.png)
10 months ago
31
The key to building a successful technology business is to grow at speed, and to do that we need to tap into the 500 million consumers on our doorstep. That’s why digital companies strongly support the EU single market and the idea of having one set of rules instead of 27.
Cecilia Bonefeld-Dahl, Director General of DIGITALEUROPE.
Unfortunately our digital laws are starting to resemble a regulatory spaghetti bowl. And as we scramble to strike a deal on landmark laws on AI and cybersecurity, we risk further entangling. As we enter this last, crucial phase in negotiations, let’s not forget that today’s compromises could turn into tomorrow’s headache for Europe’s competitive edge.
Only 8% of the world’s unicorns – young companies valued at one billion dollars – originate from Europe. This percentage has stagnated in the past four years.
Why? According to our community of promising small tech companies, regulatory burden and complexity is one of the top three barriers to growth.
The problem then worsens when EU laws trickle down to Member States, resulting in a maze of national bodies, sometimes duplicated regionally, all interpreting and enforcing the rules differently. In Europe, only 8% of SMEs trade across one internal EU border, a figure that has not changed over the past five years.
It is therefore no wonder that companies seek to grow elsewhere. According to Sifted, 20% of French unicorns have shifted their HQ to the US in the past year.
Overall, DIGITALEUROPE’s members report spending on average 15% more on compliance than five years ago, and there are more laws to come. In Brussels it is crunch time for both the AI Act and the Cyber Resilience Act (CRA). Two huge files that have been years in the making. Legislation that will affect millions of products in the EU market, as well as software, in two of the areas that will generate the most growth in the next few years – IoT and artificial intelligence.
The AI Act and the CRA will not exist in isolation, and will be layered on top of sectoral rules. Take healthcare, a sector that is digitalising very fast but is also covered by the Medical Device Regulation (MDR).
Let’s imagine you are a medium-sized company from Portugal that has developed new AI-powered medical imaging equipment capable of catching tumours that doctors could miss. A potentially life-saving tool.
Classified as high-risk under the AI Act, it would face extra compliance checks and paperwork to ensure it is safe. However, it will also have to comply with a different system under the medical devices regulation, entailing a whole other set of authorities, forms and hoops to jump through to ensure again the safety of exactly the same product. The Commission itself estimated the cost of complying with the AI Act alone as €300,000, a conservative estimate that overlooks the added complexity of overlapping laws.
Regulatory confusion will be particularly present in areas like cybersecurity. When there is a cyber breach, or ‘incident’, you must report it to the authorities. However, the MDR and AI Act differ in their definitions of a ‘serious incident’. Therefore, in a worst-case scenario the company could potentially need to submit up to 54 separate notifications or reports – one for each national authority under both the AI Act and the MDR.
This company would also be subject to the GDPR and the large swathe of new data rules. GDPR was a landmark regulation, but a common complaint is that each data protection authority interprets it in a different way.
Can I share my data or not? Can I transfer data from my European factory to my customers and suppliers in the US? These should be simple questions but there are multiple answers depending on who you ask.
On top of data protection authorities (one in each Member State and sometimes per region – looking at you, Germany), each Member State will have one or more authorities to administer the new data rules stemming from the Data Act, as well as a new authority to certify AI systems. Not to mention the vast web of different cyber authorities and rules at both EU and national levels.
The CRA will also add rules, from risk management to reporting, with again more technical standards and authorities getting involved in regulating exactly the same product.
Luckily, medical devices are excluded from the CRA, recognising the medical device regulations already have cyber safeguards, but if you’re an Italian company making industrial robots, or any other connected product, you’ll be in no such luck.. The AI Act, GDPR, Data Act and CRA (not to mention the Machinery Regulation and other rules) will all apply to you.
If I were the CEO of one of these companies, I think I might give up. Wouldn’t you?
As our recent manifesto said, we believe that Europe can be a digital powerhouse. But we must take issues of regulatory overlap seriously.
President Von Der Leyen’s target of 25% reduction in business reporting is a fantastic start. Our own manifesto calls for a 50% decrease by 2030, taking into account all the barriers between and within member states. We must tackle the complexity that already exists.
But the sad truth is that once a barrier is in place, it is extremely difficult to shift it. Around two thirds of the barriers identified by the Commission have been in place for two decades.
Better not to create them in the first place.
The laws on AI and cybersecurity being negotiated right now could help solve some of these issues, or make them worse. We have the opportunity to make it easier for our best innovators to scale, and to stay, in Europe, but time is running out.
English (US)