Digital Single Market Update: Technology Standardization In The EU - Security

ICT standardization is a key part of the European Union's package of measures designed to improve Europe's competitiveness and productivity. As part of the EU's Digital Single Market (DSM) initiative, the European Commission has been working on common ICT standards that would ensure the interoperability of digital technologies, services, and devices.

The Commission has laid out a two-pronged plan of action. First, it plans to set standards in relation to core technologies such as 5G, the Internet of Things, Cloud Services, and Cybersecurity. Second, it will propose a series of measures to align research & development results with the new standards, and to improve collaboration between standard-setting organizations in Europe and internationally.

This Alert describes the current status of the Commission's action plans for more ICT standardization.

Summary

Standardization in the ICT sector is important both for software and hardware developers because it covers areas such as data management and interoperability as well as security of smart devices.

The EU believes that the constant emergence of new services, applications, and technologies necessitates a higher degree of interoperability between systems – on the basis that interoperability is essential to allow businesses and consumers to mix and change suppliers. The Commission wants to enforce more standardization in key areas to help deliver greater interoperability (and, ideally, without compromising innovation).

The Commission has encouraged businesses operating in the EU to get involved in various standards-related organizations, and to participate in the newly-created platform on European standardization.

Any business operating in the ICT sector should focus at least on awareness of the EU's standardization plans. For entities that want involvement and influence, there are plenty of opportunities to participate in open forums and standards-setting organizations.

Background

The European Commission launched its Digital Single Market (DSM) strategy in May 2015. We have written a number of articles following the DSM's progress: on its inception, one year in, and in 2017 following a mid-term review. The DSM strategy consists of three "pillars" and 16 "Key Actions".

As far back as 2011, the Commission set up the European Multi Stakeholder Platform on ICT standardization (MSP) to advise on matters relating to the implementation of ICT standardization, including:

identification of potential future standardization needs in support of European legislation, policies, and public procurement; and
cooperation between ICT standards-setting organizations like the European Standardization Organizations (ESOs) or Standards Developing Organizations (SDOs).

The MSP is composed of national authorities' representatives from EU Member States and EFTA countries, European and international ICT standardization bodies, stakeholder organizations that represent the industry, small and medium-sized enterprises (SMEs) and consumers. It meets quarterly.

Since standards in general are voluntary, European standardization became the subject of EU legislation in 2012 – Regulation 1025/2012 of 25 October 2012 (European Standardization Regulation). It sets the legal framework in which the actors in standardization operate.

The European Standardization Regulation was set up to:

establish rules with regard to cooperation between European standardization organizations (e.g., European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (Cenelec), and the European Telecommunications Standards Institute (ETSI)), national standardization bodies (e.g., Deutsches Institut für Normung (DIN) in Germany), Member States of the EU, and the Commission;
establish European standards and European standardization deliverables for products and services in support of EU legislation;
identify ICT technical specifications eligible for referencing; and
finance stakeholder participation in European standardization.

Under the European Standardization Regulation, annual work programs exist to identify strategic priorities for European standardization. Those programs will indicate the European standards and European standardization deliverables that the Commission intends to request from the various European standardization organizations. The Commission may even request one or several organizations to draft a European standard within a set deadline. In urgent cases, the Commission is allowed to issue standardization requests without prior notification in the annual work program. The annual work programs are available on the website of the Commission and provide a helpful guide that outlines what to expect in terms of new laws and regulations.

To bring the prior standardization programs within the DSM, in April 2016 the Commission adopted a Communication on ICT Standardization Priorities for the Digital Single Market (the Communication). This Communication builds on the European Standardization Regulation and proposes to prioritize ICT standardization as the cornerstone of its DSM strategy in order to support Europe's role in the global digital economy. The Commission sets out five priorities as the building blocks of ICT standards-setting that should increase competitiveness and help European technology businesses better access the global market.

