EPSC Strategic Notes Issue 30

July 2019

Rethinking Strategic
Autonomy in the Digital Age
In the 21st century, those who control digital technologies are increasingly able to influence
economic, societal and political outcomes. Policymakers around the world are waking up to the
critical imprint that digital technologies have on their countries’ strategic autonomy and a global race for
technological leadership has ensued.
Despite its many assets, the EU is in danger of falling behind in this race. This not only places its long-term
economic prosperity at risk, but opens it up to a whole range of strategic vulnerabilities – all the more so
against a backdrop of escalating geopolitical tensions.
While staying true to its long-standing commitment to openness, competition, and free and fair trade, the
EU must also acknowledge and better understand the new dependencies and vulnerabilities that accompany
technological progress and ubiquitous connectivity, and ensure it has the right protections in place to deal with
them. The EU’s ability to defend and promote its interests, as well as its credibility as a strong
foreign policy actor, will largely be a function of its cyber resilience and technological command.

Strategic autonomy: A strong tech sector is a prerequisite

no longer just a question of defence Without a strong industrial base, built on a common tech
Cyberattacks and espionage, forced tech transfers, strategy and pooled resources, Europe will be unable to
electoral interference, the roll-out of new dual-use domestically produce the technologies it needs to stay
technologies, and a growing ‘geopoliticisation’ of at the forefront of global competition – be it in economic
technology imply a paradigm change for the notion of or defence terms. Foreign imports will remain necessary,
strategic autonomy. In the digital age, a more holistic but collateral risks – e.g. supply chain disruptions or
approach is needed in order to protect European interests. compromised equipment penetrating Europe’s critical
infrastructure and digital systems – need to be managed.
Critical digital infrastructure:
Alliances are a must
high risks require extra caution
In an interconnected world of global value chains,
While open markets and competition must remain the where trust is becoming a rare commodity, there is
key drivers of innovation and efficiency, the growing a real need to build forward-looking alliances around
importance of digital technologies for most of Europe’s digital strategic paradigms. Europe is spearheading this
critical infrastructure warrants the application of a approach, e.g. in its partnerships with the US, Japan
more precautionary stance towards reliance on foreign or NATO, and with its efforts to craft rules on data
components, especially those coming from authoritarian governance and ethical uses of AI. But its ability to
states. This is particularly clear as regards 5G shape international norms and standards in a way that
technology, where stricter review mechanisms should reflects its interests and values will be a function of its
be applied to manage potential network vulnerabilities. technological edge and genuine demand for its products.

EPSC Strategic Notes are analytical papers on topics chosen by the President of the European Commission. They are produced by the European Political
Strategy Centre (EPSC), the European Commission’s in-house think tank.
Disclaimer
The views expressed in the EPSC Strategic Notes series are those of the authors and do not necessarily correspond to those of the European Commission.

1
EPSC Strategic Notes

Broadening the scope of What is more, cyberspace has given unprecedented

power to a much broader range of actors – be they
strategic autonomy non-state actors, rogue agents, or private citizens. As
digital technologies emerge as a new source of power
and influence, the large multinational corporations
Strategic autonomy refers to the capacity of that develop and operate digital services are becoming
a political entity to pursue its own course in essential to functions pertaining to public order and
international relations, that is, to set its own objectives national security itself, eroding the traditional power
and act upon them. In practical terms, it is a balancing act monopoly of the nation state.
on a spectrum ranging from absolute self-sufficiency or
autarky to full dependence. A reasonable level of strategic
autonomy – flanked with strategic partnerships and
Figure 1: Blurred lines in the digital age
alliances – is essential if the EU and its Member States From conventional to asymmetric threats
want to pursue and protect their own interests in the global • Offensive advantage in cyber
arena. Moreover, as underscored in the EU’s 2016 Global • Terrorism, transnational crime, hybrid warfare
Strategy, ‘an appropriate level of ambition and strategic
Blending of military & civilian technology (dual use)
autonomy is important for Europe’s ability to promote
peace and security within and beyond its borders.’1 • Artificial Intelligence, quantum encryption / computing, drones, ...

While the notion of strategic autonomy has primarily Challenges faced Opportunities for rogue
been understood as a defence-related concept, there is by state actors / non-state actors
growing impetus to consider a broader set of defining • Lack of cyber capacity • Manipulation and nudging
factors.2 It is also important to note that strategic leading to struggle with of public opinion
attribution, deterrence and • Cybercrime for economic
autonomy is not an end in itself but rather a means retaliation or political purposes
for protecting one’s interests. This reflects the fact that • Erosion of state monopoly
Europe’s ability to decide and act independently • Interference in public order
on force and security
is being challenged on new levels, warranting • New strategic imperatives • Undermining governance &
a rethinking of the strategic paradigms that have critical infrastructure
traditionally guide domestic and foreign policy. While
Source: European Political Strategy Centre
this relates to many areas, the impact of developments
in the digital technologies realm is particularly Those who are able to control digital technologies –
important, as ubiquitous connectivity permeates whether by developing the systems themselves, exploiting
every aspect of society, the economy and politics, them, or manipulating them – are increasingly able to
giving rise to new vulnerabilities. shape economic, societal and political developments.
Payoffs range from large-scale economic benefits to
Several trends increase the urgency of assessing and improved military capabilities and a comparatively
better understanding how weaknesses and shortcomings higher degree of strategic autonomy. A global race for
in digital technologies might translate into security leadership in key digital technologies or enabling
threats and strategic impediments. First, digital systems – such as Artificial Intelligence, 5G, or quantum
technologies are blurring traditional lines between computing – has ensued as a result, and it is increasingly
military and civilian technologies (Figure 1) as dual- characterised by international tensions and a growing
use technologies are rolled out and as the weaponisation ‘geopoliticisation’ of digital technologies around
of digital applications becomes easier, cheaper and more the globe. Yet, even those with the greatest technological
accessible. Seemingly innocuous digital innovations capacities are not immune to the vulnerabilities of the
in the civilian sphere are transforming into digital age – as evidenced by Russia’s interference in the
potential military threats, challenging the traditional US presidential elections in 2016. This highlights the need
defence-centred definition of strategic autonomy. for a greater anticipation of possible malign abuses of
new technologies – something that Western democracies
In addition, ubiquitous connectivity and digitalisation have all too often overlooked until it was too late.
are redefining the very notion of critical
infrastructure, as systems that were previously If Europe wants to maintain its ‘Weltpolitikfähigkeit’
isolated become connected, adding levels of (ability to play a role in shaping global affairs) in this
complexity for those operating – and safeguarding environment, it needs to react to these developments,
– them. Today, it is no longer just information and step up the competitiveness of its home-grown tech
communications technology (ICT) systems that are sector and mitigate factors that are undermining its
open to cyberattacks, but an ever-larger share of the strategic autonomy.
infrastructures that support an increasingly data-based
ecosystem – and that includes electoral processes.

2 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Core dimensions of knock-on effects with regard to future technologies.

The longer this vicious circle ensues, the harder it is
strategic autonomy to catch up down the line.

While access to imports can help to bridge some

Strategic autonomy is usually understood to encompass of Europe’s shortcomings, there are also risks
three sine qua non dimensions – industrial, that accompany an over-reliance on foreign
operational and political autonomy.3 These technology. First, a high dependency on imports –
dimensions can be used to assess how digital technologies from raw materials to components and equipment
are affecting Europe’s strategic autonomy (Figure 2). – exposes the EU, its Member States and businesses
to supply chain disruptions of all kinds.4 These
The first dimension relates to Europe’s industrial and can be caused either unintentionally – e.g. through
technological base. It covers Europe’s ability to fulfil external, uncontrollable events in countries of origin or
its own digital technology needs – economically and transit, such as local conflicts or natural disasters – or
militarily – both today and tomorrow. The impacts of intentionally – e.g. in the form of political blackmailing
a failure to do so can be either short- or long-term and hostile supply embargos.5 Notably, these
and more or less pronounced, depending on the sector, dependencies do not necessarily end after a product or
the level in the value chain and the criticality of the technology is imported, but can endure over the long
technology’s application. term, e.g. due to reliance on spare parts that can be
sourced only from the original manufacturer.
The second – operational – dimension pertains to the
resilience of Europe’s critical infrastructure and ICT Second, there is a risk of compromised equipment
systems, in particular to cyberattacks. As many of these penetrating the EU’s digital infrastructure, with
threats are interconnected and transnational in nature, severe cybersecurity implications.
vulnerabilities in one Member State can have cross-
border repercussions or even affect the Union as a whole. Third, lack of technological leadership can open the door
to increased foreign influence and control over key
Finally, weaknesses and vulnerabilities in either technologies as well as over providers of critical
of these two categories can undermine Europe’s infrastructure and essential services.6 This can lead
strategic autonomy on the third – political – to disadvantageous knowledge transfers and long-term
level, i.e. its ability to make well-informed decisions economic costs, or, even more worryingly, it can make
freely and independently. This includes, for instance, the EU susceptible to undue foreign influence – from
risks such as election interference, espionage, as intelligence operations to coercion or even sabotage.
well as dependencies on – or coercion by – foreign
governments. Weaknesses at industrial and operational
levels can also erode the EU’s ability to shape Figure 2: Digital technologies affect all
international rules, norms, and standards in a way elements of strategic autonomy
that reflects its interests and values.
STRATEGIC AUTONOMY
Ability of the EU and its Member States to
Industrial and technological base independently set objectives and act upon
them according to European interests
is key
A strong industrial and technological base will Political
therefore be essential for European strategic • Susceptibility to blackmailing / coercion
autonomy both in the short and the long run. • Integrity of democratic procedures
The more Europe lags behind, the lower its ability to • Ability to shape global norms, rules and standards
domestically produce the top-notch quality digital
technologies it needs to stay at the forefront of global Operational
competition – both in economic and military terms – or to • Exposure to cyber threats
guarantee the cybersecurity of its critical infrastructure and • Integrity of critical information infrastructure
systems. The costs of lacklustre technological performance
are particularly great in the digital age, when technologies Industrial
tend to build on one another (e.g. Artificial Intelligence • Import dependencies, supply chain disruptions
relies on big data analytics, which in turn requires access • Supply chain security, compromised equipment entering the EU
to the necessary data – an area where the EU already lags • Foreign control of critical infrastructure and essential service providers
behind due to its poor digital performance). The risk is • Ability to develop future capabilities
thus that failure to master one technology results in Source: European Political Strategy Centre

