But the success of the New Delhi summit will depend on how effectively it moves beyond rhetoric to address the realities of AI adoption, including the need for workforce development. To this end, on January 23, the Atlantic Council hosted an official pre-summit event in partnership with the Indian embassy in Washington, DC. The event opened with remarks by Ajay Kumar, minister (commerce) at the Indian embassy in Washington, DC, as well as Tess DeBlanc-Knowles, senior director of the Atlantic Council’s Technology Programs. This was followed by a panel discussion with Martijn Rasser, vice president for technology leadership at the Special Competitive Studies Project; Nicole Isaac, vice president for global public policy at Cisco; and Peter Lovelock, chief consultancy and innovation officer at Access Partnership. Below are some of the key takeaways from that discussion, as well as several of the panelists’ recommendations for how to approach these issues heading into the AI Impact Summit. The discussion underscored that while the potential for AI-driven growth is immense, the hurdles, ranging from a global talent shortage to fragmented labor data, require more than just market forces to overcome.

The global AI talent gap

The current global AI talent landscape can be viewed as a pyramid, according to Rasser. At the apex, he said, sits a cohort of around ten thousand elite PhD-level researchers and machine learning engineers. While the United States and China currently dominate this top layer of researchers, the real opportunity for emerging powers lies at the applied level. India possesses significant depth in its service sector, but the true challenge is building institutional readiness, ensuring that organizations can effectively channel available talent into high-value applications.

The most underappreciated deficit is not in raw coding but in AI-adjacent skills. There is a pressing need for product managers and domain experts who can bridge the gap between technical tools and organizational needs. For emerging economies, said Lovelock, the goal should not be to replicate Silicon Valley’s research labs, but to build an ecosystem where AI is “burned into” industrial applications such as supply chain management and export-import calculations.

AI infrastructure as workforce policy

“At its core, AI is designed, built, and deployed by humans,” noted Knowles. Indeed, a persistent theme for the global majority is that connectivity cannot be separated from workforce policy. Without reliable digital access, Isaac noted, billions remain excluded from the transformative benefits of AI. Security is another foundational layer; as AI environments become more complex, training in cybersecurity and digital resilience becomes essential to protect vulnerable populations from bad actors.

Kumar, the Indian embassy official, laid out India’s strategy for a comprehensive five-layer “AI stack,” including sovereign models, semiconductors, and data centers. By providing compute power to educational institutions at a fraction of the global market rate, he argued, the government aims to democratize access across smaller cities. However, the widening digital divide remains a threat. If certain segments of the population are left behind, the resulting “have and have-not” divide could persist for generations, he said.

The other data problem

We cannot manage what we cannot measure. Policymakers, said Lovelock, are currently operating with “static” data that looks in the rearview mirror. Traditional labor statistics, often based on outdated surveys, are ill-suited for a fast-moving technology. Furthermore, labor data is often fragmented across various ministries, making it difficult to understand where the actual skill gaps lie.

Standard adoption metrics are increasingly irrelevant because individual AI use is highly varied. Instead of tracking who is using the technology, said Lovelock, governments need a “diffusion framework” that measures the actual impact of AI use on the economy. Only then can they make the strategic bets required for a long-term return on investment.

Four pillars for the summit’s AI talent agenda

Following from the panelists’ insights, the AI Impact Summit can deliver a scalable and inclusive AI talent framework by coalescing the global community around four primary actions:

• Modernize education through personalized AI tools. Rather than sticking to the “one-to-many” broadcast model of traditional schooling, curricula should be reformed to put AI tools directly in the hands of students. This shift allows for personalized learning and ensures that students learn by doing, preparing them for a rapidly changing job market.
• Create an AI Diffusion Index to measure actual adoption. Policymakers should move away from static adoption statistics and toward real-time data signals that measure how AI is being embedded into industrial and public services. This requires supplementing government surveys with nontraditional data sources to better align educational output with actual labor market demand.
• Treat connectivity and security as foundational workforce issues. Investment in fiber and satellite infrastructure must be paired with training in digital resilience and cybersecurity. This ensures that the benefits of AI are shared broadly and that new users are protected from the heightened risks of an AI-ready environment.
• Position government as the “first user” of new technologies. The public sector should take the lead in adopting AI for the delivery of public services in agriculture, healthcare, and education. By demonstrating the usefulness and accessibility of these tools within government, the state can send a powerful signal to the broader population and help accelerate national adoption.

The success of the AI Impact Summit will be measured not just by the declarations its participants make, but by the structural cooperation that survives past February. The summit offers a rare opportunity to pool global resources to solve the AI workforce crisis, replacing anecdotal evidence of AI adoption with rigorous data and flexible approaches to meet shifting workforce needs. At the summit, New Delhi has the opportunity to transform a week of dialogue into a sustained, collaborative framework that can help enable emerging economies to tap the benefits of AI adoption.

Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center.

New Atlanticist Nov 24, 2025

Safety should be front and center in India’s vision for its AI Impact Summit

By Trisha Ray

Despite the headline attention on impact, safety needs to be fundamental to India’s vision for artificial intelligence that engenders trust, inclusion, and empowerment.

Artificial Intelligence India

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post How India’s AI talent playbook can provide a blueprint for aspiring AI powers appeared first on Atlantic Council.

Throughout the year, technological breakthroughs from both the United States and China ratcheted up the competition for AI dominance between the superpowers. Countries and companies raced to build vast data centers and energy infrastructure to support AI development and use. The scramble for cutting-edge chips pushed Nvidia’s valuation past five trillion dollars—the first company to reach that milestone—even as concerns mounted over circular financing and the question of how much the AI boom is founded on hype versus reality. Meanwhile, policymakers grappled with the balance between safety, security, and innovation and how to manage possible labor disruptions on the horizon.

As 2026 begins, rapid AI integration threatens to inject even more unpredictability into an already fragmented global order. Below, experts from the Atlantic Council Technology Programs share their perspectives on what to expect from AI around the globe in the year ahead.

Click to jump to an expert prediction: 

Emerson Brooking: AI poisoning goes mainstream

Tess deBlanc-Knowles: The US pushes AI tech exports to counter China

Konstantinos Komaitis: AI governance turns global

Ryan Pan: The US-China AI race intensifies in a multipolar world

Esteban Ponce de León: AI challenges human judgment

Trisha Ray: Countries go all in on ‘sovereign AI’

Mark Scott: The battle of the AI stacks escalates

Kenton Thibaut: China doubles down on AI-powered influence operations

AI poisoning goes mainstream

Russia’s Pravda network of websites has published millions of articles targeting more than eighty countries. These sites launder and amplify content from Russian state media, seeking to legitimize Russian military aggression while casting doubt on Western support for Ukraine. Most of these articles will never be viewed by a human. Instead, they seem intended to target the web crawlers that scour the internet for training data to feed to insatiable AI models.

And the strategy is working. Last year, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and CheckFirst demonstrated how mass-produced Pravda articles were cited in Wikipedia, X Community Notes, and responses from major chatbots. Parallel research by Anthropic and the United Kingdom’s AI Safety Institute has shown how trace amounts of faulty data can effectively “poison” even very large models. People increasingly turn to AI systems to understand current events. If an AI model’s knowledge has been altered by sources intended to deceive, then the users’ will be, too.

In 2026, the issue of AI poisoning will break into the mainstream. Because of a roughly two-year lag in AI training data (many AI models are still waiting for the results of the 2024 US presidential election, for instance), these AI-targeted propaganda campaigns are about to start manifesting more often. And because one cannot reliably audit what’s inside a deployed AI model, the result will be a staggering research and policy challenge.

Digital policy experts, including the DFRLab, have spent a decade learning to identify, explain, and expose online disinformation where people can see it. This is online disinformation where they can’t.

—Emerson Brooking is the director of strategy and a resident senior fellow with the Atlantic Council’s Digital Forensic Research Lab.

The US pushes AI tech exports to counter China

In 2026, the United States will double down on exporting the US tech stack as the cornerstone of its international AI strategy. In December 2025, US President Donald Trump set the tone with his decision to allow Nvidia to export its advanced H200 chips to China, a clear endorsement of the view that the United States wins when the world builds and deploys AI using US technology.

Published days before the Nvidia decision, the Trump administration’s National Security Strategy makes this explicit: “We want to ensure that US technology and US standards—particularly in AI, biotech, and quantum computing—drive the world forward.” This framing echoes the AI Action Plan the administration released in July 2025, which stated that the “United States must meet global demand for AI by exporting its full AI technology stack,” warning that a failure to do so would be an “unforced error.”

In 2026, expect to see the United States sign more AI-focused partnerships like those forged with Saudi Arabia and the United Arab Emirates in 2025, alongside efforts to counter China’s growing influence in emerging markets. But as the United States makes this push, China holds some key advantages. Its lead in open-source AI models and focus on applied AI could prove to be the winning formula for capturing global market share with free models and deployment-ready technologies.

—Tess deBlanc-Knowles is the senior director of Atlantic Council Technology Programs.

AI governance turns global

In 2026, AI governance enters its first truly global phase with the United Nations–backed Global Dialogue on AI Governance and Independent International Scientific Panel on AI. For the first time, nearly all states have a forum to debate AI’s risks, norms, and coordination mechanisms, signaling that AI has crossed into the realm of shared global concern.

Yet this ambition unfolds amid acute geopolitical tension: The European Union pushes a rights- and risk-based regulatory model, while the United States favors voluntary standards to preserve innovation and security flexibility. For its part, China promotes inclusive cooperation while defending state control over data and AI deployment. Smaller and developing states gain a voice but remain structurally dependent on the major powers that control the bulk of AI talent, capital, and computing power.

The result is a fragile, uneven global framework. States converge on scientific assessments, transparency norms, and voluntary principles, but they avoid binding limits on high-risk AI uses such as autonomous weapons, mass surveillance, or information manipulation. Coordination emerges, but the core strategic competition remains unresolved, producing a governance architecture that manages risks at the margins while leaving rival models largely intact.

By the end of 2026, the Global Dialogue will likely have made AI governance global in form but geopolitical in substance—a first test of whether international cooperation can meaningfully shape the future of AI or merely coexist alongside competing national strategies. This juncture offers states an opportunity to demonstrate leadership by strengthening institutional capabilities and collaborative mechanisms, fostering a global AI governance framework that is more coherent, equitable, and universally engaged.

—Konstantinos Komaitis is a resident senior fellow with the Atlantic Council’s Democracy + Tech Initiative.

The US-China AI race intensifies in a multipolar world

The year ahead will see an even fiercer competition over AI dominance between the world’s two largest powers—the United States and China—while middle powers gradually close the gap in the race. China’s DeepSeek started off this year with a research paper on a new AI training method to efficiently scale foundational models and reduce costs. This publication comes almost exactly a year after the headline-making paper it released in January 2025, which was followed by the launch of DeekSeek-R1. The timing of this year’s new publication signals that the company will launch new models and continue shaping the world’s AI industry this year.

In 2026, expect China to double down on its open-source AI strategy to influence the world’s AI infrastructure. (Several major US tech companies are already using Chinese large language models in their applications.) The United States and China may also engage in further trade retaliation in the AI supply chains in light of recent developments in Venezuela, from which Chinese companies had gained access to rare earth minerals crucial to developing the AI stack. The Trump administration’s recent claims regarding Colombia, from which China also sources rare earth elements, could make Latin America the next technology battleground between the two powers.

But what about powers beyond the United States and China? In 2026, look for Europe to increase its AI defense investments even more than it did in 2025. Middle powers, notably India, will see their AI capability greatly improved this year, as US tech giants have recently pledged billions in investments in India’s AI capabilities. 

The AI race in 2026 will still be defined by a multipolar order. Nevertheless, the United States and China will continue to yield the greatest influence.

—Ryan Pan is a program assistant with the Atlantic Council’s GeoTech Center.

AI challenges human judgment

In 2026, human–AI interaction will likely challenge human judgment and identity more deeply than in any year to date. This is not only because AI models are demonstrating increasingly complex capabilities, but also because AI-generated content can be so emotionally charged in today’s polarized information environment.

Online sources and social media have shown how polarization can be deliberately targeted, and the use of AI to generate fabricated or distorted content adds a new layer to how social and political events are interpreted. AI content is reshaping the dynamics of both manipulation and what could be described as a “misinformation game,” in which techniques such as the deployment of AI slop and the memeification of events are used to mock adversaries and amplify key propaganda narratives. For example, in June 2025, amid the Israel-Iran escalation, AI became the new face of propaganda. This included graphic and sensational AI-generated fake content, such as fabricated missile strikes, military hardware, religious and national symbols, and memes. But it also included more sophisticated fabrications of CCTV footage that became increasingly difficult to debunk.

