Permanent availability is not guaranteed and lies entirely in the hands of the publishers. Please make your own copy if you wish to cite this source.
Foreign direct investment (FDI) serves as a cornerstone of the global economy, driving economic growth and development across nations. However, amidst rising geopolitical tensions and uncertainties, there is a discernible shift towards strengthening or establishing new frameworks for FDI screening. This proactive approach is observable both in the United States and in the European Union and its member states. The growing reliance on these measures, designed to protect critical sectors and assets from potentially hostile third country acquisitions, may have implications that go beyond purely economic considerations, affecting transatlantic relations and the broader geopolitical landscape.
Revised version of a paper presented at the IAI Transatlantic Security Symposium 2023–24, held in Rome on 22 April 2024.
This Discussion Paper focuses on disinformation trends in the run-up to the European Parliament elections in Bulgaria, Germany, and Italy. It looks at the intricacies of misinformation around refugees, military support for Ukraine, and energy-related issues, offering insight into the possible impact on public attitude and electoral dynamics. It also emphasises national and EU initiatives to combat disinformation, underlining the importance of comprehensive plans to build resistance to disinformation and ensure the integrity of future elections.
China's investment and acquisitions in the European Union have increased significantly in recent years, raising concerns about their impact on European economies and security. The dynamics of the EU-China relationship have evolved significantly over time, with the past year marked by a deterioration in bilateral relations. This deterioration has been linked to a growing number of issues, such as China's responses to EU sanctions on human rights, economic coercion affecting the single market, and its stance on the Ukraine conflict. The EU faces the complex challenge of dealing with China simultaneously as a negotiating partner, economic adversary and systemic competitor. This complexity characterises the current state of EU-China relations, where a variety of challenges and opportunities are emerging, driven by intertwined economic, political, and strategic factors.
The rapid evolution of digital technology has ushered in a data-centric economy, where data accessibility drives marketplace efficiency and economic growth across various industries. However, this shift, while offering numerous benefits, introduces significant privacy and data security challenges, particularly in the context of transatlantic data transfers. Considering the vast economic ties between the EU and the US, the transatlantic data flow vividly illustrates the complexities involved in governing and transferring data. It grapples with the ongoing challenge of striking a satisfactory balance between economic advantages stemming from data utilisation and various concerns pertaining to national security, digital sovereignty and individual rights. In recent years, the European Commission approved two different frameworks on transatlantic data flow – Safe Harbour in 2000[1] and Privacy Shield in 2016[2] – asserting that the US provided a level of data protection for data transfers essentially equivalent to that guaranteed in the EU. However, despite initial optimism, both adequacy decisions faced a significant setback when the Court of Justice of the European Union invalidated them in what is commonly referred to as the "Schrems saga",[3] named after the Austrian activist who first challenged both frameworks before the European Court. The core arguments centred on the absence of adequate safeguards for personal data within US domestic law and the extent of state surveillance over such data when it was transferred, as initially disclosed by Edward Snowden in 2013.[4] This legal development led to a period of significant uncertainty and further heightened the ongoing debate concerning the regulation of transatlantic data transfer. 
To address the consequences of this legal turmoil, both the EU and the US committed to establishing "a renewed and sound framework for transatlantic data flows",[5] seeking a long-term solution to address the complexities of data privacy and security, eventually leading to the recently adopted EU–US Data Privacy Framework ("DPF").

Why transatlantic data flows matter

Data flows hold immense significance for the transatlantic economic relationship and impact businesses of all sizes and industries. These data exchanges involve participation from more than 90 per cent of EU businesses that conduct transactions with the US, with a notable 70 per cent being small and medium-sized enterprises.[6] In fact, the volume of transatlantic data flow exceeds that of any other global relationship, contributing to the robust 7.1 trillion US dollar US–EU economic partnership.[7] Nevertheless, the regulation of data exchange between the EU and the US has been a contentious matter, primarily due to their differing interpretations of fundamental rights and varying data protection standards. In the US, the oversight of how companies handle and secure personal data is predominantly marked by the absence of comprehensive federal legislation. Thus, privacy and data protection regulations vary across industries and are enforced by different agencies, resulting in a diverse and fragmented privacy landscape. In contrast, the EU operates under a comprehensive data protection framework primarily governed by the General Data Protection Regulation (GDPR), which places a strong emphasis on individual rights and imposes stringent obligations on data holders and processors. To this effect, the GDPR unequivocally forbids the transfer of personal data to third countries lacking sufficient data protection measures unless the European Commission issues an adequacy decision certifying that the country conforms to the requisite standards.
Consequently, discrepancies in data standards have led to uncertainties for economic actors involved in transatlantic economic relations, prompting individual companies to seek ways to align with European requirements and prevent potential GDPR violations. These violations can result in sanctions of up to 4 per cent of the company's annual revenue, as exemplified by several cases involving tech giants: Meta, for instance, received a record-breaking GDPR fine of 1.3 billion US dollars last May – the largest in GDPR history.[8] Lastly, positioned at the crossroads of data protection, international trade and national security, the topic of transatlantic data flow is intricately linked to the EU's strategy to assert digital sovereignty and secure strategic autonomy. This strategy places a significant emphasis on the localisation and retention of data belonging to European citizens within the EU's borders. This approach is driven by the commitment to ensure that data of European citizens remains under the EU's established laws and regulations, which prioritise privacy protection. Consequently, even though the new framework does streamline the transfer of personal data between the EU and the US, it can give rise to concerns about a departure from the EU's broader goal of advancing its digital sovereignty.

