Shaping the rules of our digital future: is the EU on the right track?

By all accounts, one of the leading concerns of EU regulators today is to foster an economy that is both innovative, and sustainable. But let us start with an assessment of the problem: the EU is still arguably a powerhouse when it comes to innovation, but a very rapidly declining one, with very few big tech companies originating here, and generally 85% of growth happening outside. As President of Microsoft, one the leading global Big Tech companies, you should probably have an opinion about this issue: looking at the EU over the past decades, what went wrong, and what does our future look like to you? 

To answer your question, I would like to first note that there really are two different aspects of the technology sector that people often miss or fail to put together. The first one is what people look for: something that is called a tech company, that looks like a tech company, for example, Apple, Microsoft, Google or Facebook. But this is a relatively short list, even globally, and it obviously is a much shorter list yet in Europe. This doesn’t mean that they do not exist – think of SAP, which continues to be a global leader, Spotify, which is the world’s leading audio streaming and media services provider, or Ericsson, which proved to be strong year in and year out. But then there’s the second part of the technology sector, which refers to the use of technology by every other industry. 

What will always be important for Europe, and every other economy, is to encourage the development of the tech sector, but then also use its technology solutions to foster innovations and competitiveness in the other industries it has a strong foothold in. 

Now, I do think that to foster the tech sector, one needs to strive to create a healthy ecosystem for the creation of new businesses. Technology is a sector where companies are born and then grow quickly; indeed, unicorns are sometimes only 3 to 5 years old. In this respect, I see a stronger spirit of innovation and entrepreneurialism across Europe now than ten years ago. This is in evidence at events like Web Summit in Lisbon, for example.  When I visit Microsoft accelerators in places like Berlin or London, or indeed Station F in Paris, I see that the European startup community is vibrant and thriving. New businesses will emerge from these initiatives. 

In the past, I observed a trend where creative people in Europe felt like they had to leave Europe if they wanted to build a new business. This is no longer the case, and this change is certainly a source of long-term strength. 

It is important for Europe to stay focused on the second aspect of the technology sector as well. The economic strength of Europe in the world really derives from a wide number of industries, in which European companies have deep domain expertise. Think for instance of the pharmaceutical industry, machine tools or manufacturing processes. It is important to keep in mind that each of these industries is being transformed by digital technology and the use of data. 

And what about the second aspect of EU’s ‘Fit for 55’ and other policy objectives: fostering an economy that is also inclusive and sustainable? On the sustainability side, for instance, the EU has recently launched multiple initiatives aiming to foster a tech / digital industry that participates in “addressing the main challenges of our time”, while also making sure that technology “serves the people and adds value to their daily lives”. What is your assessment of these initiatives – is the EU likely to strike the right regulatory balance? And what is the role of Big Tech in this respect?

Mostly, I would say that EU’s regulatory agenda is going in the right direction. It is very ambitious, it is very broad, and I think it is focused on the problems that matter, that concern consumers and businesses in Europe and indeed consumers and businesses around the world.

Technology has an important role to play, not only in driving economic growth, but also in supporting sustainability and helping shape more inclusive communities. This is central to our “Tech Fit 4 Europe” approach, which embraces the EU’s vision of creating a greener, more digital and more resilient Europe. We recognize that the technology industry has a responsibility to take action and contribute to the initiatives and proposals that the Fit for 55 package sets forward. Microsoft is committed to doing its part and has made bold sustainability commitments. These include a detailed plan to be carbon negative by 2030, to reduce Scope 3 emissions by half or more, and to remove from the environment by 2050 all the carbon the company has emitted since its founding in 1975. Equally important, we believe digital tools and solutions will play an essential role in driving sustainability efforts and delivering new innovations that will be needed to enable all sectors in the EU to meet their carbon reduction targets. 

In terms of inclusion, I think that Europe is already a more inclusive society than most, but obviously every society constantly faces new challenges from this perspective. I believe central to digital inclusion is to ensure that everyone has access to broadband connectivity, devices and skills. Europe today is in better shape than many places in the world when it comes to broadband coverage, but there are still pockets in some rural parts of Europe where it is not yet ubiquitous or inexpensive, and the pandemic has highlighted a more pronounced digital divide that we can no longer ignore. Not everyone has access to affordable devices at this point. 

