Towards Smarter EU Tech Rules – Step 3: How to Make Implementation and Enforcement Matter?
Best practices
- Make sure EU digital rules are designed for proper implementation
- Adopt right timing for implementation, enforcement, and evaluation
- Evaluate the governance of regulators, intervene in case of problems
While it can be easy to overlook the implementation and enforcement of new tech and digital rules once they have been adopted by EU lawmakers and have disappeared from the headlines, recent experience underlines the need to keep a close eye on these important final steps in the process. This is when regulators and companies test the practicality of tech rules, and when European citizens actually ought to reap the benefits.
Since 2019, the EU’s unprecedented wave of new tech legislation has also uncovered structural flaws in how rules are put into practice and subsequently upheld. The final article of this three-part series focuses on the crucial phase of implementation and enforcement. Let’s examine how Europe can ensure that its digital rules are not just well-designed and subject to legal scrutiny when being drafted, but also turn out to be meaningful in practice.
1. Make sure EU digital rules are designed for proper implementation
| WHAT WORKS | WHAT DOES NOT WORK |
|---|---|
| ✅ Ensure there is sufficient staff and resources for implementation and enforcement | ❌ Not establishing direct communication channels with regulated companies and their representatives |
| ✅ Publish a public overview for each piece of legislation: clearly setting out the timeline for implementation, including all acts, guidelines, and tools necessary to achieve compliance | ❌ Introducing rules that (inadvertently) cannot be enforced at the national level |
| | ❌ Creating new barriers within the Single Market |
After officially being adopted by the EU institutions, most major pieces of tech legislation still require several follow-up steps before companies are able to implement these new rules properly. Think of delegated and implementing acts that set out important details, but also IT tools (such as databases and application programming interfaces, also known as APIs) and the appointment of responsible national authorities.
Without timely follow-up actions and a meaningful chance to collaborate with the European Commission, regulated entities end up facing more legal uncertainty and fragmentation – which EU frameworks are actually supposed to decrease.
This also imposes significant burdens on regulators and enforcers at the national level, who are suddenly bestowed with new powers and responsibilities, but may not have funds or resources to deal with them. As a result, implementation is often uneven across the 27 EU Member States, which in turn creates new barriers within the Single Market.
The implementation of the Digital Services Act (DSA), for example, foresees a number of implementing and delegated acts, as well as various pieces of guidance and the involvement of national authorities. Yet, no clear implementation timeline or calendar with necessary steps has ever been provided to companies regulated by the DSA, leaving them entirely in the dark.
2. Adopt right timing for implementation, enforcement, and evaluation
| WHAT WORKS | WHAT DOES NOT WORK |
|---|---|
| ✅ Put a Commissioner in charge of overall implementation and enforcement, and give them the power to intervene when necessary | ❌ Assuming implementation is an easy last step in the process after a political deal is struck – in reality, it takes time and practice to get it right |
| ✅ Maintain open communication with companies and trade associations to help streamline compliance | ❌ Agreeing timelines that are unrealistic for businesses or national regulators |
| ✅ Reflect the actual time required for a law’s implementation across all possible business models | |
Timelines agreed for implementation and enforcement should take into account the actual amount of time businesses need to redesign products and internal processes, or introduce new security measures. Moreover, agreeing in advance on a clear timeline for the future evaluation of rules should ensure that policymakers can propose changes at regular moments, but also give those governed by legislation the certainty that rules will remain stable for a given time.
Indeed, the Commission’s proposal for a European Cyber Resilience Act only provided 12 months’ lead time for making changes to any hardware product deemed “highly critical” – including routers, modems, and smart meters. This proved to be an insufficient amount of time to redesign entire products and adjust manufacturing processes in a smooth way.
Moreover, such a short lead time does not allow previous models of products to phase out from the market naturally, leading to inefficiencies and impacting sustainability. In the future, legislative proposals that impact hardware require more lead time, reflecting the actual development and production cycles of the products concerned.
3. Evaluate the governance of regulators, intervene in case of problems
| WHAT WORKS | WHAT DOES NOT WORK |
|---|---|
| ✅ Streamline the structure and competencies of regulators across legislative frameworks | ❌ Assuming that all companies have enough resources to decode the governance structure of regulators responsible for all the different rules they are subject to |
| ✅ Guarantee a transparent governance process, and appoint clear points of contact | ❌ Overlooking the crucial role that good governance plays in smooth implementation and enforcement |
| ✅ Centralise the enforcement of cross-border matters at the EU level, and make this the default model for any new proposal | |
Rollout and compliance monitoring stand or fall with the governance of the responsible regulators. In particular, the occasional disconnect between the Commission and regulatory authorities (at both EU and national level) tends to create difficulties for the digital sector – and affects companies of any size – when it comes to knowing whom to ask for guidance. When such problems arise in the future, the Commission should be much more proactive in intervening to fix them head-on.
For example, five years after adoption of the General Data Protection Regulation (GDPR), a number of significant shortcomings in its enforcement have become evident. This led the Commission to consider new legislation relating to GDPR enforcement in an attempt to streamline the handling of cross-border procedures. Yet, the actual proposal fails to address structural issues with the interplay between regulators, instead opting for cosmetic changes.