Foreword
In today’s rapidly evolving digital landscape, regulation and policy frameworks play a crucial role in shaping the responsible use of technology. The European Union (EU) has introduced an unprecedented wave of regulation to build a values-based data economy and a single digital market that covers all 27 member states. However, as these regulations are extensive and together form a complex picture, questions arise as to how smaller companies in particular can comply without compromising their ability to innovate and compete.
This memorandum explores the concept of Regulatory Technology, or RegTech, as a solution to the challenges posed by the extensive regulation of technology and data. Drawing parallels with the financial sector in the aftermath of the 2008 global financial crisis, this report highlights the transformative potential of RegTech in the technology sector. Just as RegTech solutions emerged as a catalyst for responsible growth in the heavily regulated financial industry, they can empower companies to navigate complex policy landscapes and grow responsibly in the digital age.
By providing a conceptual definition of RegTech and analysing its market potential in the context of the five new regulations stemming from the European Data Strategy of 2020, this report aims to stimulate discussion and drive action among policymakers, entrepreneurs, investors, and businesses. It offers concrete recommendations on how to accelerate the development of a thriving RegTech innovation ecosystem that enables the responsible use of technology at scale, ultimately driving the twin transition towards a sustainable future in the EU and beyond.
We would like to thank Paul Fehlinger, the author, whose unique blend of understanding of technologies, digital governance and innovation ecosystems made him the ideal contributor to this report. In addition, we are grateful for the invaluable input from participants representing the European Commission, member states, public authorities, NGOs, and companies at the roundtable event co-hosted with the European Policy Centre in Brussels, in June 2023. This collaborative effort, part of our Data Strategy 2.0 initiative, has greatly enriched the development of the report by providing insights and recommendations to advance European data policy.
This discussion paper is a call to action, inviting stakeholders to explore the potential of RegTech and create the necessary innovation ecosystems. It is our hope that by embracing RegTech, Europe can remain attractive and competitive in the global digital economy while ensuring the responsible and compliant use of technology for the benefit of us all.
27 September 2023
Laura Halenius
Project Director, Roadmap for a Fair Data Economy, Sitra
Summary
The European Union (EU) is embarking on a historic wave of regulation to govern digital technologies responsibly. The Digital Services Act (DSA), the Digital Markets Act (DMA), the Artificial Intelligence Act (AIA), the Data Act, and the Data Governance Act (DGA) will create unprecedented rules for the development, deployment, and governance of technologies and digitally stored information. These ‘Big Five’ regulations aim to shape the framework for a trustworthy and human-centred digital decade.
This new regulatory environment is complex and poses a pressing challenge: how will companies of all sizes that fall into the scope of application of the Big Five regulations implement these ambitious rules while remaining innovative and competitive? Regulatory Technology (RegTech) is a new field of software and infrastructure solutions that can power a regulated digital economy at scale.
This memorandum shows that RegTech solutions have the potential to become the enabling backbone spurring digital innovation and growth in Europe’s regulated digital economy. Just as RegTech revolutionised financial services after the 2008 global financial crisis by absorbing regulatory complexities, it can now catalyse responsible and cutting-edge software and technology development in data, Web 3.0, extended reality or artificial intelligence.
If there are two major challenges in the 21st century – climate change and digitalisation – then RegTech is to responsible technology what ClimateTech, such as carbon capture or fusion technology, is to climate change: the enabler of regulatory impact at scale.
RegTech solutions can achieve regulatory efficiency at scale, create regulatory fairness by giving smaller players the tools to be highly innovative yet compliant, and increase regulatory agility by reducing the cost of regulatory experimentation for cutting-edge innovations through sandboxes and other approaches. They are both a vector for regulatory enforcement and for building a highly innovative and high-performing digital economy.
We define five key RegTech categories for the digital economy:
- Risk and Operations Tech: Internal tools for organisations to manage compliance under new regulations.
- Compliance and Reporting Tech: Tools for organisations to report to and interact with regulators.
- Supervisory Tech: Tools for regulators to oversee organisations under new regulations.
- Ethical Tech: Tools to help organisations navigate ethical grey areas and unregulated technologies.
- Enabling Infrastructure Tech: Infrastructure tools to absorb and enforce legal requirements by design and enable responsible services to be built on top.
Enabling responsible growth and innovation in Europe requires coordinated action by governments, investors, entrepreneurs, and experts. This memorandum makes four concrete recommendations that can be taken now:
- Shape a common European vision on the potential of RegTech for the implementation of the European Data Strategy and the new era of responsible technologies.
- Coalesce a European RegTech ecosystem and create federated multi-stakeholder structures to enable innovation.
- Create the necessary funding structures to support RegTech solutions.
- Inform innovators earlier about upcoming regulations and potential business opportunities.
This memorandum aims to stimulate policy, business and investment discussions on the potential of enabling RegTech and ultimately create innovation ecosystems to catalyse the emergence of RegTech solutions to power the European economy.
There is a window of opportunity for Europe to become a global leader in the development and use of RegTech for the digital economy, demonstrating how technological solutions can enable companies across sectors to be responsible, highly innovative, and globally competitive.
1. Introduction
Under European Commission President Ursula von der Leyen, the agendas “A Europe fit for the digital age” (2020a) and the “European Data Strategy” (2020b) initiated a globally unprecedented wave of regulation of the use of digital technologies and services. The agendas aimed to lay the foundations for a values-based data economy and digital single market inscribed in the larger strategic goal of the ‘twin transition’ to create a sustainable future for Europe.
Only a few years after the 2016 General Data Protection Regulation (GDPR), the Digital Services Act (DSA), Digital Markets Act (DMA), Artificial Intelligence Act (AIA), Data Act, Data Governance Act (DGA) (the so-called ‘Big Five’ proposals for the data economy) and other initiatives stemming from the European Data Strategy create groundbreaking rules for the fair and responsible use of data and digital technologies in the 27-member bloc (see Bräutigam et al. 2022).