3 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Operational risks: Whether purposefully planted or not, the incident

puts into question the company’s purportedly flawless
cyber resilience at stake cybersecurity record.
All these entry vectors pose serious operational risks to
Europe’s digital infrastructure, compromising its cyber Moreover, cybersecurity risks stretch far beyond
resilience and thus diminishing its strategic autonomy. the debate on 5G. Manipulated components or
devices used in a wide range of sectors or applications
In addition, there are growing concerns that could carry built-in, hard-to-detect backdoors or kill
vulnerabilities could be inherently built into future switches on microchips or nano-circuits; software might
critical infrastructures. One of the novelties of 5G be infected with malicious code or infiltrated through
networks, for example, is the additional layer of control subsequent updates. Exploiting these Trojans, malevolent
software, designed to help ensure seamless connectivity. actors could then gain illicit access to information or
However, this also offers new ways for a malicious network control over a device. For instance, attacks could bypass
developer to conduct bugging operations or manipulate authentication or encryption systems, facilitating not
information. As 5G will soon be the de facto ‘central only intelligence gathering on sensitive political issues,
nervous system’ of the economy and form the but also industrial espionage and intellectual
backbone of a wide range of services essential property theft. Attackers might also gain remote
for the operation of vital societal functions and control of devices for sabotage purposes.12 This could
critical public infrastructures, guaranteeing its enable them to cause physical damage by prompting
integrity is key to ensuring the Union’s strategic the malfunctioning or disruption of services, or even the
autonomy. The European Commission’s Recommendation breakdown of whole systems. If embedded in military
on ‘Cybersecurity of 5G networks’ from 26 March 2019 or intelligence equipment, such risks can become life-
recognises this, and sets out a number of operational threatening and compromise entire operations.
steps and measures to ensure a high level of cybersecurity
of 5G networks across the EU.7 However, strategic autonomy can also be undermined
in the civilian sphere, in particular when such
Cybersecurity issues with network equipment are neither vulnerabilities are present in the digital infrastructure
new nor tied to certain manufacturers. In 2018, US- underpinning critical public services. This is all the more
based Cisco, a global industry leader, had to patch no less the case as the EU and its Member States transition
than seven backdoors in its products.8 Juniper, one of its towards ‘e-government’, progressively digitising public
competitors, was hit by a major backdoor scandal in 2015, and private services. An increasing number of
with evidence pointing to the US National Security Agency.9 functions essential to security and society as a
whole are becoming vulnerable to cyberattacks,
Notwithstanding this, most of today’s discussion as evidenced, for example, by the May 2017 ‘WannaCry’
focuses on Chinese providers such as Huawei virus, which wreaked havoc on German railway operator
and ZTE. While defenders of the companies argue Deutsche Bahn and the United Kingdom’s National
that there are no major indications of misbehaviour, Health Service.13
others take a more precautionary stance, arguing that
the absence of evidence of exploits does not In fact, vulnerabilities do not even need to be built
constitute evidence of the absence of exploits. The into the critical equipment itself: as more and more
2019 report issued by the UK’s ‘Huawei Cyber Security systems become digitalised and connected (e.g. smart
Evaluation Centre’ (HCSEC) Oversight Board, for instance, energy grids, Industry 4.0, autonomous vehicles, Internet
identifies ‘concerning issues in Huawei’s approach to of Things), vulnerabilities in non-critical digital
software development bringing significantly increased infrastructure might pose structural risks when
risk to UK operators’. It concludes that it can ‘only exploited systemically. Cascade effects and spillovers
provide limited assurance that all risks to UK national mean attackers will only need to find one entry vector
security from Huawei’s involvement in the UK’s critical to compromise an entire system (the so-called ‘weakest
networks can be sufficiently mitigated long-term’.10 link in the chain’). Low security standards and malicious
exploits can transform seemingly innocent devices into
Recent press reports have also suggested that millions entry vectors for attacks such as Distributed Denial
of Italian customers, as well as central infrastructure of Service (DDoS) attacks. This was evidenced with
components, were affected by hidden backdoors the 2016 ‘Mirai’ botnet, which exploited hundreds of
in Huawei equipment provided to Vodafone thousands of low-cost, seemingly innocuous Internet
between 2009 and 2012. Some sources claim that of Things devices, such as routers and personal
these vulnerabilities spread beyond Italy and were surveillance cameras, to carry out major Distributed
not properly resolved, despite statements by both Denial of Service attacks – crippling several high-profile
companies to the contrary.11 services such as French server-hosting firm OVH.14

4 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Digital technology central to future defence capabilities

Historically, advances in the defence sector drove significant technological progress and disruptive innovation in
the civilian sector. Today, however, the sheer pace of digital innovation in the civilian domain is bound to reverse
this relationship, making civilian technological leadership central to future defence capabilities.

This is the case with Artificial Intelligence, which is

set to have transformative, game-changing impacts Figure 3: EU outspent on private sector
in both civilian and military applications. If mobilised investment in AI
effectively and appropriately, these could enhance the Total estimated equity investments in AI start-ups annually, 2011
EU’s strategic autonomy, but if left unharnessed, they to 2018, by start-up location.
could have potentially devastating consequences.15 * 2018 figures are projections based on data for January-June.
Hybrid warfare, cyberattacks and disinformation
campaigns are increasingly carried out through data- China EU28 Israel USA Others
driven, AI-supported operations, while some countries 18
billions of US-$
are already testing lethal autonomous weapons. 16
14
Similarly, capabilities in quantum technology 12
will be crucial for secure communications and 10
counterintelligence, as well as successful intelligence 8
gathering. Advances in quantum computing are 6
already posing fundamental challenges to information 4
security, as this next generation of computers will be 2
able to break traditional encryption methods near- 0
2011

2012

2013

2014

2015

2016

2017

2018*
instantaneously compared with the billions of years of
processing that would be needed using conventional
Source: OECD estimates, based on Crunchbase (July 2018)
computers. According to industry experts, in little more
than five years, quantum computers will render many
of today’s security standards insufficient,16 potentially
Figure 4: China massively investing in
compromising not only private and commercial
interests, but also sensitive governmental and military quantum applications
secrets. In anticipation of these game-changing Quantum application patent families by priority countries and
publication year
developments, malign actors are suspected of ‘data
China North America Japan EU27 South Korea
harvesting’ – scraping and storing wastes of currently 600
encrypted information for future decryption and use. 500

Mastery of these frontier technologies will thus 400

be a key strategic enabler in the 21 century st 300
battlefield, translating into tangible advantages 200
in future conflicts. Even in more traditional defence 100
settings, a strong command of frontier technologies
0
will be critical. Whether it is machine-learning for
2012

2013

2014

2015

2016

2017

satellite image analysis, data mining for intelligence

gathering, control (or autonomy) of unmanned Source: Patinformatics.com
systems, or cybersecurity of weapons platforms and
operations: without a thriving civilian technology
sector, it will be increasingly difficult to maintain advanced military capabilities. Yet, Europe lags behind the US
and China in many dual-use domains, including quantum and Artificial Intelligence (Figures 3 and 4).

