Abstract
This commentary intends to provide a scholarly reaction on the two papers in this Special Issue, that discuss the emerging European legislation in the field of technology standards. The contribution of Marta Cantero Gamito addresses the (draft) Artificial Intelligence Act (AIA), whereas the contribution of Irene Kamara covers the (draft) Cyber Resilience Act (CRA). Both pieces of legislation use the ‘New Approach’ regulatory technique, whereby the European Commission requests three European standards bodies to develop technical standards in support of its policies in the fields of AI and cyber resilience respectively. Drawing on the findings of these contributions, this paper starts from the premise that through its recent policy initiatives, the European Commission attempts to gain regulatory authority in the technological domains by tightening its regulatory muscle around ETSI. In doing so, the Commission invokes its concerns about ETSI’s legitimacy and procedural safeguards. Yet, as this commentary concludes, such practices are potentially detrimental to the EU’s role as a global technology actor but also to the legitimacy of European standardization.
Introduction
This commentary addresses two contributions to this Special Issue that discuss the recent European legislative initiatives in the field of technology and the role that the European Standards Organizations (ESOs) and in particular, ETSI, play in these initiatives. The contribution of Marta Cantero Gamito addresses the (draft) Artificial Intelligence Act (AIA), whereas the contribution of Irene Kamara covers the (draft) Cyber Resilience Act (CRA). Although fundamentally different, these legislative proposals have two common features that are particularly interesting for European standardization. First, while primarily intended to foster economic integration through the internal market (as suggested by the legal basis of Article 114 of the Treaty of Functioning of the European Union),Footnote1 they are enacted in times when the EU global leadership in the technological sector is high on the Brussels’ agenda. Second, while covering current and emerging technologies, the two proposals also touch upon constitutional issues, including fundamental rights, fairness, values and national security, arguably bringing a new dimension into the traditional domain of product safety regulation.
This commentary argues that through the recent EU legal and policy standardization initiatives, the European Commission does not as such aim to increase the legitimacy of private rulemaking but attempts to assert its authority over the emerging regulatory fields. To that end, the Commission will not shy away from using different tools available in the European standardization toolbox, ranging from adopting ‘common specifications’ where the results of harmonized standards are not satisfactory to the Commission’s requirements,Footnote2 to using its power to ‘demote’ ESOs from the producers of harmonized European standards. This commentary concludes that such practices are potentially detrimental to the EU’s role as a global technology actor but also to the legitimacy of European standardization.
Standardization of emerging technologies
New technologies often call for new methods of their regulation. In the EU, where standards have commonly existed in the realm of product safety, the ‘New Approach’ regulatory technique is increasingly entering the domain of (emerging) technologies, not least in support of the digital single market (Almada and Petit Citation2023; De Vries, Kanevskaia, and De Jager Citation2023). This phenomenon, in part, also alters the very nature of standardization: from voluntary technical rules separating lawyers from engineers, standards are increasingly becoming more ‘ubiquitous’, more ‘normative’ and more ‘binding’. Therefore, it comes as no surprise that the legitimacy of standardization as a regulatory technique, and of standards as a means to support the EU harmonization policy, has recently been questioned by scholars (Eliantonio and Cauffman Citation2020).
As discussed by others in this Special Issue, the concept of legitimacy is multifaced (see De Vries Citation2024; Volpato and Eliantonio Citation2024; and Bijlmakers Citation2024). In general terms, legitimacy revolves around the validity and justification of authority (Buchanan and Keohane Citation2006; Senden Citation2020), and is thus an important component when assessing regulators’ performance. ESOs are no exception to such an assessment. The Commission’s demands for legitimacy of European standardization are apparent from the recent EU Standardization Strategy, where it calls upon ESOs to modernize their governance to ‘fully represent the public interest and interests of SMEs, civil society and users’ and to ‘facilitate access to standards’ (EC Citation2022a). These calls for ‘throughput’ legitimacy imply that the rulemaking authority of the ESOs hinges upon standardization processes that offer sufficient procedural safeguards and are open and inclusive (Kanevskaia Citation2023; Volpato and Eliantonio Citation2024). Legitimacy concerns are also echoed by the recent case law of the European Court of Justice (CJEU)Footnote3 that deals with the legal value of harmonized standards and their public availability. In the technology field, where standards evolved from simply providing interoperability or specifying technical features to important regulatory and policy instruments, legitimacy demands are especially apposite.