Moreover, as with the “Brussels effect” of the GDPR, these new requirements for digital services, technologies, and data uses are set to serve as inspiration for governments around the world to pass similar new and far-reaching regulatory frameworks for digital technologies.
But this historic wave of new rules for the responsible use of technologies begs crucial questions:
- How will unprecedented regulation of this scale work in practice?
- How will companies of all sizes, and not only the world’s largest multinational corporations, be able to be both responsible and compliant with the new rules and highly innovative at the same time?
- How will small and medium-sized enterprises – the powerhouse of Europe’s economy and now faced with a multitude of highly complex new digital regulatory requirements – be able to use cutting-edge technology and scale to operate in multiple markets simultaneously?
- How will compliance and enforcement work in practice, and how will the European Commission and national regulators be able to supervise thousands of complex businesses?
This new era of regulated technology poses unprecedented challenges for both companies and regulators.
As the EU takes the lead in regulating the responsible use of technology, it must find the right solutions to remain attractive and competitive in the global digital economy. European providers of technology solutions and services, as well as their clients, must now demonstrate how to develop, deploy and use technology responsibly while being highly performant. This will require agile approaches to the implementation of the Big Five regulations, ranging from public-private partnerships and better-funded regulators to experimental sandboxes.
But to enable the responsible use of technology easily, efficiently and at scale, initiatives to impose regulatory standards on technology must be driven by the technology itself – a concept known as Regulatory Technology or RegTech.
RegTech is an emerging field of innovative start-ups that provide ethical, risk management, compliance, and supervisory services as software tools. It also involves the development of novel standards and enabling infrastructures that businesses need to operate their digital services, AI systems, or data spaces effectively and responsibly.
If there are two major challenges in the 21st century – climate change and digitalisation – then RegTech is to responsible technology what ClimateTech, such as carbon capture or fusion technology, is to climate change: the enabler of regulatory impact at scale.
As this report will show, for businesses to flourish in the digital decade of regulated technologies, we can learn from parallels with the financial sector in the aftermath of the 2008 global financial crisis. Almost 15 years ago, Europe and other regions of the world gradually adopted far-reaching new financial regulatory frameworks for the banking sector. The highly digitalised financial industry suddenly looked for new solutions to operate competitively and responsibly in a fast-paced, highly regulated, cross-border environment. In response to this demand, RegTech solutions emerged as a major enabling innovation catalyst in the burgeoning financial technology (fintech) sector, enabling companies to navigate a complex cross-border policy and compliance landscape and to grow and operate responsibly in a highly regulated market.
This report aims to stimulate policy, entrepreneurial, and investment discussion on the potential of enabling RegTech to drive the technology sector in Europe and globally, and how to create corresponding innovation ecosystems to catalyse its emergence.
This report begins with a conceptual definition of RegTech for the digital economy and draws historical comparisons with the emergence of RegTech in the fintech sector following the 2008 global financial crisis. For each of the five new digital regulations in the EU (Big Five), it analyses the potential of RegTech solutions to address the challenges of their implementation from the perspective of different actors in the data economy. The report also presents case studies of RegTech providers of relevant solutions.
The report concludes with concrete recommendations on what European stakeholders, including the EU institutions, member states, venture capital investors, and businesses, can do to accelerate a thriving RegTech innovation ecosystem that enables the responsible use of technologies at scale to drive the twin transition.
2. The emergence of RegTech: from the financial sector to the responsible use of digital technology
While one can argue that regulation has always been enabled by technology – from the invention of paper that allowed the spread of administrative rules at scale, to punch cards, or digital spreadsheets to report on risks and compliance – RegTech is a fairly new phenomenon.
RegTech as a term is mainly associated with a subcategory of financial technology, fintech, that emerged in the 2010s and encompasses the use of digital technologies in financial services. With the advent of stricter financial regulations after the 2008 financial crisis, which coincided with the mainstream adoption of such new technological innovations, RegTech established itself as a fast-growing fintech vertical.
2.1. Lessons from the RegTech solutions in the financial sector
The 2008 global financial crisis, also known as the Great Recession, was a severe economic downturn caused by the collapse of the US housing market, which led to a domino effect of financial institution failures, credit freezes, and widespread job losses, triggering a global recession with lasting impacts on economies worldwide. The crisis exposed vulnerabilities in the global financial system and raised concerns about the adequacy of regulatory oversight and risk management practices.
After the 2008 crisis, the financial sector saw two major developments in the EU: the rise of regulation to increase stability in the financial system through extensive new reporting and compliance requirements and the emergence of fintech. The latter has blended traditional financial services with big data, artificial intelligence, digital identity or blockchain technologies to create new applications and services in both B2B and B2C segments, thereby creating new risks through the use of new disruptive technologies in financial services.
In the EU, major regulatory initiatives since the 2010s have created extensive compliance requirements for the developers, providers and users of financial services.
Figure 1: The main regulatory initiatives adopted in the financial services industry in the EU in the past decade.
These regulations, further enhanced by the EU’s General Data Protection Regulation (GDPR), have led to a growing need in the financial services industry to search for technological solutions to manage the implementation of new and far-reaching regulatory reporting requirements and corresponding risk and compliance management. Likewise, regulators had to find solutions to collect and analyse ever-increasing amounts of financial data in order to audit the industry.
The confluence of the data-heavy and digitalised financial services industry and the new regulatory requirements in the aftermath of the financial crisis thus made it possible for RegTech software solutions to emerge and be adopted, leading to the rise of a thriving financial RegTech ecosystem in Europe.