5 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

With the number of connected devices projected to rise On the one hand, overreliance on imports as well as
exponentially over the next decade, security aspects foreign ownership of critical public and private
will become more pressing. Already in 2018, Internet of infrastructures and service providers make the
Things devices ranked as the number one attack target on EU and its Member States susceptible to external
the Internet, with Distributed Denial of Service being the pressure and even coercion. This has been the case in
most common attack type.17 Europe appears especially the EU’s foreign policy conduct, where decisions are to
vulnerable, with Polish cybersecurity firm F5 Networks be taken by unanimity in the Council. While the risk of
observing over 50% of reported global Distributed Denial external pressures is not restricted to digital technologies,
of Service attacks to take place on the continent.18 Europe’s dependencies on foreign technology can provide
adversaries with additional leverage – which is only likely
While these vulnerabilities are not exclusive to to grow further with the proliferation of new technologies.
foreign imports, global supply chains do muddy the
picture and make enforcement of cybersecurity On the other hand, technology has become an
standards and prosecution of perpetrators all the increasingly central element of democracy and
more difficult. For instance, one of the main suppliers governance in the digital era. While this has opened
of products used in the ‘Mirai’ attack, Chinese camera unprecedented new avenues for public discourse,
manufacturer Xiongmai Technology, only offered a democratic debate and citizen engagement, it is also
muted response to the incident, and critics argue that increasingly being hijacked and weaponised by malign
the security risks and poor design and production safety forces to undermine Western democracies. Threats can
standards of many Chinese Internet of Things producers be split into three vectors:
continue to be an issue.19
• Attacks that target IT systems and data to
interfere with the electoral process or voting
Furthermore, technical risks are only one side
technology: The US Department of Homeland Security
of the equation. A key contentious issue is the
announced it had evidence that Russian hackers
extraterritorial nature of certain foreign laws,
targeted voting systems in over 75% of states in the
such as the US Cloud Act, which gives its authorities
2016 US presidential election.22 Closer to home, the
legal access to data stored on US cloud providers’
supposedly ‘state-of-the art’ software developed for
servers regardless of their location. Similar provisions
operating Swiss elections was found to contain a grave
exist in Chinese law, raising even more serious privacy
cryptographic backdoor, theoretically allowing for large-
and data security concerns (see box page 12).
scale, untraceable manipulation of election results.23
Similar security concerns have led a number of European
Unclear boundaries between state and non-state
countries to drop electronic voting in recent years.
actors in third countries constitute another
serious political risk. In China, the entanglement • Threats that manipulate voting behaviour and
of ostensibly private companies with the Communist undermine trust in democracy: When malicious
Party and state networks adds a layer of opaqueness. A actors are unable to penetrate or corrupt particular
recent report by the Mercator Insitute for China Studies technical systems to disrupt elections, they can also
describes the challenge of tracking the web of party aim to delegitimise public institutions and the entire
influence, state control mechanisms and international democratic process. This can take place through
linkages that tie China’s digital ecosystem to central, targeted hacks and leaks to sway public opinion;
provincial and local governments – and the military.20 fake news to influence electoral results; and the
While ZTE’s ties to the state are officially recognised, use of psychometrically-targeted messaging based
Huawei promotes itself as a fully privately owned on mined user data – such as in the Cambridge
enterprise. This claim is disputed by experts who Analytica/Facebook scandal or the hack against the
point out complex governance structures and dilluted then presidential election frontrunner Emmanuel
decision-making powers that give way to party-state Macron’s campaign team in 2017 in France.24
co-optation in the form of government funding and
• Attacks that target public institutions: Recent
preferential procurement.21
hacks against and infiltrations of the EU’s diplomatic
communications network – often suspected to be
Political autonomy: linked to Russian and Chinese operatives – highlights
European democracies undermined? the EU’s persistent vulnerabilities.25 Reports about
Russian hacking group APT28 placing malware
The vulnerabilities described above have both direct and in German government networks and infiltrating
indirect implications for the political aspects of strategic both the foreign and defence ministries further
autonomy, i.e. the ability of the EU and its Member underscore the need for utmost caution, especially as
States to make decisions freely and without undue cybersecurity vulnerabilities are increasingly exploited
interference from foreign pressures. for geopolitical gains.26

6 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Russia has been widely recognised as pioneering Europe’s large market for online content and data-
the exploitation of disinformation operations and based services has enabled it to implement ambitious
cyberattacks as a foreign policy tool. But now, more consumer and data protection regulation, which has had
governments and non-state actors are employing a strong signalling effect on the global level and already
these tactics. Crucially, as trust in public institutions prompted action by many other jurisdictions. However,
and democratic mechanisms is declining, even the European players have not yet managed to capture
perception of vulnerabilities in such areas can already sufficiently significant market shares in the Internet
have harmful consequences. economy to achieve a similar norm-making status.
Similarly, although European tech companies were well-
When cyberattacks and manipulated information
positioned in the specification of international technical
pollute and distort the public debate, they
standards for cellular networks such as 2G, 3G and 4G,
effectively interfere with democracies’ ability
they are not in a similar position when it comes to 5G.27
to make well-informed decisions freely and
independently. However, more than that, by driving
In the meantime, as China’s technological and economic
polarisation and sowing division within targeted
footprint grows, so is its influence in international
societies, disinformation campaigns are effectively
standardisation processes (Figure 5). The country is also
leading to a growing fragmentation of the political
using its Belt and Road Initiative to generate lock-in
landscape in Europe, making it more difficult than ever
effects by imposing Chinese content requirements
to form stable governments and maintain consensus
and infrastructure standards. As the geography of
throughout their mandates. Weakened governments,
innovation shifts eastwards, it will become increasingly
driven by a distorted public discourse, find themselves
challenging for European players to pursue their
dissipating their political capital on domestic quarrels
interests on the global level.
rather than on international affairs, which in turn
reduces their country’s standing and ability to defend
Figure 5: China expanding its presence in
their interests in the global arena.
standard-setting bodies
From rule-maker to rule-taker Share (%) of Chinese representatives in ISO Technical Committee (TC)
secretariats, Sub-Technical Committee (SC) secretariats and Working Group
Ultimately, the ability of the EU and European (WG) secretariats.
stakeholders to shape rules and standards governing 2011 2018
10
digital technologies, their use, and the companies
producing and operating them, is crucial for its strategic 8
autonomy. Not only do industrial standards affect the 6
Share in %

profitability of companies, as they shape patent royalties,

equipment sales or entire business models. They also 4
relate to the EU and its Member States’ ability to uphold 2
their interests and values over the long term.
0
TC/SC TC/SC/WG WG
Yet, this ability is to a large extent a function of Secretariats Secretariats Secretariats
the footprint that Europe has in the digital sector. A
Source: Swedish Institute of International Affairs / DIN
European ‘third way’ of regulating new technologies to
ensure they remain human-centric, safe and ethical will
only be successful if it is coupled with an innovative,
thriving tech environment, and genuine demand for
Falling behind?
European products and services. The further Europe In light of these risks and considerations, Europe must
falls behind on digital technologies, the lower its maintain a strong technological base in the digital
chances of shaping new technologies according sector and shore up its level of cyber resilience if
to its own preferences. This is particularly risky in a it wants to remain a credible actor in the global
world where disruptive technologies such as Artificial landscape and ensure an adequate level of strategic
Intelligence are already seeing their first serious autonomy. Yet, Europe has so far proven too slow in
misuses – whether in the form of deep fakes, digital developing, adopting and diffusing many of the recent
authoritarianism, autonomous lethal weapons or disruptive innovations. Its shortcomings in a number of
discriminatory algorithmic biases – and are increasingly critical digital value chains and technologies could see
perceived as a source of (military) power and control. it falling even further behind on frontier technologies
such as Artificial Intelligence, quantum computers or 5G,
which are set to play an increasingly central role in both
economic and military developments.

7 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Critical dependencies These high levels of concentration of production

outside of the EU come with a significant
The strength of Europe’s industrial and technological supply risk that needs to be managed, and are
base is largely dependent on having reliable access to often compounded by low substitution and recycling
raw materials, on the one hand, and to the necessary rates.30 What is more, the EU has no preferential
foreign components and technologies, on the other hand. trade agreements in place with any of the largest-
scale producing countries, making supply all the more
When it comes to raw materials, the EU is heavily susceptible to intentional disruptions.
reliant on international markets, with very limited
domestic production (Figure 6). Conscious of the In addition to its dependency on foreign raw materials,
risks, the European Commission has been regularly Europe’s reliance on foreign components and
reviewing and updating a list of critical raw materials technology is increasing as it falls behind on the
since 2011.28 While their criticality applies to the production of key digital technologies. In 2017, the
wider European industry landscape, many of them are EU’s overall trade deficit for high-tech products stood at
particularly essential for ICT devices and advanced 23 billion euro – largely due to sizeable Chinese imports
electronics. In fact, up to 88% of these imports to the (Figure 7). It is even higher when looking at specific
EU are used in the electrical and electronic equipment categories, such as electronics communications (65
sector, including applications such as optical fibres, billion euro) and computer office machines (46 billion
semiconductors or integrated circuits.29 euro).31

China is the major supplier of critical raw Such reliance on external partners carries with it the
materials, accounting for 70% of global supply and dual risk of supply chain disruptions and of intentionally
62% of the EU’s supply (e.g. rare earth elements, compromised components penetrating the EU’s digital
magnesium, antimony, natural graphite, etc.). Brazil, equipment and infrastructure.
Kazakhstan, Nigeria, Russia and Turkey are other
producers on which the EU has a high reliance.