Restoring trust in the digital environment

In response to the legal uncertainties stemming from the Court of Justice's decisions, extensive collaboration between the US and the EU resulted in an agreement in principle in 2022. This agreement, endorsed by US President Joe Biden and European Commission President Ursula von der Leyen, reflected the shared commitment to facilitate data flows between both jurisdictions in a manner that protects individual rights and personal data. Executive Order 14086, titled "Enhancing Safeguards for U.S. Signals Intelligence Activities", was issued by the Biden administration on 7 October 2022.
In conjunction with this executive order, US Attorney General Merrick Garland issued a Regulation to establish a Data Protection Review Court.[9] Through these actions, the US committed to introducing additional protective measures aimed at addressing the concerns raised by the Court of Justice regarding mass personal data collection and the lack of objective criteria for limiting access to and utilisation of this data by public authorities. In the following months, before finalising its adequacy decision on the DPF, the European Commission sought the opinion of the European Data Protection Board (EDPB) on the draft decision.[10] The EDPB recognised the improvements brought about by Executive Order 14086, particularly in terms of restricting access to EU data by US intelligence services to what is necessary and proportionate to protect national security. Nevertheless, it expressed several concerns, including those related to inadequate assurances regarding "temporary bulk collection" and the subsequent storage and sharing of data collected in bulk within the US legal framework. Additionally, on 11 May, the European Parliament conveyed its reservations regarding the content of the DPF.[11] While acknowledging that the capacity to transfer personal data across borders has "the potential to be a key driver of innovation, productivity and economic competitiveness", the Parliament underscored the critical necessity for robust safeguards to be firmly established. These safeguards are essential for protecting privacy rights, preventing illegal mass surveillance by the US and restoring the trust of both EU citizens and businesses in digital services, ultimately preserving the vitality of the digital economy. Taking into consideration the CJEU's reasoning in Schrems II, the European Parliament contended that the DPF did not entirely meet EU legal standards due to its lack of an "objective criterion" to validly justify government intrusion into privacy. 
Consequently, this raised concerns about the possibility of the CJEU invalidating the DPF, as it had done with previous frameworks. Despite these concerns, on 10 July, the European Commission adopted the adequacy decision on the DPF, confirming that it provided an adequate level of protection for personal data. Consequently, personal data can now move freely from the EU to US companies that have self-certified their adherence to the DPF principles. Ursula von der Leyen stated that the new framework will "ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic",[12] while strengthening economic ties and reaffirming shared values. President Joe Biden also welcomed the adequacy decision, emphasising the joint EU–US commitment to robust data privacy protections and foreseeing increased economic opportunities for both jurisdictions and their companies.

Third time's a charm?

On a positive note, the DPF now allows for the transfer of personal data from the EU to the US through a certification system. US companies commit to a set of privacy principles, eliminating the need for additional transfer mechanisms like Standard Contractual Clauses or binding corporate rules, as well as transfer impact assessments. Companies are required to complete their self-certification by October 2023 to be included on the DPF List, maintained by the US Department of Commerce. Additionally, the DPF introduces various safeguards, such as restricting US surveillance access to data that is "necessary and proportionate" for national security, the establishment of a Data Protection Review Court to address concerns about access to personal data by US intelligence agencies and mandating US companies to delete personal data when it is no longer needed for the original purpose of collection.
Despite significant progress, however, the path towards establishing a stable and reliable framework for transatlantic data transfers remains fraught with difficulties. Persistent concerns revolve around how the US will interpret the concept of "proportionate" access to data by US authorities and its adherence to the CJEU's criteria. Moreover, there are concerns about the Data Protection Review Court's composition: while it is made up of members from outside the US government, there are doubts about its appointment process, leading to potential issues with fair and transparent decision-making. Furthermore, the European Parliament has highlighted an additional weakness in the framework, which lies in its failure to address data accessed by public authorities through alternative avenues.[13] These include methods such as the US Cloud Act or the US Patriot Act, data acquisition through commercial transactions or voluntary data sharing agreements. Privacy activist Max Schrems argues that the new framework is "largely a copy" of previous ones.[14] The US Department of Commerce also considers that it "does not create new substantive obligations for participating organizations with regards to protecting EU personal data" and "[t]he privacy principles and the process to initially self-certify and annually re-certify remain substantively the same".[15] Moreover, Schrems stresses that substantial changes in US surveillance law are needed for true effectiveness and has signalled his intention to bring "the new deal back before the CJEU".[16] A legal challenge has therefore been announced, possibly reaching the CJEU by late 2023 or early 2024, which may result in a temporary suspension of the DPF.
While EU Justice Commissioner Didier Reynders remains confident in the framework's resilience against legal challenges, many companies are choosing to stick with EU-approved standard contractual clauses to maintain GDPR compliance, despite the associated challenges and expenses, in the face of ongoing risks and uncertainties. Striking the delicate balance between privacy concerns, free trade imperatives and national security interests within the realm of data remains a formidable challenge, although recent trends around transatlantic data flows are encouraging. The Schrems saga has vividly highlighted the imperative to bridge legal disparities between the EU and the US, emphasising the importance of creating a digital international environment founded on trust, cooperation and regulatory alignment.

Federica Marconi is a Researcher in the Multilateralism and Global Governance Programme at the Istituto Affari Internazionali (IAI).

