization bodies to work out what exactly must be done to meet the target of a safe machine. It does not necessarily make a difference whether a worker is protected by a physical cage around a machine or a sensor that stops a robot’s arm as a person enters its radius - as long as the worker is protected. The big advantage is that safety requirements are fixed in legal acts, but industry can choose the most innovative and efficient ways to get there.
Critics of the New Legislative Framework argue that this system gives companies too much freedom, so that public authorities risk losing control. Part of this is based on a misconception: under the NLF, the legislator fixes essential obligations in the law, and the manufacturer is fully obliged to comply with these requirements if it wants to bring the product into the single market. Even if a manufacturer 'self-declares', the business is fully responsible, and therefore liable, for complying with the obligations.
Furthermore, if non-compliant products remain on the market, this is often not a fault of the legal framework itself, but is caused by a lack of market surveillance. An effective watchdog is needed to ensure that the solutions industry comes up with actually meet the requirements.
Faster solutions, international recognition
There are also indisputable benefits to the NLF. First, it means that regulation also covers new developments by leaving the detail to standards. Standardization bodies are mainly industry-driven, so they have the best insight into what is needed to fulfill the goals set by policymakers. It is crucial that European companies do not face unnecessary delays compared to their competitors when bringing innovation to the world market - and that authorities are released from continuously updating regulation to keep up with technology.
Second, the EU must be careful not to set up a framework that works for Europe but is detached from efforts made by the rest of the world. Standards are often determined not for a regional market, but globally. Already, 40 percent of machinery standards are equal to international ISO or IEC standards. Given that the big emerging markets are outside Europe, this helps European companies to do business with the rest of the world. Here, too, the NLF poses no problem: instead of burdening companies with details in Europe-only regulation, international standards can be transposed 1:1 into European standards, resulting in both access to international markets and compliance with EU rules.
Third, the legislator can choose the most appropriate way of checking if a product is in line with the requirements. If needed, for example, a mandatory examination by a third party (such as TÜV) could be requested for products that bear a high risk to the public, such as pressure vessels. For most product groups, however, self-declaration that a product fulfills all standards is sufficient. This is arguably the case for the issue of cyber security with regard to most product groups in the mechanical engineering sector.
For the Cybersecurity Act, there is at least some hope that EU officials and policymakers will ultimately re-discover the New Legislative Framework as a suitable tool for ensuring an EU-wide standard of IT security. The European Parliament is currently discussing changes to the initial proposal, with some MEPs criticizing the handling of the B2B sector. Once through Parliament, the EU cyber security legislation has to be approved by the member states.
Both European industry and citizens would benefit if EU lawmakers returned their focus to the NLF. Digitalization will create more challenges in the years to come - and EU legislators need a suitable approach.