In this respect, technology companies have the resources and expertise to help bridge this divide. For instance, Microsoft is working to bring broadband access to disadvantaged students in multiple parts of Europe, and we continue to make accessibility and connectivity a priority through our Microsoft Airband Initiative, which has brought high-speed internet access to millions of people in previously unconnected communities across the US and around the world since launching in 2017. We also recently launched a global “Open Data Campaign” to help address the looming “data divide” and encourage greater data sharing and access. Helping organizations of all sizes harness the benefits of data and the new technologies it powers – something President von der Leyen has pointed out can be a “powerful engine for innovation and new jobs” – will significantly contribute to Europe’s digital transformation and inclusion efforts.

Perhaps even more importantly, digital skills need to be expanded. Indeed, as digital transformation brings socio-economic changes in the labour market, there is no doubt that education and lifelong learning will be critical to building workers’ resilience. Ensuring that everyone can benefit from the economic opportunities in the new digital economy should be a key priority for Europe, and the focus for schools and programs should be on the development of both technical and soft skills. According to one study by the European Commission, 42% of Europeans still lack basic digital skills. The European Commission is fully aware of the challenge and has proposed a new European Skills Agenda as well as a “Pact for Skills”, mobilizing stakeholders to create better training opportunities. Here again, we believe that technology companies can play an important role. Take the example of the AI School network that Microsoft has developed in France with Simplon, where job seekers from a variety of backgrounds can embark on a free, intensive seven-month course, during which they learn AI development skills, followed by 12 months of employment at participating companies. This network has expanded to 39 schools since 2018 and has trained 750 students. Or take LinkedIn Learning and the additional online courses we’ve made available there, providing a means for people to more easily bridge the gap between the skills they have and those they need in order to pursue new job opportunities for themselves.

When it comes to sustainability, it seems clear to me that what Europe is focusing and leading on is making the economy as a whole more sustainable. Fit for 55 is a great example of that, by providing a framework for moving more quickly and more profoundly to create a net-zero carbon economy in Europe. Because it is designed to encourage innovation, foster the competitiveness of green industries now and in the future, and ensure the progress is inclusive and just, I believe it has a good chance of succeeding. 

Technology companies can help through our own sustainability commitments and, perhaps even more importantly, by enabling other sectors to achieve their goals through the use of digital tools and solutions. 

One of our priorities is to ensure that our data centres are energy efficient and using green energy. Because of ongoing energy efficiency investments in our data centres, today the Microsoft cloud is up to 98 percent more carbon efficient than on-premises data centres. With Fit for 55, we look forward to supporting the conversation around common metrics for measuring data centre sustainability, as part of the revision of energy efficiency rules and as a contribution to the goal of climate-neutral data centres by 2030. 

But technology companies alone cannot control the outcome here. Like other users, our data centres and our offices around the world plug into the local grid, consuming energy from a wide variety of sources. What we can do is change the way in which we purchase energy. Our existing commitment to execute power purchase agreements equivalent to 100% of our energy needs by 2025 has already made Microsoft one of the largest purchasers of renewable energy in the world. Going forward, we will continue to innovate with our energy purchasing contracting to help bring more zero-carbon energy onto the grid and move more high carbon intensity energy off the grid. 

And the grid is not the only infrastructure that Microsoft can help decarbonize. By creating new digital tools, we can also empower our customers to decarbonize their own operations and infrastructure, and this is indeed the motivation of our new Microsoft Cloud for Sustainability offering.

Finally, we also have to focus on making our services more energy efficient, our devices easier to recycle, with less carbon impact in terms of the emissions that result from the components and the like that go into it. This is why we welcome the upcoming EU focus on sustainable products through the Sustainable Products Initiative (SPI). 

You have recently stated, in your capacity as President of Microsoft, that Big Tech companies have to assume the responsibility for the world that their technologies helped create. You have also voiced support for the EU initiatives on the regulation of digital ‘gatekeepers’ or intermediaries. But what is, in your opinion, the main societal concern and worry with these companies today, and what kind of regulation seems appropriate?