In the first days of 2026, as the Trump administration captured Venezuelan strongman Nicolás Maduro, the use of AI to generate media content increased drastically. While much of this content was humorous or satirical in nature, it nonetheless illustrates emerging usage patterns, as playful AI-generated media can still shape perceptions of power and blur the line between satire, manipulation, and propaganda. Whether fabricated content aims to provoke humor or confusion, human judgment will face new challenges in the year ahead.

This challenge to human judgment and identity extends beyond misinformation. In 2026, the AI landscape may begin to show early signs of benchmark saturation, in which models converge at near-maximum scores on established capability tests, collapsing the measurable differences between them. This matters for the information environment because the same logic applies: If distinguishing real from fabricated content becomes difficult, then so too does distinguishing what humans uniquely contribute from what AI can replicate. The implications extend to professional identity and how to understand individual value and competence.

—Esteban Ponce de León is a resident fellow with the Digital Forensic Research Lab.

Countries go all in on ‘sovereign AI’

There are unprecedented amounts of capital flowing in to meet the anticipated demand for AI. Last year, for instance, kicked off with Trump’s announcement of Stargate, with the aim of investing $500 billion in AI infrastructure over five years. The principle driving this trend is straightforward: Countries think they must control AI before it controls them. Consequently, there was a wave of sovereign AI announcements in 2024 and 2025.

That momentum will only grow in 2026, starting with the launch of India’s sovereign large language model at the AI Impact Summit in February. Nations are seeking sovereign AI to strengthen their domestic economies, protect national security, mitigate geopolitical shocks, and reflect national values. However, there’s a catch: Not every country can, or should, try to build every part of the AI stack on its own. Trying to recreate from scratch everything from data centers to models is expensive, redundant, and impractical. Nations will need to choose what to build, what to buy, and where partnerships make more sense than going solo.

—Trisha Ray is an associate director and resident fellow with the GeoTech Center.

The battle of the AI stacks escalates

As AI becomes more central to countries’ economic prospects, national policymakers will likely seek to impose greater control over critical digital infrastructure. This infrastructure includes compute power, cloud storage, microchips, and regulation, and it is central to how emerging AI technology will develop in 2026. For the world’s largest digital powers—the United States, the European Union, and China—the push to control this infrastructure will likely evolve into a battle of the “AI stacks”—increasingly opposing approaches to how such core digital AI-enabling infrastructure functions at home and abroad.

The White House’s AI Action Plan, published in July 2025, made it the stated policy of the federal government to export the US stack to third-party countries, including via potential funding support from the US Department of Commerce for other governments to purchase offerings from the likes of Microsoft, OpenAI, and Nvidia. The European Commission has earmarked billions of euros for so-called AI gigafactories, or high-performance computing infrastructure, from Estonia to Spain, while national leaders also vocally called for a “Euro stack.” The Chinese Communist Party is urging local firms to forgo Western AI know-how and rely instead on domestic alternatives from companies such as Alibaba or Huawei.

The rest of the world will have to navigate these increasingly rivalrous approaches to AI infrastructure at a time when all countries seek greater control of so-called digital public infrastructure—that is, the underlying hardware and, increasingly, software needed to power complex AI systems. How these different AI stacks interact with each other will be critical to how the technology develops over the next twelve months.

—Mark Scott is a senior resident fellow with the Atlantic Council’s Democracy + Tech Initiative.

China doubles down on AI-powered influence operations

In 2026, the People’s Republic of China’s (PRC’s) AI-enabled disinformation efforts are likely to intensify in scale, persistence, and technical sophistication, particularly those targeting Taiwan. PRC actors are already using AI-generated audio, video, and text, distributed through networks of fake accounts and contracted private firms, to conduct “cognitive warfare” campaigns aimed at shaping political perceptions and voter behavior. These campaigns prioritize volume, localization, and algorithmic exploitation, and they are increasingly designed to be continuous rather than episodic. As AI-generated content is blended with human-curated messaging and commercial infrastructure, PRC-linked operations will become harder to detect and attribute, reflecting a shift toward more deniable, adaptive, and professionalized influence operations.

At the same time, Beijing is expected to pair these activities with defensive diplomatic messaging that rejects allegations of PRC-linked disinformation or cyber operations and reframes such claims as politically motivated attacks. This pattern reinforces a broader hybrid strategy in which AI-enabled influence operations, cyber activity, and diplomatic signaling are tightly integrated. In 2026, PRC disinformation campaigns are likely to focus less on overt propaganda and more on shaping narratives around crises and cyber incidents, contesting blame, eroding trust in attribution, and influencing strategic decision-making outcomes.

—Kenton Thibaut is a senior resident fellow with the Democracy + Tech Initiative. 

The post Eight ways AI will shape geopolitics in 2026 appeared first on Atlantic Council.

Executive summary

Financial-sector policymakers and financial service providers are facing both a real challenge and unique opportunity to drive economic inclusion for about three billion people and spur growth toward the Sustainable Development Goals (SDGs).

The good news from the World Bank’s Global Findex Database 2025 is that 79 percent of adults globally and 75 percent in low- and middle-income economies (LMIEs) now have a financial account of some kind. Mobile phones are even more ubiquitous, with 86 percent of adults globally and 84 percent in LMIEs having one, which in most contexts can be used to access financial services. This means about four out of every five people have the potential to save safely and borrow prudently to meet their financial needs and the potential to pay and be paid digitally. This is good news for the individuals, their families, and for these economies because, as the IMF has found,
financial inclusion serves as a catalyst for both economic participation and inclusive growth.

However, the majority of adults in LMIEs that have a financial account do not yet fully engage with the formal financial sector. Only 40 percent of adults in LMIEs (on average) saved formally and only 24 percent of adults in LMIEs (on average) borrowed from a formal financial service provider in the last year and even they do not necessarily have the type of credit they need.¹ There are, therefore, about three billion people who could actively engage in the formal financial sector, and they present both a challenge for financial sector leaders and an opportunity for accelerating inclusive growth.

The main reasons adults in LMIEs do not use formal digital financial services are affordability, lack of trust in service providers, and lack of products to meet their needs. Rapid advances in digital public infrastructure (DPI) and artificial intelligence (AI) have the potential to directly tackle these challenges. Together they can reduce costs, increase trust, and tailor products for individuals, thereby improving lives and driving growth:

• DPI has been endorsed by the Group of Twenty since India’s presidency in 2023.² Ninety-seven countries now have DPI-like digital payments; sixty-four countries have digital IDs, and 103 have data exchange—together reducing costs and increasing trust.³
• AI, by cheaply analyzing massive data sets, is turbocharging cost reduction and product tailoring, which translates into greater affordability and access for people on lower incomes.⁴

Yet, there are potentially problematic aspects to these exciting innovations. DPI has the potential for loss of data privacy (if privacy by design is not embedded), for rent extraction (if not an open-source platform), and for government surveillance (if DPI safeguards are not central).⁵ AI has the potential to turbocharge fraud, scams, and identity theft and compromise trust.⁶

Therefore, government financial-sector regulators and policymakers have urgent and important decisions to make about how to enact and enforce responsible guardrails in the financial ecosystem. These guardrails are essential so new customers have affordable, appropriate products, can trust their money and data are safe, and have effective recourse mechanisms if problems occur. National coordination at the highest level is essential, regional approaches including policy harmonization can be cost-effective, and urgency is imperative. Financial-service leaders also have key decisions to make about how to design affordable and responsible financial products that build trust, enable resilience, and foster financial well-being and economic growth. There is now a unique opportunity for financial-sector leaders to unleash economic potential for three billion people and accelerate inclusive growth.

Ruth Goodwin-Groen is a nonresident senior fellow with the Atlantic Council’s GeoEconomics Center. Goodwin-Groen brings thirty years of strategic and technical leadership in financial-sector development and financial inclusion in emerging markets to her current consulting practice, Goodwin-Groen Consulting. Her focus is on responsible digital financial inclusion and equality in financial services for women.

Goodwin-Groen is best known as the founding managing director of the United Nations-hosted Better Than Cash Alliance, which created a global movement from cash to responsible digital payments to achieve the Sustainable Development Goals. Alliance members and partners include over 113 governments, 229 companies, and most of the UN—accounting for over 90 percent of global gross domestic product.

Goodwin-Groen has a PhD in financial-sector development from the University of Bath, an MBA with distinction from Harvard Business School, and a Bachelor of Science with Honors from the University of Western Australia.

The author extends special thanks to those providing expert input on this paper: Isabelle Carboni, Expert Consultant; Eric Duflos, CGAP; Nicole Goldin, United Nations University-Centre for Policy Research & Atlantic Council; Leora Klapper, World Bank; David Porteous, Integral: Governance solutions; and Camilo Tellez-Merchan, Gates Foundation. She also deeply appreciates the input of Atlantic Council colleagues Josh Lipsky, Sophia Busch, and Juliet Lancey as well as those who contributed to the findings and recommendations of this report through their participation in two roundtable discussions at the Atlantic Council in April and October of 2025. See the Appendix for a list of the participants. This report was made possible in part by a grant from Tala.

New Atlanticist Oct 15, 2024

Advancing a twenty-first century approach to remittances

By Alisha Chhangani, Ananya Kumar

Valued at nearly $900 billion each year, global remittances have become a large portion of many nations’ gross domestic product. But transaction costs remain too high—a problem that policymakers should tackle at upcoming meetings in Washington and Rio de Janeiro.

Africa Americas

Issue Brief Sep 20, 2024

Toward a financial inclusion agenda for the global majority

By Nicole Goldin

Policymakers, investors, and innovators must advance a new financial inclusion agenda designed for the global majority.

Economy & Business Fiscal and Structural Reform

Issue Brief Nov 2, 2023

Asking the right questions: Can digital currency enable financial inclusion?

By Ananya Kumar

Cryptocurrencies and CBDCs have the potential to enhance financial inclusion. However, the lack of quantitative data makes it challenging to evaluate their impact. To assess their financial inclusion capacity, this paper builds a rubric for policymakers which includes layers of consideration.

Digital Currencies Economy & Business

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post A three-billion-person challenge: The rising global market for financial leaders appeared first on Atlantic Council.

• Defining the terms of the debate
• Europe’s missing Silicon Valley
• Geopolitics and the rise of tech sovereignty
• Trump actions spur renewed calls for greater independence
• Key issues:
  • Snowden’s revelations and the ‘kill switch’
  • US law enforcement access to data on European servers
  • The US u-turn on data flows
  • A single European data market
  • EU content moderation and free speech
  • Cybersecurity and cloud services
• Looking ahead: Transatlantic tensions will persist
• Seven recommendations for Brussels and Washington

Introduction

Over the past several years, the concept of digital sovereignty has become ever more central to European notions of competitiveness and economic resilience. Formerly a niche idea within the digital policy community, it has now gone mainstream with major European leaders, from European Commission President Ursula von der Leyen to former head of the European Central Bank Mario Draghi, calling for the European Union to achieve digital sovereignty.¹ It has also become integral to European debates about technological sovereignty and strategic autonomy, and even to trade policy. And as digital sovereignty has become more prominent in European discussions, it has shifted from being a vague aspiration to a concept that EU policymakers increasingly seek to put into operation—raising the possibility of future EU restrictions on procurement from companies outside Europe, as well as other regulatory measures.

Yet, despite its growing centrality in European digital debates, digital sovereignty still does not have a clear definition.² At times, it seems to have been encompassed by the broader term of tech sovereignty, which reflects the EU’s desire to boost its industrial capabilities—not only in the digital space, but also in renewables and other green and future technologies. European policymakers also regularly refer to data sovereignty and cloud sovereignty, which can be seen as focused on particular aspects of digital sovereignty.

What all these definitions share, however, is the notion that Europe and its economy should be less dependent on others and more capable of protecting its own interests, including its interests in the digital sphere. That leads to the key unresolved questions at the heart of digital sovereignty. Does sovereignty require an economic approach that is exclusively European or, at minimum, favors European companies? Is ownership or effective control over key companies important, or is a risk-based system more appropriate? Is it desirable to limit sovereign requirements to certain sectors of the economy? Can Europe achieve a measure of sovereignty as part of a common enterprise among international partners? And if the partnership model is acceptable, who are the partners?

The transatlantic relationship is, in turn, entangled with Europe’s internal debate about digital sovereignty. Until recently, this has been an evenly divided contest, with some European experts calling for Europe to strategically decouple from the dominance of US companies, while others—including most member-state governments—have noted the lack of local alternatives and hesitated to discriminate against US and other non-EU companies.

