I. Introduction
“Digital is the make-or-break issue [and] there is no digital without chips.”Footnote 1 Such was the pronouncement of Commission President von der Leyen at the 2021 EU State of the Union. EU digital policies have increasingly moved away from a binary between economy-and-internal market initiatives on the one hand, and cybersecurity initiatives on the other. The Union has seen itself increasingly beset by a range of geopolitical instabilities and global shocks, from pandemic to conflict on its borders. Its place in the world, and its responses to these insecurities, have resulted in a more assertive agenda, moving from traditional liberal economic approaches to approaches based in the merging of economic and security goals. The EU’s “strategic autonomy,” its ability to act independently and free of dependencies upon external actors, has expanded beyond military and defence issues to become its response to global upheaval generally, as a response to great-power rivalries reemerging, technological disruptions and the increasing use of leveraged interdependence,Footnote 2 in trade as much as in war. Semiconductors, the chips that power all modern electronics, and the security of their supply chains, serve as an excellent case study for exploring these dynamics, identifying the ways in which economic concerns and security concerns are brought together, justifying increased regulation on the basis of preserving and furthering strategic autonomy. This article takes an approach of considering the regulation of the semiconductor supply chain, from the harvesting of raw materials, through the research and design, manufacture, and use of these critical components. It demonstrates the economy-security nexus in EU digital policy, and how strategic autonomy as much as market integration, serves as a basis for the furthering of EU laws in technology sectors. In doing so, it serves to make a broader, generalisable case about the EU as a geopolitical actor that goes beyond the immediate case study.
II. Semiconductors, geopolitical vulnerability and strategic autonomy
In considering the merging of security and economic concerns and goals in technology governance, it is useful to begin with some definitions and explanations of the interrelated technologies at the centre of this article’s analysis. The first is semiconductors. Semiconductors are materials with the capacity to conduct electricity at a value between that of traditional conductive metals such as silver or copper, and traditional insulators, such as glass (and thus have electrical resistivity above those conductors, but below that of insulators).Footnote 3 Semiconductors are useful insofar as their electrical conductivity increases with heat, rather than decreasing as traditional metal conductors do.Footnote 4 In terms of materials relevant for the microprocessor industry, the two most important semiconductors are silicon and germanium as “elemental” semiconductors, upon which the commercial processor markets depend.Footnote 5 Central to their function is their crystalline structure, which allows for reproduction at an atomic level of their lattice composition.Footnote 6 Ultimately, semiconductors are materials that have properties that make them essential; they are the key component in microchips, which power all modern electronics, from fridges to cars, smartphones to autonomous weapons systems. Microchips are generally described in terms of the number of transistors on a chip. The number of transistors on a chip can number in the millions or even billions – this of course requires they are incredibly small, nanometres (nm) in size. Therefore, the smaller the semiconductor transistor, the more can fit on a chip, and the more advanced the processing that the chip can perform. “Commodity” chips tend have transistors larger than 7nm in size (and thus less can fit on a single chip), whereas high-end processing in advanced fields of computing use chips with transistors smaller than 7nm in size, with chips as small as 3nm becoming available in 2022, allowing for far greater computational capacity.Footnote 7
The above discussion also helps to highlight why semiconductors, and by extension chips, are important. In the 21st Century, our lives are dependent upon chips. This is not hyperbole – microchips are integrated into technologies that provide water sanitisation and electricity delivery, power our medical technologies and agricultural systems, connect us in our social and professional lives, and equip our security and defence systems. Historically, however, they have received comparatively little attention from social science scholars until relatively recently,Footnote 8 and for European policymakers, their relevance even in the context of technology policies was relatively minimal. This changed dramatically, as with many things, during the COVID-19 pandemic. With supply chains facing heavy disruption due to closed factories and mining operations, while consumer demand increased substantially due to an increased desire for personal computing during periods of government-mandated home isolation,Footnote 9 semiconductor research and supply moved from a tangential issue to technology policies more generally, to