RegTech has fundamentally transformed the financial services market. The mainstream availability of RegTech solutions to businesses has become a key enabler of responsible behaviour in the financial industry at scale and across different jurisdictions. Without the RegTech solutions, financial services as we know them today would not be able to operate, as the next section shows.
Table 1: Three main areas for RegTech solutions in the financial sector can be identified
RegTech Verticals | Users | Solutions |
---|---|---|
Risk and Operations Tech | Businesses or other organisations internally to navigate compliance exposure in day-to-day operations | – Helping to identify and manage regulatory risks through dashboards and data integration – Conducting data analytics to enhance corporate decision-making – Monitoring corporate transactions – Maintaining and organising obligatory know-your-customer data – Deploying fraud and anti-money laundering detection solutions – Staying up-to-date on regulatory requirements |
Compliance and Reporting Tech | Businesses or other organisations to structure their interaction with governments or regulatory bodies to fulfil their legal compliance obligations | – Structuring of the data collection and compliance reporting – Automated internal audits that can be electronically submitted to supervisors |
Supervisory Tech | Regulatory and supervisory bodies to analyse data from businesses and other organisations | – Conducting data-driven audits of businesses – Scrutinising real-time financial markets data |
RegTech has become a major investment focus for venture capitalists, triggering the emergence of specialised incubation and acceleration structures in the fintech ecosystem across Europe. According to a market study, there were over 140 RegTech solutions in the financial sector in Europe in 2019 (Franco-German VC XAnge 2019). For example, the annual industry compliance cost of the EU Markets in Financial Instruments Directive II was estimated at €689 million in Europe, which explains why RegTech and process automation solutions are in high demand.
In 2022 alone, an estimated €17 billion was invested worldwide in RegTech companies specialised in solutions for the financial sector through venture capital, private equity, or mergers and acquisitions investments, up from €10.8 billion the year before, despite the overall decline in fintech investment (Statista, 2023). In the financial sector, regulation in multiple jurisdictions worldwide has de facto generated the need and demand for a new RegTech market, which forecasters estimate will grow into a €183 billion sub-industry of the financial sector by 2026 (Juniper Research, 2022).
2.2. The potential of RegTech in enabling the responsible use of digital technology at scale
With its vision of the digital decade that is “human-centric” and “sustainable” and empowers both “citizens and businesses”, the European Union, under the Commission’s leadership of President Ursula von der Leyen, has created an unprecedented and globally pioneering comprehensive regulatory framework for the digital economy (European Commission, 2021).
The Digital Services Act (DSA), Digital Markets Act (DMA), Artificial Intelligence Act (AI Act), Data Act, and Data Governance Act (DGA) will create groundbreaking guidelines and obligations for the digital economy to operate responsibly in a similar way to what the General Data Protection Regulation (GDPR) of 2016 has already done in the past in the field of privacy.
Figure 2: The main regulatory initiatives adopted in the EU digital services industry following the Data Strategy of 2020
If we compare the financial market with the digital economy, the potential for RegTech is of both political and economic importance. Politically, enabling the responsible use of digital technologies at scale is a current priority in the EU. Economically, the scale of European innovation and productivity that could be responsibly driven by RegTech is considerable.
As in the financial sector, many companies deploying or using digital technologies will find it prohibitive to develop complex internal processes from scratch, let alone streamlined and robust corresponding software or technology solutions. Concerns about complexity, fears of high legal consulting costs and insufficient resources for additional staff members to manage risk and compliance are therefore creating a strong demand for RegTech solutions that enable the responsible use of technology at scale.
The digital services, data, and artificial intelligence sectors, ranging from developers and providers to their corporate users, have the potential to surpass the fintech sector. The combined Gross Value Added (GVA) of the finance and insurance sectors to Europe’s economic growth was €588 billion in 2022 (Atomico, 2022). The technology sector already surpassed these traditional European powerhouse industries in 2017, contributing €735 billion to EU GVA in 2022. The value of the data economy in the EU27 alone is estimated to be 5.8 per cent of EU GDP or €829 billion by 2025 (European Commission, 2020c). We are thus witnessing the historic regulation of a market larger than the financial services industry.
2.3. Identifying potential areas for RegTech
Before analysing each of the new digital regulations in the EU (the Big Five) in the next chapter, we will take a closer look at the five categories of RegTech for the digital economy. We can identify the same three areas for RegTech that we already know from the financial services sector, as described above (Table 1), as well as two new ones.
Table 2: Five main areas for RegTech solutions in the digital economy.
RegTech Verticals | Users | Solutions |
---|---|---|
Risk and Operations Tech | Businesses or other organisations internally to manage their compliance obligations under the Big Five | – Internal risk management – Data analytics – Data-enhanced corporate decision-making – Technology and interactions monitoring – Abuse detection – Staying abreast of regulatory requirements |
Compliance and Reporting Tech | Businesses or other organisations to structure their interactions with governments and regulatory authorities | – Collecting relevant data points for audits by regulators – Submitting reports and data to supervisors – Structuring data for transparency reporting and explainability of the functioning of systems |
Supervisory Tech | European and national supervisors alike to achieve effective regulatory oversight of businesses and other organisations to enforce new regulations in the data-driven industries at scale | – The sheer volume and technical complexity of data spaces and collaboration networks, as well as artificial intelligence systems, may make traditional human oversight impossible and controls by email communication and spreadsheet reporting untenable – For example, only for DSA compliance, the European Commission is obliged to hire dozens of experts to be able to audit Very Large Online Platforms, or VLOPs (Goujard & Scott, 2023) |
NEW: Ethical Tech | – Navigating the risks of yet unregulated uses of new technologies, such as computer-brain interfaces or quantum computing – Navigating the grey zone areas of existing regulations (for example moderating illegal content under the DSA) | |
NEW: Enabling Infrastructure Tech | – A multitude of infrastructure platforms, tools and services ranging from for-profit RegTech companies to non-profit public-interest technology solutions – Absorbing regulatory complexities – Automatically enforcing new legal requirements by design – Proprietary or open-source technological infrastructure protocols – Application programming interfaces – Data-sharing solutions – Blockchain and smart-contract solutions – Digital ID systems – Foundational ethical AI models | |
A defining dynamic of the data-driven economy is the rapid pace of innovation and the constant new ethical challenges related to potentially disruptive uses of new technologies. Cutting-edge companies find themselves in situations where, as private actors, they have to set norms and rules in the absence of clear and granular public regulation. The time between disruptive technologies entering the markets and the design of ex-post regulation is a recurring and well-known challenge for both policymakers and innovative enterprises, to which RegTech tools (see Ethical Tech) could provide a partial solution.