[1] European Commission, Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, http://data.europa.eu/eli/dec/2000/520/oj.
[2] European Commission, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 Pursuant to Directive 95/46/EC on the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield, http://data.europa.eu/eli/dec_impl/2016/1250/oj.
[3] Court of Justice of the European Union (CJEU), Judgment of the Grand Chamber in Case C-362/14: Maximillian Schrems v. Data Protection Commissioner [Schrems I], 6 October 2015, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=celex:62014CJ0362; and Judgment of the Grand Chamber in Case C-311/18: Data Protection Commission v. Facebook Ireland Limited and Maximillian Schrems [Schrems II], 16 July 2020, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=celex:62018CJ0311.
[4] Caspar Bowden, The US Surveillance Programmes and Their Impact on EU Citizens' Fundamental Rights, Brussels, European Parliament, September 2013, https://op.europa.eu/s/y0iF.
[5] European Commission, Commission Issues Guidance on Transatlantic Data Transfers and Urges the Swift Establishment of a New Framework Following the Ruling in the Schrems Case, 6 November 2015, https://ec.europa.eu/commission/presscorner/detail/en/IP_15_6015.
[6] DigitalEurope, 'Good News for Thousands of Businesses': Reaction to EU Assessment of US Data Protection of Personal Data, 10 July 2023, https://www.digitaleurope.org/news/good-news-for-thousands-of-businesses-reaction-to-eu-assessment-of-us-data-protection-of-personal-data.
[7] White House, Fact Sheet: United States and European Commission Announce Trans-Atlantic Data Privacy Framework, 25 March 2022, https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework.
[8] European Data Protection Board, 1.2 Billion Euro Fine for Facebook as a Result of EDPB Binding Decision, 22 May 2023, https://edpb.europa.eu/node/6052.
[9] US Code of Federal Regulations, Part 201: Data Protection Review Court, https://www.ecfr.gov/current/title-28/part-201.
[10] European Data Protection Board, Opinion 5/2023 on the European Commission Draft Implementing Decision on the Adequate Protection of Personal Data under the EU-US Data Privacy Framework, 28 February 2023, https://edpb.europa.eu/node/5132.
[11] European Parliament, Resolution of 11 May 2023 on the Adequacy of the Protection Afforded by the EU-US Data Privacy Framework, https://www.europarl.europa.eu/doceo/document/TA-9-2023-0204_EN.html.
[12] European Commission, Data Protection: European Commission Adopts New Adequacy Decision for Safe and Trusted EU-US Data Flows, 10 July 2023, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.
[13] European Parliament, Resolution of 11 May 2023, cit.
[14] NOYB, European Commission Gives EU-US Data Transfers Third Round at CJEU, 10 July 2023, https://noyb.eu/en/node/1324.
[15] Data Privacy Framework Program website: FAQs - EU-U.S. Data Privacy Framework (EU-U.S. DPF), last updated 17 July 2023, https://www.dataprivacyframework.gov/s/article/FAQs-EU-U-S-Data-Privacy-Framework-EU-U-S-DPF-dpf.
[16] NOYB, European Commission Gives EU-US Data Transfers Third Round at CJEU, cit.
In an era of unprecedented technological advancement, digital transformation is revealing its enormous potential, but also presenting new challenges. At its core, it represents a catalyst for innovation, igniting advancements that enhance productivity and propel economic growth. Thus, harnessing its transformative power holds the promise of unlocking new opportunities, solving complex challenges and ultimately shaping a more inclusive and sustainable future for humanity. However, rapid technological progress has ushered in a new era of interconnectedness and interdependence, where nations are increasingly reliant on digital systems and networks to power their economies and safeguard their national security. In this regard, the intersection of technological advancement and the amplification of geopolitical tensions has brought into sharp focus the myriad threats that countries face in the contemporary landscape. Among others, cyberattacks, in particular, have grown more sophisticated, transcending national borders and necessitating collaboration and partnerships among nations to protect against such threats. These challenges have prompted all major actors – both public and private – to intensify their efforts to protect their data and digital assets. They are devising and implementing a variety of risk management strategies. The empirical evidence shows that the most effective and resilient cybersecurity policies and approaches are those tailored to specific risks and security requirements. Individual organisations need to adopt the cybersecurity measures most appropriate for the challenges they face, based on a careful risk assessment. This requires the adoption of internationally recognised cybersecurity frameworks and standards that are based upon the principles of risk management and that are relevant across sectors to strengthen consistency and continuity among interconnected sectors and throughout global supply chains. 
Cybersecurity threats are transnational by definition and as such they can be countered effectively only through global mechanisms aimed at risk reduction and trust building. A primary objective of multilateral cooperation should be the adoption of interoperable policy frameworks that promote international harmonisation and consistent cybersecurity mechanisms. The G7 can provide a fundamental impulse for this cooperation at the global level by encouraging the development and implementation of risk-based, consensus-driven frameworks, standards and risk management best practices. A commitment to these internationally recognised cyber risk management approaches and frameworks can advance economic security and enhance cyber resilience across the ecosystem.