Artificial Intelligence (AI) and cybersecurity (and cyber resilience) are fundamentally different and cannot be compared, also due to their different regulatory history. Cybersecurity standardization as such is not new in the EU and, as explained in Kamara’s contribution (Kamara Citation2024), ESOs have been developing (cyber)security standards for quite a while. In turn, the European proposal to regulate AI by the means of the ‘New Approach’ is very recent, even though the initiatives for AI standardization have been unfolding before the first draft of the AIA saw the light in April 2021, both in intergovernmental standards bodies like the International Organization for Standardization (ISO) and International Telecommunications Union (ITU) and as well as in private standards bodies or single-actor initiatives of large tech companies (Cantero Gamito Citation2021).
From the technical perspective, standards allow to develop and use (elements of) technologies relevant for AI and cybersecurity systems. From the economic perspective, standards support economic integration through harmonization, ensuring that products and systems can be legally marketed in the EU. From the (geo)political perspective, looking inwards, they help strengthening resilience and national security whereas looking outwards, they contribute to European technological leadership (EC Citation2022a). From the constitutional perspective, standards interfere with fundamental rights and values (Senden Citation2020). From a normative perspective, they provide architecture constraining our behaviour, sometimes in ways that are comparable to laws (see, by analogy, Lessig Citation1999). Cantero Gamito refers to it as providing ‘a framework for public order’ (Cantero Gamito Citation2024), while Kamara refers to the ‘para-law or post-law functions’ of standards (Kamara Citation2024). The interplay of these perspectives makes technology standardization challenging but also exceptionally interesting to study.
In a traditional ‘New Approach’ fashion, the AIA and CRA impose obligations – essential requirements – for economic actors to comply with, while delegating the definition of these essential requirements to harmonized standards developed in the ESOs, and to conformity assessment procedures performed by private actors. Both legislations use technical standardization to support European policy goals. In this regard, the contributions of Cantero Gamito and Kamara question the appropriateness of the European standardization system that was meant primarily for product safety, for the fields of AI and cybersecurity respectively. Cantero Gamito warns that once the questions pertaining AI regulation and governance become ethical and cannot be solved by technical standards only, the current legislative proposal can be viewed as providing too much freedom for private actors to decide on constitutional and fundamental rights issues (Cantero Gamito Citation2024). Kamara, in turn, demonstrates shortcomings in the implementation of the ‘New Approach’ to achieve European cyber resilience goals, focusing on the lack of participation and representation of a broader scope of the relevant actors in standardization processes, as well as on the absence of a meaningful inter-institutional collaboration between ESOs (Kamara Citation2024).
ETSI as a traditional standards developer in the technology sector
Out of the three ESOs, ETSI has established itself as a leader in the development of technology standards. ETSI’s work spans mainly across technological and digital elements, while the traditional focus of CEN and CENELEC is more on product safety (although, as seen from Kamara’s contribution, CEN/CENELEC have also been active in technological domains (Kamara Citation2024)). As the overlaps between CEN/CENELEC and ETSI are increasing, so does the institutional competition between these bodies which, as I explain below, also has implications for the legitimacy of the European standardization system.
Cantero Gamito discusses several ETSI initiatives on standardizing technologies for AI security, including the Industry Specification Group on Securing Artificial Intelligence (IG SAI) and the Operational Co-ordination Group on AI (OCG AI) (Cantero Gamito Citation2024), whereas Kamara highlights that standards relevant for the CRA proposal are already being developed in the ETSI’s Technical Committee (TC) devoted to cyber standardization (Kamara Citation2024). ETSI thus clearly provides an institutional framework for current and future standardization efforts in the fields of AI and cyber. Moreover, ETSI’s standardization work in these domains is linked to international efforts, such as those in ISO/IEC JTC1/SC 42 (AI) ISO/IEC JTC1 (cyber), and ETSI seems to be an attractive standardization venue among the industry actors (see also Temple Citation2024).
Both contributions agree that ETSI is emerging as a non-traditional regulatory authority, and that this increasing regulatory role also implies a growing authority to decide on value-laden and constitutional questions. However, while ETSI TC Cyber seems to be already involved in developing harmonized standards supporting the CRA, the Commission in its recent standardization request has excluded ETSI from developing harmonized standards supporting the AIA, citing legitimacy concerns and governance issues pertaining to ETSI, including the influence of foreign firms.Footnote4 Remarkably, ESOs’ governance processes have hitherto received little attention from the Commission, who seemed reluctant to interfere in ESOs’ self-regulation. Together with the recent Standardization Strategy (EC Citation2022b), ETSI’s exclusion represents a significant shift in the Commission’s approach to ESOs’ governance, and one that focuses on inclusiveness and procedural safeguards. The remainder of this commentary suggests which consequences the Commission’s exertion of influence on ETSI may bring for European standardization and why the Commission might seek to re-visit its ‘hands-off’ approach to ESOs’ governance.