3. RegTech potential in the context of the EU’s Big Five regulations
This section presents each of the Big Five regulations and the potential for the different types of RegTech tools outlined in the previous section. The potential is linked to the provisions introduced by the Big Five, further highlighted with use cases.
The Big Five refers to the legislative proposals that emerged from the European Data Strategy of February 2020 (Bräutigam et al. 2022): the Digital Services Act (DSA), the Artificial Intelligence Act (AIA), the Data Governance Act (DGA), the Data Act, and the Digital Markets Act (DMA).
3.1. The Digital Services Act
The DSA, which updates the rules governing digital services in the EU two decades after the 2000 e-Commerce Directive, was first tabled in December 2020 and adopted in October 2022. Providers of a wide variety of digital services in the European market will have to comply with the DSA from February 2024 onwards.
The DSA aims to clarify the responsibilities and obligations of online platforms with regard to the provision and moderation of content and the offering of products for sale on online marketplaces while retaining the key principles of the e-Commerce Directive (Bräutigam et al. 2022). To achieve its goal of a safer and more trustworthy online environment, the DSA introduces specific responsibilities for different types of providers of digital services:
- online intermediaries such as Internet access providers and domain registrars that transfer data between users;
- hosting providers such as cloud services and hosting companies that store information;
- online platforms such as social media platforms or marketplaces that distribute user-generated content;
- very large online platforms (VLOPs) or very large online search engines (VLOSEs) with at least 45 million active service recipients per month, as identified by the European Commission.
The supervision of the DSA is a shared responsibility between member states and the European Commission.
Table 3: The DSA and the potential for different types of RegTech solutions
RegTech Verticals | RegTech Potential |
---|---|
Ethical Tech | The DSA establishes several notice and take down obligations for illegal content. However, it does not define what constitutes illegal content, leaving this definition to each of the 27 member states in (potentially diverging) national legislation. It also leaves to national discretion how illegal content is to be detected and moderated. This creates a demand from online intermediary service providers for ethical tech solutions to help them run their content moderation processes and absorb the complexity of developing transnational standards to comply with multiple jurisdictions at the same time. |
Risk and Operations Tech | The DSA imposes fines of up to 6 per cent of global turnover for non-compliance by digital service providers covered by the scope of the DSA. Providers of online intermediary services therefore have to establish internal monitoring and management systems to analyse their risk exposure. |
Compliance and Reporting Tech | The DSA requires online platforms and online search engines to report information on the average monthly active recipients of their services in the EU on their online interface every six months, in addition to a myriad of transparency requirements and the implementation of notice-and-action systems. This creates a demand from online platform and search engine providers for technical solutions to manage compliance and reporting processes. |
Supervisory Tech | Enforcement of the DSA is shared between the European Commission and member states. The Commission is responsible for monitoring and sanctioning VLOPs and VLOSEs, while a digital services coordinator appointed by each respective member state is responsible for the providers of all other types of intermediary services. Debates about the capacity of the Commission staff to effectively monitor the conduct of some of the world’s largest companies using data submitted via email and spreadsheets demonstrate the innovative potential for supervisory technology solutions. |
Enabling Infrastructure Tech | The DSA introduces new measures to protect minors using digital services and other types of sensitive categories of data. For example, online platforms may not target advertising to minors or based on sensitive personal data. This will create demand from online platform providers for innovative infrastructure solutions for age verification of users. This could trigger the development and widespread deployment of appropriate digital identity systems. One could also imagine the emergence of public interest recommender algorithms that incorporate ethical and legal requirements by design into their architecture, or other infrastructure solutions that will emerge as the DSA is enforced and the platform industry, as well as their users, look for new ways to ensure that content complies with the DSA. |
3.2. The AI Act
In April 2021, the European Commission published the proposal for a framework for trustworthy AI, the Artificial Intelligence Act (AIA). This aims to ensure the human-centred and ethical development of AI by striking a balance between the security of citizens and the development of new, innovative technologies. The AIA aims to ensure that AI systems placed on the market or put into service in the EU are safe and respect existing laws on fundamental rights and European values (Bräutigam et al., 2022).
If adopted, the AIA will introduce requirements for the providers, deployers, importers, distributors and users of AI systems in the EU to adhere to strict rules on data quality, accountability, human oversight and transparency. The AIA is notably based on a technology-neutral definition of AI systems, and its obligations distinguish between the uses of AI that create:
- an unacceptable risk, such as social scoring, subliminal manipulation as a way of exploiting vulnerabilities of children and specific groups of persons, and ‘real-time’ remote biometric identification for law enforcement. All of these would be banned under the AIA; however, negotiations are ongoing in the autumn of 2023;
- a high risk, such as AI systems in the fields of critical infrastructure, education, employment, law enforcement, justice or credit scoring, as well as access to other essential public services which would have to pass a third-party conformity assessment;
- limited risk, such as chatbots, which would be subject to transparency requirements and the like; and
- minimal risk, such as spam filters, which would not face any special new obligations.
