In this report, the National Board of Trade Sweden highlights the challenges that digital innovation creates for technical regulation. The report questions whether artificial intelligence and cyber vulnerabilities are changing the way industrial goods, such as some smartphones, medical devices, and vehicles with embedded digital technologies, are regulated. We talked to its lead author, Heidi Lund.
Heidi, what is this analysis about?
It is not an analysis of AI or cybersecurity per se, but we want to show how digital product properties challenge the way we are used to regulating industrial goods. Regulation that is not adapted to digital innovation creates uncertainty for companies. If different markets choose to regulate products with embedded digital technologies in different ways, e.g., based on different risk assessments, this also risks resulting in regulatory fragmentation (with different technical rules in various markets) and unnecessary trade barriers. So how we regulate the digital market is an important issue for international trade and trade policy.
What are your key findings?
Digital goods that make use of AI technology and/or which are subject to cyber vulnerabilities increase regulatory complexity. The current regulatory reality within the EU could be characterised as a “bowl of spaghetti”, where it is difficult to determine where various pieces of legislation start and end. Embedded digital technologies in industrial products also challenge our existing trade policy frameworks. Most notably, the ability of businesses and regulatory authorities alike to monitor, control and verify changes in the properties of digital software-based goods over time has weakened.
So current regulations for industrial products are not adapted to digital innovation?
Current technical regulation is based on standardised product requirements and is not designed for products with embedded digital technologies where the product’s properties may change throughout the products’ life cycle, as is the case with some medical devices, smartphones, and vehicles with embedded digital technologies. Digital technologies are a strength in product development and offer continuous improvement of product characteristics for businesses, but they also bring increased vulnerabilities and uncertainties. Digital products are thus not only affected by their intended use and predictable risks but also by factors that are more difficult to predict and thus also more difficult to regulate, monitor and supervise, such as issues of personal privacy, cyber security, and resilience.
It is important to understand that a large part of digital innovation in products is very difficult to control. More focus is needed on the life cycle perspective in regulation and market surveillance. In the analysis, we have chosen to call this “continuous compliance” – new skills and tools for this will be needed.
So do you think there is a need for more controls throughout the product life cycle?
No, we take no stance on possible methods and tools for “continuous compliance” – these will vary from one product and sector to another. What we wish to emphasise is that digital product requirements too must be clear and allow for follow-up. Traceability and verifiability have become much more challenging, not least due to multiple regulatory concerns (product safety, cyber security, resilience, privacy) that hit every single product – this is a big change from the past!
What do the conclusions mean for future regulatory policymaking?
The way I see it, decision makers need to keep a cool head and avoid hasty decisions on digital regulation. We need mature digital regulations that last over time and are based on a true understanding of the digital technology and the connection between different regulations – we are not there yet.
The report also questions whether the digital market is left to “the Invisible Hand” – what do you mean by that?
An overarching question in the analysis is who has insight into and takes responsibility for goods with embedded digital technology. If neither regulations nor market surveillance are in phase, it is fair to question whether the compliance of digital goods is being left to “the Invisible Hand”. We thus face a potential scenario of a lack of regulation or regulatory guidance in the market.