EU technology resilience and autonomy

This marks a paradigm shift from a very open investment policy, focusing on the flow of capital to support a competitive edge, to a more restrictive policy addressing geopolitical concerns about the future distribution of power. This shift will force the EU to consider difficult questions relating to both inbound and outbound investments.

"No de-coupling but de-risking" is now the mantra of the European Union (EU) as it strives to handle a situation of technological dependency and vulnerability. A new awareness has emerged. This development has been underway for some years already, but even the most cursory glance at EU policy initiatives and decisions in recent years will reveal that a new acuteness has emerged in the thinking about these issues.

Speaking in general terms, the “de-risking” part of the new mantra relates to states which remain outside of the Organisation for Economic Co-operation and Development (OECD). This is not set in stone – even a few EU member states have yet to join the OECD – but this remains a guiding principle when EU officials are asked to explain who the “de-risking” covers. This will include, for instance, China, India, Russia, Indonesia, and Brazil, all of which are among the ten largest economies in the world.

The EU debate and policy formulation have developed along two separate, yet also closely related, tracks. Both tracks aim to strengthen the EU as a whole as new technologies are being weaponised in a way which is both wider and deeper than ever before. One track is to reduce or eliminate dependence on new technologies – for instance 5G technology – produced in “non-Western” states. This has a relatively immediate focus. The other track is to follow and possibly restrict the flow of investments into the EU and even out of the EU in order to slow down technology transfer to or development in “non-Western” states. This has a more long-term perspective.

Investment screening I

To follow investment to and from the EU, The EU Foreign Direct Investment (FDI) screening mechanism was established in 2019 through a new regulatory framework, which came into force in 2020. The Regulation rests on the possibility of the EU as a whole as well as the individual member states to “adopt restrictive measures relating to foreign direct investment on the grounds of security or public order” (Preamble (3)). The European Parliament and the European Council both recognise the value of FDI in “creating jobs and economies of scale, bringing in capital, technologies, expertise (..) and opening new markets for the Union’s exports” (Preamble (1)). Even with this in mind, the European Parliament and the European Council decided to introduce restrictive measures against FDI in order to safeguard the European economy and to invest in future political autonomy.

Participation is voluntary. As noted in the Regulation, “the decision on whether to set up a screening mechanism or to screen a particular foreign direct investment remains the sole responsibility of the Member State concerned”. In 2023, when the European Commission released its third annual report on the screening of FDI into the Union, 21 member states had introduced a national screening mechanism, while six had yet to do so. This lack of legislative action is unfortunate, as “the weakest investment link” may undermine the collective effort to strengthen the EU as a whole. Otherwise, unwanted FDI may find a door into the EU.

When designing their respective screening mechanisms, several member states could draw on existing regimes, while others had to introduce entirely new legislation. One of these latter states is Denmark, which passed a law on “the screening of certain foreign direct investments” in May 2021. The law stipulates that a foreign investor operating within “particularly sensitive sectors and activities” will have to apply for approval with the Danish authorities before making the investment. The “sensitive sectors and activities” mentioned all fall within the defence sector, IT security or the handling of classified information, dual-use products or other types of critical technology as well as critical infrastructure. Decisions made by the Danish authorities in this regard cannot be appealed.

Investment screening II

Outbound investment screening mechanisms are another possible key component of the EU's strategy for technological resilience and autonomy. As indicated by recent policy developments, the EU is strongly considering the adoption of an outbound FDI screening regime, following in the footsteps of the United States of America (USA). This move is intended to address the increasing concerns about the acquisition of critical technologies by non-Western states through outbound investments.

To enhance resilience against potential risks associated with outbound investments, technical measures such as the assessment of intellectual property (IP), proprietary software, hardware, data and other valuable technological assets should be considered before permission is granted. The introduction of further data protection measures will strengthen the prevention of unauthorised access, and these should include access controls, secure data transmission protocols and encryption. National authorities should observe a regime of flexible, yet adequate audits.

Considerations should be made, moreover, to establish, at the national levels initially, agencies for digital forensics and monitoring to track the flow of data as well as unauthorised access to and transfer of technology and to investigate such cases promptly. This will help increase supply chain security and should include a standardisation for the vetting of suppliers and other third parties involved in the outbound investment.