The supervision of the AIA is managed in each member state by competent authorities. In addition, the Commission has proposed the formation of an AI Board as an additional governance structure to assist member states in the implementation of the Act.
Table 4: The Artificial Intelligence Act and the potential for different types of RegTech solutions
RegTech Verticals | RegTech Potential |
---|---|
Ethical Tech | Developers and data scientists developing and deploying AI systems require tools to ensure that their models are robust and meet the safety and ethical standards that emerge from the AIA, such as the detection of bias. |
Risk and Operations Tech | The AIA introduces wide-ranging obligations to relevant operators, especially for high-risk AI systems, in relation to quality and risk management, data governance, technical documentation, ante-market conformity assessments, post-market monitoring, and record keeping of automatically generated logs. These include potential obligations to conduct fundamental rights impact assessments on aspects such as the possible negative impact on marginalised groups or the environment, or data protection impact assessments. The above-mentioned complex processes can be digitalised, which creates demand for solutions to manage day-to-day risks and operations. |
Compliance and Reporting Tech | Operators of AI systems will have to cooperate with the competent national AI authorities and report any incidents regarding the use of the systems they deploy. They will also have to have conformity certificates for their systems and submit detailed information about their AI systems (how they are monitored, internal risk management procedures, etc.). These new requirements will drive the adoption of new AI-specific Compliance & Reporting Tech services. |
Supervisory Tech | Competent supervisory bodies at national and European level will receive a large amount of highly complex information about the detailed functioning and management of AI systems. Human oversight of complex algorithms and internal procedures of developers and users of AI systems will need to be supported by supervisory technology solutions to ensure efficient auditing. Pioneers, such as the Spanish Agency for the Supervision of AI, a first of its kind, already experiment with such solutions to automate as many processes as possible (Jiménez Arandia, 2023). |
Enabling Infrastructure Tech | Growing discussions around Generative AI (GenAI) and the deployment of Foundation models (such as ChatGPT) and other Large Language Models (LLMs) call for more transparent approaches to the development of AI systems that are open-sourced and developed in the public interest. They would prioritise trust, safety, equity, and democracy over shareholder value and could therefore be based on alternative business models, such as public funding or hybrid structures, as well as multi-stakeholder governance models. The widespread adoption of AI tools could spur the development of new public-interest AI systems with ethical standards by design, based on which digital incumbents and entrepreneurs can build their compliant AI applications. |
3.3. Data Governance Act
In November 2020, the European Commission proposed the Data Governance Act (DGA) as a first step towards the implementation of the European Data Strategy. It aims to establish an effective governance framework for European data spaces as well as strengthen confidence and trust among stakeholders in the data market (Bräutigam et al. 2022). The DGA was adopted in June 2022 and entered into force in September 2023.
The DGA applies to protected data that is already subject to someone else’s right (for example personal data, trade secrets, intellectual property rights) and aims to create a framework within which such protected data can be used.
The DGA includes:
- conditions for the re-use of the data held by public sector bodies, including access to public sector data for both commercial and non-commercial uses inside the EU, with EU and national information points to request data;
- data intermediation services: terms and conditions for a new class of neutral, non-profit intermediation service providers, which are monitored and supervised by national authorities;
- data altruism, including mechanisms to establish new data altruism organisations to collect data in the general public interest (for example, research on rare diseases) with a specific EU registry and obligations supervised by national authorities.
The DGA leaves the definition of sanctions and enforcement measures to member states.
Table 5: The Data Governance Act and the potential for different types of RegTech solutions
RegTech Verticals | RegTech Potential |
---|---|
Ethical Tech | The DGA establishes data altruism organisations with room for standards to be created from the ground up. Although there is great potential in the ethical RegTech market, it is unclear whether the total addressable RegTech market is large enough to trigger commercial ethical tech RegTech offerings. |
Risk and Operations Tech | The DGA establishes strict monitoring requirements for the reuse of public sector or data altruism data, as well as for the operation of data intermediation services and data altruism organisations. Requirements include technical aspects such as data standardisation, as well as risk and process management software to handle requests and data sharing efficiently. |
Compliance and Reporting Tech | Data intermediation services and data altruism organisations have to comply with a number of DGA requirements, in addition to possible national reporting and auditing requirements. This creates a demand for compliance and reporting tech solutions. Given the complexity and anticipated volume of data sets, purely human oversight may be impossible without technical tools. |
Supervisory Tech | National competent authorities tasked with enforcing the DGA require technical tools to analyse how data intermediation services and data altruism organisations operate, handle data sets, and trace compliant data reuses. Moreover, public authorities could benefit from tools to handle requests for data reuse and to grant access to data held by public authorities. |
Enabling Infrastructure Tech | The DGA has a very high potential for Enabling Infrastructure Tech. How data is structured, managed, and shared requires technical solutions ranging from technical protocols to data-sharing systems. RegTech companies are not only those that are “accidentally” triggered by regulation to help implement it, but also specific new types of companies whose creation is envisaged by regulation itself. In the latter case, data intermediation services and data altruism organisations are themselves examples of Enabling Infrastructure Tech solutions. They will be technology companies or public-interest initiatives that build the new infrastructure for data reuse and sharing in the EU, beyond the already existing cloud service providers, which are excluded from the scope of the DGA. |
3.4. Data Act
In February 2022, the European Commission published its proposal for the Data Act. The Data Act aims to clarify the rules around sharing data from connected devices between users, providers, and third parties. This way, it aims to promote data-driven innovation and will help to unlock troves of industrial data that are currently unused as well as ensure fairness in the data value chain among all those within the data economy (Bräutigam et al. 2022).
