The Standards Myth That Does Not Stop

The latest iteration of the most expansive, omnipotential cybersecurity legal regime ever drafted appeared a few days ago. (See: REPORT on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020) The European Union (EU) Cyber Resilience Act (CRA) is attempting to assert jurisdiction and control over all “products with digital elements” defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market.”

In the name of taking the global cybersecurity lead and protecting EU citizens, it seeks to impose dozens of onerous, if not impossible, conformance requirements on all “products with digital elements” and associated obligations on every “manufacturer, importer, or distributor.” Control would be imposed through extensive surveillance, “sweeps,” CRA bounty hunters, and enforcement measures combined with enormous penalties imposed on product non-conformance or “economic operator” non-compliance with the CRA obligations.

Although the CRA is well-intentioned, the long arc of cybersecurity history over the past 55 years has demonstrated its approach is ineffective, misdirected, and potentially a vulnerability itself. One of the many fatal flaws includes its reliance on certain designated standards.

The CRA would accomplish this almighty task using “harmonised standards” from the three “European Standardisation Organisations (ESOs)” (CEN, CENELEC, and ETSI), “taking into account existing or imminent international standards for cybersecurity” and implemented through “European cybersecurity certification schemes.” [Note that although ETSI is primarily a major international standards organisation, it also serves the EU as an ESO with separate standards.]

The standards myth that does not stop

Buried among the 47 definitions of the new draft, “international standard” is defined to mean “a standard produced by…the International Organisation for Standardisation (ISO), the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU).” Whoa! What? Incredibly, the EU CRA is exercising total cybersecurity regulatory dominion over all the “products with digital elements” in the world using the standards of a designated monopoly cartel consisting of CEN/CENELEC fronting ISO/IEC, plus ETSI (in ESO mode) and ITU?

As a legal historian, the embedded mystery was why the EU CRA would designate the ISO, IEC and ITU as the only bodies that produce “international standards.” The EU is effectively re-creating a three-organisation cartel that had total dominion over international information communications and computing technology and services as they existed 30 years ago! Doing so seems unlikely to serve the EU and its Member States well today. That cartel world is long gone. It was and remains very anticompetitive. Almost all the ICT products that the world uses today, including the cybersecurity capabilities, are developed using standards produced by a diverse ecosystem of other industry-driven international standards bodies, including product developer communities.

The alleged basis for the international organisation cartel is found in the CRA Explanatory Statement addition (37a) on page 155 as:

“According to the WTO Agreement on Technical Barriers to Trade, when technical regulations are necessary and relevant international standards exist, WTO Members should use those standards as the basis for their own technical regulations. It is important to avoid duplication of work among standardisation organizations, as international standards are intended to facilitate the harmonization of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade. Given that cybersecurity is a global issue, the Union should strive for maximum alignment.”

However, neither the WTO technical barriers to trade agreement nor the more specific general agreement on trade in telecommunications services (GATS) says what is asserted. The GATS says:

7. Relation to International Organizations and Agreements
(a) Members recognize the importance of international standards for global compatibility and inter-operability of telecommunication networks and services and undertake to promote such standards through the work of relevant international bodies, including the International Telecommunication Union and the International Organization for Standardization.
(b) Members recognize the role played by intergovernmental and non-governmental organizations and agreements in ensuring the efficient operation of domestic and global telecommunications services, in particular the International Telecommunication Union. Members shall make appropriate arrangements, where relevant, for consultation with such organizations on matters arising from the implementation of this Annex.

Available at: https://www.wto.org/english/tratop_e/serv_e/12-tel_e.htm

The more generic Technical Barriers to Trade agreement simply states, “The Agreement encourages Members to use existing international standards for their national regulations, or for parts of them, unless ‘their use would be ineffective or inappropriate’ to fulfil a given policy objective” and generally refers to the ISO, IEC and ITU. See https://www.wto.org/english/tratop_e/tbt_e/tbt_info_e.htm

It is also worth noting the context. First of all, the provisions were negotiated beginning in 1988, when the WTO was still the GATT, and perfected in the early 90s as GATT became the WTO. It occurred at a time when public telecom service providers and equipment vendors were attempting to open global markets and were concerned that national technical standards would be used to impede market entry.

Several facets of the Agreement are noteworthy. First is the scope, which applies only to “access to and use of public telecommunications transport networks and services.” Those terms were understood to be narrowly defined as legacy telecommunication services. It speaks extensively about access to private leased services and “resale” because at the time, they were used for providing internetworking and mobile services. The only treatment of standards is found in clause 7. Note that clause 7 is not normative, and it speaks only of promoting standards “through the work of relevant international bodies, including the International Telecommunication Union and the International Organization for Standardization.” 

It goes further in 7(b) to say, “Members recognize the role played by intergovernmental and non-governmental organizations and agreements in ensuring the efficient operation of domestic and global telecommunications services, in particular the International Telecommunication Union.”

There is only one global intergovernmental standards organization today, and that is the ITU. ISO, like almost all other standards bodies, is simply a private, incorporated entity. Are all non-governmental organizations within the scope of the 7(b) provision? There was never any intention in this drafting process 30 years ago to create an international standards cartel.

Why is this important? Because almost every standard related to cybersecurity was developed after those agreements by international standards organisations other than ISO, IEC, and ITU, and it is those standards which are used globally by both private and public sectors. Organisations like 3GPP, IETF, and IEEE, among scores of others, are what matter today.

At the time these negotiations occurred, I was the ITU’s Chief of Telecommunication Regulations and Relations between Members, represented the Secretary-General when they occurred, and wrote the provisions to protect ITU interests at the time in 1991. Further checking with the now-retired chief of the WTO Secretariat GATS division confirmed she knows of no basis for constraining international ICT or cybersecurity standards to only those of ISO, IEC, and ITU.

The myth propagation needs to stop.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.