Figure 6: China one of Europe’s largest suppliers of critical raw materials

Non-EU countries accounting for largest share of EU supply of critical raw materials, according to 2017 review
Kazakhstan
Phosphorus 77%

Russia
Scandium 67%
Norway Tungsten 50%
Silicon metal 23% Vanadium 60%
USA
Erbium 40% China
Helium 51% Antimony 90%
Samarium 40% Baryte 44%
Bismuth 84%
Morocco Cerium 62%
Phosphate rock Dysprosium 40%
Mexico 27% Europium 40%
Fluorspar 27% Gadolinium 40%
Gallium 36%
Turkey Germanium 43%
Borate 98% Holium 40%
Nigeria Indium 28%
Tantalum 43% Indonesia Lanthanum 40%
Brazil
Niobium 71% Natural rubber 32% Lutetium 40%
Magnesium 94%
Natural graphite 69%
Neodymium 40%
Praseodymium 40%
Terbium 40%
Thulium 40%
Ytterbium 40%
Yttrium 40%
Source: European Commission, DG GROW

8 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

The picture looks even bleaker when considering the

Figure 7: Europe’s heavy reliance on China production of semiconductors and microprocessors
for high-tech imports – key components for developing high-performance
Balance of trade in high-tech products by top 20 partners, EU28, 2017 computing, Artificial Intelligence and edge computing.
(million euro)
As investment intensity of the industry has risen, it
20000 underwent an unprecedented market concentration
0 due to a number of mergers and acquisitions.34 In this
-20000 process, Europe has experienced a constant decline
-40000 in its worldwide share, today accounting for just 9%
-60000 of global sales, while the production capacity in Asia
-80000 (mainly in South Korea, Taiwan and Japan) has surged.35
-100000
UAE
Russia
Turkey
Saudi Arabia
India
Hong Kong
Brazil
Norway
Singapore
Canada
Israel
Mexico
Japan
Switzerland
South Korea
Thailand
Malaysia
United States
Vietnam
China
…and cloud and software markets
Europe also lags behind when it comes to
Sources: Eurostat (Comext database DS-018995) technological applications and software-based
services that have gradually become indispensable for
Underrepresented in electronics a large number of private and public sector operations.

value chains… For instance, no major desktop or mobile phone operating

system today comes from EU companies. Furthermore, the
Although Europe is successful in several niche areas, cloud computing industry is dominated by five US or China-
including embedded electronics, sensor systems based providers – Amazon, Microsoft, IBM, Google and Alibaba
or power electronics,32 an analysis of the global (Figure 9).36 As more and more services and applications are
electronics value chain reveals a considerable moving to the cloud, the repercussions are far-reatching and
underrepresentation of European manufacturers already felt by private and public institutions across Europe.37
in others (Figure 8). Compared to the EU’s 22% share
of global GDP, Europe performs relatively well when it While many of today’s dominant digital service and
comes to embedded electronics, with European-based equipment providers are established and trusted firms,
production accounting for 23% of global production. high market concentration can lead to excessive
reliance on a single provider or solution – so-called
However, for stand-alone electronic equipment, such digital ‘monocultures’ – thereby exacerbating cybersecurity
as personal computers or smartphones and other risks and reducing resilience in case of technical failures or
telecommunication devices, its share is only 6%. This system-specific attacks. In this context, the diversification
reflects the current domination of US and Asian of suppliers or service providers or the development of
companies in this global market.33 If one looks alternative – European – offerings warrants consideration,
at the production of electronic boards – the basis for in particular when it comes to sensitive areas, such as
complex electronic devices – EU production accounts the storage and processing of government information.
for a mere 10%, while almost two thirds of production Indeed, in a data-driven world, cloud technologies are
capacity is in Asia and less than 15% in the US.33 a key strategic asset that will likely grow even more
in importance as increasing connectivity and the shift
towards Artificial Intelligence technologies require ever
more computational power and data storage capacity.
Figure 8: Small EU footprint in global
production of electronic devices Figure 9: US firms dominate cloud service
European Economic Area (EEA) share of global production of electronic
systems (2017, in %)
provision, Chinese catching up
25 EU share of GDP Amazon Microsoſt IBM Google Alibaba
40%
EU share of global in %

20
Share of worldwide revenues

15 30%
10
5 20%

0
Electronic Electronic Semiconductors Other 10%
equipment boards electronic
stand alone components
embedded 0%
Q4 15

Q1 16

Q2 16

Q3 16

Q4 16

Q1 17

Q2 17

Q3 17

Q4 17

Q1 18

Source: European Political Strategy Centre, based on data from DECISION

Etudes & Conseil (forthcoming) Source: Synergy Research Group

9 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Still in the race When it comes to public investment, even the most
ambitious European R&D programmes seem timid in
Despite these shortcomings, there are fields in global comparison. While French President Emmanuel
which European players maintain a strong global Macron set up a 1.5 billion euro fund for R&D in Artificial
position. This includes enterprise software – with Intelligence in France in April 2018,44 the Chinese city
global giants SAP or Amadeus; industrial robotics – with of Tianjin alone announced a plan to pump 13.5 billion
8 out of the world’s 20 biggest firms headquartered euro into the industry.45
in Europe;38 or indeed mobile infrastructure – a fast-
growing market that notably includes 5G. Although
Huawei is expanding rapidly and has become the single Figure 10: EU providers remain in top 3
Revenue shares (%) of worldwide service provider equipment*
largest player with a 29% share of the global telecom
equipment market in Q3 2018, the two leading European Huawei Nokia (inc Alcatel Lucent) Ericsson ZTE
Cisco Ciena Samsung
mobile infrastructure companies – Nokia and Ericsson 32%
– together still hold 30.4% of the global market (Figure

Revenue Share %
10) – despite China’s market being largely closed off. 24%

16%
Too timid on R&D
8%
In order to preserve its competitive sectors and regain
ground in others, investments in future technologies are 0%
2013 2014 2015 2016 2017 2018
essential. However, there are reasons to fear that Europe Note: *includes broadband access, carrier IP telephony, microwave,
might again fall behind on key strategic technologies. mobile RAN, optical, SP router and CE switch, wireless packet core
Research and development (R&D) activities targeting Source: Dell’Oro, 2018
digital technologies have been substantially higher
in both the US and China for many consecutive years.

Supply chain security: not an EU-specific problem

While the EU and its Member States are undoubtedly
vulnerable in certain areas and supply chains, Figure 11: Semiconductors top oil as
understanding the full picture requires a more nuanced China’s number one import
analysis. Indeed, other global actors are arguably Annual Chinese imports of crude oil vs integrated circuits
also vulnerable, suggesting that technological Crude oil Integrated circuits

in percent of total imports (lines)

vulnerability is relative rather than absolute. 400 16
in billions of dollars (bars)

The US Department of Defence identified hundreds of 300 12

products where it relies on Chinese and other foreign
200 8
components for its defence and technological base.39
It also imported about 150 million US dollars’ worth of 100 4

rare earth metals and compounds in 2017, nearly 80% 0 0

2012 2013 2014 2015 2016 2017
of which from China, giving way to mounting pressures
Sources: Natixis, CEIC
within the US to resume mining operations for rare
earth elements at home.40

China, in turn, is critically dependent on foreign technology for semiconductors, which are central to most
electronic devices (Figure 11).41 This reliance of Chinese businesses on foreign technology was highlighted when
the US embargo on China-based technology company ZTE almost led to its collapse. Faced with a 260 billion US
dollar annual import bill, China is trying to grow its chip industry, namely through acquisitions abroad, prompting
countries such as Taiwan and South Korea to put policies in place to restrict Chinese purchases of domestic
semiconductor producers and intellectual property flows into China.42 After a state-owned enterprise from China
failed to take over US chipmaker Micron in 2015, the latter reported a massive case of industrial espionage and
accused newly founded Fujian Jinhua Integrated Circuits of attempts to copy its products.43

As these cases illustrate, in today’s interconnected world of globalised supply chains, no one can walk alone.
From a strategic point of view, the issue is hence more complex than simply seeking to prevent, or
eliminate, vulnerabilities in supply chains. In many respects, it appears more realistic to find ways to
manage and reduce, when possible, these vulnerabilities. Likewise, some dependencies might be less
critical than others, depending on the country of origin and the technologies involved.