The Commission’s efforts to curb ESOs’ regulatory authority
ETSI’s exclusion from the AIA standardization request may indeed be seen as an attempt to increase the legitimacy of harmonized standards, not least through ensuring that ETSI has sufficient procedural safeguards. However, if such practice persists, it may have a negative effect on the EU position in standardizing the technology sector. Cantero Gamito argues that ETSI’s exclusion is not only detrimental to the EU’s role as a global actor since it limits its possibilities to promote its global values, but also to the AI in general due to excluding the expertise that has been accommodated in ETSI (Cantero Gamito Citation2024).
This commentary suggests that changing ETSI’s governance, even if these changes are only meant to affect harmonized standards, may trigger responses at the global level. In this regard, it should also be noted that ETSI forms a backbone of 3rd Generation Partnership Project (3GPP) – a global consortium of regional standards bodies and large industry players that oversees the development of among others, standards and specifications enabling 5G connection. Similarly to cybersecurity standardization, where the parallel work of CEN/CENELEC and ETSI results in unnecessary duplication of standardization efforts, this duplication may also span to the other tech sectors, including the AI, which in a longer run will result in global fragmentation of the tech industry. At the same time, redefining ETSI’s role in the development of harmonized standards may also deter foreign firms from participating in ETSI’s processes, since they will be less likely to influence them. And while the latter consequence is arguably precisely the intention of the new European standardization strategy, it is questionable whether such chain reaction will be beneficial for the other objective of the strategy, namely strengthening the EU’s role in global standardization. Furthermore, domestic EU firms will likely follow the lead of global industry and bring their standardization efforts either to the global standards bodies like ITU and 3GPP, or to private consortia, the latter arguably often lacking procedural guarantees (Delcamp and Leiponen Citation2014).
Kamara underscores the importance of cooperation between the three ESOs in the cybersecurity sector (Kamara Citation2024). Since formal collaboration is already lacking, it is very unlikely to improve with the attempts to exclude ETSI from developing harmonized standards in sectors different than cybersecurity, but which still are critical for the European policy, such as the AI. Kamara highlights that openness and inclusiveness, promoted by the Commission, should also be translated to ESOs cooperation, and questions whether current flexible collaboration is sufficient to effectively address cybersecurity risks (Kamara Citation2024). Taking this argument a step further, this commentary suggests that the lack of intra-ESO competition may negatively affect the balance between ESOs. This is because as the Commission’s support and trust towards ETSI decreases, ETSI becomes a less equal of a counterpart to CEN/CENELEC, which in turn endows the latter with more power. This also may give the impression that CEN/CENELEC by definition satisfy the Commission’s demands for procedural safeguards – an impression that is incorrect since the European Standardization Strategy’s proposal to modernize governance concerned all three ESOs (EC Citation2022b).
Counterintutively, ETSI’s exclusion will lead to more inconsistency between European standards and the policies they underpin, rather than increase their legitimacy. By using its carte blanche to appoint and dismiss the ESOs through standardization requests, the European Commission shows its teeth towards private regulatory actors that for a long time were subjected to very little control and a very large discretion when structuring their governance processes.
It remains to be seen whether and to what extent the Commission will continue using the different tools it has at its disposal to curb ESOs when it is not satisfied with their governance, and how such interference with private processes will be viewed from the industry perspective. On the one hand, the growing control by the Commission is welcomed from the public law perspective, especially since the Commission is increasingly acquiring responsibility for harmonized standards.Footnote5 On the other hand, employing these tools may also give rise to uncertainties among private actors and ultimately interfere with private regulation in Europe. So far, ETSI demonstrated the importance it attaches to its status as an ESO by amending its Directives. Yet, ETSI’s perspective may change should the Commission’s interference with its governance processes become more common.
Concluding remarks
Kamara notes in her contribution that the EU law and policy is moving towards reactive and proactive measures (Kamara Citation2024). Standardization is no exception. Perhaps desirable from the legitimacy and democracy viewpoint, the Commission’s recent communications and policies depict its growing concerns about power relationships in the digital era. ESOs are undoubtedly becoming a source of power due to the vested knowledge and experience, but also because of their emerging function of translating European values into technical requirements and eventually, into (geo)political power. At the same time, and as submitted by this commentary, placing additional restraints on ESOs is undesirable in light of the institutional balance, consistency of the European policymaking and the EU’s global role in technology development.
Addressing legitimacy issues in the technological sector is a complex undertaking, but overpowering private actors may not lead to the optimal solution. Rather, more effort should be put into finding tangible and meaningful ways to strengthen public–private partnership and promote cooperation between industry, ESOs and global standards bodies, either through more forward and outwards looking policies that support global cooperation, or through inclusive operational frameworks of standards bodies.