But the Trump administration’s initial open hostility to the EU and continuing general unpredictability have caused even the most transatlantic of EU leaders to question the reliability of the United States. The July 2025 US-EU trade deal provided some temporary clarity and predictability in transatlantic commercial relations, although digital issues were addressed in only limited ways. President Donald Trump’s Truth Social post a few weeks later, threatening additional tariffs on countries with “Digital Taxes, Digital Services Legislation, and Digital Markets regulations [that] are all designed to harm, or discriminate against American Technology,” was immediately criticized by the European Commission, France, Germany, and others as a violation of Europe’s sovereignty.³ Nevertheless, during a November 2025 visit to Brussels, Commerce Secretary Howard Lutnick directly linked the removal of EU digital regulation with a potential US-EU agreement on steel and aluminum tariffs.⁴

Given Trump’s close connections with leading tech executives, the US administration’s combative posture toward European tech regulation is likely to continue being a point of transatlantic friction. Whether a continued focus by the Trump administration on Europe’s digital rules will create an even stronger push in Europe for an exclusive form of digital sovereignty is not yet evident. What is clear is that without some guidelines, such as those offered in the conclusions to this report, the European Union and United States might find that their differences regarding digital sovereignty and digital rules make creating and maintaining an open transatlantic digital marketplace much more challenging.

Defining the terms of the debate

One reason why digital sovereignty has become an increasingly inflammatory label across the Atlantic is that the lack of a clear definition allows everyone to define it in ways that support their own arguments. Its rise has also coincided with the European embrace of strategic autonomy in foreign and security policy—a notion that has predictably ruffled some US feathers, especially in the defense community. Further confusion has developed as similar terms (i.e., tech sovereignty, cloud sovereignty) have emerged in related areas. To introduce some clarity into this discussion, it can be useful to categorize these different notions.

• Strategic autonomy: First arising in the context of foreign and security policy, strategic autonomy refers primarily to Europe developing defense and foreign policy capabilities that would allow the EU to play a more independent geopolitical role. Aside from a few defense funding efforts, the idea has not yet inspired major legislative initiatives. To indicate that partnership and autonomy were not contradictory, the EU later adopted the related idea of open strategic autonomy in trade policy. More recently, the EU has begun to embrace the concept of regulatory autonomy—the idea that “the Union’s values, interests, and regulatory autonomy underpin EU action, including in the digital sphere.”⁵ In these notions, autonomy is a more ambiguous and flexible concept than sovereignty, which implies a legal order backed by legislative initiatives.
• Technological sovereignty: While the first European Commission headed by von der Leyen focused largely on legislation related to the online world, the importance of technologies—and Europe’s reliance on Chinese and US technologies—had come to the fore by the end of that mandate. This was not only about the digital world, but crucially about the European Green Deal. While the commission argued that carbon reduction would be key to the future EU economy, it became woefully clear that Europe remained dependent on others for many essential technologies: solar panels, wind turbines, semiconductors, electric vehicle batteries, etc.
  
  Thus, in the second von der Leyen commission, the position of executive vice president for tech sovereignty, security, and democracy was created to oversee the development of EU capabilities to support the digital agenda. Others in the commission, including Executive Vice Presidents Teresa Ribera and Stéphane Séjourné, were tasked with strengthening EU technological capabilities across the Green Deal and industrial strategy generally. In June 2025, a key European Parliament committee defined tech sovereignty as “the ability to build capacity, resilience and security by reducing strategic dependencies, preventing reliance on foreign actors and single service providers, and safeguarding critical technologies and infrastructure.”⁶ Unlike strategic autonomy, however, tech sovereignty underlies significant legislative initiatives, from the Net Zero Industry Act and the Critical Raw Materials Act to the Public Procurement Directives. It also entails a strong focus on industrial policy, including state aid, competition policy, and other means of boosting key tech-related industries.
• Digital sovereignty: While often used interchangeably with tech sovereignty, digital sovereignty focuses primarily on the online world. Legislation such as the General Data Protection Regulation (GDPR), Digital Services Act (DSA), Digital Markets Act (DMA), and Artificial Intelligence Act (AIA) have sought to establish a comprehensive system of governance for the online world, especially by regulating corporate behavior vis-à-vis individual or business users. With the exception of semiconductors and the EU Chips Act, much less attention has been paid to the technologies that enable the online world. However, recent proposals for a Eurostack—a European capacity to provide all elements of digital infrastructure, from cables to cloud—are indications of growing European concern about both governance and technologies.⁷

• Data sovereignty: This subset of digital sovereignty—one of the earliest variants—initially focused primarily on protection of personal data under the GDPR. However, with the Data Act and other initiatives, increased attention is now paid to the re-use of industrial data that are either sensitive or commercially valuable, and to safeguarding the capacity of EU businesses and governments to exploit data generated in Europe.
• Cloud sovereignty: The proliferation of data requires enhanced storage capabilities and increased focus on cloud storage and the security of data stored in the cloud. An increasingly sharp debate has centered on whether Europeans’ data should be stored exclusively within the EU, or whether they can be stored outside the EU by non-EU providers considered trustworthy and secure. This discussion has accelerated with the growth of artificial intelligence (AI) and its enormous requirements for cloud services and data centers. Cloud sovereignty also poses questions about how Europeans’ data can be accessed by foreign law enforcement and intelligence agencies.
• Sovereignty over speech: Users of online services today confront a wide array of illegal or undesirable content, from child sexual abuse material to advertisements for illegal products to political disinformation. EU efforts to regulate platforms’ responsibility for illegal content and systemic risks have recently sparked criticism from the Trump administration, which regards aspects of these efforts as violations of free speech.⁸ Who has the right to determine allowable speech available online in a jurisdiction other than where it was produced?
• Cybersecurity: Given the ever-growing number of cyberattacks, both in Europe and globally, the protection of the online world has become a growing element in digital sovereignty. In the past, cybersecurity had not been central to the debate about digital sovereignty, but since the Russian full-scale invasion of Ukraine in 2022 there has been a rapidly growing understanding that resilience against such attacks is an essential part of sovereignty. Europe in particular has faced numerous attacks from Russia and related online actors. The EU effort to establish standards for cybersecurity has already led to US-EU tensions, but there will likely be even more attention paid to cyber-proofing as the EU operationalizes its concept of sovereignty.

As part of the growing effort to operationalize digital sovereignty, both EU institutions and member states have initiated efforts to elaborate the meaning of this elusive concept. The European Council, in formal conclusions to its October 23 meeting, declared, “It is crucial to advance Europe’s digital transformation, reinforce its sovereignty, and strengthen its own open digital ecosystem,” adding that “this requires reinforced international partnerships and close collaboration with trusted partner countries.”⁹

On November 18, 2025, the French and German governments convened a Summit on European Digital Sovereignty. The summit identified several areas for building digital sovereignty, including AI, data, and public infrastructure, and launched a joint task force on European digital sovereignty to report in 2026.¹⁰ Its final declaration underscored the EU member states’ “shared ambition to strengthen Europe’s digital sovereignty in an open manner as a cornerstone of our economic resilience, social prosperity, competitiveness and security.”¹¹

The European Commission, for its part, issued a Cloud Sovereignty Framework in September 2025 that identifies eight types of sovereignty-related objectives to be considered in the government procurement context. In a stab at precision, the framework encourages contracting authorities to assign each objective a sovereignty effective assurance level (SEAL). The results of that assessment should provide a mathematically derived sovereignty score.¹² But as EU discussions on this topic progress, there are still key differences among the member states about the choice between strict autonomy or international partnerships, and whether the model should be based on exclusive EU control or on risk management.

Europe’s missing Silicon Valley

While many non-European observers would say that the EU’s regulatory power already gives it significant influence domestically and externally, the EU’s sovereignty in the European digital arena is vulnerable at best. Despite its role as a regulatory superpower, Europe finds itself reliant on non-EU companies for many essential elements of the digital world. A European Parliament report estimates that “the EU relies on non-EU countries for over 80% of digital products, services, infrastructure, and intellectual property.”¹³ This perception of dependency is at the heart of the EU push for digital sovereignty.

The EU has failed to develop a tech sector with either the vibrancy of Silicon Valley or the growing capabilities of China’s industry. In particular, Europe has not seen the emergence of world-leading new companies based on digital technologies. Indeed, while the US industry has created six companies with a market capitalization of €1 trillion or more, the EU has created none.¹⁴ In 2021, three US cloud companies supplied 65 percent of the EU cloud market, while EU-headquartered companies had less than 16 percent.¹⁵ As a consequence, European consumers and businesses must rely on non-EU companies—mostly US and some Chinese enterprises—for basic digital services. Initially, this largely applied to software, social media, search engines, and a wide array of shopping services. More recently, the importance of cloud, encryption, and AI, along with the prospective emergence of super-fast quantum computing, has made Europeans realize that this dependence on others has significant and potentially long-lasting effects on their own industries and economies, including those far beyond the tech sector. 

Of course, a few European companies are exceptions to these trends. Nokia and Ericsson were already leaders in the cables and fiber optics that are key to connectivity. They became even stronger in the market as concerns rose about the security of Chinese components. The Dutch company ASML has been a leader in the machines required to make the semiconductors that guide and manage so much of the digital world. SAP is the world’s largest vendor of enterprise resource planning software. But these European companies are not in the same league as their US equivalents in terms of market capitalization. For example, ASML has a market capitalization of $376 billion, while Nvidia is at $4.3 trillion and Microsoft is at $3.8 trillion.¹⁶

One consequence of Europe’s struggle in the digital marketplace has been the emergence of an EU-wide debate on competitiveness, as represented most prominently by the reports by former Italian Prime Minister Enrico Letta and former head of the European Central Bank Mario Draghi.¹⁷ Draghi specifically underlined the importance of Europe’s failure to develop an innovative tech sector by noting the increasing productivity gap between the EU and the United States, with European labor productivity falling to 80 percent of US productivity. He concluded that this was mainly due to “Europe’s failure to capitalise on the first digital revolution led by the internet—both in terms of generating new tech companies and diffusing digital tech into the economy.”¹⁸

The competitiveness debate has also sought to identify the causes of Europe’s lack of digital champions. Europe has a vibrant startup community, as demonstrated by the growing role of venture capital.¹⁹ But many of these innovative enterprises end up moving to the United States or elsewhere, while others fail to commercialize entirely. The most popular rationale for this failure to scale—cited by US and European analysts, including Draghi—is overregulation.²⁰ Other suggested reasons include a chronic lack of indigenous capital, overly strict bankruptcy laws, and a culture that fears failure.²¹ Whatever the reason, Europe’s inability to provide the resources and capabilities for its innovative companies to become continental champions, let alone world leaders, means it must rely on companies from elsewhere.

This was already the case in 2018, when the GDPR—the first major piece of EU digital legislation—came into force. During the next five years of von der Leyen’s first term as commission president, the EU passed several other pieces of digital legislation, most notably the DSA, DMA, and AIA. These measures made progress in harmonizing diverse member-state laws, both existing and anticipated. But while EU leaders saw this body of legislation as protecting their citizens from the excesses of data collection and illegal social media content, many outside the EU, especially in the US tech community, viewed these laws as overly burdensome at best and discriminatory at worst. Some EU policymakers, such as Member of the European Parliament (MEP) Andreas Schwab, early on were open about their desire to counter the dominance of US firms.²² Others, however, saw Europe as offering a positive alternative to the lightly regulated environment tech companies faced elsewhere. EU rules inevitably had the most impact on US companies, which provided the overwhelming majority of digital services in the EU market. Chinese companies also came to feel the impact of EU regulations as their market share grew over time, especially in shopping and social media.

Throughout this period of intense legislative activity, there were clear voices calling for greater digital sovereignty in Europe. The body of legislation passed in the first von der Leyen commission can certainly be viewed as an effort to place limits on the US companies that dominate Europe’s digital space—and as a way for Europe to regain some control, or sovereignty, over that market. But as competitiveness emerged as a top EU priority in 2023, the discussion about digital sovereignty became part of a much broader discussion about innovation and economic security.

Geopolitics and the rise of tech sovereignty

The earliest indication of a geopolitical element to EU digital sovereignty came during the first Trump administration, when the United States protested the use of Huawei components in European digital networks. Reluctantly at first, Europeans came to understand the risk of a Chinese capability to disrupt those networks and developed the EU Toolbox for 5G Security, a list of best practices released in January 2020. The toolbox identified states and state-backed actors as the most serious threats. It also set out criteria for identifying trusted versus untrusted vendors, including closeness to a foreign government, lack of democratic accountability in that government, lack of a data protection agreement with the EU, and ability of the third country to exercise pressure on the EU.²³

The toolbox was the first real effort to identify foreign companies and governments that might threaten Europe’s digital sovereignty and those that might not. There was clearly a focus on China and Chinese companies, as demonstrated by the criteria for vendors. But it should be noted that the toolbox is primarily voluntary guidance developed by the member states for themselves, with progress tracked by regular EU Commission reporting.