10 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Trends in the private sector paint a similar picture: Intellectual property at risk
US and Chinese companies by far outpace their EU
counterparts in terms of growth of R&D investments, on an unlevel playing field
increasing their spending by 9% and 20% respectively Europe’s struggles cannot all be put down to lack
from 2017 to 2018, against just 5.5% for the EU. of R&D investment in digital technologies. There
Consequently, the global R&D share of European are indeed examples of where it has succeeded in
companies in ICT industries retracted by more developing frontier technologies and even of building
than 8% compared to 2017.46 frontrunner, innovative companies. However, all too
often, these are then bought up by non-EU competitors
These developments are also reflected in patent trends. – along with all their know-how, copyrights and patents.
In 2017, China surpassed Japan and came in second This is all the more likely to happen in an environment
after the US as the main source of international patent where start-ups face a lack of available scale-up
applications.47 A look at the types of patents filed also funding, but it can also be the result of targeted
shows the direction of travel, with four of the five top foreign industrial strategies and a distorted,
categories representing applications from the digital unlevel playing field (Figure 13).
technology sphere. In fact, two Chinese telecoms
companies were the top filers of international patent Increased foreign acquisitions and strategic investments
applications in 2017, with Huawei (number one filer) in Europe have siphoned away ownership over some of
and ZTE (number two) followed by Intel, Mitsubishi and Europe’s most innovative companies. While the influx
Qualcomm. All top 10 firms – Ericsson being the only of capital has been a welcome boost to the economy
European one – are from the digital technology sphere, in certain cases, it has also come with concerns about
underlining the research intensity of the sector.48 unfair trade and investment practices, strategic
technology transfers and opaque ownership structures.50
In addition, while American and Chinese patent activity In recent years, China’s industrial policy has been
prioritised digital communications, computer technology specifically tailored towards gaining access to
and electronics, the European frontrunner, Germany, key technologies in Europe and the US in order
filed most of its patents in the field of transport, to build up its own global presence (see box on
followed by electronics and mechanical elements (Figure page 12).
12). It is therefore perhaps unsurprising that projections
foresee that 95% of the roughly 200 billion Internet of European businesses also regularly point out other
Things devices connected globally by 2020 will have unfair industrial and investment practices,
been produced in China.49 ranging from large-scale industrial espionage, to
lax intellectual property protection in the Chinese
From a strategic autonomy perspective, it should market and ‘forced’ knowledge transfer, whereby
be clear that, as digitalisation progresses, these companies wanting to gain access to the Chinese market
technological shortfalls will not only generate are made to enter into joint ventures that result in their
economic disadvantages, but also have much technology being handed over to their Chinese partners.
broader implications for the EU’s ability to protect The role of China’s state-owned companies –
its strategic interests. This is all the more true as supported by tax breaks, subsidies and low-cost loans
commercial innovation already outpaces military R&D from state-owned banks – is particularly problematic.
in many areas including dual-use technologies, making
cutting-edge R&D a cornerstone of strategic
autonomy in the long term.
Figure 13: EU’s commitment to open
markets not always reciprocal
Restrictions on foreign investments are higher in China than in the EU
Figure 12: A question of priorities according to the FDI Restrictiveness Index (1=closed; 0=open)
Research priorities, ranked by number of patent applications, 2017 0,35
US China Japan Germany
0,30
Transport 3rd 1st 0,25
Medical technology 2nd 2nd 0,20
Digital 3rd 1st 0,15
communication
0,10
Computer 1st 2nd 0,05
technology
0,00
Mechanical China Canada United States Japan EU22 (OECD
elements 3rd
members)
Electrical machinery, closed open
apparatus, energy 3rd 1st 2nd
Source: Organisation for Economic Cooperation and Development,
Source: World Intellectual Property Organisation FDI Restrictiveness Index 2017

11 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Not only do these firms benefit from an unlevel playing opaque relationship between China’s private sector and
field when competing to buy up innovative technology its Communist Party, even deals with ostensibly private
firms, but there is also a probability that any intellectual entities can become controversial, as highlighted by the
property acquired in the process could be passed on to the takeover of German robotics company Kuka in 2016 by
Chinese state rather than retained as a commercial secret. Chinese household manufacturer Midea. While concerns
German machinery company KraussMaffei Group and focused on the risk of technology transfers and the
Swedish microchip manufacturer Silex Microsystems offshoring of production capacity, it is also noteworthy
are just some examples of recent takeovers of high- that soon after the takeover, Kuka entered into a joint
technology European assets with the involvement of venture with Changan Industry, a subsidiary of one of the
Chinese state-owned enterprises.54 Furthermore, given the country’s largest state-owned military enterprises.55

China’s ‘techno-protectionism’
Figure 14: China aiming for substitution
China pursues a state-centric approach, combining Semi-official targets for the domestic market share of Chinese
a comprehensive industrial policy with several products (in %)
strategic instruments. Its ‘Made in China 2020 2025
New energy vehicles
2025’ strategy aims to drastically reduce China’s High-tech ship components
dependence on imported technologies by replacing New and renewable energy equipment
foreign supply with domestic production (Figure 14).51 Industrial robots
Beijing is aiming for 70% ‘self-sufficiency’ in High performance medical devices
Large tractors above 200 hp
high-tech industries by 2025 and a ‘dominant’ and harvesters
Mobile phone chips
global position by 2049. Notably, takeovers in Wide-body aircraſts
Europe are especially targeting next-generation 0 20 40 60 80
IT (27.7%, see figure 15). Furthermore, many of Source: MERICS / Expert Commission for the Construction of a
Manufacturing Superpower
the technologies and products that this strategy
covers are dual-use, looking to boost not only China’s
economic strength but also its military capabilities. Figure 15: Europe’s next-generation IT
The Chinese system is also very protective with
targeted by Chinese takeovers
Chinese investments in Europe related to ‘Made in China 2025’ by
regard to public order: In the name of upholding sector of the acquired firm
the ‘national security and interests of the People’s Biopharmaceutical and
high-tech medical dev. 3.8%
Republic of China’, Beijing has, for instance, introduced New materials 10.0%
far-reaching legal obligations on companies Electrical equipment 9.2%
and individuals, regardless of geography. These Energy-saving and new 22.3%
energy vehicles
requirements are featured across several laws – most Advanced rail equipment 1.5%
Aerospace and aviation equipment 6.2%
prominently in the National Intelligence Law, Numerical control machinery 19.2%
and robotics
which demands that any organisation or citizen Next generation IT 27.7%
shall not only support, provide assistance, and Source: JRC computations on foreign ownership database. Period:
cooperate in national intelligence work, but Jan 2015 - Aug 2018
also guard the secrecy of any national intelligence
work that they are aware of (Article 7). The law also gives sweeping powers to Chinese intelligence agencies to
search premises, seize property and mobilise individuals or organisations to conduct espionage, giving intelligence
agencies legal ground to operate both within and outside of China.

In addition, the Internet is systematically closed off from foreign information and all content is subject to sophisticated
surveillance and control. China’s Cybersecurity Law develops the concept of ‘cyberspace sovereignty’. Therein,
the Chinese government sets out security reviews for critical information infrastructure to determine whether possible
damage, loss of function or data leaks of the related facilities would pose a significant threat to national security
and public interests.52 Economic, technological or scientific data relevant to national security or the public
interest can no longer leave China. In addition, Chinese authorities must ‘test’ and ‘certify’ computer
equipment of foreign firms – raising concerns over intellectual property theft.53

12 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

The geopolitics of government’s Committee on Foreign Investment in the

United States (CFIUS) to make it harder for Chinese
technology companies to access developing US technologies.

Since then, the CFIUS thwarted various acquisition

As policymakers around the world wake up to the critical attempts.62 As a result, Chinese acquisitions and
impact digital technologies have on their countries’ level greenfield investments in the US dropped to 4.8 billion
of strategic autonomy, they are developing a variety of US dollars in 2018, down 84% from 29 billion in 2017
policy responses – some stronger than others, and often and 90% from 46 billion in 2016.63 Regardless of this
directed at an increasingly assertive and influential China. drop, the scope and scale of CFIUS activities were
expanded further in 2018, driving up tensions between
On the one hand, there is a rising concern among the US and China.
the US military and intelligence community over
weaknesses in the industrial and technological
base, especially with regard to future capabilities. The
Towards a ‘Tech Cold War’?
Pentagon itself issued a stark warning in September In May 2019, tensions reached a new high after US-China
2018, highlighting ‘surprising levels of foreign trade talks faltered, causing some observers to speak
dependence on competitor nations’ and an erosion of of a ‘Tech Cold War’. The Trump administration abruptly
capabilities of the manufacturing and defence industrial placed Huawei on the Department of Commerce’s export
base.56 Analysts are particularly concerned that Chinese blacklist, also known as the ‘entity list’. This requires
advances in hypersonic weaponry, cyberwarfare and American suppliers of Huawei to obtain a special licence
AI, among others, could challenge the US’ long-time from the US government under a ‘presumption of
military supremacy.57 Therefore, the Pentagon is seeking denial’. Although somewhat eased due to a subsequent
to preserve the US’ technological edge by addressing decision to grant a three-month exemption, the decision
critical bottlenecks, acting as an anchor customer to sent markets into a downward spiral and has ripple-on
support domestic suppliers and maintain US-based effects on other countries and industries. For instance,
production sites, and mitigating single points-of-failure. German chip manufacturer Infineon announced it would
temporarily halt its China business, and Google announced
On the other hand, there is a growing realisation that it would discontinue updates to its popular mobile phone
these dependencies are spilling over into everyday operation system Android for Huawei phones.64
security, economic and political considerations.
Huawei executives have responded with defiant
Already back in 2017, the US banned Kaspersky Labs language, stating that the US is underestimating the
– a Russia-based provider of security software – from company’s capacities and that contingency plans were
government agencies, following concerns that the in place. But given the widespread repercussions –
company was susceptible to undue Russian influence.58 such as UK-based chip manufacturer ARM, as well as
In August 2018, it also banned the use of technology several European telecom carriers, cutting ties with
manufactured by Chinese-headquartered Huawei and the company65 – most analysts consider the Chinese
ZTE by the government and government contractors, manufacturer’s position as fragile. In an implicit threat
citing national security reasons. Countries such as of retaliation, Chinese President Xi Jinping travelled to a
Canada, Japan, Australia, New Zealand and Taiwan rare-earth factory, recalling the reliance of US tech and
have taken similar measures against one or both of defence sectors on such imports from China.66
these companies, with Australia citing concerns that the
companies may be ‘subject to extrajudicial decisions from No matter how the situation plays out, the potential of
a foreign government’.59 large-scale and unexpected disruptions to global
supply chains is a new reality that businesses, as
Concerned about the growing Chinese presence in well as policymakers, need to recognise.
American tech markets, the US also revamped its
foreign investment rules to take into account What is also clear is that technological and
national security concerns, expanding the list of commercial interests are increasingly feeding into
‘critical technologies’ for which foreign investments can power politics and rising geopolitical tensions
be screened – and, if necessary, halted.60 The move – inspiring kneejerk reactions and a vicious circle of
came following a February 2017 draft report by the retaliatory measures. Against the backdrop of an
Defense Innovation Unit Experimental (a key agency of escalating trade war and a more transactional foreign
the US Defense Department),61 which sounded the alarm policy conduct, ‘tit for tat’ tactics between China and
about rapidly-growing strategic Chinese investments in the US have also crept into judicial affairs over the past
US technology companies and called explicitly on the months, drawing other countries into the process.

