In today’s edition, we go digital by analysing a new piece of EU legislation and a crucial digital initiative by the United Nations. Enjoy!
The European Cybersecurity Certification Scheme
Last week, the European Commission marked a significant milestone by adopting the inaugural European Cybersecurity Certification Scheme, aligning it with pertinent European legislation. This ground-breaking system establishes EU-wide standards and procedures for certifying ICT products throughout their lifecycle, enhancing their trustworthiness for users. As outlined in a communication from Brussels, certification offers formal acknowledgement that products can be relied upon to safeguard both hardware and software components citizens utilise daily.
This voluntary scheme complements the Cyber Resilience Act, which mandates cybersecurity requirements for all hardware and software products within the European Union. Adopting this certification system signals a pivotal stride toward fostering a trustworthy EU digital single market. It forms an integral piece of the broader EU cybersecurity certification framework currently under development. Notably, this advancement will bolster the implementation of the NIS 2 directive.
Scheduled for imminent publication in the Official Journal of the European Union, the scheme will come into effect 20 days later. With a focus on holding hardware, software, and services manufacturers accountable within the 27 Member States, this certification initiative underscores the European Union’s commitment to cybersecurity strategy. While the Cybersecurity Act addresses products already in circulation through voluntary certification, forthcoming regulations such as the Cyber Resilience Act will mandate cybersecurity considerations throughout product development and lifecycle management.
While this marks the inaugural certification, more are anticipated, particularly in critical areas such as 5G and cloud services, which are pivotal to the digital future. The European Commission has also proposed incorporating managed security services, offering vital protection for small and medium-sized enterprises.
This development is pivotal in the ongoing competition for economic dominance among the US, the EU, and China in the global technological landscape. Although the scheme is voluntary, market dynamics are expected to drive manufacturers worldwide toward obtaining such certification, with a ‘cybersecurity sticker’ likely becoming a prerequisite for market viability.
Admittedly, prices may rise as a result, underscoring the undeniable cost of cybersecurity. Certified hardware, software, and services may witness initial price increases. However, given the dynamic nature of cybersecurity and the scalability of the sector, market absorption of these costs is anticipated, accompanied by substantial benefits.
This landmark initiative aims to fortify cybersecurity within the EU and sets a precedent for global standards, emphasising the importance of robust cybersecurity measures in an increasingly digitised world.
The UN’s Global Digital Compact
UN Secretary-General António Guterres launched the Global Digital Compact initiative in the report Our Common Agenda, published on 21 September 2021.
Its goal is to reach a worldwide understanding of digital technologies under the motto of sharing, freedom and security.
The Global Digital Compact stems from the consideration that, in addition to representing an enormous opportunity for achieving the sustainable development goals set by the UN in its 2030 Agenda, if misused, digital technologies can fuel divisions between states, undermine human rights and increase inequality.
Therefore, according to the UN, international cooperation is indispensable to reap the benefits of digital transformation while reducing its risks: it is called upon to establish shared principles that help build an open, free and secure digital future for all.
With the GDC, states are called upon to agree on seven issues listed by the UN Secretary-General in his report Our Common Agenda.
1. Connect all people to the Internet, including all schools.
2. Avoid Internet fragmentation (i.e. stopping individual states from preventing or limiting their citizens’ access to the Internet or creating national networks isolated from the rest of the digital world).
3. Protect personal data.
4. Enforce human rights also online.
5. Introduce accountability criteria to counter discrimination and misleading content.
6. Promote the regulation of artificial intelligence.
7. Digital commons as a global public good.
In addition to these seven pillars outlined by Guterres, organisations and individuals can suggest other issues to be included in the Global Digital Compact.
According to the roadmap set by the UN, the Global Digital Compact is to be signed on 22 and 23 September 2024, during the so-called Summit of the Future, convened by the UN Secretary-General to discuss not only digital but all the most critical issues for the world’s future.
However, some issues need to be addressed.
On 21 August 2023, ICANN, APNIC and ARIN (three of the most influential organisations that manage Internet governance) publicly denounced the marginalisation, if not outright exclusion, of the ‘tech community’ by the GDC.
According to these organisations, the realisation of the GDC requires a significant shift of control over the entire digital ecosystem into the hands of international organisations, such as the UN, which can recursively declare the existence of ‘rights’ and then invoke their respect by member states, thus justifying moral suasion and ‘interventionist’ political choices (i.e. to decide bans on connection to the transport networks of ‘rogue countries’ or to redefine data traffic routes to avoid certain geopolitical areas).
Such a scenario mainly concerns the Big Internet (namely, the few corporations serving as gatekeepers to the digital realm), which, as the war in Ukraine has shown, has assumed crucial political and strategic importance.
As a result, a subtle concern arises from the controversy surrounding critics of the GDC’s purpose: it may be time for states to realise that the governance of the Big Internet cannot continue to be handled solely by entities claiming technical neutrality while seeking to influence state decisions without being subject to public oversight.
For instance, we can consider the incident where one such entity autonomously declined to sever Russia’s connection to the IP number assignment system, as requested by the Ukrainian government, to isolate it from global connectivity. Another example is the objection to the EU’s decision to fund a Union ‘DNS resolver,’ which translates numerical sequences into user-friendly Internet addresses.
In light of such occurrences, it’s inevitable to question how an entity lacking political legitimacy but asserting a purely technical role can make decisions impacting state and military strategies or engage in debates on matters subject to dispute, albeit made within the framework of power delegated by international treaties, such as the case with the EU.
While this issue is familiar, it has yet to garner significant attention on national and international political agendas. This is mainly due to the flexible management of Internet governance regulatory aspects, which have historically operated with less formality than full integration into the executive apparatus.
Times have evolved, with countries increasingly intolerant towards boundaries limiting their control over telecommunications resources. Notably, Russia has enacted legislation in this regard, and the EU, alongside initiatives like the Union DNS resolver, is pursuing data transport independence, investing in submarine cables to route information through networks of non-hostile countries.
In conclusion, the dispute between organisations and the UN reflects a broader perspective, highlighting the involvement of not only states or their representative organisations but also industries and grassroots entities whose influence has surpassed institutional foresight. It underscores the growing role of soft power in international relations, particularly concerning those overseeing information technologies.
The UN’s involvement in Internet governance, whether de facto or de jure, signifies that decisions in this realm can no longer be in the sole hands of the ‘tech community’ but must also consider and respect guidance from the General Assembly and, in severe cases, the Security Council.
If this analysis holds, the romantic concept of a genuinely neutral, borderless, and ‘self-governing’ network is relegated to history, replaced by the incorporation of the Big Internet into potential arenas of geopolitical confrontation and contention.