the centre of a realignment of EU strategy around ensuring security of supply.Footnote 10 This has all happened, however, in the context of broader geopolitical competition. Faith in the liberal international economic order appears shaken, to the extent that we appear to be seeing a retreat from globalisation and an assumption that free and open markets are something to be desired.Footnote 11 The World Trade Organization appears powerless to combat the increased trade tensions and sanctions between large economic players,Footnote 12 and the increased trade nationalism and protectionism that predates Covid.Footnote 13 This has been argued as constituting a form of de-globalisation that has significantly reconfigured global value chains, increasing levels of policy risk.Footnote 14 These policy risks include the increasing fragmentation of the international order through expanding protectionist policies, efforts to sideline or minimise the influence of bodies such as the WTO, and an increased focus on regional and bilateral trade agreements.Footnote 15 This is something that causes considerable consternation on the part of the EU as the two biggest trade powers signal their lack of commitment to a free-trade based order; as Friedberg has stated, “China’s rulers do not have any theoretical or moral commitment to freely functioning markets […] economics must always be subordinate to politics.”Footnote 16 China’s trade policies have been described as mercantilist,Footnote 17 emphasising the link between economic activity and power, with the “plenty” of wealth providing for the power that ensures the security of the state, and the power that can be exercised externally in turn furthering the accumulation of wealth.Footnote 18 As will be discussed in later sections, China has made semiconductor research and manufacture central to its technology policies. The US has engaged in similar policies, significantly increasing the direct subsidisation and funding of large projects in the field of semiconductor manufacture, with large new plants being built in states such as Arizona, Texas, and Ohio, based on new legislative initiatives to boost demand.Footnote 19
It is in this febrile environment that the EU has revisited its approach to semiconductors, once largely non-existent, and now central to what the EU refers to as its digital or technological sovereignty.Footnote 20 Digital sovereignty acts in EU policy as a nexus for economic and security issues, seen as increasingly interdependent and inextricably linked. It is framed by the Commission as “ensuring the integrity and resilience of our data infrastructure, networks and communications. It requires creating the right conditions for Europe to develop and deploy its own key capacities, thereby reducing our dependency on other parts of the globe for our most crucial technologies.”Footnote 21 Digital sovereignty is about strategic autonomy, and the ability of the EU to be self-sufficient and resilient to external shocks, motivated by a sense of vulnerability as the result of geopolitical instability and a less trusting international order.Footnote 22 In particular, there is a recognition on the part of the Commission that cybersecurity goes beyond the security of end-user applications and the protection of critical infrastructure, to having relevance for the entirety of a given technology’s life-cycle, from securing of resources and know-how as discussed in Section III and IV, through to its implementation and manufacture, discussed in Section V, and eventual obsolescence, as is discussed in more detail in Section VI. The legal responses that the EU have taken can be framed as “regulatory mercantilist” in natureFootnote 23 – seeking to respond to the perceived external threats through engaging in initiatives that seek to bring security and economic interests together in order to secure strategic autonomy, with sovereignty claims lying at the basis of these initiatives. In doing so, the EU is designing an industrial policy in which objects of technological importance are attempted to be brought into the territory of the EU, and if this is not possible, by extending its regulatory influence beyond its borders. This is framed as the furthering of the EU’s “Geopolitical Union” by Commission President von der Leyen,Footnote 24 in which the EU exercises regulatory power as a means of securing strategic autonomy. This is being applied in a range of different sectors, such as in the approach taken to content moderation onlineFootnote 25 and the development of standards for AI.Footnote 26 The regulation of the semiconductor supply chain serves as another key example of the digital sovereignty initiative being put into practice,Footnote 27 with the linking of security and economic goals across the entire supply chain, as the next sections of this article will demonstrate. The analysis of these linkages and the creation of an economy–security nexus are operationalised through identifying how economic and security goals are aligned in the policy documents motivating regulatory initiatives in the fields of semiconductors, and how they then result in specific legal obligations placed upon Member States and private sector operators.