13 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

For instance, when Meng Wanzhou, the daughter of the updates to ensure the integrity of European telecoms
founder of Huawei, was arrested in Vancouver in late 2018, infrastructure? What disruptions could affect Europe’s
it took China less than a week to detain two Canadian critical infrastructure, households and businesses if the US
nationals in a move that was widely seen as an act of does not extend its 90-day grace period for this ban? What
retaliation.67 In early 2019, Polish authorities arrested two future for US-EU security cooperation when US Secretary
individuals – one of them a Chinese citizen and Huawei of State Michael Pompeo has already warned that the
employee – on spying charges and are now calling for the US might stop sharing information with partners who
EU and NATO to take a ‘joint stance’ on Huawei.68 adopt Chinese 5G technology in their networks and critical
information systems?72
In this volatile environment, the EU finds itself
squeezed between an emergent China and a Being subject to such arbitrary actions – without any
US fighting to retain its global tech supremacy. control but with maximum exposure – is why the EU must
Without any doing of its own, the EU now risks being get serious about its own digital strategic autonomy.
caught in a dispute that can have more adverse effects
than, for instance, in the United States, which is broadly
speaking without Chinese telecoms infrastructure. This is A measured approach to
in stark contrast to Europe, where Huawei equipment
already constitutes a significant share of mobile strategic autonomy in the
network infrastructure (Figure 15). Huawei’s stake in
Europe’s 4G base-station market for 2018 is reported at digital age
over 40%,69 and thought to be even higher for individual
Member States). On 5G, Chinese network manufacturers With the US and China raising the stakes in the struggle
ZTE and Huawei are involved in one third of trial projects for technological leadership, the EU and its Member
in the EU28, while European competitors are allowed States need to consider their own positioning
only a marginal role in China’s 5G rollout.70 in this global race. Based on a rigorous and honest
analysis, they need to devise strategies on how to
With Huawei already a leading manufacturer of 5G trial respond to current vulnerabilities – and anticipate future
equipment in Europe,71 and in the absence of a change in challenges better and earlier.
Member States’ approach to the company, its presence
is slated to grow. Its considerable footprint in European It is clear that they already have a wide arsenal of
markets and networks makes it difficult to estimate the instruments at their disposal to safeguard and build up
knock-on effects that US restrictions on the firm might have their strategic autonomy – even in this fast-paced digital
in the EU. The recent export ban by the US administration age. However, what is still lacking is an overarching
caused turmoil and highlighted some pressing questions: and strategically-driven vision guiding the use of
Will Huawei still be in a position to provide the necessary these instruments towards protecting European interests.

Figure 15: Huawei already deeply intertwined in Europe’s digital infrastructure

Key activities by category

Network solution & infrastructure

Research & Development (R&D)
Memorandum of Understanding (MoU)
5G Trials with Huawei hardware

UK • Internet of Things R&D lab with Vodafone (2016)

BE • Cybersecuirty and transparency centre (2019)
FR • Supply of cloud architecture for TV channel TF1 (2017)
CH • Co-developed cloud platform supplying 90% of CERNs
computing power (2017)
IT • Joint development of ‘Cagliari Smart City’ (2018)
NL • Municipal government network solution (2015)
DE • MoU to develop ‘Duisburg Smart City’ & ‘Rhine Cloud’ (2018)
HU • Network security testing service (2017)
CZ • WiFi network hardware for metro service (2018)
EL • High-speed data infrastructure at Port Piraeus (2018)

Source: Mercator Institute for China Studies (MERICS)

14 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Risk assessments must follow an objective process,

Figure 16: Protecting strategic autonomy based on a thorough analysis of the risks and
in digital technologies involves many vulnerabilities of 5G networks. In that, they should go
different policy instruments beyond examining the trustworthiness of (private) vendors
to include legal and extrajudicial provisions that these
Privacy / data are subject to in their home countries and that might be
protection
detrimental to European interests. They should also look
at the full 5G value chain, including business models,
Investment Trade
screening rules integrated services and maintenance arrangements (i.e.
who will patch the equipment). In view of the impending
Holistic 5G roll-out, which will often be built on top of the existing
approach 4G network, a better understanding of what percentage
Export Cyber
control of the current 4G network is comprised of non-
security
European vendors is also urgently needed.

Industrial and Government / Bolstering Europe’s own capabilities

innovation policy public procurement
and building trust in digital
Source: European Political Strategy Centre
As a next step, the EU and its Member States should
Going forward, it will be pivotal for the EU to come to a common understanding of their strategic
move to a much more holistic approach towards priorities, identifying critical technologies in which
strategic autonomy that encompasses security domestic production capacity and mastery is necessary.
and defence, technological, industrial and
infrastructural aspects across all policy areas More generally, they must finally address their
(Figure 16). Concrete steps to improve Europe’s cyber significant and persistent shortcomings with
resilience and enhance its level of strategic autonomy in regards to the development and deployment of
the digital domain include: digital technologies. It is no longer a mere economic
threat, but also poses a severe security vulnerability.
Better understanding Europe’s Discussions about EU strategic autonomy
vulnerabilities and dependencies should go hand in hand with those on industrial
First and foremost, a thorough mapping of dependencies policy, and must include measures that promote the
and threats as well as of broader challenges to presence of European industries in the supply chain
Europe’s strategic autonomy is needed. The European of digital technologies, foster their innovation and
Commission’s Recommendation on ‘Cybersecurity of competitiveness, and provide the right ecosystem for
5G networks’73 marks a starting point towards building European tech players to grow. Member States need
common situational awareness. In addition, the Network to pool resources and find ways to complement
and Information Security Cooperation Group – already each other in key value chains. Joint and
tasked with developing a European toolbox for 5G security ambitious investments are needed in major
– should expand its focus to include vulnerabilities to emerging technologies – Artificial Intelligence,
Europe’s digital strategic autonomy more broadly. quantum, next-generation microchips or 6G – to be
Particular attention should be paid to foreign technology able to compete on par with the US and China. This is
presence in critical infrastructures and essential services already starting to happen, e.g. under the umbrella of
across Europe, the security of international data flows, and ‘Important Projects of Common European Interest’74
the EU’s supply chains for key digital technologies. or the envisaged European Partnerships under Horizon
Europe, Digital Europe Programme and Connecting
This process could draw up a list of critical information Europe Facility, but more concerted action will be
technologies that are of high importance to the EU’s required to bridge gaps in funding, capabilities, and
strategic autonomy and have a high risk associated skills.75 If managed well, targeted investments into
with their supply. Comparable to the critical raw projects of European strategic interest can serve
materials list and subject to regular review, it would both security and economy, as exemplified by the
assess the reliability of trade partners – reflecting on successful Galileo/Copernicus space programme or the
existing alliances that the EU and its Member States launch of EuroHPC – the European High-Performance
have, most notably with NATO – while also assessing Computing Joint Undertaking.76 Other forward-looking
potential bottlenecks or threats of supply disruptions, and initiatives that will enhance the EU’s level of strategic
possibilities for substitution and recycling. autonomy are the Space Situational Awareness and
GOVSATCOM components of the EU Space Programme.

