Key Takeaways

Contents

Key Takeaways 1

Introduction. 2

Excluding U.S. Experts From the European Telecommunications Standards Institute. 3

Excluding U.S. Experts From “Expert Working Groups” 5

Europe’s Master Standardization Strategy 6

NIST Cryptographic Standards Show the Value of Global Engagement and Underscore the Pitfalls of European-Only Standards 8

Protectionist Cybersovereignty Makes No Sense and Undermines the U.S.-EU Trade and Technology Council 9

Endnotes 11

Introduction

Europe’s statements about working with the United States (and other likeminded countries) on the technical standards involved in new and emerging technologies don’t match its actions, which seek to exclude experts from foreign firms that have for years played a constructive role in European standards setting.[1] This nationalist turn thereby paves the way for Europe to create a new protectionist pillar in its drive for cybersovereignty: standards that deliberately disadvantage foreign firms and products to favor local ones. In the process, the restrictions drive a wedge between the United States and the European Union at a time when the two need to deepen cooperation to address China’s innovation mercantilist drive for global technology leadership.

In little-noticed changes, the European Commission has proposed or enacted several policies that specifically exclude experts from U.S. and other likeminded trading partners, such as Japan:

▪ In February 2022, the European Commission’s European Strategy on Standardisation outlined how they want to downgrade the role, including removing the voting rights of experts from U.S. and other foreign firms and thereby preventing them from playing a key role at the European Telecommunications Standards Institute (ETSI), one of three key European standards bodies. It is exactly this open and meaningful engagement with foreign technical experts that allowed ETSI to have the type of influence over global technology policy that European policymakers so dearly want. Yet Europe is undermining ETSI due to unfounded fears about “undue influence” foreign stakeholders have at ETSI, despite ETSI itself claiming that these fears are purely hypothetical and unlikely.

▪ In mid-2022, a revised European Commission request for radio equipment cybersecurity standards dropped ETSI, only tasking the European Committee for Electrotechnical Standardization (CENELEC), one of the other European Standards Organizations (ESOs). This is another way to downgrade the role of experts from foreign firms at ETSI, as CENELEC is made up of representatives from government standards bodies. This is despite the fact that CENELEC has relatively limited expertise in developing cybersecurity standards when compared with ETSI.

▪ In July 2022, the European Commission’s Directorate-General for the Internal Market, Industry, Entrepreneurship and SMEs (DG GROW) issued guidance for the new radio equipment directive experts groups that limits representatives to those from EU-headquartered and controlled firms. This will obviously impact inclusiveness, but also the quality of specifications. For example, at that time, ETSI was represented at the radio equipment expert group by its vice chair (who is from Intel’s European office) and DIGITALEUROPE was represented by individuals from Sony and Samsung.

▪ In July 2022, a European Parliamentary committee approved amendments to European standardization law (in enacting restrictions on experts from U.S. firms) that lumps the United States in with China in stating that their firms have an impact on European standards and do not share the values and interests of the EU. Furthermore, it explicitly targets the role of foreign national standards organizations in changing voting requirements such that it only really depends on whether a proposal has the support of the majority of representatives from EU member states. In essence, the European Commission is intentionally using “values” and “interests” to enact discriminatory and exclusionary standards policy without any real justification.

▪ In September 2022, a draft European Commission decision to establish the expert group for the High-Level Forum on European standardization allowed the chair to restrict participation in sub-groups “dealing with critical and sensitive policy subjects that are directly relevant for the security of the Union to entities and individuals not subject to control by a third country acting either directly or by way of measures addressed to a third-country entity.”[2]

The Commission justifies these changes as necessary to defend European values and interests without any real justification and puts American firms in the same category as Chinese ones even in terms of any potential hypothetic risk to European standards setting. These values and interests seem largely mercantilist, as opposed to the more virtuous shared values in free and open trade and democracy that Europe raises in the context of transatlantic cooperation on standards for new and emerging technologies.

Ultimately, Europe’s nationalist approach to standards will result in poor outcomes that will hurt European consumers and industry while creating the illusion that Europe can drive its own technological destiny. It also runs the risk of repeating Japan’s and China’s respective experiences with the “Galapagos Island” syndrome with regard to country-specific technical standards that undermine their tech sectors and firms.[3] And, as noted, it will drive a further wedge between the United States and the EU. The United States should call Europe out for its hypocrisy at the next Trade and Technology Council’s discussion—and failing a change in approach, start preparing countermeasures.