In 2019, the EU identified China as both an economic competitor and a “systemic rival,” but initially with little consequence, especially in terms of economic relations.²⁴ Over the next few years, the EU would increasingly focus on China and the dangers posed by its investments in the European economy, especially in critical European infrastructure. By March 2023, when von der Leyen called for de-risking Europe from China,²⁵ commission officials had identified a number of EU dependencies on China—including in critical raw materials, solar panels, and batteries—that had the power to disrupt European industry.²⁶ In June 2023, the commission reported that it considered Huawei and ZTE “materially higher risks” than other fifth-generation (5G) suppliers.²⁷

The EU also initiated a few measures to address those vulnerabilities: heightened screening of inward foreign investment, primarily at the member-state level; enactment of the European Chips Act, providing funding for advanced semiconductor manufacturing in Europe; adoption of the Critical Raw Materials Act, which established goals for EU production of key materials; and passage of the Net Zero Industry Act, which sought to build EU manufacturing capacity in clean technologies such as solar, batteries, and hydrogen. While these measures were not aimed only at China, concerns about that country’s ambitious global plans were a main motivation. Moreover, they had the effect of broadening the initially limited discussion of digital sovereignty beyond the realm of digital governance to include both digital and green technologies, resulting in a broader focus on technological sovereignty.

This European debate regarding the geopolitical dimensions of sovereignty—both digital and tech—intensified significantly following the Russian invasion of Ukraine in February 2022. Along with a focus on territorial security, as seen in the increased defense spending of most EU member states, the EU realized that it needed to address other vulnerabilities. Most urgently, the invasion led to a swift and drastic shift in Europe’s energy supply, as Russia went from providing 45 percent of Europe’s oil and gas in 2021 to 19 percent in 2024.²⁸ But the digital arena was also vulnerable: Russian cyberattacks and apparent sabotage against undersea cables demonstrated the dangers facing Europe’s digital infrastructure, while Russian-origin disinformation flooded European social media.

Perhaps the most important consequence of the Russian invasion, however, was the realization that Europe was vulnerable and that preserving its sovereignty—digital and otherwise—would require concrete actions. Many of the green technology initiatives mentioned above were still in the legislative process when the invasion began but moved to enactment by mid-2023 as the commission’s term began to close and as Europeans became even more conscious of those vulnerabilities. Competitiveness, resilience, and sovereignty became linked together in the concept of economic security as the EU sought to reduce its external dependencies, especially on Russia and China.

By the end of 2024, the tech sovereignty impulse in Europe had become a key policy priority, as demonstrated by the appointment of Henna Virkkunen to the new position of European Commission executive vice president for tech sovereignty, security, and democracy. But before the second von der Leyen commission could get its program under way—or make progress in implementing the Draghi report—Trump’s reelection as US president pushed the impulse toward European digital sovereignty into hyperdrive.

Trump actions spur renewed calls for greater independence

European suspicions about US intentions and capabilities in the digital world have existed since 2013, when Edward Snowden revealed the extent of US National Security Agency interception of Europeans’ communications. Nevertheless, the United States and EU enjoyed relatively open trade in digital services. The advent of the second Trump administration, however, has energized the transatlantic debate over digital sovereignty. While Trump’s focus during the 2024 campaign was on the EU’s trade in goods surplus with the United States, once back in office he frequently criticized the EU’s digital regulations as a whole, despite the US surplus in services trade driven by the success of US tech companies.

Only a month after Trump’s January 2025 inauguration, the White House issued a memorandum on “Defending American Companies and Innovators from Overseas Extortion and Unfair Fines and Penalties,” calling for tariffs and other responses in cases “where a foreign government, through its tax or regulatory structure, imposes a fine, penalty, tax, or other burden that is discriminatory, disproportionate, or designed to transfer significant funds or intellectual property.”²⁹ The memo specifically highlighted “regulations imposed on United States companies by foreign governments that could inhibit the growth or intended operation of United States companies.”³⁰ It also called for the US trade representative to determine whether to renew Section 301 investigations of several digital service taxes (DSTs), including those adopted in France, Austria, Italy, and Spain. The fact sheet accompanying the memo made clear that the target was the European Union and specifically “regulations that dictate how American companies interact with consumers in the European Union, like the Digital Markets Act and the Digital Services Act, will face scrutiny from the Administration.”³¹

Such an aggressive approach brought the issue of digital sovereignty to the fore, as it seemed to disregard the EU’s right to regulate its own market. As the United States and EU pursued a trade agreement, there were conflicting reports as to whether the DSA and DMA (as well as other EU regulations) were on the negotiating table.³² In the end, the joint statement published on August 21, 2025, did not mention either regulation or the DSTs adopted by several EU member states.

But the joint statement was hardly the last word. On August 25, Trump posted on Truth Social: “As the President of the United States, I will stand up to Countries that attack our incredible American Tech Companies. Digital Taxes, Digital Services Legislation, and Digital Markets Regulations are all designed to harm, or discriminate against, American Technology.”³³ Meanwhile von der Leyen, in her September 2025 State of the Union speech, defended the trade deal but also stated: “Whether on environmental or digital regulation, we set our own standards. We set our own regulations. Europe will always decide for itself.”³⁴

The Trump administration has continued criticizing EU digital regulation. For example, on December 16, US Trade Representative Jamieson Greer posted on X (formerly Twitter) that the EU had “persisted in a continuing course of discriminatory and harassing lawsuits, taxes, fines, and directives against U.S. service providers,” and suggested that the United States would retaliate.³⁵ It would be relatively easy for the administration to renew the Section 301 investigations of DSTs. The US government might also look for a mechanism to counter the impact of the DSA and DMA, especially if US companies are fined significantly under those laws. On April 23, 2025, the European Commission fined Apple and Meta €500 million and €200 million, respectively, for noncompliance with the DMA.³⁶ In September, Google was fined €2.95 billion for “distorting competition in the advertising technology industry,” although this case was pursued under the European Commission’s long-time competition authorities rather than under the DMA.³⁷

The commission is also investigating X as well as Meta’s Facebook and Instagram for alleged violations of the DSA, along with separate probes of the Chinese firms AliExpress, Temu, and Tiktok, and several European-based online pornography platforms. On December 5, 2025, the Commission fined X €120 million under the DSA for issues related to its blue checkmarks and advertising repository.³⁸ Beyond these specific cases, the growing criticism of Europe from the US executive branch and parts of Congress, which claim it is censoring “free speech,” is an indication that an influential segment of the Republican Party in the United States will continue to push for action against European efforts to moderate digital content. The EU has been a key target, as has the United Kingdom with its Online Safety Act.

At the same time, the European Commission has embarked on a process of simplifying some regulations as part of an effort to make the EU economy more competitive. A digital omnibus—a legislative package designed to amend several regulations across a sector simultaneously—was presented on November 19, 2025.³⁹ As with other commission proposals for simplifying regulations, the digital omnibus focuses on reducing requirements for small and medium-sized enterprises (SMEs), along with streamlining reporting in cases of cybersecurity incidents. It also proposes delaying implementation of AIA requirements for high-risk systems until relevant guidance has been issued and calls for “targeted amendments” to the GDPR to boost innovation, including that related to AI training.⁴⁰ While simplification is likely to reduce the regulatory burden on tech companies in Europe—including large US companies—it has not yet addressed issues related to digital sovereignty.

Apart from potential revisions to existing legislation, the commission plans to move forward on two tracks. First, the second von der Leyen commission anticipates deploying more financial resources to support research on emerging technologies such as AI and quantum. Early in 2025, von der Leyen announced InvestAI, an initiative to raise €200 billion in investment capital.⁴¹ The EU also plans, through the 2025 EU Startup and ScaleUp Strategy, to support startups in their search for the funding that will allow them to grow.⁴² While these funds should be viewed with some caution—it is unclear whether sufficient private funds will join this public-private effort—they demonstrate the EU’s commitment to building its own capabilities.

Second, the commission has made clear that it will continue to pursue new rules governing activities and companies in the digital arena. The Financial Data Access (FiDA) regulation, now in the final stage of negotiations, is intended to allow greater sharing of financial data among financial institutions in order to develop new digital financial products for consumers. European legacy banks have launched an effort to exclude those companies designated as gatekeepers under the Digital Markets Act from participation in FiDA; this effort will primarily affect US tech companies.⁴³

The EU Cloud and AI Development Act (CADA) will attempt to address the EU’s shortcomings in cloud and AI capacity by encouraging the permitting of new data centers and other infrastructure, and by providing greater computational capacity and resources to startups, especially those focused on AI. But it is also expected to establish EU-wide eligibility requirements for cloud service providers, along with harmonized procurement processes, in ways that could restrict participation by non-EU companies. It is not clear yet whether CADA will address concerns through risk-based assurance models or ownership restrictions. It has reportedly been delayed until the first quarter of 2026 as the commission considers the concept of European effective control as a way of supporting EU digital sovereignty.⁴⁴

The Digital Fairness Act, expected to be introduced in mid-2026, will be the EU’s flagship legislation for business-to-consumer relations and will address protection of minors online, transparent online pricing, the abuses of manipulative and addictive design, and marketing by influencers—all of which are likely to be of significant interest to US platforms. Other initiatives expected to be launched in the next eighteen months include the ICT Supply Chain Toolbox, the Quantum Europe Strategy, and the Digital Networks Act. Finally, the European Data Union Strategy, released on November 19 along with the digital omnibus, establishes the ambition of “safeguarding the EU’s data sovereignty through a strategic international data policy.”⁴⁵ It aims to do this by “making fair conditions for data access and cross-border transfer . . . protecting sensitive EU non-personal data . . . and deepening cooperation with trusted partners.”⁴⁶ While a strategy is not a legislative document, we can expect that it will help guide EU policy on international data flows.

The European Parliament is also active in the digital sovereignty debate. MEP Axel Voss, one of the parliament’s leaders on these issues, wrote in an October 2025 post on LinkedIn: “We need immediate decisions to regain a digitally competitive and sovereign EU. Eurostack, deregulation, venture capital, chips, energy, access to quality data and a flourishing environment for Start Ups and creators are crucial for our sovereignty.⁴⁷ He proposes a number of measures, from digital special economic zones to using only EU programs within EU institutions to integrating “buy and deploy European tech” in public procurement.⁴⁸

These initiatives will undoubtedly continue to have an impact on the transatlantic relationship, as they will affect the major actors in the market, most of them American. Even with the best of intentions—and no ambition to exclude those companies—EU adoption and implementation of such rules will likely raise questions about the openness of its future market and the participation of non-EU firms.

The next section explores how the United States and EU have wrestled with the competing pressures of sovereignty and open markets, as presented by a set of key issues relating to government access to data.

Snowden’s relevations and the ‘kill switch‘

More than a decade has passed since the Snowden revelations, but the topic continues to shadow transatlantic digital relations. Many in Europe hailed Snowden as a hero for revealing Europe’s vulnerability to US signals intelligence, and the European Parliament invited him to appear and speak at a plenary meeting. The Obama administration, which charged Snowden under the Espionage Act, objected vehemently to the invitation and, in the end, Snowden addressed the parliament only by video link.⁴⁹ Now, however, US domestic sentiment regarding Snowden’s actions has begun to shift, at least in Republican circles, as several of Trump’s advisers have called for him to be pardoned.⁵⁰

Snowden’s disclosures started a chain of legal proceedings in Europe that generated substantial uncertainty among companies about the legality of their indispensable transfers of personal data to the United States. The Court of Justice of the European Union (CJEU) twice invalidated EU-US international transfer arrangements, judging them insufficient to protect Europeans’ fundamental rights. In 2015, the court struck down the EU-US Safe Harbor Framework, and a successor arrangement, the Privacy Shield, met the same fate in 2020.⁵¹ Meta, the object of the litigation both times, took the issue seriously enough that it publicly conceded to US securities regulators that it might need to withdraw Facebook and Instagram from Europe if it could not legally transfer data to the United States.⁵²

A third arrangement, the EU-US Data Privacy Framework (DPF), concluded in 2023, put significant additional safeguards in place for Europeans’ personal data when they are transferred to the United States. It has stabilized the situation, at least for the time being. On September 3, 2025, the EU General Court rejected a challenge to the DPF brought by Philippe Latombe, a French parliamentarian.⁵³ The case tested the sufficiency of US legal reforms made to overcome the CJEU’s 2020 judgment on the Privacy Shield. The court rejected claims that a redress mechanism created by the agreement lacked independence within the US legal system. It also validated the sufficiency of US safeguards relating to the collection of bulk data for intelligence purposes. Latombe has appealed the General Court verdict to the Court of Justice, however, so a definitive verdict on the fate of DPF has yet to be issued.⁵⁴

The European privacy advocacy organization None of Your Business (NOYB)—headed by well-known Austrian privacy activist Max Schrems, who brought the 2015 and 2020 CJEU cases—reacted with disbelief to the Latombe ruling. Schrems drew attention to Trump administration actions against the independence of the US Privacy and Civil Liberties Oversight Board (PCLOB) and the Federal Trade Commission (FTC). He also said that he is mulling bringing a second challenge to the DPF in EU courts.⁵⁵

US cloud service providers, including Amazon Web Services and Microsoft, have responded to European unease over data transfers to the United States by introducing service features that allow enterprise customers to store certain types of data exclusively on servers located on the continent.⁵⁶ Offering to localize data in this fashion can reassure European customers concerned about the long arm of US government’s potential access to their data.