15 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

The EU should also step up flanking measures that The EU’s public procurement rules and grant
can help reduce dependencies and increase its provisions ought to better take account of the criticality
level of strategic autonomy. For instance, a faster of digital technologies in sensitive sectors and more
transition towards a circular economy can reduce clearly address liability and security issues. This means
reliance on certain critical raw materials. giving sufficient weight to security considerations
when evaluating proposals – and developing a more
In a world with ubiquitous connectivity between all common understanding of what these are. But it also
things, vulnerabilities will increase exponentially. And means placing greater emphasis on the diversification
as sensors, algorithms and data flows become an of hard- and software providers, as well as on
integral part of our lives, citizens’ distrust in technologies the transparency of supply chains for network
stems overwhelmingly from security concerns. That is equipment – particularly when it comes to the
why existing institutional structures need to be ownership and governance structures of suppliers
strengthened – or new ones built – so Europe can and service providers.
more effectively address the multitude of policy
issues that are arising at the intersection of digital The same is true for questions of ownership of critical
and security. information infrastructure, where foreign direct investment
screening provides a valuable tool, but could be supported
Furthermore, the EU should continue to shape by a more structural assessment from the European
the digital sphere in line with Member States’ Commission that proactively informs Member States of
preferences, who on their own stand little chance sectoral and technological trends that could affect the
of upholding their citizens’ interests vis-à-vis global Union’s strategic autonomy. Ultimately, this process might
tech giants or managing disruptions brought about by warrant restrictions or specific requirements – such
digitalisation. Building on its strong track record in setting as proof of integrity – to be applied to certain
standards and acting as a normative power, as illustrated suppliers when it comes to critical infrastructure or
by the General Data Protection Regulation (GDPR), the sensitive government functions such as intelligence
‘ethics guidelines for trustworthy Artificial Intelligence’ agencies or executive offices – a procedure already
or the ‘Code of Practice against disinformation’,77 EU implemented in various Member States.
policymakers are developing a rich toolbox to ensure
that developments in the digital age are compatible with Levelling the playing field
European values and strategic interests.
As outlined in the Joint Communication ‘EU-China: A
Strategic Outlook’,78 the EU and its Member States must
Protecting critical information balance competition and open markets – as key drivers of
infrastructure innovation – with safeguards that ensure that domestic
It is clear that the EU cannot and should not aspire industries do not suffer from unfair, distortive trade or
full self-sufficiency in digital technologies. A significant industrial practices by global competitors.
share of its existing digital infrastructure, such as
telecommunications networks, relies strongly on foreign Although trade and investment barriers may result in an
technology and providers, and will continue to do so. This economic negative-sum game, they might nonetheless
is not a problem per se and can even bring advantages be considered necessary for certain critical sectors in
such as lower prices and greater choice. Yet, in light light of strategic concerns, as demonstrated with the
of ensuring Europe’s cyber resilience, supply chain recent adoption of the EU foreign investment screening
security and the integrity of its critical information mechanism. Similar safeguards may be warranted in
infrastructure must be considered more thoroughly. other areas and the full range of EU policies should
In particular, as regards the rollout of 5G networks, be reviewed critically to assess whether they risk
a more precautionary approach is needed that running counter to the EU’s strategic autonomy.
acknowledges security risks as well as the long-
term economic benefits of secure and trustworthy Against this backdrop, the European Commission
network infrastructure. Indeed, Europe can only seize should review the openness of European funding
the new economic opportunities offered by mission- programmes such as Horizon Europe, Important
critical 5G services if these are trusted by all actors in Projects of Common European Interest’ or the
the economy and society. Otherwise, what may seem 5G public-private partnership, with a view to
‘cheap’ today may actually turn out to be very expensive identifying and scrutinising projects that are potentially
in the long run, when considering the cost of losing disadvantageous to Europe’s strategic autonomy or its
technology leadership or the price of being dependent on long-term interests. For example, should third countries
authoritarian third countries. that do not reciprocate European openness in their own
research programmes be entitled to participate? Does

16 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

it make sense to pool significant EU resources towards be paramount for Europe to build on such initiatives
building world-class technology solutions in an effort to and activate its broad global network to foster future
pursue strategic autonomy and digital leadership, while at alliances on digital security. And, given the need for all
the same time inviting companies from countries that are countries to gradually adopt new technologies such as 5G
deemed ‘systemic rivals’ into the consortia? and AI in the near-term, while being exposed to the same
challenges, partner countries should be encouraged
In addition, and following the implementation of the to opt for higher levels of data protection and
foreign direct investment screening mechanism, a security standards, especially in accession countries
pertinent next step would be the adoption of the and the European neighbourhood region.
International Procurement Instrument as an
offensive measure aimed at ensuring reciprocal market In addition, the EU and its Member States should enhance
access in public procurement. Furthermore, the EU and their cyber defensive efforts in line with the EU Cyber
its Member States should strengthen export rules Defence Policy Framework. They also need to increase their
to avoid unintentional technology transfer, especially cyber diplomacy efforts, including further operationalisation
of potential dual-use applications of general-purpose of the joint EU diplomatic response to malicious cyber
technologies such as Artificial Intelligence. activities (the ‘cyber diplomatic toolbox’). Above all, the EU
should continue efforts to set rigorous cybersecurity
Upgrading digital diplomacy and standards, to discourage the development and
proliferation of weaponised digital technologies, and
shaping tech developments with to promote trusted supply chains around the globe.
like-minded countries
As the EU knows from its own experience, nations
In the current environment, there is a clear risk of stand taller in the international realm when they
fragmentation, expanding digital protectionism, stand – and act – together. The beginning of a
and waning trust, which would be detrimental to new political cycle offers a much-needed opportunity
both economic and political relationships globally. to upgrade ‘digital diplomacy’ to a joint priority
Successful international cooperation and multilateral for EU institutions and EU Member States’ diplomatic
solutions will be paramount to set defining joint standards services, creating a network of trusted digital partners.
and guidelines, and avoid the disruption of global value The seeds for such an approach are already being sown
chains and data flows. with the EU’s ambitious ‘Connectivity Strategy’ with Asia.

Gatherings such as the one in Prague in May 2019 – where

over 30 EU and NATO members, plus like-minded countries
such as Japan and Australia, met to discuss 5G security
Conclusions
guidelines, in a move largely interpreted to coordinate a
Strategic autonomy in the digital age is not
response to Chinese influence in the technology79 – may be
about acting alone, but about being able to act.
a harbinger of things to come, as democracies feel the
In this regard, the transformative changes introduced
need to align their security interests more closely
by technology and ubiquitous connectivity require a
in the face of growing authoritarianism, shifting
rethinking of the strategic paradigms and assumptions
technology supremacy and an increasingly volatile
about what enables the EU and its Member States to
geopolitical environment.
pursue their long-term interests.
While recognising that technology developments are
2019 will be a decisive year for the EU. Preparing Europe
predominantly driven by the private sector, the EU
for the challenges ahead will require a holistic and
should spearhead forward-looking dialogues with
strategic approach, spanning (and synchronising)
like-minded countries and partners on how to
many different policy instruments. To match global
shape emerging technologies to ensure that they
competitors, Member States will increasingly have to pool
are compatible with the values and principles that
their resources and complement one another in strategic
underpin democratic societies. This would not only
supply chains wherever possible. For this to be efficient,
help to address aspects of data governance and supply-
they need to come to a common understanding of their
chain sanitation, but would also increase retaliatory
priorities concerning the geopolitics of digital technologies
costs for adversaries and serve as a strong incentive for
– and how to advance these. This might not be an
compliance to agreed norms and rules.
easy task, but the strategic imperative is clear: Europe
should do more to identify, promote and protect its
An early example of such partnerships includes
interests, before it is too late to do so effectively.
the agreement between the EU and Japan on data
Digital technologies need to be front and centre in
equivalency, enabling the free and safe flow of data in
this important endeavour.
an area comprising a third of the global economy. It will