III. Regulation at the beginning of the chain: Securing strategic natural resources
The first aspect of the semiconductor supply chain to consider is the security of the natural resources from which microprocessors are built. As discussed in the preceding section, these chips require the chemical elements silicon, gallium and germanium to act as semiconductors to be able to function. The EU finds itself heavily dependent on other countries for its supply of these materials, and as such is highly vulnerable to market shocks,Footnote 28 impacting upon its strategic autonomy. Geopolitically, this is a concern for the EU as 71% of the world’s silicon, 80% of its germanium, and 98% of its gallium is processed in China,Footnote 29 and the EU relies upon China for 11% of its silicon and 27% of its gallium imports, while being dependent on imports from outside the EU for 63% of its silicon, 31% of its gallium, and 100% of its lithium, which is also required for chip production.Footnote 30 The EU has described these vulnerabilities in explicit security terms, stating that they are central to its economic, trade, and security interestsFootnote 31 and highlighting that access to these critical raw resources is necessary for its economic competitivenessFootnote 32 and the functioning of its defence industries.Footnote 33
The focus of regulation in this field is in securing the resilience of these supply chains to guarantee European access, as well as fostering relations with third countries that are key producers of desired resources. In 2023, the Commission published a Communication on a secure and sustainable supply of critical raw materials,Footnote 34 in which it framed the security of these supply chains as essential for its strategic autonomy. It proposed that its actions in the field should include reducing single-country dependencies for resources (thereby diversifying its supply chains), increase self-sufficiency through domestic production of critical materials where possible, and adopt a global leadership position through establishing partnerships with third countries that would serve to boost their economies while securing access to their resources for the EU.Footnote 35 The Commission subsequently published a Proposal for a Regulation on Critical Raw Materials,Footnote 36 which highlighted that the aim of this legislation would be to guarantee resources important to the European economy, framing this in terms of the geopolitical security risks that could potentially threaten supply chains.Footnote 37 The Critical Raw Resources ActFootnote 38 sets out at Article 1 that its objectives are to improve the functioning of the internal market by ensuring access to a secure, resilient and sustainable supply of critical raw materials, with an emphasis on identifying and supporting strategic projects that reduce external dependencies, monitoring and mitigating supply risks. Articles 3 and 4 provide that the list of strategic raw materials (provided in Annex I, Section 1) and critical raw materials (Annex II, Section 1) shall be subject to three-yearly review, with the Commission empowered to update the lists as required. It is worth stating that all the materials listed above relevant to microprocessor development, including silicon, germanium and gallium, as well as battery-grade lithium, are all listed in the “strategic” category. Chapter 3 of the Act is titled “strengthening the union raw materials value chain” and provides for benchmarks for Union extraction capacity of at least 10% of the Union’s annual consumption of strategic raw materials, to the extent possible in light of the Union’s reserves,Footnote 39 Union production capacity at 40% of the Union’s annual consumption of strategic raw materials,Footnote 40 and recycling capacity of at least 25%.Footnote 41 The legislation also provides for the recognition of Strategic Projects aimed at contributing to the Union’s supply of strategic raw materials,Footnote 42 and providing for “enabling conditions” such as support in accelerating the implementation of Strategic ProjectsFootnote 43 and coordinating financing for such projects.Footnote 44 These actions link explicitly to the concept of the economy–security nexus, indicative of a regulatory mercantilist turn, exemplified in the Proposal for the Act, which stated that “it will allow Europe to boost industrial capacities […] creating quality jobs and boosting growth while increasing our open strategic autonomy.”Footnote 45