Acknowledgement
I would like to thank Zuno George Verghese and two reviewers for their insights and feedback on a number of issues discussed in this commentary.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Additional information
Notes on contributors
Olia Kanevskaia
Olia Kanevskaia is an assistant professor of European Economic Law and Technology and a researcher at Utrecht Centre for Regulation and Enforcement in Europe (RENFORCE).
Notes
1 Note however that AIA has a secondary legal basis of Article 16 FTEU (fundamental rights).
2 See Article 41 Proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts [8115/21 – COM (2021) 206 final] (‘AIA’).
3 C-588/21 P, Public. Resource.Org and Right to Know v Commission and Others, ECLI:EU:C:2024:201.
4 See the news coverage of this issue by Luca Bertuzzi, Commission leaves European standardization body out of AI standard-setting, EURACTIV (9 December 2022), available at https://www.euractiv.com/section/artificial-intelligence/news/commission-leaves-european-standardisation-body-out-of-ai-standard-setting/.
5 See above n 3.
References
- Almada, M., and N. Petit. 2023. “The EU AI Act: A Medley of Product Safety and Fundamental Rights.” SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4308072.
- Bijlmakers, S. 2024, Forthcoming. “Commentary on Volpato and Eliantonio, Temple and De Vries: ETSI’s Legitimacy as an ESO in Times of Crisis.” Innovation: The European Journal of Social Science Research.
- Buchanan, A., and R. O. Keohane. 2006. “The Legitimacy of Global Governance Institutions.” Ethics & International Affairs 20 (4): 405–437. https://doi.org/10.1111/j.1747-7093.2006.00043.x.
- Cantero Gamito, M. 2021. “From Private Regulation to Power Politics: The Rise of China in AI Private Governance through Standardisation.” SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3794761.
- Cantero Gamito, M. 2024. “The Role of ETSI in the EU's Regulation and Governance of Artificial Intelligence.” Innovation: The European Journal of Social Science Research.
- Delcamp, H., and A. Leiponen. 2014. “Innovating Standards through Informal Consortia: The Case of Wireless Telecommunications.” International Journal of Industrial Organization 36: 36–47. https://doi.org/10.1016/j.ijindorg.2013.07.004.
- De Vries, H. 2024, Forthcoming. “Legitimacy of the European Telecommunication Standards Institute ETSI in the Context of the European Standardisation Strategy, Innovation.” The European Journal of Social Science Research.
- De Vries, S., O. Kanevskaia, and R. De Jager. 2023. “Internal Market 3.0: The Old “New Approach” for Harmonising AI Regulation.” European Papers 8 (2): 583–610.
- Eliantonio, M., and C. Cauffman, eds. 2020. The Legitimacy of Standardisation as a Regulatory Technique: A Cross-disciplinary and Multi-level Análisis. Cheltenham: Edward Elgar Publishing.
- European Commission. 2022a. “Draft Standardisation Request to the European Standardisation Organisations in Support of Safe and Trustworthy Artificial Intelligence.” European Commission, December 5, 2022. https://ec.europa.eu/docsroom/documents/52376.
- European Commission. 2022b. “An EU Strategy on Standardisation. Setting Global Standards in Support of a Resilient, Green and Digital EU Single Market”, COM(2022) 31 final. https://ec.europa.eu/docsroom/documents/48598.
- Kamara, I. 2024. “European Cybersecurity Standardisation: A Tale of Two Solitudes in View of Europe’s Cyber Resilience.” Innovation: The European Journal of Social Science Research.
- Kanevskaia, O. 2023. The Law and Practice of Global ICT Standardization. Cambridge: Cambridge University Press.
- Lessig, L. 1999. Code and Other Laws of Cyberspace. New York: Basic Books.
- Senden, L. 2020. “Towards a More Holistic Legitimacy Approach to Technical Standardisation in the EU.” In The Legitimacy of Standardisation as a Regulatory Technique: A Cross-disciplinary and Multi-level Analysis, edited by M. Eliantonio and C. Cauffman, 20–47. Cheltenham: Edward Elgar Publishing.
- Temple, S. 2024, Forthcoming. “In a Competitive Market It Is the Market That Determines the Legitimacy of a Standard, Innovation.” The European Journal of Social Science Research.
- Volpato, A., and M. Eliantonio. 2024. “The Participation of Civil Society in ETSI from the Perspective of Throughput Legitimacy, Innovation.” The European Journal of Social Science Research 1–17.