The G7's past initiatives

Recognising the enduring and constantly shifting landscape of cyber threats at a global level, the G7 has tried to adopt measures to confront these challenges head-on, with a particular focus on the financial sector. In 2015, the G7 Cyber Expert Group (G7 CEG) was established as a multi-year working group responsible for coordinating cybersecurity policy and strategy among G7 member countries. The G7 CEG also serves as a channel for sharing information, establishing a common understanding of the threat landscape, and facilitating incident response by implementing risk mitigation measures. To this end, the G7 CEG organises annual incident response exercises[1] and quadrennial cross-border cyber simulations. It also produces reports on specific cybersecurity issues relevant to the financial sector.[2] In October 2016, the G7 Fundamental Elements of Cybersecurity for the Financial Sector (G7FE) were published.
The objective was to enhance the resilience of the financial system by providing a set of cybersecurity practices and assisting private and public entities in developing and implementing cybersecurity policies and operational frameworks.[3] During Germany's G7 presidency, two additional reports were drawn up by the G7 CEG, setting out fundamental elements for risk management. The G7 Fundamental Elements of Ransomware Resilience for the Financial Sector contain specific recommendations for financial market agents, focusing on how they can address the increasing threat of ransomware attacks (a type of malware that prevents users from accessing their devices and the data stored on them, usually by encrypting files).[4] Moreover, the G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector address new cybersecurity risks stemming from the increasing use of service providers by financial institutions.[5] Private and public entities in the financial sector have increasingly relied on third-party relationships to support their business operations, resulting in a notable increase in the use of ICT providers in recent years. However, reliance on third parties should be coupled with robust third-party risk management to address ICT supply chain risks to individual firms. Systemic cyber risks to the financial sector may need to be addressed in a more comprehensive, holistic approach involving public and private sector stakeholders from government, supervisors, financial firms and technology companies. During Japan's Presidency in 2023, the Ministerial Declaration of the G7 Digital and Tech Ministers' Meeting, held prior to the Hiroshima Summit, addressed several important digital security issues beyond the financial sector. These included the need for international cooperation to provide secure and resilient digital infrastructure for developing and emerging economies, given their growing dependence on digital technology.
The Institutional Arrangement for Partnership (IAP) was endorsed by G7 governments at G7 Hiroshima 2023. The IAP is an international mechanism for operationalising Data Free Flow with Trust (DFFT) and represents an advancement in cross-border data flow. As today's global digital economy is fuelled by data, integrating both privacy and security measures for personal and sensitive data is paramount to safeguarding them against potential cyberattacks. Failure to do so could render them vulnerable targets for malicious exploitation. Bringing governments and stakeholders together, the IAP aims to ensure "principles-based, solutions-oriented, evidence-based, multistakeholder and cross-sectoral cooperation".[6] The IAP is hosted by the OECD and is composed of the Secretariat, located within the OECD, and project-based Working Groups, bringing together government officials, stakeholders and experts. Besides G7 initiatives, some actions within the G20 context, while comparatively limited in scope, are also noteworthy. For example, the G20 under India's leadership adopted non-binding High-level Principles aimed at bolstering safety, security, resilience, and trust in the digital economy to support businesses.[7] The United Nations is another major global player. The UN Security Council convened on 4 April 2024, specifically to address cyber-related issues. Hosted by the Republic of Korea and co-hosted by Japan and the United States, the session delved into the theme of the "Evolving Cyber Threat Landscape and Its Implications for the Maintenance of International Peace and Security".[8] The discussion brought attention to the narrowing gap between low-intensity, financially motivated cybercrimes and disruptive, large-scale cyberattacks, underscoring the urgent need for further proactive measures to address these evolving threats.

Looking ahead

There are three areas in which the G7 can do more to address cybersecurity concerns.
First, it can step up its support for the ongoing attempts to harmonise cybersecurity strategies between its member states with an eye to wider agreements in more inclusive bodies such as the G20 and the UN. Second, it should endorse efforts to establish common criteria to assess the trustworthiness of digital service providers that facilitate cross-border data flow. Third, in pursuing such a goal, it should promote a wider and more systematic involvement of key stakeholders, including major industry actors as well as others that have expertise in cybersecurity, data protection and privacy. Therefore, the G7 should consider undertaking further initiatives aimed at coming to a common understanding of what constitutes digital trust, with the goal of establishing a multilateral framework based on shared trustworthiness criteria. This framework would serve the purpose of addressing cybersecurity, privacy and national security concerns while providing governments with a common basis by which to assess the trustworthiness of companies providing digital services and infrastructure such as cloud computing. To that end, the G7 should call for the Data Free Flow with Trust (DFFT) Experts Group at the Institutional Arrangement for Partnership (IAP) to form a workstream that will focus on the technical work necessary for developing a multilateral framework on trustworthiness. It should call for the creation of an expert working subgroup within the IAP's DFFT expert group with the task of mapping out potential criteria to assess the trustworthiness of digital service providers. The G7 should also set up an ad hoc G7 group at the ministerial level to evaluate those criteria with a view to advancing and adopting a dedicated multilateral framework. The G7 should also provide a forum for discussing and undertaking initiatives aimed at fostering cooperation among national bodies responsible for developing cybersecurity strategies.
All G7 members have set up cybersecurity agencies to address cyber threats. Harmonising their strategies would greatly contribute to addressing transnational cyberattacks. The G7 should act as a key promoter of closer cooperation between national cybersecurity agencies through such activities as joint assessment of risks associated with new technologies, sharing of best practices and coordination of standardisation efforts.