However, the Trump administration exacerbated European anxiety over data flows to and from the United States by briefly cutting off Ukraine from US intelligence sharing in early 2025.⁵⁷ The specter of a US government kill switch—in the form of an order to US cloud providers to stop commercial data transfers to Europe—has spurred further efforts by US cloud providers to reassure their European customers. Brad Smith, Microsoft’s vice chair and president, went so far as to issue a public statement in April that, “In the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court.”⁵⁸

In response, some European companies have spied a business opportunity. For example, the German company Ecosia and its French counterpart Qwant announced their intention to build a European web index called European Search Perspective (ESP) to compete with Google’s search engine.⁵⁹ Ecosia’s chief executive officer (CEO) cited concern about the political winds blowing in the United States: “With the US election turning out as it has, I think there is an increased fear that the future US president will do things that we as Europeans don’t like very much . . . We, as a European community, just need to make sure that nobody can blackmail us.” He also emphasized Europe’s current dependence on Google’s services: “If the US turned off access to search results tomorrow, we would have to go back to phone books.”⁶⁰

The European dream of regaining data sovereignty by generating companies that can compete with the US cloud giants has a long history of failure. Our 2022 report chronicled the ambitious Franco-German effort to develop GAIA-X, a federated data and cloud ecosystem.⁶¹ In the years since, the vision of an interoperable network of trusted European cloud providers has had limited success. Its major output is a series of standards, specifications, and labels for European cloud providers, rather than a transformation of the commercial landscape.⁶²

Draghi’s 2024 report on the single market effectively conceded defeat in this area of endeavor. “It is too late for the EU to . . . develop systematic challengers to the major US cloud providers,” Draghi wrote.⁶³ Nonetheless, European anxiety over the possibility, however small, that dominant US platform services could withdraw from the continent, be blocked from serving it by the US government, or be a mechanism for channeling EU data to the US government, will continue to power a push for European sovereign alternatives.

A second continuing impetus is an awareness in Europe—thanks to Snowden—that the dominance of US digital services in Europe offers US intelligence agencies a strategic advantage. The Biden administration even boasted of this during the 2023 congressional debate to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), a principal authority for collecting intelligence information on non-Americans. The pervasiveness of US digital service providers worldwide, the administration noted, allows US intelligence agencies to “leverage this national advantage to collect foreign intelligence information . . . in order to protect America from its adversaries.”⁶⁴

US law enforcement access to data on European servers

US intelligence collection in Europe is not the only challenge to data sovereignty that the EU sees emanating from the United States. Another is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a 2018 US law. This statute confirmed that US law enforcement can unilaterally order cloud service providers with a presence in the United States to turn over personal data they host on servers in Europe and other foreign locations for criminal investigations and prosecutions. Although several EU countries, including Belgium, give their law enforcement authorities similar extraterritorial criminal evidentiary powers, this part of the CLOUD Act is seen in Europe as singularly intrusive. When EU legislators call for companies to be immune to foreign law, they are often referring to the CLOUD Act.

However, the CLOUD Act also contains a conciliatory dimension. Part II of the act authorizes the US Department of Justice to negotiate binding international agreements under which criminal investigators and prosecutors can obtain foreign-located electronic evidence directly from providers. Because CLOUD Act agreements are consensual, they do not violate a foreign state’s judicial sovereignty by commanding that a legal measure be taken on its territory. Instead, they remove legal obstacles that companies otherwise face in voluntarily assisting foreign law enforcement. This new type of international agreement can substantially reduce reliance on mutual legal assistance treaties (MLATs), which can be too slow and cumbersome for obtaining e-evidence in fast-moving investigations.

The United States has concluded CLOUD Act agreements with the United Kingdom (UK) and Australia, and negotiations are under way with Canada, all of which are members of the Five Eyes intelligence collective.⁶⁵ The UK agreement, the first to be concluded, has had a positive effect for that country’s law enforcement agencies.⁶⁶ According to the US Department of Justice, UK agencies have already made more than twenty thousand direct requests to companies holding electronic evidence in the United States, including many for real-time interception of communications.⁶⁷ The results “provided UK Law Enforcement and Intelligence Agencies with critical data to tackle the most serious crimes facing UK citizens including terrorism; child sexual exploitation; drug trafficking; and organised crime,” a UK government minister said in late 2023.⁶⁸

Prosecutors from EU member states have looked across the channel jealously as their UK counterparts have made use of this powerful new investigative tool. In 2019, the EU authorized negotiation of an e-evidence agreement with the United States.⁶⁹ Talks began in earnest after the EU finalized its controversial counterpart to the CLOUD Act, the 2023 E-Evidence Regulation.⁷⁰ Progress has been slow and painstaking. In June 2024, senior EU and US home affairs and justice officials issued an optimistic joint statement welcoming “further progress” in the negotiations and looking “forward to advancing and completing” them.⁷¹

The Trump administration has paused EU-US negotiations without explanation. It might have concluded that CLOUD Act agreements operate overwhelmingly to the advantage of foreign partners—the inevitable consequence of most relevant data being housed on servers located in the United States. As the Trump administration has demonstrated in trade negotiations with foreign countries, it is singularly focused on agreements that it can present as bringing more benefits for the United States. However, such a narrow focus overlooks other benefits of CLOUD Act agreements—sparing cloud providers conflicts of law, deterring data localization measures, and reducing the burden on the mutual legal assistance process.

In mid-2025, the UK government added an element of controversy to the use of CLOUD agreements by allegedly serving a request to Apple that it globally disable security features on its products.⁷² If the UK successfully required Apple to remove security from a product (for example, by building in a backdoor to data that would otherwise be end-to-end encrypted), it could then use the CLOUD Act agreement to request the now-vulnerable data directly from the company. Apple challenged the request in a UK administrative court proceeding and issued a public statement warning customers about the measure’s impact.⁷³ In addition, the White House and Congress sharply criticized the reported UK measure.⁷⁴ In August, the UK government withdrew its demand for access to Apple US customers’ encrypted data, effectively conceding to the US objection.⁷⁵ It recently confirmed that the order had been reissued to apply only to UK users.⁷⁶ The US government could well demand that any EU e-evidence agreement include a similar commitment safeguarding US persons’ data from surveillance by member states’ authorities.

A US-EU e-evidence agreement would be an important advance in calming Europe’s sovereign sensitivities about how US law enforcement authorities collect foreign-located evidence, just as the Data Privacy Framework has at least temporarily allayed Europe’s concerns about US national security agencies’ collection practices. Taken together, the two agreements would neutralize much of the political tension that has prevailed in these realms for more than a decade.

The US u-turn on data flows

After decades of the United States propounding unrestricted international commercial data flows—and bemoaning Europe’s privacy impediments to them—the Biden administration made a dramatic course correction in late 2023.⁷⁷ Through parallel legislation (the Protecting Americans from Foreign Adversary Controlled Applications Act) and executive action, it imposed controls on certain categories of data exports to China, Russia, and other “foreign adversaries” citing national security reasons.⁷⁸ Subsequently, the Department of Justice issued a final rule and guidance to companies on compliance and enforcement.⁷⁹ Both the legislation and regulatory actions were spurred by reports that data brokers were collecting publicly available bulk data on US persons and selling them to foreign governments, which could enable them to—among other things—track the location of US military personnel.⁸⁰

In addition to enacting domestic measures to limit certain international commercial data flows, the United States reversed course internationally. In the fall of 2023, the Office of the US Trade Representative withdrew its proposal to include in the Joint Statement Initiative on Electronic Commerce (JSI)—a World Trade Organization negotiation—a guarantee of the free flow of data across borders.⁸¹ The final text of the JSI, announced in July 2024, not only lacks such an obligation but allows parties essentially unlimited scope to restrict data flows for data protection reasons, precisely as the EU had sought.⁸² Even with these changes, the United States declined to join the JSI because it regarded the agreement’s national security exception as insufficiently flexible, a move that some European Commission officials found puzzling.⁸³

In contrast to the United States—and despite its long history of controlling data exports through the GDPR—the EU has moved slowly to evaluate the risks of data transfers to authoritarian states such as China and Russia. In 2021, the European Data Protection Board commissioned an outside report from academics that confirmed both countries’ governments have access to individuals’ personal information without commensurate rule-of-law protections, but it took no further action.⁸⁴ Even Russia’s full-scale invasion of Ukraine has not served to entirely staunch the flow of European data to Russia. The Finnish and Dutch data protection authorities investigated data transfers by Yango, a subsidiary of the Russian search engine Yandex, but have not yet imposed restrictions.⁸⁵

The past year, however, has seen a gradual shift in European regulators’ thinking regarding data transfers to China. In May 2025, the Irish Data Protection Commission (DPC) fined TikTok €530 million after discovering it was transferring data to China without requisite data protection safeguards.⁸⁶ In July, the DPC broadened its TikTok inquiry into whether the Chinese government could access such data when they are stored in China.⁸⁷ The Finnish data protection authority began a separate investigation into possible Chinese government access to health data that a Finnish university had shared with a Chinese genetic analysis company.⁸⁸

Even Schrems, who has long challenged European data transfers to the United States, has turned his attention to China. Early in 2025, he filed complaints with European data protection authorities against six major Chinese consumer companies, including Shein, Temu, and WeChat, alleging government access to Europeans’ personal data by an “authoritarian surveillance state.⁸⁹

Recent moves by European data protection authorities to question whether China’s government has impermissible access to Europeans’ personal information mirror the rise in geopolitical tensions between Brussels and Beijing. Ireland’s inquiry into TikTok data transfers, for example, can be read as asserting European data sovereignty against a geopolitical rival. The data dynamics are, in effect, a microcosm of Europe’s larger dilemma with China—deep commercial dependency, but also a recognition that a degree of sovereign control is needed.

A single European data market

Brussels has recently expanded its laws promoting the secondary use of data for commercial, research, and government purposes, in hopes that these innovative legal measures will give homegrown companies a much-needed advantage in competing with data-rich foreign tech giants. However, the transfer of such data to non-EU companies has raised concerns about potentially protectionist restrictions. The Data Governance Act, the Data Act, and the European Health Data Space regulation—all enacted during the first von der Leyen commission—seek to stimulate a market for the secondary use of European data for commercial purposes.⁹⁰ These measures are based on the recognition that data collected by—and locked within—governmental or commercial organizations can have societal and economic benefits if made available for reuse by other entities.

The 2022 Data Governance Act grew out of a post-pandemic recognition of the potential for reuse of government-held data. It facilitates reuse by the private sector, for both commercial and non-commercial purposes, of government-held data (G2B), including data originally collected by public health, environmental, and transport authorities. Then Commissioner Thierry Breton hailed it as a step toward “an open yet sovereign European Single Market for data.”⁹¹

The Data Governance Act was followed a year later by the even more ambitious Data Act, which concentrated on expanding business-to-business sharing of non-personal data, such as the industrial data generated by connected devices. The Data Act sought to ease legal issues that arise with reuse by third parties, such as intellectual property protection and trade secret rules. Both laws insisted upon additional safeguards for transferring data to companies in third countries, such as the United States, where that data could become subject to governmental access. The European Commission further envisaged a series of sector-specific European data spaces, each requiring separate legislation.⁹² They would cover sectors—from agriculture to energy to transportation—that generate large amounts of industrial data ripe for reuse. The European Health Data Space regulation is the first of this series to be enacted.

At the start of the current commission mandate, von der Leyen’s mission letter to Virkkunen instructed her to deepen focus on the reuse of data. She was asked to “present a European Data Union Strategy drawing on existing data rules to ensure a simplified, clear and coherent legal framework for businesses and administrations to share data seamlessly and at scale, while respecting high privacy and security standards.”⁹³ The commission duly launched a public consultation process, articulating as its aim “expanding the availability and use of data to support AI development.”⁹⁴ Published on November 19, 2025, the Data Union Strategy seeks to safeguard the EU’s data sovereignty by ensuring fair conditions for cross border flows of non-personal data; “linking EU data ecosystems with those of like-minded partners;” and “boosting the EU voice in global data governance.”⁹⁵ This is intended to build a comprehensive legal regime for secondary data access that will enable European industry to catch up with the US tech giants that already enjoy access to vast pools of proprietary data.

