The views and opinions expressed in this article are those of the author.
The European Commission is fond of declaring its commitment to the free and open internet. As recently as February, in answer to a question tabled at the European Parliament, a Commission spokesperson declared: “The European Union supports a vision of the internet as a single and unfragmented, open, neutral, free, and secure network, supporting permissionless innovation, privacy and user empowerment, where human rights and fundamental freedom fully apply.”
But in practice, things aren’t looking quite so certain.
New EU cybersecurity rules are on track to enter a phase of interinstitutional negotiations in the coming weeks. If adopted in the form proposed by the Council, they will threaten to undermine key properties of the global internet.
The revised Directive on Security of Network and Information Systems, commonly referred to as NIS 2, will replace the EU’s existing cybersecurity Directive with the stated aim of responding to the rapidly changing threat landscape.
What’s at stake with NIS 2?
The Directive seeks, among other things, to increase cohesion between member states’ cybersecurity mechanisms and strengthen security in new sectors, particularly for digital infrastructure and digital providers. So far, so reasonable.
But implicated in the proposed new rules are a range of digital providers that form the backbone of the internet’s architecture. These are governed through a set of collaborative rules that work to ensure infrastructure and services are optimised for the benefit of users.
A number of European and international technology sector leaders including the Internet Corporation for Assigned Names and Numbers (ICANN), Réseaux IP Européens Network Coordination Centre (RIPE NCC), and the Council of European National Top-Level Domain Registries (CENTR) have voiced their concerns as to how the proposed Directive would impede their respective areas of work.
In a recent impact brief, the Internet Society joined these voices by examining how the broad scope of the proposed EU cybersecurity rules would upend the existing system and replace it with a rigid top-down approach that created a regional “Splinternet”, far from the European vision of “a single, neutral, free, secure, and unfragmented network”.
Top-down regulation at the European or any regional level simply does not work for internet infrastructure. Most providers are global in nature, operating across national boundaries and providing services to users all over the world.
For example, the country code top level domain .tv is used throughout Europe and the world for broadcast entertainment, despite formally being designated to the island country of Tuvalu.
The boundary between European and global internet infrastructure providers is often blurry, if it is there at all. Imagine how quickly the internet would fragment if every region or country defined its own rules for how global services should be governed.
The potential for damage is real: global internet infrastructure providers including domain name system services and certificate authorities may opt to leave the European market to avoid the complications NIS2 rules would create, reducing the number of suppliers.
Those that do choose to stay but become non-compliant may suddenly find that they are barred from the European market, and their customers may find a service they depend on is no longer available.
This could also lead to market consolidation and impede the growth and availability of internet infrastructure – much of which is currently provided for free by non-profits.
Businesses in Europe may quickly find it difficult to compete with foreign competitors who continue to enjoy a wider selection of alternative providers in their supply chain.
Squeezing digital European businesses at exactly the moment where economic recovery is most needed is counterproductive to larger European goals for digital prosperity.
The loss of internet infrastructure providers also hurts European users, who will experience an internet that is less reliable, less trustworthy, and potentially even less secure than that experienced by users elsewhere in the world.
When services from internet infrastructure providers are lost, links to websites may become outdated or inaccurate and could be exploited by criminals to gain access to private data for use in fraud or other scams.
Ramifications could also be political
NIS 2 will also have implications for the EU’s reputation in global internet governance. Due to the global nature of internet architecture, it’s not possible to regulate it in one region without issues of extraterritoriality arising in other regions. This could lead to unintended clashes between different laws, resulting in unpredictability and a lack of clarity.
Politically speaking, the EU’s actions will embolden other countries or regions to impose their own visions of a top-down approach on governance systems, as they have done in the past. When this occurs, the EU will no longer have credibility to challenge these actions.
Put simply, NIS2 would give carte blanche to other countries to shape the internet as they see fit, including for domestic censorship, surveillance or control objectives.
The vision of a single internet, that the EU has committed to support, will give way to a collection of domestic intranets that are largely disconnected from each other.
What we will be left with is something very different from the internet that has allowed cross-border commerce and communications to flourish for the past decades.
As NIS 2 reaches the final negotiation phase, it is essential that European policymakers prevent the harmful impact the Council’s iteration of the Directive will have on European internet users, European businesses, and Europe’s self-proclaimed position as protector of the single, global internet.
- Callum Voge is European advocacy manager for the Internet Society, an international NGO that advocates for an open, globally connected internet.