Key Activities

The Commission identified the following five priority areas of ICT standards-setting:

5G Communications
Cloud Computing
(Big) Data Technologies
Internet of Things (IoT)
Cybersecurity

These five key priority areas were chosen by the MSP and backed up by a public consultation. The Commission wants to increase competitiveness of European companies and innovators in these areas through stronger European leadership in the process of standards-setting.

1. 5G Communications

Priorities in this area include, among others, new radio access technologies. With regard to new radio access standards, the priorities are on backward compatibility with the existing xG ecosystem and improving spectrum efficiency usage in line with the existing EU spectrum policy.

The Commission plans to foster the emergence of global industry standards under EU leadership for key 5G technologies through the exploitation of the 5G public-private partnerships results at the level of key EU and international standardization bodies such as the 3rd Generation Partnership Project (3GPP), the International Telecommunication Union (ITU), and the Open Platform for Network Functions Virtualization (OPNFV).

Further, the Commission wants to ensure that 5G standards are compatible with innovative use cases of vertical markets (e.g., automotive, health, and manufacturing industries), notably through broader participation of industries with sector-specific needs in 5G standardization organizations.

2. Cloud Computing

The EU believes that proprietary solutions, purely national approaches, and standards that limit interoperability would severely hamper the potential of the DSM. Therefore, the Commission notes that the take-up of cloud computing services by businesses, consumers, public administrations, and the scientific sector requires not only seamless and user-friendly access, but also trust and confidence, particularly regarding cloud providers' compliance with appropriate levels of data protection, security, and service levels.

Hence, the Commission intends to support funding for the development and use of ICT standards to further improve the interoperability and portability of cloud technologies. More specifically, the Commission wants to make more use of open-source elements by better integrating open source communities into SDOs' standards-setting processes.

The Commission also maintains its long-standing goal of facilitating the adoption of cloud computing services through the use of international standards on service level agreements (SLA). In addition, the Commission has proposed that ESOs should update the mapping of cloud standards and guidelines for end users (especially SMEs and the public sector).

3. (Big) Data Technologies

As many authors, including the Commission, pointed out: "Data is the fuel of the digital economy." For the Commission, efficient sharing and exchange of data across national borders, within "data value chains" (e.g., data exchange on spare parts between vehicle manufacturers and the aftermarket, access to vehicle data for service providers, or ensuring cross-border energy trading) and across sectors (e.g., sharing traffic data with parcel services) is key to the DSM.

That is why the Commission proposed to increase investment in Research, Development & Innovation specifically for data interoperability and standards (including cross-sectoral data integration, e.g., for entity identifiers, data models, multilingual data management, and better interoperability of data and associated metadata). The Commission wants to bring the European data community together, through the H2020 Big Data Value Public-Private Partnership, to identify missing standards and design options for a big data reference architecture. In the field of scientific research, the Commission wants to support data and software infrastructure services for access and long-term preservation of scientific data.

4. Internet of Things (IoT)

The Commission expects the number of connected devices to exceed 20 billion by 2020 and, as a result, the EU needs an open platform approach that supports multiple application areas and cuts across silos to create competitive IoT ecosystems. For this approach, open standards would be required that support the entire value chain, integrating multiple technologies based on streamlined international cooperation and a clear intellectual property rights framework enabling easy and fair access to standard essential patents (SEPs).

That's why the Commission wants to foster an interoperable environment for the IoT, working with ESOs and international SDOs. This will develop consensus under the umbrella of the Alliance for Internet of Things Innovation (AIOTI), targeting reference architectures, protocols, and interfaces, the promotion of open application programming interfaces (APIs), support of innovation activities related to reference implementations and experimentation, and the development of missing interoperability standards. The Commission also wants to promote an interoperable IoT numbering space that transcends geographical limits, and an open system for object identification and authentication. Additionally, the Commission wants to explore options and guiding principles, including developing standards, for trust, privacy, and end-to-end security, e.g., through a "trusted IoT label". Furthermore, the Commission wants to promote the uptake of IoT standards in public procurement to avoid lock-in, notably in the area of smart city services, transport, and utilities, including water and energy.