Excluding U.S. Experts From the European Telecommunications Standards Institute

Despite ETSI being very much a European organization, its success in developing standards adopted around the world stems from the fact that it allows participants from U.S. and other foreign firms to participate—and vote—in its development of standards alongside representatives from local firms and government standards bodies.[4] Technical experts from foreign firms have long helped European policymakers figure out how best to address public policy concerns via standards. The involvement of private sector expertise is important. Because of the depth of expertise in firms from around the world, the level of expertise in the private sector will always be orders of magnitude greater than what any government will have on its own. These experts are often the same people who develop the technologies in question and so are best placed to help design associated standards as they best understand the technology.

ETSI has more than 900 member organizations worldwide, drawn from over 60 countries and 5 continents.[5] ETSI’s board includes representatives from firms from around the world (via their European offices) such as Samsung, Sony, IBM, AT&T, Qualcomm, Cisco, and Apple.[6] For example, ETSI has been hugely influential in the 3rd Generation Partnership Project (3GPP), a group of standards organizations that develops protocols for mobile telecommunications.[7] Likewise, ETSI’s Broadband Radio Access Networks (BRAN) standards have been used as the basis for radio regulations in parts of Asia and Africa.[8] ETSI has been seen as a largely technical organization—until now.

The Commission is injecting its tech sovereignty goals directly into ETSI. The European Strategy on Standardisation (ESS) outlined reforms to ETSI’s governance to exclude experts from U.S. and other foreign firms from ETSI’s decision-making process, including for the harmonized European standards (hENs) the EU requests as part of its laws and regulations.[9] ETSI’s work on hENs is a small, but crucial, part of its work. It would limit participation in decision-making to national standards bodies from EU member states (that are also members of ETSI) and imposing requirements on national standards bodies to base their decisions on input from EU-headquartered (so only local) stakeholders.

This is a critical change, as ETSI is one of three designated ESOs that develop hENs for EU laws and regulations. The Commission states, without elaborating, that it wants to do this to counter “uneven voting power to certain corporate interests.” The Commission also defends the changes as necessary to prevent any “undue influence” of “non-EU interests” on the development of standards to support EU law. The Commission rejects criticism of its move, saying that experts from U.S. and other firms can still participate—they just can’t vote. But voting is central to participation. Why would experts engage if they know it’ll be disregarded out of hand without genuine consideration. On top of this, some Commission officials want to go further and expand this ban on foreign firm participation to all ETSI standards discussions, which would truly degrade its role in influencing global standards.

In response to the ESS, ETSI stated that there has been no such case of “undue influence,” and in fact, there hasn’t been a situation even close to the scenario the Commission fears:

At the same time ETSI recognises the legitimate interest of the European Commission to prevent any undue influence of non-EU interests on the decision making on standardisation in support of EU law. While such a case has never occurred so far and there was not even a situation close to it, there is a theoretical possibility that such a case might happen, which in the end could impact the European single market due to unavailability of the presumption of conformity. However, this is highly unlikely to happen and would be rather complex and complicated to reach as it would involve undermining a number of process steps and decision making layers, including influencing peer review and checks and balances.[10]

Unfortunately, the Commission’s changes to ETSI’s governance are just one part of a broader effort to marginalize it and prevent experts from U.S. and other foreign firms from contributing to the development of European standards. For example, the Commission’s first-draft standardization request for cybersecurity standards relating to the radio equipment directive included ETSI and CENELEC.[11] But the subsequent standardization request only tasked CENELEC, despite CENELEC’s relatively limited expertise in developing cybersecurity standards (when compared with ETSI’s far more extensive expertise).

Excluding U.S. Experts From “Expert Working Groups”

The European Commission has long used “experts groups” to tap into outside specialists for advice to help shape laws, regulations, and standards. Expert group members can be individuals, organizations (e.g., firms, trade associations, nongovernment organizations, and unions), and public agencies.[12] The expert groups are critical intermediaries in developing the standards requests that direct ESOs such as ETSI to develop the standards required by EU directives.[13] They also work in a standards-like process to create “technical specifications” (these quasi- or shadow-standards are potentially problematic given the Commission may use them instead of international standards). There is no potential for “undue influence.” All the expert group’s advice and work is nonbinding. The Commission has the final say. In the past, U.S. firms sent experts as they valued the opportunity to contribute, especially as it related to standards. Now, experts from U.S. firms are excluded alongside experts from other foreign firms.

For example, the European Commission’s Directorate-General for the Internal Market, Industry, Entrepreneurship and SME’s (DG GROW) guidance for the new radio equipment directive (RED) experts groups, which came into effect on January 1, 2022, is limited to only representatives from EU-headquartered and controlled firms).[14] It covers a range of connectivity issues that impact a broad swath of the economy, from smartphones to advanced manufacturing to connected automotives. Representatives from U.S. and other foreign firms that are major players in the sector need not apply. The RED experts membership list shows a purely European approach to developing standards for the sector.[15] This means U.S. firms have to abide by the EU technical specifications this expert working group develops, but without having the opportunity to contribute, which would ensure they’re invested in the EU’s approach.

