Mario Draghi’s recent report on European competitiveness summarized what has long been a favorite topic of meme creators on the Internet; we are killing our companies with regulations. In the foreword to the report, Draghi writes: “we claim to favour innovation, but we continue to add regulatory burdens onto European companies, which are especially costly for SMEs and self-defeating for those in the digital sectors”. In other words, the road to poverty is paved with good risk-averse intentions.

Perhaps one of the most challenging effects of heavy regulation is how it has changed the mindset of people. Some people end up seeing new regulations as the key driver of innovation.

Governments imposing regulations as a growth driver? That’s definitely absurd.

Self-governing markets or imposed compliance driven governance?

The Internet is full of memes about bottle caps, most of them portraying Europe as a desert for ideas, whereas the U.S. is a growth and innovation paradise.

This summarizes it really well pic.twitter.com/0o2QHntn7H

— Michael A. Arouet (@MichaelAArouet) September 22, 2024

While exaggerated these memes may show a difference in how we view the world. If we trust the market to punish those who don’t act in the interest of society as a whole, we leave most risk trade-offs to be made by individuals and companies, but if we think that people won’t act in good ways without regulatory pressure, we make regulations for everything.

Regulatory pressure can drive practices in a positive direction, but they can also have serious side effects. One of those, if we take the regulatory focus too far, is that people become more concerned with compliance and auditing than with solving actual problems. In Europe, it seems that we have done so. This makes us largely unable to solve big problems requiring radical innovation, such as the changing demographics where there will be fewer tax payers and more elderly people, climate change, and handling competition from regions with higher growth and willingness to take risks in investments.

A security perspective on the whole thing

The “regulation is great” attitude is also very much present in cybersecurity. In Europe, security talks aren’t really about vulnerability research, use of AI in offense or defense, using cloud technologies to build resilient self-defending systems, or how to make sure consumers appreciate our products are safe to use. We want all those things, but our conferences are about… regulations!

• NIS-2: Are you ready for NIS-2? Beware of government fines. Act now! Probably the most common type of advertising in cybersecurity in Europe the last few years. The message is: “Buy our compliance solution to avoid fines from the regulator” – not how to actually build great security solutions.
• AI Act: this act has generated almost as many memes as the bottle caps. The intention is to avoid AI risks and abuses, but at the same time it does make it less likely that Europe is the preferred location for AI research and startups
• Cyber resilience act: hailed by many as the holy grail of security – with strict requirements for software of all sorts.

It doesn’t mean that there are no new technologies being developed here, or that people don’t do great things – but it shifts the focus of business away from the innovators and over to the regulators – also in security.

Solutions? Those are hard to find!

We are going to struggle to change our very risk-averse ways. But eventually, we will be forced to do so, if we aren’t going to significantly reduce the quality of life in Europe.

1. I think we need to remove or reduce regulations and put more trust in individuals, companies and markets. That is going to be very difficult for us.
2. Most likely we will also need to reduce taxes and transactions costs to encourage investment and growth.
3. Reducing taxes will be hard to do, we have big welfare systems to fund. But if we don’t act, we will also not be able to fund the safety nets we like to have. We need to learn to prioritize more – and that’s perhaps the hardest challenge of all.

The solutions we need will require a shift in politics. If it happens, it will take time.

Can we do something about this in the private sector, to improve growth and innovation capacity? Perhaps the most immediate solution is to use AI to minimize the regulatory burden as much as possible – in other words, focus on improving our compliance work so much that we can find some time to also work on the real problems – solving slow productivity growth, improving healthcare and finding solutions to the climate crisis?