5. Cybersecurity

The Communication states that "cybersecurity provides the bedrock of trust and reliability on which the [DSM] will be built." According to the Commission, innovative communication technologies, widespread use of smart objects, distributed computing devices, and data services will provide even bigger business and growth opportunities if they are fully integrated into the DSM. Seamless and interoperable secure authentication across objects, devices, individuals, and entities is in fact needed to enable secure and transparent access to and exchange of data. More specifically, new authentication protocols may be required to build trust in seamless electronic identification and authentication, supported by global cross-domain interoperability standards based on comparable authentication schemes.

The Commission wants to invite ESOs, other SDOs, and relevant stakeholders to draw up practical guidelines covering IoT, 5G, Cloud, Big Data, and smart factories. The Commission might consider adopting a Recommendation regarding the integration of cyber security and application of privacy and personal data protection requirements including data protection-by-design and data protection-by-default. In addition, the Commission will invite ESOs and other SDOs and relevant stakeholders to develop standards that support global interoperability and seamless trustworthy authentication across objects, devices, and natural and legal persons based on comparable trust models. Furthermore, the Commission wants to support ESOs, SDOs, European regulators, as well as public-private initiatives, including those in support of the existing Directive 2016/1148 on security of network and information systems (NIS Directive) implementation, in the development of standards-based cybersecurity risk management guidelines for organizations and of corresponding audit guidelines for authorities or regulators with oversight responsibilities.

Next Steps for 2018 and Beyond

European ICT standardization is an on-going project of the Commission, which plans to re-visit the area frequently in the near future in order to adapt to the fast-paced environment of technological changes and current needs of the EU to compete with other industries in a globalized economy.

New technologies, such as distributed digital ledger technologies (blockchain), will gain more priority and become subject to European standardization once the underlying infrastructure becomes more available. Standardization, especially regarding the development of smart homes and smart cities, as well as intelligent transportation systems and advanced manufacturing, is likely to become a key EU priority in the next few years.

The Commission will continue to publish an annual "Rolling Plan on ICT Standardization" with the support of the MSP, and its annual work programs for European ICT standardization. The Rolling Plan reflects on new EU policies and new technologies that need to be incorporated into the ICT standardization process. Currently, the priority activities for a connected DSM include:

Quality improvement of fixed and wireless/mobile services, including industrial networks
Establishing standards facilitating the development of 5G technological advances in the 26 GHz band (24.25 – 27.50 GHz) and higher mm-wave bands
Improvement of railway radio communication systems, the exchange of data for passengers and schedules, and IT security
Increase of interoperability and easy data-sharing between operators across value chains, notably on product lifecycle management and logistics.

The Commission also wants to:

strengthen the role of CESNI, European Committee for Inland Navigation Standards, for the development of technical standards for inland navigation vessels
match European global navigation satellite system products with end-user applications
harmonize safety standards for 3D printers, robots, autonomous vehicles, wind turbines, automated machines, and food machines
strengthen safety and performance requirements for medical devices and for in vitro diagnostic medical devices
update hygiene and safety requirements and test methods for construction products in contact with water
support work on the essential requirements for unmanned aircraft.

While standardization generally facilitates marketing of products, new standards and regulatory frameworks may also require better compliance systems and adherence to legal requirements for, e.g., smart devices. It would not come as a surprise if, for instance, the EU follows the United States in establishing a law requiring reasonable security features in all connected devices sold or offered for sale in the EU (for a U.S. perspective, see our MoFo article " New California IoT Law Requires Security for Connected Devices"). It remains important for companies operating in this area (whether emerging companies aiming to develop such technology, or established enterprises digitizing their businesses or rolling out new products) to stay current with legal trends on both sides of the Atlantic.