Ettore Greco is Executive Vice President of the Istituto Affari Internazionali (IAI) and also Head of the Multilateralism and Global Governance programme of the institute. Federica Marconi is a Researcher in IAI's Multilateralism and Global Governance programme.

[1] European Central Bank, G7 Cyber Expert Group Conducts Cross-Border Coordination Exercise in the Financial Sector, 23 April 2024, https://www.ecb.europa.eu/press/pr/date/2024/html/ecb.pr240423~de1afe7ceb.en.html.
[2] US Department of the Treasury website: G7 Cyber Expert Group, https://home.treasury.gov/node/970671.
[3] G7 Finance Ministers and Central Bank Governors, G7 Fundamental Elements of Cybersecurity for the Financial Sector, 11 October 2016, https://www.ecb.europa.eu/paym/pol/shared/pdf/G7_Fundamental_Elements_Oct_2016.pdf.
[4] German Federal Ministry of Finance, G7 Countries Adopt Reports on Cybersecurity, 13 October 2022, https://www.bundesfinanzministerium.de/Content/EN/Standardartikel/Topics/world/G7-G20/G7-Presidency/g7-reports-on-cybersecurity.html.
[5] Ibid.
[6] G7, Ministerial Declaration - The G7 Digital and Tech Ministers' Meeting, 30 April 2023, point 13, https://g7g20-documents.org/database/document/2023-g7-japan-ministerial-meetings-ict-ministers-ministers-language-ministerial-declaration-the-g7-digital-and-tech-ministers-meeting; Digital Agency website: Institutional Arrangement for Partnership (IAP), https://www.digital.go.jp/en/dfft-iap-en.
[7] G20, G20 New Delhi Leaders' Declaration, 9 September 2023, https://g7g20-documents.org/database/document/2023-g20-india-leaders-leaders-language-g20-new-delhi-leaders-declaration.
[8] Allison Pytlak and Shreya Lad, "The UN Security Council Discusses Cyber Threats to International Security", in Stimson Commentaries, 15 April 2024, https://www.stimson.org/?p=92869.
The rapid advancement of artificial intelligence (AI) will have a wide-ranging impact on multiple spheres including politics, security and the global economy. The G7 serves as a crucial platform for advancing discussions and building consensus on AI governance. G7 leaders adopted International Guiding Principles and a voluntary Code of Conduct for AI under the Japanese Presidency, corroborating their commitment to make progress in this sphere. To promote the responsible development and deployment of AI technology, governments are at work to facilitate dialogue and cooperation with like-minded countries and international agencies and organisations, while promoting a multi-stakeholder and whole-of-society approach at the national level. On 22 January 2024, the responsibility for this initiative formally shifted to the Italian leadership, which is now called upon to take the conversation forward and channel the collaborative effort of G7 leaders into effective implementation and interoperability of allied AI regulatory frameworks. Designing flexible regulatory packages, able to accommodate the rapid pace of technological innovation while ensuring trustworthiness, is a pressing challenge and a pivotal step. G7 leaders are thus faced with the responsibility to deliver progress on the regulation of the digital domain, to unlock the full potential of transformative technologies.
In a time of rapid technological advancements and changing energy paradigms, the European Union and the United States are trying to coordinate their efforts to navigate the complexities of an ever-evolving landscape. Transatlantic dialogues and cooperative endeavours are key mechanisms for mitigating tensions and fostering a common assessment of the opportunities and risks arising from these advancements. Critical in this regard are the problems of governance emanating from technological development and its consequences in the digital sphere as well as the delicate balance between security, competitiveness and environmental targets in the energy dimension. Background paper of the IAI project "Building a transatlantic technology bridge: challenges and opportunities".
Electronic hardware has been vulnerable to malign cyber activities since the dawn of digital networks. However, the widespread adoption of the so-called Internet of Things (IoT) has led to a multiplication of cyber vulnerabilities in goods and pieces of infrastructure that were previously considered safe from digital threats.[1] The European Union witnessed this first-hand, with a significant increase in the number of cyberattacks on its hardware and software products in the last few years.[2] Interconnectedness has been a boon to product efficiency, business opportunities and standard quality. Yet, it has also opened new avenues for malign activity, not only of the criminal kind. There are multiple examples of consumer goods bearing critical vulnerabilities, from webcams to pacemakers.[3] Amidst growing international tensions, such products will likely remain a playing field for state-sponsored and politically minded cyber actors. Since Russia's brutal invasion of Ukraine, the EU has observed a peak of attacks targeting digital service providers.[4] As a result of the conflict, cyberspace overall has registered an increase in offensive operations such as destructive malware, phishing campaigns and influence operations. Cyber risks associated with the IoT are current, growing, cogent and critical – especially in the private sector and for small and medium-sized enterprises (SMEs). Recent reports have shown that 87 per cent of the companies affected by ransomware attacks in Europe are SMEs with under 50 employees. Such companies are becoming progressively more connected; yet, each technological advancement entails an increase in vulnerabilities. Even though one of the main concerns lies with unmanaged devices, even diligently managed devices can pose challenges, owing to the lack of available patches for numerous known vulnerabilities.