Central to the economic-security nexus that these materials now represent, Chapter 4 of the Act concerns “risk monitoring and mitigation.” The Commission is required under Article 20 to monitor the risks to critical raw material access for the Union, including trade flows, demand and supply, concentration of supply, Union and global production capacities, price volatilities, bottlenecks and “potential obstacles to trade,” which can be taken to include factors that might affect supply, “including but not limited to the geopolitical situations, logistics, energy supply, workforce or natural disasters.”Footnote 46 The Commission is also expected to work with a newly created European Critical Raw Materials Board (the Board),Footnote 47 with Member States reporting to the Commission on their strategic stocks of strategic raw materials,Footnote 48 and the Commission and the Board coordinating stocks under Article 23, in order to ensure that States are holding sufficient levels of strategic raw materials. The Board is also expected to carry out coordinating functions, including for financing of Strategic Projects,Footnote 49 as well as promoting international cooperation and Strategic Partnerships with third states, “taking into account a third country’s potential reserves, extraction, processing and recycling capacities related to critical raw materials.”Footnote 50 While it is stated that any Strategic Partnerships should be consistent with the Union’s policies on emerging markets and developing economies,Footnote 51 the Act nevertheless represents a significant shift in the EU’s policies in this area; it represents moves in the direction of a technology-oriented industrial policy, triggered by “an increasingly realist and traditional security-oriented international outlook, which relies on a geopoliticization of the threat stemming from import dependencies,”Footnote 52 highlighting a link between economic and security-oriented goals. While these moves have been made in order to mitigate against these geopolitical threats, there are some concerns that increased protectionism could in fact fuel technology-dependent states to engage in trade-based resource wars, increasing geopolitical riskFootnote 53 and further exacerbating risks to the liberal international trade order.Footnote 54
IV. Regulation of R&D: Keeping secrets safe from states
Assuming that critical/strategic raw resources are obtainable, or at least brought within the EU’s sphere of influence, the next area of supply chain security of relevance is the protection of research and design (R&D) in microprocessor design. Tying into the previous section, and indeed linking to the next, while the EU is light on critical raw materials, and as will be discussed, lacks microchip physical production capacity, it does possess some limited expertise in R&D. R&D is considered highly relevant in the supply side of the semiconductor industry, particularly as it relates to funding, pilot lines (in which research is brought together from various actors in an industrial setting to use in production), and as it relates to innovation in node shrinkage to allow for the production of more high-end chips.Footnote 55 As such, intellectual property (IP) is of direct relevance to security in the supply chain, as companies on both the supply and demand side of semiconductor trade are involved in the selling of IP,Footnote 56 and how this IP is protected has increasingly become tied to effective cybersecurity. Protection of these IP assets in the supply chain is therefore important to economic security of private actors in these markets. When compared to other dimensions of the semiconductor supply chain, the EU’s legal framework for IP protection is both relatively robust, as well as broadly comprehensive. It also allows for the discussion of an area of IP that generally receives comparatively little attention, namely the sui generis protection of circuit topography. The EU’s approach to this is heavily modelled upon the US’s Semiconductor Chip Protection Act of 1984,Footnote 57 which was heavily motivated by the US–Japan Chip War of the 1980s and concerns over the competitive edge Japanese firms were demonstrating as a result of cross-licensing agreements with US-based producers (albeit on the basis of scantily evidenced claims of “chip piracy”).Footnote 58 The production of microchips on a sui generis basis was also in part due to questions over whether existing international frameworks such as the Berne Convention could provide protection for these specialised forms of technology.Footnote 59 In this respect, the US legislation served as a model upon which the EU designed its own regime.