17 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

Notes
1. High Representative of the Union for Foreign Affairs and Security 23. Zetter, Kim, Researchers Find Critical Backdoor in Swiss Online
Policy and Vice-President of the European Commission, Shared Voting System, Motherboard, 12 March 2019.
Vision, Common Action: A Stronger Europe, June 2016. 24. Untersinger, M., La campagne d’Emmanuel Macron dans le viseur
2. Earlier noteworthy publications on this topic include: de pirates russes, April 2017.
Timmers, Paul, Cybersecurity Is Forcing A Rethink Of Strategic 25. Sanger, David & Erlanger, Steven, Hacked European Cables Reveal
Autonomy, 14 September 2018; Lippert, Barbara, von Ondarza, a World of Anxiety About Trump, Russia and Iran, The New York
Nicolai and Perthes, Volker, European Strategic Autonomy, SWP Times, 2018; Cerulus, L., EU mission in Moscow discovers potential
Research Paper, 4 March 2019. hack into systems, May 2019.
3. See, e.g., République Française, Revue Stratégique de Défense et 26. DW, Germany admits hackers infiltrated federal ministries, Russian
de Sécurité Nationale, 2017. group suspected, 2018.
4. Supply risk, as defined by DG GROW, reflects the risk of a disruption 27. Ericson, The missing puzzle piece in Europe’s bid for tech
in the EU supply of the material. It is based on the concentration leadership, Politico, 2018.
of primary supply from raw materials producing countries,
considering their governance performance and trade aspects. It 28. European Commission, Critical Raw Materials, 2018.
considers the ‘bottleneck’ stage of the material (extraction or 29. European Commission, Report on critical raw materials and the
processing) as presenting the highest supply risk for the EU, while circular economy, 2018, p. 34.
substitution and recycling are considered risk-reducing measures. 30. European Commission, Critical Raw Materials, 2018.
5. In acknowledgement of this, the European Commission since 2011 31. Based on Eurostat data.
curates a list of critical raw materials, subject to regular review
32. European Commission, ‘Boosting Electronics Value Chains in
and updates. While not specific to digital technologies, the list
Europe’, June 2018.
encompasses those raw materials of high importance to the wider
EU economy that are also of high risk associated with their supply. 33. International Data Corporation, Smartphone Market Share, 2018;
See European Commission, Critical Raw Materials, 2018. Business Insider France, Here are the companies that sell the most
PCs worldwide, 2017.
6. Operators of essential services are private businesses or public
entities with an important role to provide security in healthcare, 34. High-level representatives of companies and research and
transport, energy, banking and financial market infrastructure, technology organisations, Boosting Electronics Value Chains in
digital infrastructure and water supply. Europe - A report to Commissioner Gabriel, June 2018.
7. European Commission, Commission Recommendation of 26 March 35. Much of this production is in fact for US-headquartered
2019 on Cybersecurity of 5G networks, March 2019. semiconductor companies, which produce close to 40% of the
world market – but only partly in the US.
8. Cimpanu, Catalin, Cisco removed its seventh backdoor account this
year, ZDNet, 7 November 2018. 36. Synergy Research Group, Cloud Growth Rate Increased Again in Q1;
Amazon Maintains Market Share Dominance, April 2018.
9. Whittaker, Zack, Juniper confirms leaked NSA exploits affect its
firewall, ZDNet, 23 August 2016. 37. See, for instance, Delcker, J., German watchdog says Amazon cloud
vulnerable to US snooping, April 2019.
10. Government of the United Kingdom, Huawei cyber security
evaluation centre oversight board: annual report 2019, March 38. Technavio Blog, Top 21 Industrial Robotics Companies in the World
2019. 2019, February 2019.
11. Lepido, Daniele, Vodafone Found Hidden Backdoors in Huawei 39. Interagency Task Force in Fulfillment of Executive Order 13806,
Equipment, Bloomberg, 30 April 2019. Assessing and Strengthening the Manufacturing and Defense
Industrial Base and Supply Chain Resiliency of the United States,
12. Fields, Ziska, Handbook of Research on Information and Cyber
September 2018.
Security in the Fourth Industrial Revolution, IGI Global, 2018.
40. Kay, Amanda, Top Rare Earth Mining Reserves by Country, Rare
13. Graham, Chris, Cyber attack hits German train stations as hackers
Earth Investing News, 2018.
target Deutsche Bahn, May 2017.
41. McBride, James, Is ‘Made in China 2025’ a Threat to Global Trade?,
14. Cloudflare, Inside the infamous Mirai IoT Botnet:
Council on Foreign Relations, 2018.
A Retrospective Analysis, December 2017.
42. The Economist, Chip wars: China, America and silicon supremacy,
15. Fiott, Daniel & Lindstrom, Gustav, Artificial Intelligence: What
December 2018.
implications for EU security and defence?, EUISS Brief, 2018.
43. Feng, Emily, How China acquired mastery of vital microchip
16. Foremski, Tom, IBM warns of instant breaking of encryption by
technology, Financial Times, January 2019.
quantum computers: ‘Move your data today’, ZDNet, 2018.
44. Le Parisien, Intelligence artificielle : Macron annonce un plan à 1,5
17. Boddy, Sarah et al., The Hunt for IoT: Multi-Purpose Attack
milliard d’euros, March 2018.
Thingbots Threaten Internet Stability and Human Life, F5 Labs,
2018. 45. Reuters, China’s city of Tianjin to set up $16-billion artificial
intelligence fund, May 2018.
18. Bell, Lee, Europe is the world’s biggest target for DDoS attacks, F5
Networks claims, ITPRO, 2018. 46. European Commission, 2018 Industrial R&D Scoreboard: EU
companies increase research investment amidst a global
19. Naming & Shaming Web Polluters: Xiongmai, October 2018.
technological race, December 2018.
20. Shi-Kupfer, K., Ohlberg, M., China’s Digital Rise: Challenges for
47. World Intellectual property Organisation, China Drives International
Europe, Mercator Insitute for China Studies, April 2019.
Patent Applications to Record Heights; Demand Rising for
21. Bloomberg News, Huawei Personnel Worked With China’s Military Trademark and Industrial Design Protection, March 2018.
on Research Projects, 27 June 2019.
48. World Intellectual Property Organisation, Who filed the most PCT
22. Riley, M. and Robertson, J., Russian Hacks on U.S. Voting System patent applications in 2017?, March 2018.
Wider Than Previously Known, June 2017.

18 EPSC Strategic Notes - Strategic Autonomy in the Digital Age

EPSC Strategic Notes

49. Desvignes, Frank, The Internet of Things – Made in China, AxA Including Google, Restrict Dealings With Huawei After Trump Order,
Group, October 2016. New York Times, May 2019.
50. European Commission, 36th Annual Report from the Commission 65. Warren, T., ARM cuts ties with Huawei, threatening future chip
to the European Parliament and the Council on the EU’s Anti- designs – A major blow to Huawei, The Verge, May 2019.
Dumping, Anti-Subsidy and Safeguard activities, 31 July 2018. 66. Johnson, K, Groll, E., China Raises Threat of Rare-Earths Cutoff to
51. Wübbeke, Jost et al., MADE IN CHINA 2025 - The making of a U.S., Foreign Policy, May 2019.
high-tech superpower and consequences for industrial countries, 67. Abedi, Maham, Canadians’ detainment in China is retaliation for
Mercator Institute for China Studies, December 2016. Huawei arrest, Trump adviser says, Global News Canada, 2018.
52. Wagner, Jack, China’s Cybersecurity Law: What You Need to Know, 68. The Guardian, Poland calls for ‘joint’ EU-Nato stance on Huawei
The Diplomat, 2017. after spying arrest, January 2019.
53. Tanner, Murray Scot, Beijing’s New National Intelligence Law: From 69. Satake, M., Europe adopts Huawei gear into 5G networks over US
Defense to Offense. Lawfare, 2017. objections, May 2019.
54. Frankfurter Allgemeine, China kauft Krauss Maffei, January 2016; 70. Based on the ’European 5G Trials’ list by the 5G PPP, accessed on
Feng, Emily, How China acquired mastery of vital microchip 21 June 2019.
technology, Financial Times, January 2019.
71. Shi-Kupfer, K., Ohlberg, M., China’s Digital Rise: Challenges for
55. KUKA ZWISCHENBERICHT Q3/17 Europe, Mercator Insitute for China Studies, April 2019.
56. Interagency Task Force in Fulfillment of Executive Order 13806, 72. Pham, Sherisse, The US is stepping up pressure on Europe to ditch
op. cit. Huawei, CNN Business, February 2019.
57. Muñoz, Carlo, Chinese rapid military advance closing gap on U.S., 73. European Commission, Commission Recommendation of 26 March
Pentagon warns, The Washington Times, 2018. 2019 on Cybersecurity of 5G networks, March 2019.
58. Volz, Dustin, Trump signs into law U.S. government ban on 74. https://eur-lex.europa.eu/legal-content/EN/
Kaspersky Lab software, Reuters, 2017 TXT/?uri=uriserv:OJ.C_.2014.188.01.0004.01.ENG
59. Denyer, Simon, Japan effectively bans China’s Huawei and ZTE 75. Noteworthy ongoing initiatives also include the ECSEL JU, a
from government contracts, joining U.S. The Washington Post, Public-Private Partnership for electronic components and systems,
2018; Vieira, Paul & McNish, Jacquie, Canada Faces Pressure which funds research, development and innovation projects for key
to Ban Huawei Equipment, The Wall Street Journal, 2018; enabling technologies, and the contractual PPP on cybersecurity
Slezak, Michael & Bogle, Ariel, Huawei banned from 5G mobile launched in 2016 with the aim of stimulating the cybersecurity
infrastructure rollout in Australia. ABC News Australia, 2018. industry in Europe and fostering cooperation between public and
60. Weinland, Don, US national security reviews to hit Chinese private actors at early stages of the research process of new
investment, Financial Times, 2018. cybersecurity solutions.
61. Meanwhile, the final report was published: Brown, Michael and 76. https://ec.europa.eu/digital-single-market/en/eurohpc-joint-
Pavneet Singh, China’s Technology Transfer Strategy: How Chinese undertaking
Investments in Emerging Technology Enable A Strategic Competitor 77. European Commission, Ethics guidelines for trustworthy AI,
to Access the Crown Jewels of U.S. Innovation, Defence Innovation April 2019; European Commission, Code of Practice against
Unit Experimental, 2018. disinformation, January 2019.
62. Wilson Sonsini Goodrich & Rosati, CFIUS in 2017: A Momentous 78. European Commission and HR/VP, EU-China – A strategic outlook,
Year, 2018. March 2019.
63. Hanemann, T., Gao, C. & Lysenko, A., Net Negative: Chinese 79. Bing, C., Stubbs, J., U.S. to press allies to keep Huawei out of 5G in
Investment in the US in 2018, Rhodium Group, 2019. Prague meeting: sources, Reuters, April 2019.
64. Satariano, A., Zhong, R., and Wakabayashi, D., U.S. Tech Suppliers,

PDF: ISBN: 978-92-76-09035-9 • DOI: 10.2872/231231 • ISSN: 2467-4222 • Catalogue number: ES-AA-19-001-EN-N
HTML: ISBN: 978-92-76-09034-2 • DOI: 10.2872/407179 • ISSN: 2467-4222 • Catalogue number: ES-AA-19-001-EN-Q

19 EPSC Strategic Notes - Strategic Autonomy in the Digital Age