Inadequate authentication and unresolved vulnerabilities hold particular significance, as IoT devices can be exploited for activities such as bitcoin mining. This could be done, for instance, by hackers installing malware on a device or creating networks of compromised devices, also known as botnets. The exposure of IoT devices and connected goods has to be contextualised within a broader trend, which sees overall cybersecurity risks becoming endemic. The European Repository of Cyber Incidents reports 1,634 politically relevant cyber incidents in total since 2015, with 2023 marking a peak of 486 recorded incidents.[5] Fifty-three per cent of attacks in this timespan were directed against government and political institutions, 39 per cent against critical infrastructures and the remainder against commercial actors, private citizens, social groups, media and other non-state actors. The political and strategic ramifications of such actions can be far-reaching, as recently exposed by the 2021 attack against Colonial Pipeline in the US, when a hacker group identified as DarkSide hit the infrastructure with ransomware.[6]

A fraught public-private relationship

The international debate has long pointed towards some form of public-private partnership as the pillar of future cybersecurity governance, recognising the outsized role played by major businesses in shaping the digital commons and the supposed ease with which they could identify and act upon vulnerabilities in their products.[7] Yet, the divergence of interests between the state and private actors has been identified as a major shortcoming of this model, which rests on the assumption of an implausible dedication of private companies to implementing costly self-regulation and monitoring.[8] The proliferation of state-sponsored cyber actors and bustling criminal activity on the one hand, and the reliance on privately owned, operated or produced infrastructures on the other, has led to an intense debate regarding who bears the responsibility for guaranteeing the safety and security of connected products. This discussion is becoming ever more important considering that critical vulnerabilities and zero-day exploits – namely, vulnerabilities that become known only once they have been exploited – are more and more in the crosshairs of malevolent state-sponsored actors, both as a way to compromise operational technologies and as a way to penetrate networks by compromising office routers or VPNs.[9] As a result, the policy debate seems to have decisively moved towards a stronger role for public authorities, at both the national and the international level. In the conclusions on the EU's Cybersecurity Strategy for the Digital Decade, the Council emphasised that cybersecurity is vital for the "functioning of public administration and institutions at both national and EU level and for our society and the economy as a whole".[10] In the US, the director of the Cybersecurity and Infrastructure Security Agency recognised that "For too long, we have sacrificed security for features and speed to market, leaving us increasingly vulnerable, with the burden of security placed on those least able to bear it."[11] In an attempt to create positive cooperation between the public and private sectors, the upcoming EU Cyber Resilience Act (CRA), which proposes some new measures specific to product vulnerabilities, can become a landmark for this approach.

The EU's Cyber Resilience Act

The CRA was first announced by European Commission President Ursula von der Leyen in the State of the Union address in September 2021, as part of the EU's toolbox towards a European Cyber Defence Policy.[12] Subsequently, the Council conclusions of May 2022 on the development of the European Union's cyber posture stressed the need for "a horizontal and holistic approach that covers the whole lifecycle of digital products, as well as existing regulation, especially in the area of cybersecurity".[13] Thus, the Council invited the Commission to propose common and horizontal cybersecurity requirements for all products with digital elements by the end of 2022. On 15 September 2022, the Commission adopted the proposal for a Regulation aimed at mandating cybersecurity requirements for hardware and software products "with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network".[14] Such requirements would cover the products' design, development, production and availability on the market. At the same time, the CRA also complements the EU cybersecurity framework established by the EU Cybersecurity Act (Regulation (EU) 2019/881)[15] and referred to in the Network and Information Security (NIS) Directive 2,[16] which already includes measures to "introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU".[17]

The Council has made several changes to the Commission's CRA proposal, concerning the scope, the support measures for SMEs, the declaration of conformity and the reporting obligations of manufacturers. With regard to the latter, manufacturers shall notify any actively exploited vulnerability contained in the product, and any incident having an impact on the security of the product with digital elements, that they become aware of. For example, the changes include a shift in the recipients of cybersecurity information: manufacturers shall notify the designated national Computer Security Incident Response Teams (CSIRTs) rather than the European Union Agency for Cybersecurity (ENISA), as in the Commission's draft. In addition, a two-step reporting process has been introduced. It involves an initial early warning notification to be made "without undue delay" and in any event within 24 hours of becoming aware of the actively exploited vulnerability or incident impacting the security of the product. The early warning is followed by a second notification within 72 hours, aiming to update the information already provided and indicate any available information about either the status of remediation or any corrective or mitigating measures taken. The CRA also provides for a sanctions regime for non-compliance with the essential cybersecurity requirements, which may have fundamental implications for those involved. The potential maximum fines for non-compliance could be either from 5 to 15 million euro or from 1 to 2.5 per cent of annual global turnover, whichever is greater. Given the complexity and sensitivity of the issues at stake, there have been several rounds of discussion between EU member states to find a compromise. The representatives of the member states (Coreper) finally reached a consensus on horizontal cybersecurity requirements for products with digital elements on 19 July 2023, allowing the Council to start negotiations with the European Parliament on the final version of the proposed legislation.[18]

A difficult balance

The CRA draft touches upon a diverse set of issues that need to be tackled to modernise and adapt Europe's cybersecurity governance. For the foreseeable future, this will likely remain a multilayered, complex affair which relies on two potentially fractious relationships: that between national cyber authorities and ENISA, and that between cyber authorities and the private sector. ENISA acts as an interface between the national and the European level: it promotes and participates in European working groups, it contributes to studies on practices at member state level meant to elaborate common guidelines, and it works to raise awareness of cybersecurity amongst European SMEs. ENISA also endures some undeniable difficulties stemming from its role as an EU organisation. For instance, it faces obstacles in maintaining an operational capacity to investigate and react to threats in real time, especially when political considerations are brought into the equation. Each member state has its own national position on cyber security and defence. Similarly, different national Computer Security Incident Response Teams (CSIRTs) have different approaches to dealing with cyber vulnerabilities and responding to emergencies. Their respective approaches largely depend on their internal security culture, both in terms of human resources and organisational habits.