Excluding experts from foreign firms obviously reduces inclusiveness, but also transparency and the quality of the specifications. For example, in the radio equipment expert group, ETSI is represented by its vice chair (who is from Intel’s European office), and DIGITALEUROPE is represented by individuals from Sony and Samsung. Regardless of whether these individuals are European or reside in Europe, all of them will have to stop participating when the rule change comes into effect. What this highlights is that for a global industry such as radio equipment, excluding representatives from foreign companies will lead to a large decrease in technical expertise.

The fear is that what the Commission has done with the radio equipment directive will become the norm and that foreign experts will be excluded from other major laws and regulations in the future. It appears this fear is well founded. A recent draft European Commission decision on establishing the expert group for the High-Level Forum (HLF) on European standardization allows the chair to restrict participation in sub-groups “dealing with critical and sensitive policy subjects that are directly relevant for the security of the Union to entities and individuals not subject to control by a third country acting either directly or by way of measures addressed to a third-country entity.”[16]

Excluding foreign experts makes it easier for the European Commission and other representatives to deliberately engineer standards to discriminate against U.S. and other foreign firms and their products. By excluding experts from U.S. firms, it also increases the likelihood that U.S. (and other leading foreign) firms won’t use the EU standards more broadly and raises the prospect that its trading partners will retaliate, including by excluding EU firms from their own standards bodies. As with the ETSI governance reforms previously mentioned, it’s also self-defeating in that Europe doesn’t have the technical expertise in many areas in which it’s trying to develop technical specifications.

Europe’s Master Standardization Strategy

The Commission’s response and edits to draft standards legislation reveals its flimsy justification: that it’s necessary to protect European values and interests, without detailing any evidence or cases of undue influence that would supposedly undermine them and thus justify such major changes. It’s not clear how a “value” is embedded in a technical standard such as 6G and other telecommunication and advanced manufacturing standards. And the goal to protect EU interests is protectionist, something EU officials regularly claim they are anything but.

The Commission’s text changes and comments in the European Parliament’s Committee on the Internal Market and Consumer Protection’s report on draft standards legislation details its flimsy justification.[17] The text includes similar language about restricting access to European standards, as in the ETSI case. The Commission’s response to a proposed amendment to language in this draft legislation from several Greens/European Free Alliance members of parliament states:

The Commission recognises the substantial impact that private companies from third countries (such as China and the US) have on the final drafting of European Standards, and it also recognises that these companies sometimes do not share the values and interests of the EU. For this reason, it is of outmost importance to ensure that the final decisions on standards will primarily take into account the views of stakeholders which are based in the territory of the Union.[18]

The very notion that European policymakers lump China and the United States together is atrocious and offensive. China is not in the North Atlantic Treaty Organization (NATO). China is not a democracy. China is not a rule of law nation. China is trying to be globally dominant in technologies (something the United States is not trying to do). If the EU really believes that the United States and China are interchangeable, they should be forthright and abandon the transatlantic alliance.

Without skipping a beat or displaying any sense of irony, in the next section of text, the Commission states (emphasis is from original text):

In the past years, the practices in the European standardisation organisations as regards their internal governance and decision-making procedures have changed. As a result, the European standardization organisations have increased their cooperation with international and European stakeholders. Such cooperation is welcome as it contributes to the transparent, open, impartial and consensus-built standardisation process. However, when European standardisation organisations execute standardisation requests to support Union legislation and policies, unrestricted participation of any stakeholder in their internal decision making may lead to decisions that do not entirely take into account the interests, policy objectives, and values of the Union as well as public interests in general.[19]

To make it clear that the Commission is intentionally using values and interests to enact discriminatory and exclusionary standards policy without any real justification, in amendment 9, the Commission makes minor revisions (emphasis added):

National standardisation bodies play an essential role in the standardization system, both, at the Union level, in accordance with Regulation (EU) No 1025/2012, and at the level of Member States. National standardisation bodies are therefore best placed to make sure that the interests, policy objectives and values of the Union as well as public interests in general are duly taken into account in European standardisation organisations.[20]

So the Commission welcomes international cooperation, but just not if it was already taking place via its own ESOs, as it wants to exert strict control over standards via EU standards bodies such that other countries would have to adopt their standards in order to “cooperate.” Essentially, the Commission wants to retain the freedom to enact protectionist-based tech sovereignty, and for other countries to adopt it.