Certainly, when one focuses on market dynamics, and not on societal issues that we have just discussed, there is an understandable and even a natural focus on the role of gatekeepers that in effect create bottlenecks in the economy. The history of competition law shows that this concern is a recurring theme. We saw it for oil and steel companies, for railroads, telephones, as well as for computing. The essence of the problem is that when there is a very small number of companies with very large economic power, these companies in effect stand between other businesses and their customers and consumers. So, when these other businesses have to go through this layer or gate to reach their customers, concerns about undue economic influence can arise. 

Taking a step back and putting the debate in a broader historical perspective, the issues around companies like Google are really just the latest chapters in a long story that has chapters before it on Microsoft and IBM and AT&T. Indeed, we, at Microsoft, have been part of this story as well. A lot of the antitrust cases against Microsoft in the 1990s and the early 2000s were fundamentally focused on a concern that Windows, for example, not only was a gateway, but also enabled us to be a gatekeeper and potential bottleneck for new services, for instance new media players, consumer email services or browsers. All these cases have led to Windows now being an open platform. 

The question therefore is what are today’s bottlenecks? In today’s world, software developers, content creators, advertisers, retailers, and others increasingly rely on a handful of platforms to reach their customers. In other words, the platforms intermediate their customer relationships and set the rules of the market. An app store, almost by definition, is among the most quintessential of examples: it is a bottleneck a whole ecosystem of developers has to get through to reach their customers, with app stores on popular mobile operating systems sometimes unfairly burdening app developers and excluding innovative apps. So, I think it’s appropriate that regulators are now taking steps to clear the bottleneck, clear out the blockage that this model has created. Digital advertising is another area where an enormously elaborate web of technology and contractual practices have created not just a gate but a real bottleneck between people who want to purchase advertising and people who have advertising inventory to sell, be it in the area of search ads, display ads, or on the Internet as a whole.

But what regulators concluded, correctly in my view, is that the issues raised by gatekeepers today need solutions both in competition law and in new types of laws and regulations. This is why we support the latest efforts by the EU to adopt forward-looking regulation, such as the proposed Digital Markets Act to ensure that these gatekeepers operate fairly and do not undermine the ability of others to compete. Very often, competition cases begin before regulators have a clear sense of the remedy they want to pursue. What is different this time is that there are cases where the remedies are clear and allow for regulatory measures. Some of these will likely also be applied to our products like Windows. In a situation where regulators have a set of measures they want to see in place and apply to all the digital gatekeepers, they certainly face a choice: either spend a decade and bring a number of different competition law cases, which are going to move slowly, to finally get to the last chapter of the book after the equivalent of several hundred pages of reading, or just go directly to the last chapter a lot faster. I think that the second option is the one that regulators are likely to prefer, and I think that it is indeed important to address these issues rapidly.

And yet, the proposed DMA was met with a lot of criticism, both by businesses and in the academia. Some argue that it actually tackles the wrong problem by trying to improve the competition potential of gatekeepers’ business users through data sharing, rather than promoting competition from other tech giants and complementary products and services. Microsoft, on the other hand, has been vocal in supporting the EU approach – why is that?

I think that two separate questions need to be distinguished: what is the problem regulators want to tackle, and what is the appropriate solution? 

The problem, in my view, is that intermediaries with significant market power are able to, in effect, distort the market and get in the way of a healthy growth opportunity for businesses that want to get their products and services to their customers, consumers or other businesses. Sometimes this power manifests itself through prices that are monopolistic in economic terms: this is part of the debate arising around app store pricing. Other times it is reflected in their capacity of self-preferencing, and I definitely think that there are examples of such behaviour. A third aspect of the problem is gatekeepers being able not only to create bottlenecks, but actually to create blockages thwarting market growth. For example, when you force all purchases to be made in an application and deny businesses even the possibility to inform their customers that they can also purchase the goods or services elsewhere, when you put restrictions on the ability of people to create and offer subscription services for a portfolio, then you are really cutting back on the natural growth of the market.