The Data Act includes:
- common rules for the sharing of non-personal data generated by industrial machines or the cyber-physical infrastructure such as connected devices;
- fairness in data sharing contracts between businesses;
- emergency data access powers for public authorities to data held by private entities;
- switching between providers of cloud and other data-processing services;
- interoperability requirements for data processing services and smart contracts; and
- international data access and transfers.
The supervision and sanctions are left for member states to determine.
Table 6: The Data Act and the potential for different types of RegTech solutions
RegTech Verticals | RegTech Potential |
---|---|
Ethical Tech | RegTech services created under the Data Act could go beyond purely EU legal requirements and integrate elements of data-sharing ethics into their technical solutions. |
Risk and Operations Tech | The Data Act imposes requirements for data holders on how to manage the collection, management, and sharing of data from connected devices, as well as the management of requests from users of connected devices to access their data. |
Compliance and Reporting Tech | Companies operating in the EU will have to develop compliance and reporting capacity to demonstrate that they are meeting the obligations of the Data Act, in conjunction with the GDPR, ePrivacy Directive, Digital Services Act, Digital Markets Act, Data Governance Act and even the AI Act. |
Supervisory Tech | Supervisory authorities in member states will have to develop tools to better monitor and audit data-sharing practices in line with the Data Act and will require supervisory technology solutions. They will also require solutions to manage potential emergency access to data held by the private sector. |
Enabling Infrastructure Tech | Similar to the fintech revolution triggered by PSD2 in the banking sector, which allowed customers to switch services and provide access to third parties, the Data Act could trigger a big wave of Enabling Infrastructure Tech for the switching between data processing services such as cloud or edge providers with “functional equivalence”. To enable these new data access rights, data portability, and interchangeability of cloud services, Enabling Infrastructure Tech services will emerge to facilitate swift and compliant switching through technical platforms and standards. |
3.5. Digital Markets Act
The Digital Markets Act (DMA) was proposed by the European Commission alongside the DSA in December 2020. It was adopted in September 2022, and the so-called gatekeepers must comply with its obligations by March 2024 at the latest.
The DMA uses ex-ante provisions to restore real competition to the European single market and prevent it from being dominated by the biggest providers of digital services, which often originate outside the EU (Bräutigam et al. 2022). The DMA only applies to so-called gatekeepers, which are the largest providers of intermediary services as identified by the European Commission. Gatekeepers operate between business users and end users, provide a core platform service in at least three member states, and hold a significant and lasting position in the market. Core platform services include a long list of services, such as search engines, social media services, video-sharing platforms, instant messaging services, operating systems, smartphone app stores, cloud services, learning platforms and advertising services.
The DMA establishes several prohibitions and requirements that designated gatekeepers must comply with if they wish to offer their services to European users:
- gatekeepers may not combine personal data from core platform services and other services without the user’s consent;
- gatekeepers may not use any data that is not publicly available to compete with business users;
- gatekeepers must enable end-users to port their data to other services free of charge;
- other rules apply only to certain core platform services and are more open to detailed definition, for example in the case of an operating system, software app, virtual assistant, web browser, search engine, social media service, and number-independent interpersonal communication services:
- bans on bundling subscriptions or self-preferencing;
- fair, reasonable, and non-discriminatory access to search engine data and certain data from key core platform services;
- interoperability of number-independent interpersonal communication services such as digital chat and call services;
- requirements to submit general DMA compliance reports to the Commission, as well as independently audited information about profiling techniques in core platform services.
Gatekeepers risk fines of up to 10 per cent of global turnover for violations of the DMA and up to 20 per cent for repeated offences.
Table 7: The Digital Markets Act and the potential for different types of RegTech solutions
RegTech Verticals | RegTech Potential |
---|---|
Ethical Tech | Gatekeepers must not combine personal data from core platform services with other services without the user’s consent. This creates a demand for the development and use of privacy-enhancing technologies. |
Risk and Operations Tech | Gatekeepers have an interest in tools that facilitate risk management, data governance, technical documentation and record keeping to comply with the specific obligations. This creates a demand from gatekeepers for Risk & Operations Tech solutions for managing data access requests or providing data portability services to end-users. |
Compliance and Reporting Tech | Gatekeeper companies will need technical solutions for DMA reporting, for example, to track and document their profiling techniques across platform services. |
Supervisory Tech | The European Commission enforces the DMA. This creates a demand for technical solutions to facilitate complex audits of database structures, data flows, and processing workflows, as well as algorithms under the DMA. |
Enabling Infrastructure Tech | The DMA requires gatekeepers providing messaging services to ensure their interoperability. This creates demand for Enabling Infrastructure Tech solutions such as common protocols and API standards that enable secure inter-service communication. Similarly, the obligation for gatekeepers to provide data portability for end-users could create a demand for new Enabling Infrastructure Tech solutions. As the DMA targets the largest corporations in the ecosystem, it is as yet uncertain whether service providers will develop proprietary solutions due to their large financial resources, or whether a dynamic Enabling Infrastructure Tech ecosystem will emerge. |
4. Why Europe needs a coordinated approach to create a RegTech innovation ecosystem that enables the responsible use of technology at scale
Now is the time for the European Union to develop a bold vision for RegTech and the future of responsible technology.
The rise of the ecosystem of RegTech solutions in the financial sector in the EU has been the result of several regulatory measures, without an overarching vision of the role of RegTech solutions prior to the introduction of the measures (Buckley et al. 2019).
With the lessons learned from the RegTech solutions in the financial sector, the 2020s as the decade of digital regulation calls for a proactive approach to harness the opportunities of RegTech to promote a responsible and innovative digital economy in Europe.
4.1. Why Europe needs RegTech
Three factors support the strategic adoption of RegTech solutions in the EU. This topic is particularly timely as the EU continues to implement the Data Strategy.