As part of this development, the EU may benefit from the experience of the USA and Japan. The USA has a robust IP regime, characterised by stringent laws and advanced automated monitoring for infringement prevention, fostering a dynamic environment for innovation. Similarly, Japan’s use of artificial intelligence in patent processing and a focus on the enforcement of IP rights internationally illustrate the benefits of integrating advanced technology in IP management. These approaches demonstrate the significance of combining a solid legal framework with technology tools to foster innovation and safeguard innovation, trademarks and copyrights, and to ensure that EU member states’ IP is not transferred to foreign actors without proper authorisation. Raising awareness in the member states about the importance of protecting technological assets and sensitive information is an important element of this.

A pool of dilemmas

Balancing the benefits and risks of inbound and outbound FDI presents the EU with a complex set of dilemmas. While FDI can bring much-needed capital, technology, expertise and new market opportunities, it can also pose risks to national security and the autonomy of EU member states, particularly in the case of investments from non-OECD countries. The EU must carefully consider the implications of inbound and outbound investments on its technology resilience, security, and autonomy.

International law, the World Trade Organization (WTO) and the interests of the private sector further complicate the EU's efforts to regulate FDI. The EU must navigate its FDI policies within the constraints of existing international law and trade agreements as well as the interests of European companies and the potential impact on supply chains. The effectiveness of investment screening – inbound as well as outbound – is conditioned by the proper identification and mitigation of associated dilemmas, such as national security concerns on the one hand and the desirability of open market access, the need for investments and the risk of economic decoupling on the other hand.

It is crucial for the EU to understand the threat context to develop effective policies for technology resilience and autonomy. There needs to be a nuanced and highly adaptable approach to FDI screening. This screening may very well target OECD member states as well – it is important to include in the screening effort any country which could potentially leverage technology investments to gain geopolitical influence, engage in espionage or in other ways undermine EU autonomy. Member states may hold different perspectives on the states to be included in a screening process, making this a sensitive and possibly even contentious issue.

The recent surge in espionage-related incidents targeting high-profile companies within several EU member states has highlighted a still more acute vulnerability. Notable incidents, including the cyberattacks on Siemens' intellectual property assets in 2018, the 2019 breach targeting France's Alstom and the sophisticated espionage campaign against Germany's leading biotech firms in 2020, all highlight the increasing audacity and operational precision of malicious actors. These are not mere isolated incidents but part of a larger, sophisticated campaign to undermine not just the economic assets of EU member states but also the very capability of the EU as a whole to innovate and to lead.

Espionage activities such as these cast a long shadow over the FDI field. They place a heavy burden on companies seeking foreign investments, forcing them to be extremely vigilant. They may also make member states more hesitant, as they fear the consequences of failing to detect risks, leading to a situation where potentially lucrative and fully legitimate business deals are stalled.

This challenge is not handled by a strengthening of cybersecurity protocols alone. Greater confidence needs to be instilled in the entire FDI ecosystem. Given the EU-wide nature of this challenge, this requires a comprehensive response. An obvious first step would be for the EU to push for the implementation of a national FDI screening mechanism across the entire EU. A possible second step would be to introduce outbound investment screening, as is indeed being considered.  Outbound investments carry a significant risk because actors within the target state may find it easier to gain unauthorised access to data, potentially leading, for instance, to an illegal technology transfer.

As a further element, the EU may consider the introduction, at the EU level, of a specialised digital forensics and cybersecurity unit to support activities within the member states. Such an entity would specialise in identifying, investigating and, when possible, neutralising espionage attempts within the field of investments. It would do so in cooperation with national agencies, and the two levels should exchange lessons learned and best practices as well as inform each other about relevant incidents.

The EU stands at a critical juncture and is forced by external developments to delineate its path in the realm of technology resilience and autonomy. Various tools, many of which are technological, can fortify the investment screening process, but the full effect of these requires a harmonised policy environment, marrying technological prowess with legislative foresight. The delicate balancing act of welcoming innovation and shielding national interests demands a nuanced approach.

However, even with the most advanced tools and policies, the ever-evolving techniques of cyber threats and espionage, combined with the global interdependence of economies, mean that perfect security is an illusion. The EU member states must therefore develop and maintain, at all times, adequate countermeasures against the risk of unwanted technology transfer to other states. This requires a strong culture of continuous learning and adaptation.