11. The Economic Impacts of the Proposed EUCS Exclusionary Requirements: Estimates for EU Member States
- Author:
- Matthias Bauer and Philipp Lamprecht
- Publication Date:
- 10-2023
- Content Type:
- Working Paper
- Institution:
- European Centre for International Political Economy (ECIPE)
- Abstract:
- The EU Agency for Network and Information Security (ENISA) is proposing a far-reaching “European Cybersecurity Certification Scheme for Cloud Services“ (EUCS) to be established in the European Union (EU). According to the latest draft of August 2023, leaked by Politico in September 2023, the proposed EUCS would by design prevent non-European vendors from providing “high assurance level” cloud services in the EU. In this study, we show that the proposed “immunity” requirements, i.e., foreign ownership and headquarter restrictions, local staff requirements, and data localisation would lead to significant losses in Member States’ aggregate economic activity and drive a big wedge between economic growth in the EU and the growth of non-EU economies. The projected losses in annual EU GDP will vary from EUR 610 billion to EUR 29 billion within approx. two years of implementation, contingent upon the specific sectoral coverage of high-assurance use cases under the cloud service evaluation level CS-EL4. The results fit into the overall picture of EU digital policy, which has weakened rather than strengthened the competitiveness of EU industries in the past. Our findings align with the broader impacts of EU digital policy, which runs the risk of exacerbating the growth gap and technology disparity between the EU and other advanced economies. Cloud services have become increasingly popular and integral to Europe’s economy. Cloud services are granting businesses of all sizes equal access to global data and resources, stimulating collaboration, and bolstering competitiveness. Advanced cloud services are levelling the playing field in domestic commerce and international trade. Smaller enterprises can harness advanced IT capabilities, particularly cloud-based supply chain management, to streamline their operations. Cloud computing solutions are also playing a crucial role in modernising public services, offering transformative potential for government administrations and service quality. Cloud services adoption is expected to grow substantially in the years ahead, driven by data analytics, AI applications as well as quantum and edge commuting solutions. The global cloud computing market is on a rapid growth trajectory and is expected to reach some EUR 2,080 billion by 2030. Industry forecasts indicate that cloud services and transversal cloud-based technologies like AI applications, quantum, and edge computing will experience consistent growth in innovation and are increasingly finding broader applications across various industries. Overall, the global market for IT services is highly competitive and dynamic, with global cloud service providers competing against a broad range of IT service providers of varying scale, including on-premises hardware vendors, private and co-located data centre providers and software providers. Despite showing a trade deficit in international cloud services trade, trade in ICT and digitally enabled services is not a one-way-street for the EU. Recent trade data reveals that the total value of EU exports in digital and digitally enabled services to the rest of the world is roughly equivalent to the total value of EU imports from the rest of the world. This balance in trade is also observed in EU digital trade with the US, where EU exports of ICT services to the US nearly match US exports of digital services to the EU. The proposed EUCS exclusionary requirements entail various negative consequences. As recognised by the European Commission’s latest progress report on digitisation in the EU, European companies have yet to reach the “Digital Decade” targets, especially when it comes to embracing cloud-supported technologies such as AI and big data, as the adoption of digital technologies remains significantly below these objectives.[1] Exclusionary requirements would create operational inefficiencies and increased production costs for cloud services providers and cloud adopters. They would undermine investments in the domestic economy, resulting in reduced international trade, competition, and innovation. The imposition of exclusionary requirements by the EU could create a domino effect of restrictions caused by retaliation and protectionism. Data localisation and nationality requirements stifle innovation and competition, particularly in data-driven industries. The creation of redundant capacities in the EU would have adverse environmental impacts, including increased energy consumption, land use, and electronic waste. Immunity requirements would increase rather than mitigate cybersecurity risks, creating a security deficit for EU cloud adopters that lose access to proven global risk detection and prevention solutions. This study provides estimates of potential GDP and industry output effects from the implementation of exclusionary requirements under the proposed EUCS framework.[2] It is shown that the strict “immunity” requirements in the EUCS cybersecurity certification framework would severely limit European customers’ access to advanced technologies, innovation and global ICT industry growth trends. The study’s findings highlight the significant economic consequences of potential restrictions on access to global cloud services across three scenarios of different sectoral coverage. It is shown that even in the least restrictive scenario, where “immunity” requirements would only be applied to a narrow spectrum of sectors and highly critical use cases, the reduction in the EU’s annual GDP could be substantial. In scenario 1 (broad critical sector coverage), reflecting political demands of the current French government, the EU’s annual GDP is projected to decrease by 3.9% when accounting for lost cloud capacities and forgone cloud capacity and productivity growth, within 2 years of implementation. For scenario 2 (medium critical sector coverage) and scenario 3 (narrow critical sector coverage), the estimated annual losses in GDP amount to -2% and -0.2%, respectively. In terms of current EU GDP, annual losses would amount to EUR 610 billion, EUR 317 billion, and EUR 29 billion, respectively, underscoring the significant magnitude of the potential impacts. For the broad critical sector coverage scenario, our results also show that the EU’s annual GDP losses accumulate over longer periods of time. After 5 years following the implementation of exclusionary EUCS requirements, the annual growth losses for the EU and its Member States remain significant. This is due to the inability of European businesses and the EU’s public sector to tap into the worldwide innovation and productivity gains offered by globally accessible technologies and services. For the EU, we estimate the annual GDP loss to be -3.6%, with a trend to further accumulate in subsequent years.
- Topic:
- Science and Technology, European Union, Cybersecurity, Digital Economy, and Digitization
- Political Geography:
- Europe