European Security Expert Calls Out Digital Markets Act
Tech companies must comply with the European Union’s Digital Markets Act (DMA), a sprawling competition law, by March 3. Privacy advocates have long warned that the DMA would seriously damage users’ cybersecurity. For example, the law would require companies to enable their devices to allow sideloading (the process of downloading apps outside of vetted app stores).
In a recent piece for Politico, Benedikt Franke (the vice-chairman and CEO of the Munich Security Conference) argues that “that regulations and policies seeking to address new realities need to be ‘security proofed’ before they’re passed.” The DMA, he writes, fails to meet this standard. “[T]here’s plenty of evidence that it comes with serious side effects, putting millions at risk by overriding central safeguards on the pretense of consumer choice,” he states.
Moreover, Franke continues, “a recent European Commission tender, which requests technical guidance on assessing the security implications of regulations, suggests concerns weren’t sufficiently considered when legislation like the [DMA] were being developed.”
To promote consumer choice and purported economic benefits, the EU overlooked foundational cybersecurity issues. Bad actors worldwide (both state-affiliated and private criminals) will exploit network and system weaknesses. The U.S. government fell victim to hacks curtesy of Russian and Chinese cybercriminals in 2023, and, as Franke notes, Russia’s ongoing invasion of Ukraine increase the risk European nations face.
Nor do these criticisms emanate exclusively from analysts who object to the DMA’s economic ends. “[T]he DMA may be great from a competition or taxation perspective,” Franke writes – a dubious statement from the App Security Project’s perspective. But, he continues, “somebody needs to ensure [re don’t lose sight of…keeping Europe’s citizens safe.”
For many American lawmakers, the DMA has served as an aspirational model for stateside regulatory proposals. They should heed the Europe’s warnings and avoid repeating Europe’s cybersecurity errors.
As the March 3rd deadline passes, the App Security Project will continue to monitor the consumer and technological fallout from the DMA.
Published on February 22, 2024