Strategic Foresight: How will EU regulatory impact Responsible AI, Data and Cloud strategies?

Click to enlarge

The Commission of Ursula von der Leyen aims to strengthen European digital sovereignty by enhancing Europe's control over its data and digital capabilities. Simultaneously, the Commission promotes innovation within the continent. The focus on data, cloud services, and the regulation of artificial intelligence (AI) reflects these sovereignty objectives. With the end of the von der Leyen Commission approaching in 2024, no new initiatives are expected. However, navigating the evolving policy landscape has been challenging for users of data and cloud services, leading to uncertainty around transatlantic data flows and cloud transformation under European Union privacy rules. Understanding the policy landscape is crucial for those working in these areas.

Impacts of digital regulations on sovereignty

After the landmark Schrems II ruling in 2020 and the looming risk of foreign authorities’ access to critical data, Nordic organisations have experienced a degree of uncertainty. Specifically, this uncertainty revolves around transfers of personal data. The EU Commission is currently looking to relieve these uncertainties with a new data pact between the EU and the US (Data Privacy Framework). At the same time, the EU is preparing initiatives to enhance Europe’s digital sovereignty, most notably, through security labelling of cloud services and new risk-based rules on AI products and services. Organisations can adapt to the changes proactively by exploring multi-cloud solutions for different types of data and assessing the ethical and security risks associated with the use of AI.

Estimated timeline for key digital sovereignty related EU regulatory initiatives. (Click to enlarge)

Recommendations and action points for Data, Cloud, and responsible AI strategies:

• Organisations should prepare for data transfer uncertainty and conduct regular risk assessments. The upcoming EU-US Privacy Framework can be reliably trusted upon only for a 2 – 3 years’ time, pending an EU level court decision.
• Organisations should consider sovereign cloud for processing and storage of the most sensitive data to ensure security and compliance with upcoming regulations (such as the EUCS sovereignty requirements).
• Organisations should prepare for an increasingly complicated regulatory framework (e.g., the AI Act and the Data Act to co-exist with the GDPR). With increasingly diverse national implementations of data and cloud policies, organisations are recommended to conduct country level compliance strategies.
• Organisations planning to utilise AI applications should implement responsible AI to ensure legality and ethical standards in the AI development and AI use cases. They should conduct regular impact assessments, as large uncertainties loom with the scope of the upcoming EU AI regulations.

Impacts of digital regulations on security

Security landscape in Europe has changed dramatically after the Russian invasion of Ukraine in February 2022, accelerating the development of new regulation on cybersecurity and critical infrastructures. While security needs are urgent, new legislation takes years to prepare and finalise. It is therefore no longer sufficient for organisations to merely react to new legislation; they should proactively consider their role and responsibilities in the security landscape, preparing for new laws in the making, such as the Cyber Solidarity Act (CSA) and the Critical Entities Resilience Directive (CER).

Estimated timeline for key security related regulatory initiatives. (Click to enlarge)

Recommendations and action points for security:

• Organisations should assess whether they are likely to be included in the scope of the growing body of regulation aimed at critical infrastructure (e.g., the upcoming CER directive). With the rapid pace of change, those who fail pro-actively plan compliance will risk facing sanctions.
• To comprehensively understand the rapidly changing trends of global politics, companies should deploy specialists in hybrid threats and experts in societal changes.
• Organisations in critical sector should pro-actively engage in dialogue with both the EU level and national decision makers to clarify their role in the changing security landscape and ensure security in collaboration with the public sector.
• The private sector is more agile that EU regulations to respond to rapid changes in the geopolitical environment, and therefore companies should be confident of participating pro-actively in the security field and take the leading role there.

Impacts of digital regulations on sustainability

Sustainability considerations are increasingly impacting the use of data and AI in Nordic organisations. Furthermore, sustainability considerations are influencing their choice of cloud service providers. Currently, the industry and self-regulation are in the driver’s seat when it comes to sustainability standards applied to digitalisation and data centres. However, the EU is ramping up its efforts to increase sustainability of these sectors through regulation. The most notable development – the EU Sustainable Finance Taxonomy – divides economic activities into green and non-green categories based on technical criteria laid down in legislation, requiring companies to disclose the percentage of their business that meets these criteria. The Taxonomy framework will be implemented in segments, with parts of it already applicable and reporting requirements gradually growing. Organisations should proactively invest in the collection and analysis of their non-financial data, thereby preparing for the tightening regulation seizing the opportunity to utilise sustainability data for business growth.

Estimated timeline for key sustainability related regulatory initiatives. (Click to enlarge)

Recommendations and action points for responsible AI:

• As sustainability regulations continue to evolve, companies should plan changes by implementing scalable and flexible AI applications to adapt to new regulations.
• Organisations should strive for early compliance with the voluntary EU Sustainability Finance Taxonomy standards as preparation for the tightening sustainability regulation.
• Organisations should take pro-active steps to assess their use of responsible AI from ethics and sustainability perspective. Thereby preparing themselves for the tightening regulation in the field and develop policies and user guidance for responsible AI use cases.
• As sustainability reporting requirements, such as ESG reporting, are increasing, companies should invest in real-time sustainability data collection and data governance. Companies can act as pioneers in the change toward a more sustainable processes and supply chain.

With new EU regulations on the horizon, organisations are expected to proactively analyze and incorporate the upcoming legislation into their strategies for data, cloud native, and responsible AI. Our Strategic Foresight Report provides invaluable insights from EU institutions, Nordic decision-makers, and security specialists on sovereignty, security, and sustainability.

Read the full Strategic Foresight on the EU’s digital policies.

At Tietoevry Tech Services, we are dedicated to driving enterprise-wide digital transformation. We help organisations and companies with their cloud, data, and AI strategies, enabling them to capitalize on new opportunities in today's dynamic business environment. Our expertise lies in modernizing the digital landscape of our customers, empowering them to stay ahead in an ever-evolving market.