Directive 87/54/EEC on the legal protection of topographies of semiconductor products is as specific as the name suggests. Unlike the EU’s broader IP frameworks for subjects such as copyrightFootnote 60 or trademark,Footnote 61 the Directive was specifically concerned with market harmonisation for the purposes of ensuring that semiconductor technologies were protected as akin to intellectual property due to their considerable investments that could be copied at a fraction of the cost needed to develop them independently. On this basis, Article 1 provided that “semiconductor products,” defined as final or intermediate forms of any product consisting of a body of material which includes a layer of semiconducting material, arranged into more than one layer in accordance with a predetermined three-dimensional pattern and intended to perform an electronic function, would be protected. This protection extends to the “topography” of a semiconductor product, which constitutes the graphic representation of that pattern. This would allow for the exploitation of exclusive rights upon registration under Article 4, allowing for right-holders to prevent the unauthorised reproduction or a topography or commercial exploitation of a semiconductor product using that topography,Footnote 62 providing an exclusive right over the topography or semiconductor product for ten years.Footnote 63 As a form of protection, however, the protection of semiconductor product design appears to have been of little relevance for stakeholders in the EU – according to one report in the early 21st Century, “for industry, the function of an integrated circuit of architecture is more valuable to protect than the design. If the function can be patented, it means broader protection than that given to [semiconductor products and topographies…] trademark protection may also help to some extent, as will, of course, trade secret law.”Footnote 64 Hoeren is in agreement, suggesting that protection of semiconductors in IP law is really done through patents, with general approaches of cross-licensing and agreements not to sue.Footnote 65 While this is relevant to semiconductor technologies in the context of economic competition between competing firms, in terms of strategic autonomy and geopolitical vulnerabilities, this reliance on publicly disclosed patents may be less valuable.
From a security perspective, particularly vis-à-vis the world of geopolitical competition, trade secrecy is arguably of more direct relevance. Trade secrecy is governed in the EU under Directive 2016/943,Footnote 66 which affords protection to information that is secret in the sense that it is not generally known among or readily accessible to persons normally dealing with that kind of information, has commercial value because it is secret, and has been subject to reasonable steps to keep it secret.Footnote 67 Trade secrets have the advantages of not being timebound and can help to maintain global competitiveness, and may be preferred in the context of competition for technological dominance or on the basis of national security concerns.Footnote 68 While admittedly somewhat dated, a 2013 study by the European Commission into trade secrecy practices among firms found that in the semiconductor sector, 60% of respondents considered trade secrecy protection as an effective protection mechanism, compared to only 27% feeling the same way about patents.Footnote 69 In this context, however, effective protection does not only entail protection from competitor companies, but from state-based espionage, about which high-end semiconductor manufacturers demonstrate significant concern.Footnote 70 When it comes to physical products, this will be discussed in the next section. On the issue of know-how and information, effective trade secrecy protection has been linked to the issue of data sovereignty. Closely linked to the idea of digital sovereignty in the EU, data sovereignty is the understanding that “the fact that the majority of European data is stored in servers operated by non-European companies that are subject to extra-territorial legislations [sic] make such data potentially accessible by third countries.”Footnote 71 Therefore, data sovereignty is intimately connected to cybersecurity, insofar as it acts as a requirement for the effective protection of data from unauthorised access facilitated through third-state attempts to access it.
In the European strategy for data,Footnote 72 the Commission highlights its concern that “EU-based cloud providers only have a small share of the cloud market, which makes the EU highly dependent on external providers, vulnerable to external data threats.”Footnote 73 In addition to this, the threats identified by the US and China with regard to the processing of data (which the strategy makes clear goes beyond personal data to include industrial data) and the uncertainty of compliance with important EU rules and standardsFootnote 74 is seen as requiring the creation of a European data space and new rules that would encourage the storage within the EU’s territorial and regulatory control. The implementation of the Data Governance ActFootnote 75 and Data ActFootnote 76 are the legal means by which the EU is seeking to achieve this, with the Data Governance Act seeking to establish rules concerning data possessed by public sector bodiesFootnote 77 that will help to foster the creation of a European data space, including through prohibiting exclusive arrangements concerning that dataFootnote 78 and facilitating reuse.Footnote 79 The Data Act is more directly relevant to protection semiconductor-related information, as Article 1 makes clear it sets rules for safeguards against unlawful third-party access to non-personal data, and that it applies to manufacturers of connected products placed on the market in the Union and providers of related services, irrespective of the place of establishment of those manufacturers and providers. Article 11 mandates the use of technical protection measures on the unauthorised use or disclosure of data, and in particular under Article 32, seeks to ensure that all data processing services shall take all adequate technical, organisational and legal measures in order to prevent international and third-country governmental access and transfer of non-personal data held in the Union. We see again the existence of an economy–security nexus – because of the value of this know-how, the EU seeks to protect it as a security interest, but through market-development means that are intended to boost the development of “domestic” providers, in turn increasing economic value within Europe’s borders. It is hoped by the Commission that the adoption of these rules will help to facilitate the EU’s strategic autonomy in the context of data sovereignty and cloud-based services, and by extension, entities possessing semiconductor-related data will need to ensure they comply with these data security requirements to prevent third state access.Footnote 80