So, the problem is multifaceted, and once this is recognised, it is easier to understand that the solution should be multifaceted as well. The solution may or may not involve the sharing of data with business customers. But I do think that it’s likely to involve drawing some clear lines and putting some practices out of bounds because they do more economic harm than good. 

This has also been true for Windows historically. A variety of rules were imposed on Microsoft that we still follow today, that aim to ensure that we don’t create an inappropriate or undue preference or blockage when it comes to products like browsers, music subscription or email services. As a result of various court orders, legal undertakings, and voluntary principles, Windows is an open platform, and the interfaces used by Microsoft’s own software products are open, documented and available to others. Indeed, the ecosystem enabled by Windows has allowed many leading digital platforms and online services to connect with their users and get a foothold in the market. 

And look at the services that are popular on Windows right now: the most popular browser is from Google, the most popular music service is from Spotify, the most popular consumer email service is from Google. So, the approach has proven effective in preventing what people were concerned about, that Microsoft could create a preference for its own services in a way that would thwart the opportunities for others. Exactly the same concerns abound today.

But there may be something new about the concerns that we have today. Maybe what the public concern is about this time around is that gatekeepers might stifle the competition in the marketplace of ideas, rather than in the marketplace itself: more political concerns and less purely economic ones.

I think that there are multiple public concerns at the same time, as is apparent from the wide variety of regulatory fields that are rapidly emerging concerning technology companies. 

First, there is market regulation and competition, the one field we talked about. Then, there is digital safety, which is what you refer to in your question. This is a prominent problem in Europe and in almost all of the world, and it does indeed involve some of the same companies that we’ve talked about. But the issues that we care about from this perspective are quite distinct. In fact, even when it comes to digital safety, we face a multifaceted challenge: we need to protect children, we need to protect against online terrorism and violent extremism, we need to think about hate speech or the spread of disinformation. This will require multistakeholder collaboration on a range of solutions, from technical tools to empowering young people through digital literacy programs – as highlighted in President Macron’s new call to “stand up for children’s rights in the digital environment”. But then there is a third concern, which is privacy and also freedom of expression. Cybersecurity is a fourth. Increasingly, we’re also seeing a distinct field, the latest evolution of telecommunication and connectivity regulation, as a fifth. We’re seeing a set of national security rules in some places, including protection for critical infrastructures, that is a sixth area of concern. And I think that we will also see the emergence of a set of sustainability-oriented regulations as a seventh field. 

On any given day, there are seven to eight regulatory fields addressing technology companies. And each regulatory field is a drastically different phenomenon and, to some degree, responds to a different problem. 

On a different topic, Microsoft has recently voiced support for the EU’s drive towards a “European digital sovereignty”. Microsoft has also stated that “Europe is uniquely positioned, with its history and traditions, to get digital sovereignty right”. But what is digital sovereignty all about, and why do you think that Europe can really deliver on its promise?

Territorial sovereignty as we know it everywhere in the world today was really created in Europe; it came out of the Peace of Westphalia and it spread around the world, and I think that Europe is in an excellent position to address the digital sovereignty concerns of the 21st century for a couple of reasons.

First, it understands the issues well. As I meet with European officials and governments, it is apparent to me that they do have a good grasp of the problem they want to solve. With respect to digital sovereignty, for them it really often comes down to three things: how they protect their national security, how they protect the privacy and rights of their citizens, and how they promote more economic opportunities for their own citizens and businesses. And certainly, Europe’s “digital decade” transition requires secure and trusted digital infrastructure and services allowing European businesses and citizens to harness the value of their data. So, Europe has a clear interest in retaining control over its data, and “digital sovereignty” refers to this self-determination. 

I think that Europe is well-positioned because it’s really been at the forefront, especially in the last 30 years, of the evolution of the concept of sovereignty itself, enabling nations to both retain their sovereignty and collaborate across borders in new ways. The EU is almost certainly the world’s best example of a successful model for both retaining sovereignty and setting common rules, and even a common strategy currently transgressing territorial borders. Digital technology obviously and by definition crosses borders, and it does so globally unless a government is able to stop it. 