The third protagonist to be factored in is, as mentioned, the private sector. The European information and communication technologies (ICT) industry does not seem to be inherently opposed to the CRA, but requires certain conditions to be met. The CRA mandates that all manufacturers have resources and procedures in place to mitigate vulnerabilities in products with digital elements and to ensure that vulnerabilities in their products can be addressed through security updates. Article 11 in particular sets a series of requirements that manufacturers have to comply with concerning the reporting of exploited vulnerabilities to the competent authority.[19] Such a development should significantly improve the cybersecurity of products placed on the market in the EU and elsewhere. At the same time, increasing the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities may "undermine the security of digital products and the individuals who use them".[20] Moreover, the CRA is horizontal to almost all sectors of the economy: every product, device or software application that contemplates connection to a network falls within the scope of the Act. It affects industry sectors that are less accustomed to the digital sphere and which will have to go through a number of procedures for the certification of conformity of their products. As a consequence, the wider industrial sector is asking for some time to adapt and get acquainted with the legislation and its implications. An additional argument put forward by the industrial players concerns the security of information. By sharing details on their products' cyber vulnerabilities, they worry they would unintentionally be feeding malevolent actors with information on ways to exploit such vulnerabilities. Furthermore, whilst sharing information about significant cybersecurity incidents is deemed crucial to support collective defence actions, exchanging data about unpatched vulnerabilities before effective countermeasures are available can divert the attention of responders: becoming aware of the presence of a vulnerability may compel those concerned with user protection to take hasty action rather than trying to identify the root cause of the incident and elaborate a structured response.

Looking forward

The adoption of the CRA represents a significant milestone in the EU's journey towards becoming a global leader in setting cybersecurity standards. Over the years, the cumulative effect of past initiatives at both EU and national levels had resulted in a somewhat fragmented legislative landscape within the internal market, underscoring the necessity for a comprehensive and global perspective. Legal developments such as the drafting of the CRA aim to standardise cybersecurity practices and certifications across the EU, thereby contributing to a more harmonised and robust cybersecurity landscape. Such legal efforts, however, must be complemented by other actions in order to achieve comprehensive digital security. As is well known, cooperation and information sharing are key to preventing threats, in the cyber domain too. The adoption of a standardised vocabulary for threat intelligence – that is, evidence-based knowledge about existing cyberattacks or emerging cyber threats – would facilitate the sharing of threat intelligence both internally and externally, and between public and private entities.[21] As the virtual landscape exposed to cyber risks continues to expand, it is crucial to promote a corresponding increase in cyber awareness. A positive step in this direction is the increasing focus on coordination and information sharing by public and private actors working in cyber defence, as also stipulated by the CRA. Furthermore, these efforts must be accompanied by a broader cultural shift. It will be important to promote a programme of cultural mentoring to facilitate the transition of private companies, and especially SMEs, to the digital realm, ensuring that they not only meet compliance requirements but also become proactive contributors to the broader cybersecurity ecosystem. By combining regulatory measures, threat intelligence standardisation, enhanced cyber awareness and a cultural mentoring approach, the EU is better positioned to fortify its cybersecurity posture and foster a more resilient digital landscape.

Ottavia Credi is Researcher in the Defence and Security Programmes at the Istituto Affari Internazionali (IAI). Michelangelo Freyrie was a Junior Researcher in the Defence and Security Programmes at IAI. Federica Marconi is a Researcher in the Multilateralism and Global Governance Programme at IAI. The authors would like to thank Paola Tessari (IAI) for her valuable contribution to this commentary. For the fruitful exchange of views, the authors would like to thank Anitec-Assinform, the Italian National Cybersecurity Agency (Agenzia per la cybersicurezza nazionale, ACN) and Microsoft.
The views expressed in the commentary are those of the authors only.