Most recently, the European Parliament Committee on the Internal Market and Consumer Protection (IMCO) voted on a revised amendment to the draft standards legislation that creates further uncertainty and another restriction on foreign participation and voting:

The participation of national standardisation organisations of third countries should not amount to impeding the adoption of any decision concerning European standards and European standardisation deliverables supported by the majority of national standardisation bodies from Member States of the Union and, where applicable, other members of EEA that are notified as national standardisation bodies in accordance with Regulation 1025/2012.[21]

Essentially, the majority (not even consensus) of European national standards bodies at ESOs (including ETSI) could agree to move a proposal forward, essentially disregarding the broader membership. Similar to the claims of “undue influence,” IMCO does not specify if/how foreign participants have been impeding decision-making.

NIST Cryptographic Standards Show the Value of Global Engagement and Underscore the Pitfalls of European-Only Standards

If the United States adopted a similar protectionist, nationalistic approach to standards with encryption and cybersecurity, we would not have the strong standards used by firms in Europe and elsewhere around the world. The U.S. National Institute of Standards and Technology’s (NIST’s) development of a flagship cryptographic algorithm standard—known as an Advanced Encryption Standard (AES)—is a case study for why the European Commission’s approach is not only shortsighted but harmful to good technology and policy outcomes.

In the late 1990s, NIST needed a new encryption standard, as the existing one—the Data Encryption Standard (DES)—could be broken, which was obviously problematic, especially given its use by the U.S. government and large parts of the economy. NIST made the replacement process open to the international cryptographic community, which led to 15 proposals from 10 different countries, including Australia, Canada, France, Korea, the United Kingdom, and Japan. During one round of analysis, NIST heard a rumor in Europe that they were expected to pick a proposal from IBM because NIST would want an American company and IBM had worked with NIST on DES. But ultimately, remaining true to their commitment to judge submissions based on their merits, NIST chose the Belgian academic candidate Rijndael to become the new AES.

The process of selecting and reviewing the application was just as important as the many new applications it inevitably led to and the impact they would have economically. As Miles Smid detailed in “Development of the Advanced Encryption Standards” for the Journal of Research of the National Institute of Standards and Technology:

This process brought U.S. government agencies, academia, and industry together in an international setting to develop a strong cryptographic algorithm standard. [The International Standards Organization] moved from a position where cryptographic standards were not considered an appropriate topic for standardization to a position where multiple cryptographic algorithms are now available for selection by the international community. The atmosphere changed from mutual suspicion to productive cooperation. The success of the AES development effort demonstrated that by maximizing inclusiveness and transparency, NIST could develop better cryptographic standards with fewer problems and less resistance than if the U.S. government tried to develop standards without the participation of interested parties…. Cooperation between the U.S. government and the cryptographic community increased trust and led to more significant analysis. As a result, the AES algorithm is now used worldwide.[22]

NIST built on this in adopting an open approach in subsequent standards. For example, the winner of NIST’s Secure Hash Algorithm (SHA-3) competition in 2012 was a European submission (Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors).[23]

Similarly, NIST’s recent process for developing post-quantum cryptographic standards highlights why its open and transparent approach is so valuable. It also stands in contrast to a related effort in Germany to develop similar standards. In 2016, NIST started a competition to devise and vet encryption that could resist an attack from a future quantum computer.[24] It was an open process that leveraged global cryptographic expertise (including from Europe) via a call for proposals, followed by evaluation and testing. In recent years, it has received 69 algorithm submissions from around the world. On July 5, 2022, NIST announced the first four quantum-resistant cryptographic algorithms—called CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON, and SPHINCS.[25] These algorithms differ in purpose, but the overarching aim is to create a basket of algorithms to provide for alternatives if a vulnerability is discovered in one of them and to accommodate systems that have limited computing capacity. NIST plans to make a final decision in 2024. By working with international partners, NIST hopes to win global support for the final standard, which would increase the number of firms that use it instead of firms using (or having to choose from) competing standards from other countries.[26]

Meanwhile, in March 2020, Germany’s Federal Office for Information Security (BSI) ran its own process and recommended two algorithms: FrodoKEM and Classic McEliece.[27] Classic McEliece was not among the four selected by NIST, although it was selected for further evaluation. But the bulk of the industry didn’t react to BSI’s recommendation, instead waiting for the NIST process to conclude before deciding where to deploy resources to implement the chosen algorithms. This reinforces the point that stakeholders put their faith in open and transparent processes, and it may ultimately be the case that Classic McEliece does not see much deployment outside Germany. The lessons from this for the European Commission should be self-evident, especially as the need for best-in-class technical standards is more important than ever.