So, with that understanding of the problem and that capacity to foster cross-border collaboration, there is a lot that the European governments can work with and build on. This is why we believe that Europe is and will remain at the forefront of this issue. By leading with a rules-based approach, Europe can truly build on digital technology to reap the benefits of the digital economy without compromising on its decades-long commitment to competitive and open markets. 

Your answer leads us to the question of the role that the EU could play as a global standard-setter in shaping the future of the digital economy. Indeed, major jurisdictions seem to face deep disagreements about the way in which the digital economy is to be regulated, resulting in an increased role for unilateral regulatory action. But, as Anu Bradford has recently pointed out, in many areas EU regulatory actions enjoy a “Brussels effect”, which is due to a unique combination of market forces. Microsoft is a leading example of a company that has decided to apply stringent standards unilaterally set by the EU (e.g., on privacy) to all markets. How do you explain this effect? And do you expect it to last, while the role of standard setter is, naturally, also claimed by other jurisdictions, and especially China, following Xi Jinping’s recent ‘crackdown’ on Big Tech?

I think that there indeed has been an important and strong “Brussels effect”. The European Union, with the leadership of the European Commission, has been very successful in setting norms and even detailed guidelines and regulations that have been applied in Europe and influenced the rest of the world. If you take the GDPR, the regulation spread rapidly around the world in part because there wasn’t really any alternative or competing model. So, Europe had the first-mover advantage of proposing a model that technology companies rapidly implemented. And it really set the terms of the debate everywhere: any conversation about privacy anywhere would probably start in the first five minutes with a conversation about the GDPR. 

The “Brussels effect” is still significant, but I also sense that the world is changing. And as we look to the period from now to the 2030s, the decade will likely be different from what we have experienced in the past. I think what’s important to recognize today is that there are more governments considering similar regulatory proposals or at least the same topics simultaneously. This is very different from the situation of the GDPR, debated roughly a decade ago. Now, take the DMA or the DSA, or any other proposal in Brussels, and you are going to find multiple other jurisdictions debating the very same topics. Indeed, we have entered a new era of international relations for technology regulation, with a more diverse, multipolar and multifaceted world. The UK has rapidly emerged as a major regulatory force, with London and Brussels really working on similar sets of issues. You see similar actions in the US, very rapid action in China. Those are perhaps currently the largest countries where we’re seeing regulatory initiative, and I think India easily could join them. But then there are a number of other countries as well that are very influential in part because they move quickly and they have capability, for instance Australia, South Korea and Japan, three more countries that are exercising enormous influence. Take South Korea. Its Parliament has already adopted a law on the regulation of app stores, while the EU is continuing to debate the DMA. 

So, we are now entering a different era. In my view, the real goal for technology regulation now is to get the balance right, to encourage tech companies to exercise more responsibility and to implement new steps that will ensure that technology is subject to the rule of law. Regulators like being leaders and setting standards, and this is a good thing, but increasingly what we see is more collaboration between regulators and governments across borders. The Brussels effect of the 2030s may not look like the one in the past, i.e., adopting standards and watching others debating the proposal, but talking with other regulators before moving together in concerted actions. 

One of the things that is striking to me today is that if I have a conversation with, for instance, a prime minister in one part of the world, they often mention that they had a conversation that same day with the prime minister in another part of the world on that same topic. Today, ideas are moving around and the key to wielding global influence is no longer in waiting until the proposal is ready and suggesting that everyone else copy it, but in being very collaborative and a real thought partner for other governments. And this is indeed what I witness in Brussels, in Paris, in Berlin, in London, in Washington and so on and on.

But not in Beijing? 

The interesting thing in China is if you look at the list of issues, it’s exactly the same. If you look at the list of regulatory proposals that are emerging, sometimes they are the same, sometimes they are different. The approach to regulation can vary and is the reflection of the core values and goals of each government. 

In this respect, Europe has a natural advantage because European values have so often spread around the world. Everywhere, people and governments talk about their own values, but frankly, if I have a conversation in the US about American values, most of them will be values that were born in ancient Greece, moved to either France or England, and then crossed the Atlantic in the 1700s. 

