“Tech sovereignty” and the ability for the EU to “make its own choices, based on its own values, respecting its own rules” – is how Ursula von der Leyen, President of the European Commission, summed up the vision behind the new EU digital strategy published in February.
The package sets out proposals to create a frictionless and resilient digital single market, boost and protect the competitiveness of European companies through data-driven innovation, and review the current legislative framework to ensure adequate safeguards for EU citizens, particularly in relation to Artificial Intelligence (AI).
These are high-level plans for now, but draft legislation will follow later this year. The EU Digital Finance Strategy, expected in the third quarter of 2020, will put some of these cross‑sector proposals into a specific financial services (FS) context.
If the EU stays the course, this approach could have profound repercussions on FS firms wishing to offer technology or digital services in the EU. Whether the overall impact will be positive or negative will depend on a number of factors, including whether or not a business is headquartered within the EU or outside.
With this in mind, we take a closer look at the key policy proposals in the EU digital strategy that could have the greatest impact on financial markets and FS firms.
Opening up data
As part of its data strategy the Commission plans to create an overarching framework for the governance of common European data spaces, to allow business and public institutions to pool, access, and share data. [1]
The focus of the framework will be on the governance mechanism to decide what data can be used in which situations, facilitate cross-border data use, and prioritise interoperability requirements and data standards within and across sectors.
This cross-sectoral framework will be complemented by sectoral legislation in strategic sectors. For FS, initiatives on enhanced data sharing will be considered as part of the Digital Finance Strategy later in the year. The latter is expected to focus on making access to and processing of mandatory public disclosures easier (e.g. financial or supervisory reporting data). This is also in part to support other flagship EU initiatives such as the Capital Markets Union and sustainable finance. But further steps to ensure the full implementation of Open Banking, as well as initiatives to support the development of Open Finance in the EU, are also likely to be considered.
In addition, the Commission will examine whether to impose data sharing across sectors where voluntary market efforts are deemed insufficient. The main focus is on BigTech companies and their data practices, with the Commission ready to consider additional ex-ante regulation to force them to open up their data, as one of the measures to ensure digital platform markets remain competitive and fair.
Another planned measure to incentivise cross-sector data sharing is enhancing individuals' portability rights under the General Data Protection Regulation, including compulsory machine-readable real-time data access for certain products or services, e.g. data coming from smart home appliances or wearables.
Banks are likely to welcome these measures, as they have long lamented the lack of reciprocity between sectors’ data-sharing requirements since the implementation of the revised Payment Services Directive. But access to data is an enabler, not a panacea. FS firms, such as insurers, should heed the lessons of Open Banking and commit time and resources to defining a clear strategy to crystallise the opportunities, and respond to the challenges, of an open EU data ecosystem.
A new regulatory framework for AI
The Commission’s AI white paper sets out a number of investments the EU is planning to make to support the development of AI in Europe. However, its main focus is the development of a fit-for-purpose, risk-based, legislative framework for AI to address existing gaps and new risks.
This would include ensuring effective enforcement of EU legislation, enhancing the EU product safety legislation and extending its applicability to services (including FS), addressing risks arising from the changing functionality of AI systems through their lifecycle, and clarifying the allocation of responsibilities and liability between different operators in the AI supply chain (e.g. developers vs. distributors). These legislative changes would apply to all AI applications deployed in the EU.
However, high-risk AI applications would also be subject to additional mandatory requirements, which will have to be complied with prior to deployment. Among others, these include requirements in relation to training data standards, robustness and accuracy, human oversight, proactive information provision to deployers and competent authorities, as well as enhanced transparency and explainability for end-users. AI compliance assessments would be undertaken by designated EU bodies or, subject to mutual recognition agreements, nominated third-country authorities.
The Commission proposes two cumulative criteria to classify AI applications as high-risk:
- AI is used in a sector deemed to be high-risk, with the list of sectors being included in the new regulatory framework and reviewed periodically; and
- AI is used for high-risk purposes – e.g. uses of AI applications that produce legal effects on an individual.
However, the Commission also foresees exceptional circumstances where high-risk AI applications, irrespective of the sector they are used in, may still be subject to enhanced requirements if the risks are deemed sufficiently high. This could, for example, include recruitment processes or intrusive surveillance technologies.
Although the Commission does not list FS as an example of a high-risk sector, it is too early to assume this will not change following the consultation period, or in legislative debates thereafter. Even if FS remains out of scope as a sector, it is plausible that a number of AI applications, such as investment advice or credit scoring, may nevertheless be considered high-risk given their possible impact on individuals. Other novel AI applications, for example in relation to the use of connected / tracking devices in insurance, could also fall into scope, given their potentially intrusive nature.
Boosting the EU’s cloud offering
In no other area of the EU digital strategy do the words “technological sovereignty” resonate as loudly as they do in relation to the proposed plans for cloud.
To complement and support the envisioned data-sharing and AI ecosystems, the Commission intends to make significant investments to build a strong federated European market for secure, sustainable, interoperable and scalable edge and cloud infrastructure. In addition to data storage and sharing, such infrastructure is also intended to provide a wider range of resources to support the specific needs of EU industries and players, including cloud-to-edge capabilities, AI modelling, digital twins, and high performance computing. [2]
The end goal is to facilitate the set-up of a ‘cloud services marketplace’ for EU users by the end of 2022. Such a marketplace will enable users to select cloud service providers (CSPs) that comply with all necessary rules such as data protection, security, data portability and energy efficiency. Participation in the marketplace for CSPs will also be conditional on the use of transparent and fair contract conditions, in particular for Small and Medium Enterprises. Given the particular attention to CSPs’ adherence to EU rules, the Commission plans the creation of a ‘cloud rulebook’, bringing together all applicable rules.
These initiatives are clearly aimed at boosting the competitiveness of EU CSPs in a market dominated by a handful of large U.S.-based companies. Increased interoperability and a wider range of providers will also help to ensure that individual CSPs do not pose a systemic threat to the economy or large businesses.
This is particularly relevant for FS firms, whose operational and cyber-resilience capabilities are increasingly under the spotlight. It also means that as part of their transition to cloud, FS firms wishing to service the EU market will need to assess CSPs’ likelihood of being able to operate in the EU in the future.
Conclusion
We expect the Commission will receive forceful and contrasting feedback on its strategy from a wide range of stakeholders – future legislative negotiations are also likely to be very challenging. This in turn makes elements of the timetable (such as setting up a cloud services marketplace by end-2022) very difficult to achieve.
But, as we predicted in our Regulatory Outlook 2020, two competing objectives are driving EU digital innovation policy. The first is to make the EU a leading global, independent, technological and digital player. The second is to set the gold standard for AI governance, data privacy, ethics, and consumer protection.
It is too early to speculate how EU legislators will balance these two objectives in the final legislative outcome. But for FS, as well as other industries, one thing is clear – any organisations wishing to participate in the EU digital economy will need to follow EU rules, and these are unlikely to align to those of any other major country.
***
Footnotes
[1] Data space – a digital area with the scale to enable the development of new products and services based on data.
[2] Cloud-to-edge capabilities – hybrid cloud deployment models that allow data processing at the edge (i.e. on peripheral devices) with no latency. Digital twins – digital model of a process, product or service. High Performance Computing – also known as supercomputing, it involves thousands of processors working in parallel to analyse billions of pieces of data in real time, performing calculations thousands of times faster than a normal computer.