Digital Sovereignty impact on the Internet infrastructure

Event report

This session focused on a discussion of the consequences that European regulations could have on internet infrastructure. 

Ms Avri Doria (Member, ICANN Board) started the discussion by asking how digital sovereignty is compatible with the multistakeholder model of running the global network of networks.

The request for digital sovereignty is understandable for any governmental organisation, said Mr Innocenzo Genna (Managing Partner, Genna Cabinet); but the good news is that the European approach is based on a human rights framework and democratic values.  However, the bad news is that ‘there is a contradiction between the ambition for general sovereignty and the nature of the Internet, it brings lots of problems when we go to technical implementation.’ Policy makers tend to think of the internet as if it were merely telecommunications, or they believe, like big technical companies, that platforms and the internet are the same thing. ‘When we want to protect digital sovereignty, we have to realistically understand how the Internet works, how the Internet is global and the more technological measures are applied, the more other technological measures can be invented’. All proposed regulatory interventions must be proportionate and cautious of collateral damage to operators and of significant costs. 

Mr Callum Voge (Senior Government Affairs and Advocacy Advisor, Internet Society [ISOC]) said that digital sovereignty is a loose term that may mean many things. In the EU, a lot of speeches and high-level strategy documents are aimed at increasing resilience, at making infrastructure redundant, at controlling the supply chain, and at reducing dependencies. The war in Ukraine has exacerbated the impression of the fragility of the internet infrastructure. In regard to competition, ‘there may be a belief that running infrastructure could somehow bring about future innovation or prosperity’, and creating EU services. 

Voge discussed the new Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) with the expanded scope for the Domain Name System (DNS), root name servers, and top-level domain name servers. If the goal is to update cybersecurity rules for the EU, top-down management conflicts with a community-led governance model for which ISOC advocates. ‘This can create issues of extraterritoriality, the EU could inspire others to also have similar regulations on the DNS and this could create clashing requirements, maybe creating an environment where the DNS is fragmented and there is a separate one for each jurisdiction’. Mr Lucien Castex (Co-chair, French Internet Governance Forum) added that the important point about the NIS2 directive is that it has consequences for significant actors in the technical community. It introduces several new obligations, like accurate databases with registration data, which some might have difficulties complying with.

Vogue also spoke about the DNS4EU project, where the goal is to protect the DNS against cybersecurity threats and increase reliability and availability in the EU. He noted that ISOC had checked DNS4EU against an internet impact assessment toolkit and found that the risk to the internet with DNS4EU is manageable only if it is voluntary and has rigorous safeguards against possible abuse by member states. Mandatory requirements would violate the multistakeholder model. 

Ms Tatiana Tropina (Assistant Professor in Cybersecurity Governance, Leiden University) noted that compliance with a human-centric approach when regulating infrastructure is not going to do any better than the approaches that Russia or China have taken. In addition, it is still unclear what harm EU policymakers seek to address by regulating the DNS, resolvers, and other issues.

In closing, some speakers and commentators agreed that the reaction to the DNS4EU initiative is a bit exaggerated by the technical community and that other regulations are more worrying. 

By Ilona Stadnik