I think that European values are fundamentally humanistic, and are the values embraced by most of the world’s democracies. Therefore, a world where Europe is not only advancing its own regulatory proposals but doing so in ongoing collaboration with other parts of the world will likely lead to more consistent technology regulation and the enshrining of values that are, for me, timeless, to an ever-evolving technology sector.

What your answer seems to point to is the need for collaboration especially between ‘likeminded’ jurisdictions, which raises the question of the relationship between the US and the EU. Clearly, the two still have more in common than driving them apart and share a lot of the values you talked about. One could expect that, on these issues, the two would more easily fall in line. But this doesn’t seem to be the case now: businesses must deal with the implications of the ECJ Schrems II ruling, and it is unclear whether a convergence is on the horizon. Microsoft, for its part, has recently launched a strong call for a “transatlantic technology alliance”, as a path forward for cooperation on democracy, trust and fairness in the digital economy. What is this initiative about, and are you optimistic about the near future?

In fact, in many ways, I would say that we probably have had more of a transatlantic alliance in the area of technology than we sometimes realize or talk about. Maybe there is just a lot that we take for granted, maybe we take too much for granted. There are clearly many more similarities than differences between Europe and North America, including the US. Obviously, there are also differences. For instance, the EU is more comfortable with regulation and less comfortable with letting the market regulate itself, while in the US the opposite is true. But if you look closer to the policy proposals today coming from the Biden administration, the legislation coming out of the House Judiciary Committee, and so on, the discussions are remarkably similar. Even if on one side of the Atlantic a company is a gatekeeper and on the other side it is an essential trading partner, what regulators are worried about is the same thing: potential bottlenecks in the digital economy. 

Challenges arise, on the other hand, when one gets to the issues of privacy, or privacy and national security. We’ve been in this cycle since 2013 with the Snowden disclosures, with new questions emerging every few years, culminating in the Safe Harbour regime being replaced by the Privacy Shield that was then struck down by the Schrems II ruling. We now urgently need a new transatlantic solution. 

In my opinion, the path forward is difficult only because people get so absorbed by the differences that they fail to appreciate that similarities are much more important. We urgently need to define some common ground and a compromise, and it should be a matter of weeks or months, because we cannot afford to keep waiting. Coordination on technology governance is critical to the future of the transatlantic relationship and is necessary to enable the EU and the US to lead the way towards global regulatory standards. With its specific work streams addressing many of these issues, the EU-US Trade and Technology Council founded last summer should be an essential part of cross-border cooperation. 

The technology alliance can begin with identifying our common principles, guided by our shared commitment to democratic values and the responsible use of digital technologies. But much more needs to be done to build public trust in digital technologies, particularly when it comes to AI and the use and benefits of data. I am encouraged to see the Biden administration engage with the European Commission’s legislative proposals on AI, and hope that this might be a foundation for future regulatory cooperation. But the transatlantic alliance must also reinforce our common commitment to open markets, allowing businesses on both sides of the Atlantic to collaborate, grow and thrive. In this respect, more work needs to be done to implement a sustainable solution for transatlantic data flows, to counter the uncertainties created by the Schrems II decision. Ideally, US-EU agreements on privacy and lawful access to data would pave the way for a consensus on the movement of data across borders among trusted democratic allies and partners around the world. 

Another area where more work is needed is in defining common principles for digital trade and rules that make technology supply chains more secure and resilient. Here again, an alliance between the EU and the US might allow them to jointly advance principles in multilateral forums like the OECD and the WTO. But for any of this to succeed, industry actors and civil society must also be involved in the process to develop new principles, norms and regulations. At Microsoft, we believe that this is a shared responsibility.