[1] Elizabeth MacBride, "The Dark Web's Criminal Minds See Internet of Things as Next Big Hacking Prize", in CNBC, 9 January 2023, https://www.cnbc.com/2023/01/09/the-dark-webs-criminal-minds-see-iot-as-the-next-big-hacking-prize.html.
[2] Javier Espinoza, "EU to Impose Tough Rules on 'Internet of Things' Product Makers", in Financial Times, 7 September 2022, https://www.ft.com/content/cfa2e2be-8871-4b56-b7bf-c5d2c55e8ed5.
[3] Harold Kilpatrick, "5 Infamous IOT Hacks and Vulnerabilities", in IOTSolutions World Congress, 3 October 2018, https://www.iotsworldcongress.com/5-infamous-iot-hacks-and-vulnerabilities.
[4] European Union Agency for Cybersecurity (ENISA), ENISA Threat Landscape 2022, November 2022, https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022.
[5] European Repository of Cyber Incidents, Cyber Incident Dashboard, last updated on 30 October 2023, https://eurepoc.eu/dashboard.
[6] Sean Michael Kerner, "Colonial Pipeline Hack Explained: Everything You Need to Know", in WhatIs Features, 26 April 2022, https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know.
[7] See, for instance: Kristoffer Kjærgaard Christensen and Karen Lund Petersen, "Public–Private Partnerships on Cyber Security: A Practice of Loyalty", in International Affairs, Vol. 93, No. 6 (November 2017), p. 1435-1452, DOI 10.1093/ia/iix189; Raphael Bossong and Ben Wagner, "A Typology of Cybersecurity and Public–Private Partnerships in the Context of the European Union", in Oldrich Bures and Helena Carrapico (eds), Security Privatization. How Non-security-related Private Businesses Shape Security Governance, Cham, Springer, 2018, p. 219-247, DOI 10.1007/978-3-319-63010-6_10; Daniel R. McCarthy, "Privatizing Political Authority: Cybersecurity, Public-Private Partnerships, and the Reproduction of Liberal Political Order", in Politics and Governance, Vol. 6, No. 2 (2018), p. 5-12, https://doi.org/10.17645/pag.v6i2.1335.
[8] Madeline Carr, "Public–private Partnerships in National Cyber-Security Strategies", in International Affairs, Vol. 92, No. 1 (January 2016), p. 43-62, DOI 10.1111/1468-2346.12504, https://www.chathamhouse.org/sites/default/files/publications/ia/INTA92_1_03_Carr.pdf.
[9] ENISA, ENISA Threat Landscape 2022, cit., p. 22-23; and ENISA Threat Landscape 2023, October 2023, p. 22-23, https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023.
[10] Council of the European Union, Council Conclusions on the EU's Cybersecurity Strategy for the Digital Decade (6722/21), 22 March 2021, point 2, https://data.consilium.europa.eu/doc/document/ST-6722-2021-INIT/en/pdf.
[11] Jen Easterly and Tom Fanning, "The Attack on Colonial Pipeline: What We've Learned & What We've Done Over the Past Two Years", in CISA News, 7 May 2023, https://www.cisa.gov/node/18129.
[12] European Commission, 2021 State of the Union Address by President von der Leyen, 15 September 2021, https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_21_4701.
[13] Council of the European Union, Cyber Posture: Council Approves Conclusions, 23 May 2022, https://europa.eu/!6VvGNk; and Council Conclusions on the Development of the European Union's Cyber Posture (9364/22), 23 May 2022, point 4, https://data.consilium.europa.eu/doc/document/ST-9364-2022-INIT/en/pdf.
[14] European Commission, Proposal for a Regulation on Horizontal Cybersecurity Requirements for Products with Digital Elements… (COM/2022/454), 15 September 2023, Art. 2(1), https://eur-lex.europa.eu/legal-content/en/TXT/?uri=celex:52022PC0454.
[15] European Parliament and Council of the European Union, Regulation (EU) 2019/881 of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on Information and Communications Technology Cybersecurity Certification… (Cybersecurity Act), http://data.europa.eu/eli/reg/2019/881/oj.
[16] European Parliament and Council of the European Union, Directive (EU) 2022/2555 of 14 December 2022 on Measures for a High Common Level of Cybersecurity across the Union…, http://data.europa.eu/eli/dir/2022/2555/oj.
[17] Maria del Mar Negreiro Achiaga, "The NIS2 Directive: A High Common Level of Cybersecurity in the EU", in EPRS Briefings, February 2023, https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333.
[18] See the steps of Procedure 2022/0272/COD: https://eur-lex.europa.eu/procedure/EN/2022_272; and European Parliament, Legislative Train Schedule: Horizontal Cybersecurity Requirements for Products with Digital Elements, as of 20 October 2023, https://www.europarl.europa.eu/legislative-train/theme-a-europe-fit-for-the-digital-age/file-european-cyber-resilience-act.
[19] To read the text of Art. 11, see European Commission, Proposal for a Regulation on Horizontal Cybersecurity Requirements for Products with Digital Elements, cit.
[20] Tony Anscombe et al., Joint Letter of Experts on CRA and Vulnerability Disclosure, 3 October 2023, https://www.centerforcybersecuritypolicy.org/insights-and-research/joint-letter-of-experts-on-cra-and-vulnerability-disclosure.
[21] Boning Feng, "Threat Intelligence Sharing: What Kind of Intelligence to Share?", in Concordia Blog, 20 August 2021, https://www.concordia-h2020.eu/?p=5655.
The 2023 edition of the Istituto Affari Internazionali's report on Italian foreign policy focuses on the main issues addressed in the international arena by Giorgia Meloni's government – relations with allies and the European institutions, the continuation of the war against Ukraine, energy and climate policies, the rise in migratory pressure, the Israeli-Palestinian conflict – and their implications for the main axes of Italian foreign policy: the European pillar, the Mediterranean perspective and the transatlantic alliance. Specific attention is devoted to Italy's contribution to the European and Atlantic security system, its strategy towards the wider Mediterranean area, its relations with China after the exit from the memorandum of understanding, and its role in multilateral organisations and development cooperation. Alongside these themes, new areas are also explored, such as the attention paid to emerging technologies like artificial intelligence, the growing activism towards the Indo-Pacific and the initiatives in the aerospace sector. A specific focus is devoted to major international events and to the new relationship with Africa, ambitiously outlined in the so-called "Piano Mattei". As usual, the report is the result of the joint work of a group of the Institute's researchers coordinated by the Programma Politica estera dell'Italia, and aims to highlight the salient features of the Meloni government's foreign policy. In the second year of the legislature, it is possible to identify the first elements of continuity and discontinuity with respect to the customary lines of our country's international action.