V. Regulation of manufacture: Semiconductor security through industrial policy?
The point of the semiconductor supply chain that presents the most concern to states is in the manufacture of the microchips. This is due to twin, interrelated concerns – the first, the availability of those chips and the trade shocks that can impact this, and the second, their potential dual use functions, in which they can be used to power systems and technologies deemed security threats to other states. These concerns are interrelated, insofar as security of supply can be negatively impacted by measures aimed at ensuring broader security aims. By way of example, the US has put an increasing number of restrictions on the export of chips to China, arguing that the risks of China achieving technological supremacy in fields such as AI could present significant security risks.Footnote 81 China has responded with reciprocal trade export restrictions, including on semiconductors such as gallium and germanium, which are subject to an export license.Footnote 82 Furthermore geopolitical tensions over the status of Taiwan, home of TSMC, the world’s foremost advanced chip producer, is taking place in the context of this increasingly hostile trade war.Footnote 83 As a result, China has announced an explicit semiconductor industrial policy,Footnote 84 with increased direct funding for semiconductor research and manufacture internally as a means of reducing dependencies on Western technology imports in the name of “technological self-reliance.”Footnote 85 Similarly, the US has invested in semiconductor industrial policy through its Chips and Science Act,Footnote 86 which provides for an industrial policy aimed at reducing dependency on semiconductors produced in Taiwan by boosting manufacturing capacity in the US, with $280 provided billion for semiconductor research and development.Footnote 87
It is in this context that the EU has made its own efforts at something akin to a semiconductor industrial policy. Compared to its global competitors, EU-based semiconductor manufacture is highly limited – it possesses few fabless production facilities, and no cutting-edge foundries producing chips with nodes of under 22nm.Footnote 88 The Commission has stated that while EU-based companies were heavily invested in semiconductor R&D, but there was insufficient investment in translating this into “industrial benefits […] many results of European R&D are industrially deployed outside the Union.”Footnote 89 The EU only had a global market share of 10%, and largely relied upon third country suppliers.Footnote 90 In order to reduce these external dependencies, and ensure strategic autonomy, the EU has set the goal of achieving a 20% market share of worldwide production for cutting-edge chips (those of 7nm and below) by 2030.Footnote 91 Increasing Europe’s manufacturing capacity is therefore a “precondition for its future competitiveness, and a matter of technological sovereignty and security,”Footnote 92 indicative of the bringing together of economic and security goals in common policy initiatives. It therefore proposed the European Chips Act, intended to achieve the twin goals of securing the resilience of Europe’s semiconductor ecosystem, as well as increasing its global market share,Footnote 93 reflecting the economy-security nexus in which semiconductors now sit. The Chips Act,Footnote 94 which entered into force in September 2023, makes clear this focus in recital 1, which states that semiconductors are essential to both the Union’s economy and its security. The measures adopted in the Act therefore reflect this approach of achieving security goals through active development of industrial policy.Footnote 95
The attempt to establish an industrial policy to ensure security of supply and strategic autonomy is made clear in Chapter II, titled “Chips for Europe.” Article 3 makes clear the strategy is to be funded through the Multiannual Financial Framework and Horizon, with Article 4 stating that the objective of the strategy is to “achieve large-scale technological capacity building and support related research and innovation activities throughout the Union’s semiconductor value chain,” through capacity building for integrated semiconductor technologies, enhancing existing and developing new pilot lines, building advanced technology capacities for production, establishing a network of European competence centres including through building new facilities, and setting up a “Chips Fund” to supply capital for start-ups, scale-ups, and SMEs in the European supply chain. Chapter III complements investment with security mechanisms, reducing external dependencies through the establishment of integrated production facilities for semiconductors,Footnote 96 and “Open Foundries” to “offer production capacity to unrelated undertakings and thereby contribute to the security of supply for the internal market and the resilience of the Union’s semiconductor ecosystem.”Footnote 97 