EU content moderation and free speech

One of the EU’s proudest recent legislative accomplishments is the 2023 Digital Services Act, a sprawling and complex framework regulating online platforms’ accountability for illegal content, including illegal hate speech.⁹⁶ It imposes the most onerous requirements on very large online platforms, half of which are US companies. The Trump administration and the Republican-led Congress have sharply criticized the DSA, viewing it as a tool for the suppression of right-wing populist political speech.⁹⁷ On the contrary, the EU views certain DSA provisions, such as transparency tools and safeguards against arbitrary content moderation, as intended to protect free speech.

Trump singled out the DSA for criticism in the February 2025 official memorandum on preventing the “Unfair Exploitation of American Innovation,” while the Republican chair of the Federal Communications Commission called it “incompatible with both our free speech tradition in America and the commitments that these technology companies have made to a diversity of opinions.”⁹⁸ The US State Department began a diplomatic campaign, alleging, “In Europe, thousands are being convicted for the crime of criticizing their own governments.”⁹⁹ A leaked August 2025 cable to European posts directed US diplomats to advocate for a narrowing of the DSA’s definition of illegal content, among other ambitions. The European Commission firmly pushed back, describing the censorship allegations as “completely unfounded” and insisting that its digital legislation “will not be changed.”¹⁰⁰

The Republican majority on the House of Representatives Judiciary Committee also weighed in with a strongly worded staff report describing the DSA as an “anti-speech, Big Brother law.”¹⁰¹

The report identified a handful of examples of how the act could function to restrict speech extraterritorially. For example, in an August 2024 letter, then Commissioner Breton warned Elon Musk’s X platform that the effects of a campaign interview it hosted with Trump could spill over into the EU and spur commission retaliatory measures under the DSA.¹⁰² The committee also cited a request to X by the French national police that the platform remove a post originating from a US-based account suggesting France’s immigration and citizenship policies were to blame for a 2023 terrorist attack a Syrian refugee committed in that country.¹⁰³

The chairman of the US FTC launched a further salvo in August, warning US companies that their very compliance with the EU’s DSA, or with the UK’s similar Online Services Act or its surveillance authorities, could constitute a violation of the FTC Act, which prohibits unfair or deceptive commercial acts or practices. FTC Chairman Andrew N. Ferguson suggested, “It might be an unfair practice to subject American consumers to censorship by a foreign power by applying foreign legal requirements, demands, or expected demands to consumers outside of that foreign jurisdiction.”¹⁰⁴

This transatlantic dispute over the DSA and similar content moderation laws reflects differing US and European historical traditions on speech regulation.¹⁰⁵ The US Supreme Court has identified only speech creating a “clear and present danger” of inciting violence or other illegal conduct as suitable for restriction. Many European judiciaries, informed by their countries’ twentieth century histories of hate speech, take a more cautious view. For example, Germany bans speech glorifying or denying the Holocaust, while Denmark makes it illegal to burn the Quran. The DSA is the EU’s attempt to ensure that platforms remove content deemed illegal, both offline and online, but the act’s lack of definitions leaves a door open to abuse.

On December 23, 2025, the Trump administration raised the stakes in its free speech campaign against European content moderation laws. Secretary of State Marco Rubio issued determinations under the Immigration and Nationality Act barring from entry into the United States five Europeans associated with content moderation.¹⁰⁶ The headliner was Thierry Breton, an architect of the DSA; the others hail from European non-governmental organizations that track hate speech and disinformation on the internet. The European Commission quickly issued a statement that it “strongly condemns” the US actions, reiterating its “sovereign right to regulate economic activity in line with our democratic values.”¹⁰⁷ As the Trump administration continues its ideological campaign against the DSA, the transatlantic dispute over free speech seems bound to escalate.

Cybersecurity and cloud services

In 2022, the European Union Agency for Cybersecurity (ENISA) began an effort to harmonize member-state cybersecurity requirements for government data processing contracts. The European Commission averred that cloud services were a “strategic dependency” on a handful of large providers headquartered in the United States.¹⁰⁸ Several EU member states, led by France, argued for including sovereignty requirements in the envisaged EU Cybersecurity Scheme (EUCS).

A leaked 2023 ENISA draft proposed that the EU impose sovereignty requirements similar to those in France’s domestic security certification and labeling program, SecNumCloud, for contracts involving the most sensitive government data. SecNumCloud has an announced goal that, in order to obtain a trust certificate, cloud service providers must be “immune to any extra-EU regulation.”¹⁰⁹ ENISA proposed incorporating this requirement into EU law as well, adding restrictions on foreign ownership and insisting on localization of cloud services operations and data within the EU.

EU member states divided over whether to adopt such cybersecurity requirements, which could have the effect of disqualifying large foreign cloud service providers from sensitive government data processing contracts. In addition, some European companies, especially in the financial sector, argued that the foreign providers offered greater cybersecurity as well as a superior technical product.¹¹⁰ The Office of the US Trade Representative formally questioned whether the potential EUCS restrictions were consistent with the EU’s obligations under the World Trade Organization’s Government Procurement Agreement (GPA).¹¹¹

In 2024, the Belgian EU presidency put forward a compromise proposal that discarded the foreign ownership restrictions in favor of data labeling and localization requirements.¹¹² French authorities and technology companies expressed dismay at the prospect of EU-level cybersecurity certification rules weaker than France’s own.¹¹³ ENISA has yet to issue the final implementing measure, and this debate could well reemerge in the context of the anticipated CADA.

Looking ahead: Transatlantic tension will persist

The European debate over digital sovereignty—now firmly linked to the wider debate over technological sovereignty—is likely to be a continuing point of tension in the US-EU relationship. For many years, this has been a rhetorical exercise with few real consequences for non-EU firms, especially US companies. But the shift in geopolitics and the increasing drive to support EU industries to build a more competitive economy have led many European policymakers to conclude that now is the time to act. Moreover, the geopolitics are not just about Russia’s aggression or China’s export domination. They are also about the shifts and inconsistencies in US policy that have made many in Europe believe that it must now begin to fend for itself, in terms of both defense and the economy. 

As a result, the debate over digital sovereignty has moved from a discussion of whether there should be limits on non-EU companies to a discussion of how many restrictions there will be, and of what type and in what sectors of the economy. That discussion is likely to be pursued through several key legislative initiatives planned for late 2025 and 2026. CADA is already expected to identify requirements—including sovereign requirements—for cloud services.

Perhaps most relevant, the public procurement directives are already under internal review, with a proposal for revision expected from the commission in 2026.¹¹⁴ Because much of the debate is about who can sell which products and services to whom (including to governments), procurement policy will be a key instrument in imposing sovereign requirements. EU and member-state procurement rules currently privilege price as the key selection criteria but, in the Net Zero Industry Act and other new measures, other considerations have been introduced into the procurement calculation.

As the EU pursues these initiatives, it will face a dilemma: To what degree does sovereignty require autarky? Or does the EU require partnerships, despite the risk of dependencies, because of the current lack of key capabilities? Some in Europe have argued that the right way forward is to develop end-to-end EU capabilities in the form of a Eurostack.¹¹⁵ From fiber-optic networks and computing hardware to software development and cybersecurity capabilities, all would be provided by EU companies.¹¹⁶ Others have pointed to the difficulties with this, asking whether the lack of EU-owned capabilities in cloud, AI, search, and other key functions would doom such an effort to be inferior and thus push Europe farther behind in the race to innovate essential digital technologies for the future. They also fear that European companies will not be able to compete internationally if they are cushioned by sovereign requirements.¹¹⁷ Some see no contradiction between sovereignty and being open to non-EU firms; indeed, they see access to the most innovative global companies as essential, especially given Europe’s competitiveness challenge.¹¹⁸ For others, the key element is timing. The EU tech sector currently lags in innovation but, with proper support and time, it should be fully capable of growing world-leading firms and technologies.¹¹⁹ Indeed, the EU’s International Digital Strategy emphasizes the importance of partners in boosting EU competitiveness and innovation, and the EU’s ambitions in global governance for data can hardly be accomplished without cooperative partners.¹²⁰

But in all these versions of digital sovereignty, as well as in the larger arena of tech sovereignty, there is a central question: who owns the companies involved, and does it matter if they are not EU firms as long as they abide by EU laws and regulations? The recent negotiations over an EU-wide cloud certification system stalled on exactly this point (see the above discussion of EUCS). The Toolbox for 5G Cybersecurity put forward the concept of a “high-risk supplier” to warn against non-EU companies that were insufficiently independent of their home governments. While this was aimed at Chinese companies—especially Huawei—concerns have more recently focused on the United States and its companies.

The EU’s concerns are not only about the dominant position of US platforms in the European digital market, but also the potential actions of the US government—especially the Trump administration. The administration’s inconsistency on Ukraine, highlighted by its threats in July 2025 to cease sending weapons and other military supplies to Ukraine (reversed shortly after), alarmed many in Europe.¹²¹ Reports that the Trump administration threatened to block Ukraine’s access to the vital communications network Starlink during negotiations over critical minerals also raised European concerns.¹²² While these instances were primarily about defense, not the digital arena, they have created a heightened sense of insecurity in Europe. Coupled with the experience of the trade negotiations, they put into question the reliability of the United States as a partner in any undertaking.

In this environment, the EU will need to make choices about how best to ensure it has sufficient sovereignty over its digital market. Will the answer be found in more restrictions on non-EU companies, or with a more open arrangement that also boosts European economic growth and competitiveness?

Seven recommendations for Brussels and Washington

Given the economic stakes involved for both parties, the EU should engage the United States as it moves forward, and should keep the following guidelines in mind.

Competitiveness is key to innovation and economic success.

Throughout the coming debates over sovereign requirements, the EU must balance the need for security and for its own industrial and digital capabilities with the efficiencies and productivity required for a globally competitive economy. Settling for a more expensive and less capable product or service because it is European owned is not the way to grow the economy. There are times when it is necessary, but these instances should be rare and well considered, not routine.¹²³

Heated rhetoric on either side does not help the economy.

As the EU moves forward with legislation, both Washington and Brussels should seek to lower the temperature. While some US executive orders and statements from top officials have seemed to decry any EU regulation that impedes US companies, the reality is that Europe has the right to regulate as it sees fit in its own market, as does the United States. At the same time, European threats of broad sovereign restrictions do not encourage needed investment. It should not be forgotten that the US-EU trade and investment relationship is the largest such partnership in the world, worth around $1.5 trillion in goods and services trade in 2024, and with mutual investment worth several times that.¹²⁴ As both parties establish regulatory or investment requirements intended to boost domestic capabilities and add resilience to their economies, there will inevitably be tensions and misunderstandings. Creating barriers to trade and investment is sometimes necessary in limited circumstances, but careful consultations can ameliorate their impact.

Agreed legal frameworks in key areas can ease the need for sovereign protections.

As the discussion of data policy demonstrates, the transatlantic economy is not just about products and services, but also the data generated by them. Sharing those data—and being able to use them to generate revenues—is key to success in the digital economy. Of course, those transferring and using data must comply with local laws, including the GDPR. But the US and EU regulatory regimes collide at times, offering inconsistent or even conflicting requirements. Negotiated arrangements, such as the US-EU Data Privacy Framework, can overcome those differences and provide a stable context for business. A US–EU agreement on law enforcement access to data likewise could provide the protections and access both parties need. Similarly, an agreement that facilitates transfers of non-personal data might be useful in response to the Data Act and Data Union Strategy. Now is the time to make sure the United States and EU are developing compatible regimes.

Ringfencing can be a valuable strategy, as can trusted vendors.

Not all suppliers and customers are equal. Arrangements among allies and partners can lessen risks while preserving as much of the open, prosperous economy as possible, even in sensitive sectors. It makes no sense for Europeans to focus more on the transfer of data to the United States than to Russia or China. Using criteria such as those in the EU Toolbox for 5G Cybersecurity to identify foreign companies that can partner in key sectors will provide clarity and ease transactions. Similarly, a proposal floated in the EUCS negotiations that the trusted circle of cybersecurity providers be based on NATO membership might be appropriate. The Group of Seven (G7) could also offer a starting point for developing a set of compatible, interacting regulatory regimes in the digital economy, as it has done to some degree through its discussion of data free flow with trust and the AI principles and code of conduct.¹²⁵

Certain sectors of the economy are more sensitive than others.