- Regulatory fairness. Compliance is expensive and can distort markets by favouring larger, well-resourced companies over smaller ones. The former tend to have better resources at their disposal to ensure compliance. A thriving RegTech market could democratise these capabilities. Competitively priced solutions can help small and medium-sized businesses, or smaller large companies, to responsibly deploy innovative digital services and products by reducing the compliance burden.
- Regulatory agility. RegTech solutions can enable more adaptive and agile approaches to regulating the digital market. As regulators gain confidence that compliance and enforcement are possible thanks to a thriving RegTech ecosystem in the EU, the cost of regulatory experimentation for emerging technologies, for example through sandboxes, could be reduced. This could lead to a more agile and tailored approach to regulating technological solutions based on feedback loops between regulators and innovative companies. As a result, this could contribute positively to the overall competitiveness of the European industry and demonstrate that the responsible approach to digitalisation does not compromise the innovation power of the continent. If a flourishing RegTech ecosystem exists in Europe, regulators could even incorporate the use of such RegTech in the design of future regulatory frameworks for the use of emerging and disruptive technologies.
4.2. Key benefits of RegTech for stakeholders in the European digital economy
As shown, RegTech has important enabling benefits that should make it a key strategic vector for European tech competitiveness, innovation policy, and entrepreneurship.
Table 8: The key benefits of RegTech solutions for EU institutions and member states, regulators, SMEs, multinational corporations, investors, entrepreneurs, and end users.
EU institutions and member states | Supervisors (EU, national) | SMEs using digital technology | Incumbent tech companies | Investors | Entrepreneurs and innovators | Individual end-users |
---|---|---|---|---|---|---|
Competitiveness: Enhance global competitiveness of EU tech firms. Values: Incorporate EU values in digital economy by design and at scale. Fairness: Enable innovation by smaller actors. By design: Integrate RegTech possibility in future regulatory design. Leadership: Catalyse RegTech champions that enable a responsible global digital economy. | Oversight: Effective oversight of complex systems through Supervisory Tech tools. Automation: Automate regulatory processes with Supervisory Tech. Agility: Freed capacity of regulators enables experimentation and agile approaches to new technology. | Access: Access to cost-efficient enabling RegTech that absorbs regulatory complexity. Level playing field: Stimulate competitiveness of SMEs by removing barriers to innovation with new technology. Scale: Empower SMEs to scale across jurisdictions faster. | Efficiency: Increase compliance efficiency and reduce costs through RegTech. Accountability: Demonstrate responsible technology use. Manage: Better manage complex cross-border obligations. | Shape: Shape the enabling foundation that enables a responsible digital economy as a new investment category. Pioneer: Pioneer responsible technology investment as part of ESG efforts. Predictability: Benefit from predictable market creation. Competitiveness: RegTech tools can increase the competitiveness of existing portfolio companies as a secondary benefit. | Purpose: Build impact companies enabling responsible technology. Opportunities: Seize new RegTech opportunities to build European and global champions. Demand: Benefit from predictable RegTech market created by new regulation. | Trust: Increased trust in digital services. Innovation: Benefit from cutting-edge responsible innovation and digital services from companies of all sizes. Confidence: Increase overall confidence in technology for enhancing democracy. |
4.3. Towards a fair data economy and responsible use of technology powered by RegTech
A thriving RegTech innovation ecosystem is key to ensuring the EU’s digital competitiveness and the successful implementation of the European Data Strategy. It could even produce RegTech champions in the EU who could find demand for their services in other jurisdictions around the world grappling with similar challenges and establish Europe as a global leader in the development and use of RegTech solutions.
To catalyse such a thriving ecosystem, the following recommendations should be considered:
1. Shape a common European vision on the potential of RegTech for the implementation of the European Data Strategy and the new decade of responsible technology.
European stakeholders, spanning policymakers, entrepreneurs, investors and experts, need to construct a shared vision encompassing both the economic and social benefits of RegTech solutions. Policymakers should include RegTech in the design of future agile and dynamic regulatory frameworks.
2. Coalesce a European RegTech ecosystem.
So far, there are no federated structures for RegTech in Europe. For reasons of both public interest and private market incentive, stakeholders – including entrepreneurs, developers, regulators, digital companies and experts – could come together to set the entrepreneurial innovation agenda for RegTech solutions and create corresponding incubation and acceleration structures.
RegTech solutions could also benefit from trust labels, accreditation or other officially recognised solutions as this would create visibility and foster trust to better rely on the solutions.
3. Create funding structures supporting RegTech solutions.
There needs to be sufficient capital to support RegTech ventures. To achieve this, European and national authorities, such as the European Investment Fund and national investment banks, should establish competitive and lean funding vehicles specialised in enabling regulatory technology. In addition, the EU and national capitals could incentivise public and private capital providers to develop tailored early-stage and growth funding mechanisms, for example by giving such investments special recognition and visibility.
Furthermore, Europe should address the concern that certain RegTech companies in the US are experiencing faster scaling due to a historical and structural difference between the EU and US venture capital markets: higher investments, particularly in areas such as AI RegTech. As a pioneer in digital regulation, Europe has a unique opportunity to lead in the tech RegTech sector and champion responsible technology usage. However, swift action to mobilise capital is now imperative to maintain competitiveness and foster innovation.
Last but not least, in order to advance Europe’s digital economy competitiveness and innovation power in the era of regulated technology use, there may be an interest to create, especially for Enabling Infrastructure Tech, additional targeted funding vehicles that invest in public interest solutions to pre-empt the development of proprietary solutions that could be less accessible to smaller actors and new market entrants.
4. Include RegTech as part of sustainability reporting.
The responsible use of new digital technologies and data could be a sub-category of environmental, social, and governance (ESG) reporting obligations for public limited partners funding venture capital funds. This move would garner more attention to the RegTech sector and incentivise dedicated impact investment in RegTech.