Chapter IV concerns emergency response, which entails a strategic mapping of the EU’s semiconductor sector,Footnote 98 monitoring potential warning signs of semiconductor supply failings,Footnote 99 with the ability to enact a crisis response if supplies are deemed to be at threat,Footnote 100 which can include common purchase orders in order to guarantee supply for critical sectors.Footnote 101 While these efforts are to be lauded in terms of their ambition to guarantee security, concerns have been raised concerning the ability to rapidly scale up production capacity for high-end chips,Footnote 102 both in terms of the cost of doing so as well as the significant lead times in building foundries, taking approximately $10 billion, three years, and 6,000 skilled workers to achieve.Footnote 103 Nevertheless, the EU sees these efforts as necessary in the context of what it sees as an increasingly insecure, geopolitically unstable trade system.Footnote 104
VI. Regulation of finished products: cybersecurity in semiconductors
A final dimension of semiconductor security entails ensuring the security of the microchips once manufactured and installed on devices. Semiconductors are not standalone items, but embedded within broader technological systems and appliances, which may be subject to cyberattacks. This of course includes the technologies used in fabless design engaged in semiconductor research and fabrication foundries used to manufacture the chips. A compromised semiconductor chip can be the vector for a system-level exploit – one such example being the “Bleeding Bit” vulnerability in Bluetooth chips, which allowed for malicious firmware to be installed on devices, or to cause a memory overflow that allows for malicious code to be run.Footnote 105 Mitigating and responding to cybersecurity threats have also been positioned as being central to the EU’s digital policies, linked to the threats posed by external state and non-state actors in the context of broader geopolitical tensions over the control and use of technology.Footnote 106 This has resulted in a raft of regulatory initiatives aimed at improving the coherence and capacities of EU cybersecurity, from updating the obligations on critical information infrastructure providers under NIS2,Footnote 107 and providing for a cyber-certification regime under the Cybersecurity Act,Footnote 108 as well as proposing Regulations on Cyber-Solidarity (which includes funding and support for joint cybersecurity initiatives)Footnote 109 and Cyber-Resilience (emphasising resilience across the entire life-cycle of software and hardware),Footnote 110 both of which have received political agreement and are awaiting entry into the Official Journal.
For semiconductor supply chain security, obligations in the NIS2 Directive and Cybersecurity Act are particularly relevant, as are obligations that will be imposed through the Cyber-Resilience Act, once it is adopted. Under NIS2 Article 1, Member States are mandated to implement national cybersecurity strategies, with risk-management measures and reporting obligations for entities designated as operating in sectors of high criticalityFootnote 111 or other critical sectors.Footnote 112 Under Article 3, if public or private entities are designated as operating in these types of sector, they are subject to the requirements of this legislation, which include ensuring cybersecurity governance within their structures, including providing training and upskilling under Article 20, adoption of risk-management measures under Article 21, and working with Union level bodies such as the Cooperation Group, ENISA (the EU’s Cybersecurity Agency) and the Commission in order to identify risks to critical supply chains under Article 22, as well as report in the event of a cyber incident under Article 23. These entities are expected to engage with cybersecurity professionals as well as national authorities in order to develop and promote standards and best-practices in order to mitigate the risk of cyber-attacks, and ensure resilience in the event that such attacks are successful, with liability being based on the failure to report cyber incidents if they occur, or where an attack is successful due to a failure to follow industry standards of cybersecurity practice.Footnote 113 In the context of R&D data concerning semiconductors, cloud service providers are listed as sectors of high criticality under Annex I.8 as providers of digital infrastructure, but in the context of manufacture and supply, semiconductor producers will be regarded as falling within the “other critical sectors” designation as manufacturers of computer, electronic and optical products under Annex II.5(b). They are therefore obliged to ensure cybersecurity resilience of their production facilities, in turn guaranteeing that supply is not impacted because of incapacity due to cyber-incident. For this reason, cybersecurity requirements permeate the entirety of the microchip development chain.