Digital sovereignty requirements should not be imposed on broad swaths of the economy. There are two main reasons for such requirements: national security and creating an indigenous capability in those areas where national economic resiliency is required. Policymakers should carefully identify the areas of the economy where these two reasons apply. Cybersecurity for essential government operations and protecting critical infrastructure are good examples. Management of more prosaic, but still sensitive government data—including where they are stored and who has access—might not need such stringent requirements. Because digital elements—data, cloud, software, and increasingly AI—exist across the economy, it might be more helpful to think about specific functions and make a risk-based assessment of the consequences of failure. Sovereign requirements should be limited to those areas in which a failure or breach will have consequences across society and the economy.

The type of sovereign requirement can vary with the economic sector and even particular conditions.

Among European policymakers, the sovereign requirements currently under discussion can be divided into two types: those that require a supplier to adhere to specific rules and those that involve restrictions relating to the ownership of the company supplying a particular service or product. The first might involve data localization or restricting access to data or use of a particular technology, such as AI. The second, which has been applied in the French SecNumCloud, is far more restrictive and affects the ability of any US-based company to provide the service in question. In some cases, an ownership restriction might exclude companies with the best capabilities from providing the service, and could even expose those using the service to more risk. Thus, ownership restrictions are unlikely to be worthwhile except in rare cases. In the United States, these exist in areas of defense contracting, in which companies dealing with US classified material must set up a US company with US governance and employees. But most government digital contracts, both in the United States and in Europe, are not defense related and would not require such far-reaching ownership rules.

Instead, for those functions in which a breach or disruption would cause significant harm, creating a category of trusted vendors might be appropriate. This could apply to sensitive government functions, as well as to critical infrastructure provided by private-sector enterprises. A system based on trusted vendors could balance the desire to boost local providers while also securing access to top-quality services from non-EU companies. The EU might consider whether there are lessons to be learned from the US government’s FedRAMP system, which certifies companies (including non-US companies) to provide cloud services to different government customers. Companies need to meet criteria that become more restrictive and complex through the three levels of certification (low, moderate, and high).¹²⁶ While FedRAMP applies across most of the US government, individual agencies have the ability to impose their own requirements, allowing national security and intelligence agencies to impose further restrictions on those involved in classified functions. Despite these exceptions, FedRAMP’s graduated approach—matching certification level to sensitivity of the data—is much more tailored than some European proposals in matching certification requirements to the risk level of the cloud service required.¹²⁷

Sovereign requirements should be implemented in a consistent manner, including at the member-state level.

One of the persistent challenges of EU policy is ensuring that implementation is the same throughout the union. Both the Draghi and Letta reports cited differences in member-state requirements for businesses (or implementation of those requirements) as a key factor slowing EU competitiveness. The US trade representative has cited as trade barriers numerous instances of different requirements among EU member states, meaning that companies must follow multiple sets of rules even within the single market.¹²⁸ The European Commission recognized this problem when it decided that, under the DSA, very large online platforms (VLOPs) should be regulated at the EU level, not by member-state authorities. As the EU develops sovereign requirements in the digital sphere, it should be alert to efforts by member states to toughen criteria in ways that add unwarranted restrictions.

While the EU certainly has the right to decide on its own digital sovereignty requirements, those measures will undoubtedly affect access of non-EU companies to the market as well as the capabilities that are accessible to the EU and its member states. There will be costs for the EU, especially as it tries to build a more competitive economy. For that reason, any restrictions should be focused on those circumstances in which risks are high and security is necessary. This exercise should not be about denying access to non-EU companies, but instead about building a secure digital environment and resilient European capabilities. The EU should engage with its partners—not only the United States, but also Japan, South Korea, the UK, and others—to ensure that the fewest possible frictions arise. This will be a test for the transatlantic relationship, but one that can lead to greater cooperation rather than continued angst. 

Fellow

Frances Burwell

Distinguished Fellow

Europe Center

Central Europe Digital Policy

Fellow

Kenneth Propp

Nonresident Senior Fellow

Europe Center

European Union Digital Policy

The authors would like to thank James Batchik, Emma Nix, and Jack Muldoon for their tireless support on the report’s editing, research, and data visualization.

Issue Brief Dec 4, 2025

Improving transatlantic cooperation on digital competition

By Zach Meyers

Greater dialogue between US and EU regulators would reveal similar priorities on digital competition, mergers, and antitrust issues, and could lead to greater alignment on key digital competition issues.

Digital Policy Economy & Business

Issue Brief May 29, 2024

Who’s a national security risk? The changing transatlantic geopolitics of data transfers

By Kenneth Propp

The geopolitics of data transfers is changing. How will Washington’s new focus on data transfers affect Europe and the transatlantic relationship?

Cybersecurity Digital Policy

Report Nov 2, 2022

Digital sovereignty in practice: The EU’s push to shape the new global economy

By Frances Burwell, Kenneth Propp

What does the European Union’s push for “digital sovereignty” mean in practice? Frances Burwell and Ken Propp provide an update to digital sovereignty and its transatlantic impacts.

Digital Policy Economy & Business

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.

Learn more

The post Digital sovereignty: Europe’s declaration of independence? appeared first on Atlantic Council.

Executive summary

While US and European Union (EU) policies differ in their approaches to online safety and the regulation of the internet, there is agreement about the need to protect children online. That is one high-level takeaway from a recent round of US-EU dialogue hosted by the Centre on Regulation in Europe (CERRE) and the Atlantic Council.

Such dialogue helps to identify common policy approaches for the protection of minors and common approaches to enforcing rules. Ultimately, it can also help facilitate faster and more efficient rollout of technologies to protect users. Dialogue will also help global platforms develop services to comply with rules and expectations on both sides of the Atlantic.

At the recent roundtable hosted by CERRE and the Atlantic Council, the synergies and differences in regulatory approaches and philosophies on both sides of the Atlantic centred on four themes. For each theme, some common threads seemed ripe for further discussion and cooperation.

• New legislation and approaches to enforcement: In terms of the overall governance landscape, legislation has a key role to play in Europe and in the United States, where long-standing federal rules have been supported by an increasing number of state laws.The bulk of legislation in the EU—such as the Digital Services Act (DSA)—is adopted at the EU level, while some member states are adopting supplementary rules. In the United States, most legislation is now being adopted at the state level. Public enforcement by regulators plays a big role in the EU and the United Kingdom (UK). In the United States, state attorneys general are taking action to enforce rules, with powers similar to those of regulators in Europe. More alignment and cooperation on enforcement would be beneficial. Private enforcement through courts is also possible but, while this is already widespread in the United States, it is just emerging in Europe.
• The harms from which children should be protected: On both sides of the Atlantic, there is a large degree of alignment on the harms from which children need to be protected. A strong commonality is that rules in Europe and the US both require compliance by design to avoid particularly harmful conduct, such as unwanted contact by unknown adults. Other common design elements include data minimization, which is a central component of the European Commission’s guidelines on protecting minors under Article 28 of the DSA and in the UK Office of Communication’s (Ofcom) age-appropriate design code and guidance under the Online Safety Act (OSA).
• Balancing rights: To balance the protection of fundamental rights (in particular, privacy and freedom of expression) against the need to protect children, there is widespread agreement that everyone—not just children—deserves protections online. The EU, UK, and United States are all cautious about dictating which content is acceptable online and are instead converging on approaches that require platforms to use processes and systems to ensure safety by design. Ensuring the protection of fundamental rights is a common concern and, ultimately, a matter of balance, including at the enforcement level.
• Age verification: Current debates about banning access to social media and about age verification are critical in Europe and in the United States, both in general and in relation to certain types of platforms (particularly those that host pornographic content). There is no agreement on a single type of technology that should be used, but there are prototypes and guidance on the high-level principles that the technologies should reflect. There are similar discussions on both sides of the Atlantic about how to attribute responsibility for age assurance across the supply chain—i.e., where in the supply chain age verification should take place—and how the division of responsibilities between players in supply chains could work in practice.

Introduction

The EU has put in place important legal building blocks to protect children online. These include the DSA and the European Commission’s guidelines on Article 28 of the DSA, which require providers of platforms accessible to minors to “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors.”¹ They also include the Audiovisual Media Services Directive (AVMSD), which contains rules to safeguard minors’ personal data and to protect children online, and the General Data Protection Regulation (GDPR), which provides rules on collection and processing of minors’ data. Other proposals yet to be finalized include the pending Digital Fairness Act (DFA) proposal and the Regulation on Child Sexual Abuse Material (CSAM).² Member states retain certain powers to enact national laws to protect minors online.³

In the United States, the protection of minors online is an important consideration at both the federal and state levels. At the federal level, the Kids Online Safety Act (KOSA) proposal, the Children’s Online Privacy Protection Act (COPPA) and the COPPA 2.0 proposal all seek to address certain aspects of children’s safety online (in particular, privacy, advertising, and CSAM).⁴ At the state level, California’s Age-Appropriate Design Code (CAADCA) has been challenged in court on First Amendment grounds.⁵ Other states, including Nebraska and Vermont, have recently adopted similar codes that they hope will withstand First Amendment scrutiny.⁶ Utah has also recently enacted a law to protect content-creating minors from financial exploitation and privacy violations.⁷

News headlines focus on apparent differences between US and European policies, which are spiraling into growing transatlantic tension. However, there is a large degree of alignment on the need to protect children online while also safeguarding fundamental rights such as privacy and freedom of expression.

The overall governance landscape

The European and US approaches are fairly aligned on some governance aspects of regulating child protection online. Since the adoption of its rules for video sharing platforms in 2018, the EU has embraced a legislative path to protect minors online.⁸ This legislative framework was strengthened in 2022 with the adoption of the DSA. Both the video sharing platform rules and the DSA are largely principle based and rely on a form of collaboration with the industry,placing the onus on the platforms themselves to decide what constitutes an appropriate and proportionate level of protection for minors. The UK has also adopted a legislative path with the OSA and the detailed guidance produced by Ofcom.⁹ Like the DSA, the OSA adopts a risk-based approach, with the larger and riskier platforms subject to stricter measures. The UK regulator, Ofcom, has supplemented the legislation with detailed guidance.

The European Commission recently adopted guidelines to help online platforms understand and comply with their obligations under Article 28 of the DSA, including setting out a list of recommendations for platforms, but these are nonbinding. Safety by design is at the heart of the guidelines. The EU’s legislative approach focuses on ensuring platforms put in place systems and processes, while steering away from regulating the type of content that should be outlawed.

So far, the EU’s legislative framework has not led to a full harmonization of approaches to protect minors, and some member states have adopted more restrictive approaches. For example, France, Germany, Ireland, and Italy have adopted supplementary legislation to protect minors from harmful content such as online pornography.¹⁰

In the United States, the federal government has adopted legislation such as the COPPA to tackle some problematic areas such as the need to protect minors’ personal data.¹¹ Despite heightened partisanship in Congress, leaders of both the Republican and Democratic Parties have expressed interest in supporting additional bipartisan legislation to protect children online.¹² Although there is less appetite for federal legislation with binding obligations on platforms in terms of platform liability, there is appetite at the state level to embrace the legislative path, and safety by design is the cornerstone of many of these initiatives.¹³ That being said, the Kids Online Safety Act (a federal initiative) received the support of sixty co-sponsors at the federal level, which shows that this is an area with some bipartisan support. The EU and the United States are also converging on some important aspects: more obligations are placed on larger platforms; there is an emphasis on protection and safety by design; and there is no “one size fits all” solution.

There is broad consensus among experts that, irrespective of geopolitical tensions, there has never been so much space for alignment at the policy level between different jurisdictions—and between Europe and the United States in particular. This is partly because Europe (with the DSA at the EU level and the OSA in the UK) takes a systemic risk approach and does not focus on moderating individual pieces of content. That places responsibility on the platforms to have processes and systems in place to design safe spaces at the outset.

There are also similarities in public and private enforcement of norms. In the EU and the UK, regulators play an important role in making sure that industry complies with the DSA, the AVMSD, and the OSA. In the United States, even if new federal laws are adopted, the creation of a dedicated federal regulator to publicly enforce the legislation is unlikely, though existing agencies such as the US Federal Trade Commission already have a remit over some of these issues. At the state level, attorneys general are empowered to enforce COPPA via civil actions despite it being a federal law. State attorneys general have many enforcement tools at their disposal, including the power to undertake industry-wide investigations. These are broadly in line with the enforcement powers of national competent authorities and the European Commission under the DSA (and Ofcom under the OSA). On both sides of the Atlantic, private enforcement through courts is also set to play an important role, though, to date, it has been more common in the United States than in either the EU or UK.

Harms against which children should be protected

In the EU, the harms against which children should be protected are potentially very wide and are not specifically defined in the DSA, which refers only to protecting minors’ “privacy, safety and security.”¹⁴ Furthermore, member states are free to set their own rules provided they are in the line with EU legislation.