Another issue on which pushing for international multi-stakeholder cooperation seems to be necessary and pressing, and one it is well known that you have a strong personal interest in, is cybersecurity and cyberwarfare. Indeed, there seems to be today a strong political call for greater international coordination on defining the oversight framework of the use of digital technologies in cyberwarfare, as well as the promotion of violent and terrorist content (take, for instance, the Christchurch Call and the even more recent Paris Call). What are, from your personal perspective, and the perspective of a global company such as Microsoft, the main challenges in this respect today? Is the existing international normative framework (e.g., the Geneva conventions) fit for the job, and what other actions need to be taken in your view?

I think that we need to recognize that we are currently dealing with three types of cyber threats and that they are probably more connected than we realize. The first one is nation-state attacks: attacks against other governments as well as critical infrastructure and tech companies, either for espionage purposes or for the potential disruption of an economy, as we in effect saw in Ukraine in 2017. Similarly, the recent SolarWinds hack provided a moment of reckoning that demonstrated technology’s inherent strengths and weaknesses and illustrated the degree to which it had become both a defensive tool and an offensive weapon. And perhaps more than anything, it showed the world how much work we must do to manage all the implications of inventions that are remaking the century in which we live.

The second is ransomware attacks, which are being advanced for money by criminal organizations. It is important to recognize that these groups fundamentally flourish because certain governments allow them to prosper. Governments have to protect citizens against cybercrime and enforce efficient cybersecurity frameworks. 

And the third is disinformation, where we should be especially concerned about campaigns sponsored by foreign governments. This third aspect is potentially the most existential threat to democracy. A democracy requires that people at least share a common understanding of facts, before they can start arguing about what implications can be drawn from what those facts mean. When disinformation fuels a fundamental disagreement about basic facts, democracy itself is at risk.

When these three threats are put together, the first thing to recognise is that they mostly come from a handful of countries. We see Russia, China, Iran and North Korea as the four countries that give rise to most concerns. And it is obvious that we need to strengthen our defences in response. The nature of these defences might vary, but it all starts with better threat detection, so that we can identify these attacks, alert everyone and respond quicker. A variety of measures exist that, we know, can thwart many or most of these threats, especially the more traditional cybersecurity and ransomware attacks. There are cybersecurity ‘best practices’ that need to be implemented and taken seriously. In my view, part of it goes back to one of the first topics we discussed, which is digital inclusion: one of the challenges we face today is the shortage of skilled people in the workforce to help us with cybersecurity needs. We really need to focus on training initiatives in this area. 

But ultimately, the answer to these challenges rests on the foundations of the rule of law. But the concepts underpinning the rule of law need to also evolve to stay up to date with the new challenges raised by cybersecurity, and therefore we see new security laws and digital safety initiatives becoming increasingly important. International law and global norms are of utmost importance here. 

Insofar as we cannot yet have global norms absent a universal consensus, we badly need the world’s democracies to unite and work together. 

It is very encouraging in this respect to see the French government and Paris itself playing the important role of beacon on the hill, so that other democracies find their way to a more common solution. I think that the Paris Call of November 2018 has been very important, with its nine broad guiding principles to secure cyberspace. Among these, I believe that we should especially focus on the third one, i.e., defending the electoral processes, because it is the newest and it is fundamental for the protection of institutions that are necessary for any democratic society to function properly.

One last important point to note is that we need to recognize that in the 21st century, multilateralism will only be successful if it takes the form of multistakeholderism. The great vision of President Macron, supported by other leaders such as New Zealand’s Prime Minister Jacinda Ardern, and so many others, has been to recognize that the issues raised by digital technologies sometimes almost uniquely require that governments, civil society and businesses be brought together. It shouldn’t be forgotten that cyberspace in reality consists of real space, owned and operated by individuals or companies in the private sector, and not by governments; just think of data centres or undersea cables. This might appear to be an issue relating to large corporations, but the truth is that cyberspace extends into all of our homes, it is literally carried around in our pockets in the form of our smartphones. So, all of us are concerned, and all of us need to work together. To be clear, none of this is about taking decision making power away from states. Rather, it is about empowering states to make the best possible decisions, based on the most complete information available. This is about giving all relevant stakeholders a voice. If our only strategy is to bring together the world governments, we risk falling very short and failing at our mission. We clearly need to rely on an approach where we ask each stakeholder in our societies to do its part, and to do it well.