5. Set an entrepreneurial agenda.
Few entrepreneurs are yet aware of the scope of digital regulation in Europe and the corresponding business opportunities that solving some complex challenges potentially entails.
European policymakers and other stakeholders can create the necessary structures so that innovators are better informed about upcoming regulations and the needs and demands of the RegTech market.
Early impact assessments of regulatory proposals could already contain information about future RegTech potential across the five categories (Ethical Tech, Risk & Operations Tech, Compliance & Reporting Tech, Supervisory Tech, Enabling Infrastructure Tech), as well as clearer statistics on what type of companies will be affected by upcoming legislation and how, in a language that is understandable to a broad audience of entrepreneurs, engineers and investors, to stimulate the anticipated development of RegTech solutions that can be market-ready when regulatory instruments come into force.
European stakeholders from EU institutions, member states, investors, incumbents, entrepreneurs, and experts have the choice to either wait for the RegTech market to emerge by accident, as was the case in the fintech sector, or to actively shape a common vision and proactively create an ambitious EU-based RegTech innovation ecosystem for the digital economy.
In addition to market demand, which incentivises entrepreneurs to develop RegTech solutions that facilitate responsible technology development, deployment and regulation, there is a compelling public interest imperative for the European Union, member states, the private sector, investors, experts, and innovators to collaborate and forge an innovation ecosystem. This collaboration aims to accelerate the development of RegTech, increase efficiency and significantly reduce compliance costs. The ultimate goal is to provide the technological backbone of a responsible, highly innovative, and globally competitive digital economy.
References
1001 Lakes (2023). Building trust in data ecosystems. Retrieved on August 4, 2023.
Atomico (2022). State of European Tech 2022. Retrieved on August 4, 2023.
Bräutigam, T., Cunningham, F., Toivanen, M., Aholainen, M., Geus, M., & Kukorelli, F. (2022). EU Regulation Builds a Fairer Data Economy. Sitra Working Paper. Retrieved on August 3, 2023.
Buckley, R. P., Arner, D. W., Zetzsche, D. A., & Weber, R. H. (2019). The road to RegTech: the (astonishing) example of the European Union. Journal of Banking Regulation. Springer.
DSNP (2023). Delivering the Social Network as Core Internet Functionality.
Deloitte (2023). RegTech Universe. Retrieved on August 4, 2023.
Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD II).
Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010 (AIFMD).
Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (CRD IV/CRR). http://data.europa.eu/eli/dir/2013/36/oj
Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (MiFID II).
European Banking Authority (2021). Analysis of RegTech in the EU.
European Commission (2020a). A Europe fit for the digital age.
European Commission (2020b). A European strategy for data.
European Commission (2020c). The European Data Strategy. Retrieved on August 4, 2023.
European Commission (2021). Shaping Europe’s Digital Future. Retrieved on May 27, 2023.
European Commission (2022). Shaping Europe’s future – European Data Governance Act. Retrieved on August 4, 2023.
European Parliament (2023). Amendments adopted by the European Parliament on 14 June 2023 on the proposal for a regulation of the European Parliament and of the Council on laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts (COM(2021)0206 – C9-0146/2021 – 2021/0106(COD)).
Goujard, C., & Scott, M. (2023, January 17). EU looks to turn Big Tech dropouts into content-law enforcers. Politico. Retrieved August 4, 2023.
Jiménez Arandia, Pablo (2023). What to expect from Europe’s first AI oversight agency. AlgorithmWatch. Retrieved August 6, 2023.
Juniper Research (2022). RegTech: Market forecasts, emerging trends & regulatory impact 2022-2026. Retrieved on May 8, 2023.
Miller, Ron (2020, December 21). OneTrust nabs $300M Series C on $5.1B valuation to expand privacy platform. Retrieved on August 4, 2023.
N.d. (2023). Tremau. Crunchbase.
OneTrust (2020). Inc. 500: OneTrust named America’s #1 fastest-growing company. Retrieved on August 4, 2023.
Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act) COM/2020/767 final.
Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) COM/2022/68 final.
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act).
Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act).
Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.
Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012.
Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (EMIR).
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS).
Schizas, E., McKain, G., Zhang, B. Z., Garvey, K., Ganbold, A., Hussain, H., Kumar, P., Huang, E., Wang, S., & Yerolemou, N. (2019). The Global RegTech Industry Benchmark Report. Retrieved on May 8, 2023.
Singh, Navrina (2022). Credo AI Announces $12.8M Series A Funding Round for Responsible AI. Retrieved on August 4, 2023.
Statista Research Department (2023). Global VC, PE, and M&A investment activity in regtech 2019-2022. Retrieved on May 8, 2023.
Vastuu Group (2020). A MyData Operator White Paper. Retrieved on August 4, 2023.
XAnge (2019). The State of European RegTechs. Medium. Retrieved on May 8, 2023.
About the author
Paul Fehlinger is an expert in multi-stakeholder innovation ecosystems and the governance of digital technologies at the intersection of policy, entrepreneurship and capital. He is the Director of Policy, Governance Innovation & Impact at Project Liberty’s Institute, focusing on responsible innovation and ethical governance in areas such as Web 3.0 and AI. He is affiliated with the Berkman Klein Center for Internet & Society at Harvard University and is a Senior Fellow at the Hertie School of Governance.
Previously, he co-founded and led the Internet & Jurisdiction Policy Network, involving more than 400 entities in over 70 countries and receiving endorsements from G7, UN, and OECD. His insights on the global digital economy have been featured in various media outlets and publications.
He has been appointed to advisory and expert groups by organisations such as the World Economic Forum, the Global Commission on Internet Governance, and the Council of Europe. Paul holds degrees from Sciences Po Paris and Maastricht University, and is an alumnus of the Newton Venture Program at London Business School.