Similarly, the Cybersecurity Act creates a cybersecurity certification frameworkFootnote 114 with a view to creating a digital single market for ICT products, services and processes. The purpose of the scheme is to attest that the products, services and processes have been evaluated as complying with specified security requirements, including concerning authenticity and integrity, as well as identifying and documenting known dependencies and vulnerabilities, or to verify that products, services and processes do not contain known vulnerabilities.Footnote 115 Interestingly, an update to the certification regime which has been proposed by the Commission in 2023,Footnote 116 while concerned with security, was adopted as a priority “for the industrial policy of the Union in the cybersecurity field,”Footnote 117 and proposes Article 173TFEU on the competitiveness of European industry as its legal basis, linking its security goals with an explicitly economic legal basis. For semiconductor manufacturers, making their products available on the market will not necessarily require adherence to this certification regime, as it is voluntary unless specified by the EU or Member States under Article 56. Nevertheless, obtaining this certification may be desirable both as a demonstration of product safety, as well as potentially increasing sales in the EU. However, should the Cyber Resilience Act be adopted, this may have implications for the semiconductor industry. Under the Act, which intends to ensure that hardware and software that was not necessarily regarded as falling within existing cybersecurity rules would nevertheless be subject to regulatory control,Footnote 118 mandatory requirements concerning cybersecurity and vulnerability handling are required by certain software and hardware producers under Article 1. If a product is designated as a critical product with digital elements,Footnote 119 they are subject to additional requirements. Semiconductors are included in the list of critical products in Annex III, Class I.19–21 (including microprocessors not classified as Class II, microcontrollers and integrated circuits), and Class II.5, 6, 9 and 10, which are categorised as higher risk.Footnote 120 Under Article 10, manufacturers will be subject to a number of obligations, including on essential cybersecurity requirements, risk assessment, as well as ensuring regular updates to hardware and software in order to address any identified security vulnerabilities. Article 6 states that as critical products, these classes of product will be subject to conformity assessments under Article 24, and should they not be met, they will be subject to Union-level restrictions, up to and including withdrawal from the market under Article 45. This indicates that when it comes to semiconductor security, the Commission is cognisant not only of the risks to supply, but the risks of the supply. In doing so, the EU explicitly brings semiconductors into the wider cybersecurity framework, given their embedding in hardware devices that then run applications that can all create security risks, from initial development and release through to obsolescence and technology end-of-life.
VII. Conclusions
Semiconductors have moved from the periphery of EU technology policy to being at its centre, as part of the EU’s growing perception of its own vulnerabilities, and its desires to be a geopolitical actor. Semiconductors sit at an economic-security nexus for the EU, where security is central to every aspect of the supply chain, from first mining of raw elements, through to incorporation into EU computing technologies, whether in commercial or military settings. This security is realised, however, through economic means that seek to boost industrial production in Europe, providing a boost for the EU economy while being driven by a desire for strategic autonomy. As part of this drive, coached in terms of digital and technological sovereignty, the EU’s semiconductor regulatory framework is increasingly characterised by a regulatory mercantilist turn, in which economy and security are not distinct policy areas, but interlinked and interdependent, and essential for the EU’s continued survival in the face of geopolitical instability.
Acknowledgments
I would like to take this opportunity to dedicate this paper to the memory of Professor Heike Schweitzer. Professor Schweitzer was an incredibly kind and supportive mentor during our time at the European University Institute, and it was she who encouraged me to submit my very first peer-reviewed article. It is only right that I dedicate this, my latest piece, to her.
Competing interests
The author declares that there are no conflicts of interest.
Funding statement
This work was supported by the Economic and Social Research Council (ESRC) under grant number RC-MN1164X, “Digital Sovereignty by Design.”