Simplification of EU regulation must be comprehensive and based on careful impact assessment
The competitiveness of Europe’s tech sector depends largely on an enabling legislative framework. To be enabling, the legislative framework must be coherent and understandable. Thus, CSC warmly supports the Commission’s Digital Omnibus initiative to simplify EU regulation in the fields of data, cyber and AI. This must be done without rushing, ensuring careful and comprehensive impact assessments that take into account all legislation that is linked to these fields.
When it comes to data, legislation must be developed from the starting point of getting more value out of data created for Europe. Currently a great deal of the value of European and Europeans’ data is created outside Europe due to the dependence on non-European data platforms. It is critical for Europe to find ways of tackling data leakage from Europe and turning the value streams towards Europe instead. For this to happen, legislation is only one part of the solution. In addition, the EU must take concrete action to strengthen the building of European competences and capabilities, for example in the form of investing in pan-European data infrastructures that can act as platforms for researchers and companies to innovate, scale, grow and compete.
Where the need for data regulation arises, the rule of thumb must be to always build on community-developed standards and practices, enshrining them in law as needed. Another key point is to ensure uniform application of EU legislation across the Union, to avoid the kind of fragmentation that we have seen with the GDPR, which hinders cross-border data flows between Member States and thus stands in the way of data-driven research, innovation and value creation.
As to cybersecurity-related incident reporting obligations, these are particularly challenging for SMEs, as they often lack dedicated cybersecurity teams while being frequent targets for cyberattacks due to weaker defences. Many SMEs are not fully aware of whom to report to, when to report, or how to report incidents. Companies may also need to report under GDPR if personal data is involved, adding another layer of complexity. Therefore, simpler requirements and clearer guidelines are needed.
Smooth application of the AI Act rules also requires clear EU-wide guidelines, as some parts of the Act are somewhat ambiguous. The resulting uncertainty may lead to several missed opportunities if companies decide to drop AI-related business ideas just to be sure of not breaking any rules. In particular, guidelines are needed to clarify the impact of copyright on AI development and to remove any incoherence between the AI Act and copyright regulation. The AI Act also partly overlaps with sector-specific regulations, especially in the health sector. These overlaps must be identified and removed. In addition to simplification and clarification efforts, the Commission must look into providing companies with tools for analysing the simultaneous impact of several different regulations, similar to what Lean Entries (leanentries.com) is developing.
As digitalisation is a systemic change in the whole society, it is not sufficient to focus only on renewing digital legislation; all other legislation must also be reviewed in order to identify barriers, gaps and any kinds of linkages that might hinder the coherence of the overall legislative framework with regard to digital and data. The key aim must be to ensure coherence across all legislation, which requires cross-administrational cooperation and collaboration in the preparation of laws, at EU and national levels. Also, a clear common understanding of the drivers behind simplification and improving our structures must be kept in mind. Competitiveness of the European digital sector and tech and data sovereignty are in CSC’s view the key drivers, and all legislation must be geared towards this.
Contact
Irina Kupiainen
Irina Kupiainen is responsible for CSC’s Public Affairs.