Protectionist Cybersovereignty Makes No Sense and Undermines the U.S.-EU Trade and Technology Council

The European Commission has highlighted that now, more than ever, standards not only deal with technical issues but with democratic values and interests as well, citing cybersecurity for critical infrastructure as an example in the ESS where standards carry a “strategic dimension.”[28] While it’s unclear what exactly they mean by this, their actions define it as protectionist-based industrial policy. It’s otherwise hard to understand exactly how excluding expertise from American firms achieves their policy goals, such as good cybersecurity, especially in light of the NIST example. If there were a case to be made for standards with a “strategic dimension,” it’d surely be the encryption and cryptography used by the government and the most advanced technology and communication companies and services, yet these are exactly the areas where NIST runs open, global competitions.

It simply doesn’t make sense to exclude experts who have engaged in good faith at ETSI and with the Commission’s expert groups for years. Never mind the fact that its restrictions prevents many of its own experts—namely Europeans working for U.S. and other foreign firms—from participating. If the experts participating are European citizens and employees of organizations that are authorized to operate in the EU, then the EU and its member states have the means and mechanisms to address genuine security considerations.

What the NIST example highlights is that what matters in terms of developing good technical standards is governance. The Commission should focus on this, rather than a misguided assessment that foreigners are by default bad and undermine European values and interests. ETSI’s governance may well need updating to clarify the role and responsibilities of national standards bodies and other participants, such as how to support greater involvement from small and medium-sized enterprises, civil society, and academics.[29] If the Commission were actually serious about the good governance of standards bodies and hypothetical worse case scenarios, it’d be best to focus on EU national standards bodies, some of which are not well resourced and thus far more susceptible to the type of hypothetical “undue influence” (presuming what they’re afraid of is well-resourced state-owned enterprises) that it’s supposedly worried about at ETSI.

The Commission’s actions fly in the face of repeated commitments the European Union has made at the G7 and elsewhere. The 2022 G7 Digital Ministers’ ministerial declaration states:

We affirm our support for international cooperation within the G7 and with likeminded partners to support the development of open private sector-led, voluntary and consensus-based standards based on inclusive multi-stakeholder approaches in line with our open, democratic values and principles…. We reiterate the need for technical standards development to continue to be underpinned by transparency, openness of process and participation, relevance, and consensus-based decision-making in line with the WTO Agreement on Technical Barriers to Trade (TBT) Code of Good Practice and the TBT Committee Decision on Principles for the Development of International Standards.[30]

The 2021 G7 Digital and Technology Minister’s statement includes a similar commitment.[31]

The Biden administration should make this a central issue at the EU-U.S. Trade and Technology Council’s (TTC’s) Working Group 1 on Technology Standards.[32] The TTC and its various working groups have yet to prove they can deliver meaningful cooperation and action. If the Commission gets away with actively undermining good-faith, technically focused engagement by U.S. firms in developing standards in Europe (which also have a global impact) while it engages with the United States on the issue, then it would raise the question, What’s the point of talking about standards at the TTC? It would also increase the likelihood that whatever, if anything, comes out of the TTC on standards in the future will be marginal and ad hoc, as the European Commission is clearly not being genuine in seeking to build meaningful ways to work with the United States on standards for new and emerging technologies. In this case, the European Commission would appear to be making a cynical calculation that that the Biden administration won’t do anything about these clearly protectionist standards policies, as it’s not a priority issue compared with cooperation with Russia and China. The Commission benefits from the fact that the U.S. government does not participate in ETSI or the expert groups, so it don’t see how these proposals have changed over time and thus don’t appreciate how they’d impact U.S. standards engagement in Europe.

The best-case scenario would be—after the United States raising this issue at the TTC—it leading European officials to reconsider these changes given how it undermines the EU’s broader goals in terms of having a global impact on technology standards via cooperation with likeminded, value-sharing trade partners such as the United States. It’d be akin to the EU revising its decision to exclude certain foreign researchers from major quantum computing, space, and other projects funded by Horizon Europe, realizing it would damage relationships with longstanding partners and its own potential to research new and emerging technologies.[33]

However, if the EU refuses to change these restrictions, the United States should initiate retaliatory measures and new trade law provisions on technical standards (for use in future agreements to prohibit these types of exclusions) and a potential WTO TBT case (given Europe is breaching its commitment to open participation in setting standards).

Europe can’t have it both ways: talking the talk on greater levels of transatlantic digital cooperation yet systemically working against U.S. economic interests. It’s time for the EU it to start walking the walk—of a real EU-U.S. alliance.

Endnotes