The European Union has an unusual IT strategy. While the US prioritizes the development of global tech giants, the EU focuses on becoming the sector’s leading regulator.
In 2022, the bloc launched two sweeping sets of stringent new rules: the Digital Markets Act (DMA), which seeks to bolster competition in online services, and the Digital Services Act (DSA), which aims to protect people from online harm. Analysts expect the regulatory drive to accelerate next year.
“The only thing we can be certain about is that there will be more regulation next year, and increased enforcement of it,” said Alan Calder, CEO of GRC International Group, a global provider of IT governance, risk management, and compliance solutions.
To gauge the details, TNW asked IT experts across the bloc what they predict from the EU’s policies in 2023. All expect significant changes in legislation, with certain technologies particularly prominent in their forecasts.
Our experts expect significant developments in cyber security regulation. Kostas Rossoglou, Shopify’s Head of Public Policy and Government Affairs for EMEA and International, highlighted the importance of the Digital Operational Resilience Act (DORA).
The recently adopted regulation aims to harmonize the financial sector’s approach to cybersecurity. To comply with the rules, organizations will need to review legacy IT systems and potentially invest in new software. This may be costly in the short term, but Rossoglou is optimistic that it will pay off. He expects levels of security to increase, thereby limiting attacks, reducing downtime, and saving cash.
“Although it will be a couple of years before mandatory compliance, it will eventually put financial organizations in a much stronger position for handling outages, leaks, unauthorized access, and data loss,” he said. “Within the highly sensitive information that the financial sector holds, this is incredibly important.”
Another proposal working its way through the EU is the Cyber Resilience Act. This regulation will establish cybersecurity requirements for connected devices, which will provide consumers with transparency on practices, testing, and general functions.
The legislation is currently going through a consultation process. Rossoglou recommends organizations keep a close eye on its progress next year.
“It is likely to be a year or two before it is finalized and then organizations will be given a 24-month transition period to comply,” he said. “However, it is never too soon to be aware of upcoming changes. Regularly monitoring for updates will ensure that businesses are prepared for the changes in good time.”
Indeed, these preparations could become increasingly crucial. Calder predicts that new EU rules will be accompanied by stricter enforcement.
“The whole area of cyber security will, in particular, experience a ratcheting up in terms of regulation, and regulatory enforcement as the EU Commission moves to force organizations to take cyber security steps they’re failing to take voluntarily,” he said.
The EU is also developing new regulation for artificial intelligence, which is based on the technology’s potential to cause harm. Named the AI Act, the legislation will force anyone who wants to use, build, or sell AI products and services within the EU to follow the rules.
“It is expected that the legislation will set a precedent for other jurisdictions to evolve or follow,” said Matt Peake, Global Director of Public Policy at ID verification firm Onfido. “The framework is designed to be risk-based, so that the level of regulation will depend on the level of risk.”
According to a global survey by Accenture, the rules will have a deep impact. Some 95% of respondents said at least part of their business will be affected by the EU regulations.
Accenture’s researchers expect a risk management framework to become necessary for compliance with the AI Act. They also predict the regulation will be adopted before the end of 2023, with a two-year grace period before the rules come into force. That timetable, however, may be less generous than it appears.
“Our experience working with large organizations on major enterprise-wide compliance programs (e.g. GDPR, Responsible AI) suggests that it could easily take as long as two years to establish all the necessary controls they will need to be compliant,” the research team wrote in a report.
Follow the money
Cryptocurrencies are becoming a focal point of tech regulation. In the EU, a growing range of controversies has led the bloc to develop new legislation for the sector.
“I think 2023 will be a landmark year for crypto regulation,” said Ivan Liljeqvist, cofounder and CEO of Moralis, a Web3 API provider.
Liljeqvist highlights the importance of the Markets in Crypto Assets (MiCA) bill. In February, the European Parliament is expected to vote on the bill — the first comprehensive crypto regulation on the continent.
With Big Tech getting into Web3 and the metaverse, competition is likely to heat up over the next few years — which could invite more regulatory scrutiny. The European Union recently introduced its Markets in Crypto Assets (MiCA) legislation, but even insiders from the EU Commission agree some of the phrasing around NFTs is ambiguous and even straight-up inaccurate.
The proposals could become integral to the European Commission’s future digital finance strategy. In addition, they may provide a reference point for other regulatory bodies.
“While the bill is unlikely to be rolled out until the end of the year, whenever we are dealing with legislative firsts I think the expectancy is for legislators to be cautious and over-regulate rather than under-regulate,” said Liljeqvist.
“What I want to see, and what I think others in the market want to see, is regulation that is sensible rather than stifling, protecting the principles of innovation and competition. I believe the most important thing is for the bill to be open-minded and flexible enough to be revised depending on how markets develop.”
Liljeqvist wasn’t alone in expressing caution. Jake Stott, CEO of Web3 creative agency Hype, is concerned about the impact on the market.
“As tech behemoths like Meta, Reddit, Google and Apple continue to venture into Web3 and NFTs, the regulatory situation could quickly escalate, triggering even more uncertainty in the market.”
Some critics, however, argue that the EU needs to be quicker to regulate the sector. Martin Magnone, co-founder and CEO of credit company Tymit, believes the new legislation will only start to make an impact in 2024.
“If the EU is to successfully take a stronger stand, they must move at a faster pace in line with industry movements,” he said.
The payment sector, meanwhile, is preparing for the European Commission’s review of the PSD2, an EU regulation for online transactions.
Industry insiders have high hopes for the review, which is slated for 2023. They believe it could lead European SMEs and consumers to receive better payment outcomes — at a better price.
Under the current rules, only credit institutions can access European payment schemes. As a result, non-banks and more innovative firms must go through traditional banks to benefit from the schemes.
“This creates dependencies on credit institutions and their legacy systems; single points of failure; and increases the cost of payment services offered by non-credit institutions to European SMEs and consumers,” said Elanie Steyn, Director of Operations at payments platform Modulr.
“Should the PSD2 review include consideration on which institutions can directly access and settle European payments, the impact could be seismic. Opening access has the potential to level the playing field, create greater competition, and lower payment costs for all Europeans.”
Indeed, many of the experts we spoke to expect the EU to prioritize open access.
“The EU’s main focus for 2023 will still be the Big Tech platforms and achieving their goal of making them more open and interoperable,” said Tymit CEO Martin Magnone.
“The measures introduced so far to moderate the monopoly of large tech companies, from labor laws to taxes, have only been partially effective and not yet produced the desired effects. In 2023, we will see the EU make further strides to remedy this and achieve its open access goals.”