Some harms are outlawed at the EU level, such as the sharing of child sexual abuse material, dark patterns (i.e., deceptive techniques used by online platforms to manipulate users’ behavior), the processing of minors’ personal data without the consent of parents, and the sending of targeted advertising to children based on profiling.¹⁵ US policy initiatives at the state and federal levels also identify these harms as targets for regulation. The dissemination of child sexual abuse material, for example, is already a criminal offense.

A strong focus of legislation to protect minors on both sides of the Atlantic is to make sure that children cannot be contacted on platforms by unknown adults. At the state level (Vermont in particular) lawmakers frame these as safety bills to avoid framing them as content regulation, which could bring challenges on First Amendment grounds. These design architecture elements, such as default settings that prevent children being findable, are also central in the European Commission’s guidelines on Article 28 of the DSA in the UK Information Commissioner’s Office’s age-appropriate design code and in Ofcom guidance under the OSA.¹⁶

Data minimization (meaning only a minimum amount of data can be gathered and processed) is seen as critical to mitigating harms in general, because there is a strong correlation between collecting vast amounts of data about children’s behavior online and using the data to target minors with harmful content. Also, data minimization could lead to stronger protection for all users. While enforcing data minimization principles is a challenge, it can be done. In the UK, for example, Ofcom is required to work closely with the data protection authority. Operational coherence and cooperation between regulators are crucial in this area.

Balancing fundamental rights

The debate about balancing the need to protect children against the protection of certain fundamental rights (especially privacy, freedom of expression, and the rights of the child) is critical in the United States and in Europe. Initiatives in Europe and the United States tend to focus on tools and processes to protect minors, but steer away from regulating content on the platforms. Despite this, there is mounting debate regarding whether laws are creating a form of censorship or unlawfully constraining free speech, limiting users’ choices, or infringing on the rights of children. The question is wider than the need to protect children online, in the sense that some content can be inherently dangerous for some individuals whereas that same content might not be harmful for another person (minor or adult). This need to protect users from harmful (but legal) content is the most difficult to reconcile with the need to protect freedom of speech and the need for data minimization.

In the United States, the question is being argued in court. Some federal courts have ruled that laws requiring age verification are unconstitutional because they undermine the US Constitution’s First Amendment and threaten privacy rights.¹⁷ Age verification laws are being challenged by NetChoice (a coalition of tech companies) and by free speech coalitions. The Supreme Court recently ruled that the age verification law in Texas does not violate the First Amendment because it only requires proof of age to access content that is obscene to minors; it does not directly regulate adults’ speech.¹⁸ In both the EU and the United States, a considerable amount of policy work and research is being conducted on how to balance safety and privacy, especially in the context of age assurance requirements.¹⁹

At the EU level, the debate about balancing rights was not prominent while the DSA and the AVMSD were being adopted, probably because the rules were principles based and did not mention bans or age verification per se. Furthermore, the DSA contains safeguards to protect fundamental rights, such as giving users’ the right to challenge content moderation decisions (such as removals of posts, demotions of content, and account suspensions). The central article on the protection of minors in the DSA (Article 28) assumes that there cannot be safety for minors unless other rights, such as privacy, are protected as well.

Now that the DSA is being enforced, the protection of minors has become an enforcement priority for the European Commission, and some member states are calling for bans on children accessing social media platforms, some political parties are questioning the legislation and the push for age verification solutions on free speech grounds. This debate is particularly intense in the context of the regulation on the fight against CSAM, which the European Parliament and the Council of the EU are amending in an attempt to reduce the impacts of CSAM detection mechanisms on privacy, particularly in the context of end-to-end encryption.

The ultimate goal should be to protect everyone online, not just minors. This would avoid the need to put in place age assurance and age verification.

A “digital age of consent” and age verification

The debates on getting the balance right on the need to protect minors online and the need to protect some fundamental rights are crystallizing on age verification and on proposals for an outright ban on access to social media for children.

To date, there is no outright ban at the EU level on children accessing social media. Commission President Ursula von der Leyen had pledged to examine the questionwith the help of a panel of experts originally scheduled to be set up before the end of 2025.²⁰ Some member states are also discussing the option of a social media ban for children.²¹ There is a strong call in the commission’s recently adopted guidelines under the DSA for certain platforms (such as adult content platforms) to prevent children from accessing them. Also, the Danish presidency of the EU and ministers from twenty-five member states recently adopted the Jutland Declaration, which welcomed “assessments” of a digital majority age.²² This assessment could help to determine the age at which minors should be allowed access to social media and other digital services—“giving them more time to enjoy life without an invasive online presence.”²³ This question is also high on the agenda in the United States, with some states requiring social media to ban minors from accessing them (or requiring parental consent for a minor to have an account).²⁴

On age verification, there is no mandatory technology at the EU level, but the EU guidelines on the protection of minors adopted under the DSA set out principles that age verification technology used by online platforms should meet.²⁵ In particular, the systems should be based on the “double anonymity” principle. According to this principle, the platform knows the age of users without identifying them, whereas an external site—which carries out the age verification by issuing a token—does not know which site the user will visit. The EU is also about to launch an EU mini-wallet as a temporary solution, pending the adoption of national solutions.²⁶ Some member states have also set requirements on age verification that are enforced by national regulators.

In the UK, the OSA has just entered into force, and the biggest and most popular adult platforms such as Pornhub must now deploy age checks for users based in the UK. Other platforms—including Bluesky, Discord, Reddit, and X—have also announced that they will deploy age assurance in the UK as a result of the act. This has led to a surge in virtual private network (VPN) downloads, which shows the importance of global alignment where possible.

In the United States, as noted above, state legislation imposing age verification is subject to frequent court challenges.²⁷ As in Europe, there is little agreement among the states on the methods and tools to use when verifying the age of online users. Also, like in Europe, states seem to recognize that age assurance alone is not the solution.

On both sides of the Atlantic, the debates are similar in practice, including debates regarding how to attribute responsibility for age assurance across the supply chain (i.e., at what level age verification should take place, whether at the app store layer or by individual applications or websites). Questions about where verification happens raise additional questions about the extent to which other players in the chain can rely on this, or whether relying on a single point of verification could undermine safety by discouraging applications and websites from making their own assessments.

Michèle Ledger is a researcher at the Research Centre in Information, Law and Society (CRIDS) of the University of Namur where she also lectures on the regulatory aspects of online platforms at the postmaster degree course. She has been working for more than twenty years at Cullen International and leads the company’s Media regulatory intelligence service.

This issue brief benefits from the insights of discussants at an online roundtable on EU-US regulatory co-operation hosted jointly by CERRE and the Atlantic Council. However, the contents of this brief are attributable only to the author.

Providing high-quality studies and dissemination activities, the Centre on Regulation in Europe (CERRE) is a not-for-profit think tank. It promotes robust and consistent regulation in Europe’s network, digital industry, and service sectors. CERRE’s members are regulatory authorities and companies operating in these sectors, as well as universities.

CERRE’s added value is based on

• its original, multidisciplinary, and cross-sector approach covering a variety of markets (e.g., energy, mobility, sustainability, technology, media, and telecommunications);
• the widely acknowledged academic credentials and policy experience of its research team and associated staff members;
• its scientific independence and impartiality; and
• the direct relevance and timeliness of its contributions to the policy and regulatory development process impacting network industry players and the markets for their goods and services.

CERRE’s activities include contributions to the development of norms, standards, and policy recommendations related to the regulation of service providers, to the specification of market rules, and to improvements in the management of infrastructure in a changing political, economic, technological, and social environment. CERRE’s work also aims to clarify the respective roles of market operators, governments, and regulatory authorities, as well as contribute to the enhancement of those organizations’ expertise in addressing regulatory issues of relevance to their activities.

The Atlantic Council promotes constructive leadership and engagement in international affairs based on the Atlantic community’s central role in meeting global challenges. The council provides an essential forum for navigating the dramatic economic and political changes defining the twenty-first century by informing and galvanizing its uniquely influential network of global leaders. The Atlantic Council—through the papers it publishes, the ideas it generates, the future leaders it develops, and the communities it builds—shapes policy choices and strategies to create a more free, secure, and prosperous world.

The Atlantic Council’s Europe Center conducts research and uses real-time analysis to inform the actions and strategies of key transatlantic decision-makers in the face of great-power competition and a geopolitical rewiring of Europe. The center convenes US and European leaders to promote dialogue and make the case for the US-EU partnership as a key asset for the United States and Europe alike. The center’s Transatlantic Digital Marketplace Initiative seeks to foster greater US-EU understanding and collaboration on digital policy matters and makes recommendations for building cooperation and ameliorating differences in this fast-growing area of the transatlantic economy.

Issue Brief Dec 4, 2025

Improving transatlantic cooperation on digital competition

By Zach Meyers

Greater dialogue between US and EU regulators would reveal similar priorities on digital competition, mergers, and antitrust issues, and could lead to greater alignment on key digital competition issues.

Digital Policy Economy & Business

New Atlanticist Aug 15, 2025

Talking past each other: Why the US-EU dispute over ‘free speech’ is set to escalate

By Kenneth Propp

Republican-led US lawmakers and the White House are likely just getting started in critiquing the European Union’s Digital Services Act.

European Union Internet

New Atlanticist Aug 4, 2025

As the US retreats from internet governance, Europe must step up

By Konstantinos Komaitis

If Europeans do not actively defend their digital rights model abroad, then they risk seeing the global system drift toward norms that contradict their own.

European Union International Norms

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.

Learn more

The post Transatlantic cooperation on protecting minors online appeared first on Atlantic Council.

Executive summary

From classrooms to farming communities, generative artificial intelligence (gen AI) holds great potential for Africa. The key question is whether its promise of abundance will reach everyone—or only those already well-connected.

The technology should be regulated with both its strengths and weaknesses in mind, and approached with a healthy dose of skepticism toward corporate advocates; but ignoring the obvious value and use of gen AI makes little sense. Those concerned with development in Africa must engage with the technology and consider its potential for reducing poverty and strengthening education, alongside other priorities such as digitizing and preserving languages.

Gen AI poses real risks and requires guardrails, especially for young people. Yet disengagement carries risks of its own: if gen AI is not actively shaped and governed, the very youths and communities it could benefit—or harm without proper controls—risk being left behind. Not engaging with gen AI would be not only harmful but also patronizing. More conversation is needed between those inventing and implementing gen AI models and those who work in development assistance, including actors involved in shaping and advancing the UN Sustainable Development Goals (SDGs). Two of these SDGs—ending poverty and providing quality education—closely mirror gen AI’s promise, or boast, of future “abundance” and human or even superhuman intelligence. The SDG and gen AI camps must explore what each can realistically offer the other.

Issue Brief Apr 24, 2025

The Millennium Challenge Corporation could prove essential in the race for critical minerals. Reform it, don’t shut it down.

By Aubrey Hruby

As the Trump administration aligns foreign aid with core strategic interests, the MCC represents an underutilized asset.

Critical Minerals Energy & Environment

Issue Brief Jul 21, 2025

Atlantic piracy, current threats, and maritime governance in the Gulf of Guinea

By Maisie Pigeon

A drop in attacks in the Gulf of Guinea does not necessarily mean piracy has been resolved. Pirates have adapted their tactics, and the potential for resurgence remains high; this issue remains a critical security and development concern. It is not just a regional priority—it is an international imperative.

Africa Economy & Business

Issue Brief Jun 10, 2025

Marine energy: Harnessing the power of the Atlantic

By William Yancey Brown

In partnership with the Policy Center for the New South, the Atlantic Council’s Africa Center is launching a new series of publications and events dedicated to the power of the Atlantic ocean with an inaugural policy brief on energy and mineral potential.

Africa Critical Minerals

The Africa Center works to promote dynamic geopolitical partnerships with African states and to redirect US and European policy priorities toward strengthening security and bolstering economic growth and prosperity on the continent.

Learn more

The post Engaging generative artificial intelligence in African development appeared first on Atlantic Council.

Executive summary

President Donald Trump’s policies are substantially reshaping prospects for transatlantic cooperation across a range of policy areas. In digital competition, the picture is complex. The Trump administration opposes Europe’s competition regulation, but both the European Commission and US federal and state competition enforcers have similar priorities when it comes to competition in digital markets.

US-European Union (EU) dialogue could help make interventions to promote digital competition more effective. It could boost consistency (helping firms adopt the same remedies across both sides of the Atlantic) and help regulators share knowledge and best practices. Beyond technical alignment, EU and US authorities can coordinate on narratives and messaging, ensuring that regulatory measures are perceived as fair and mitigating the risk of digital competition policy fueling foreign policy disputes.

At a recent roundtable hosted by the Centre on Regulation in Europe (CERRE) and the Atlantic Council, we identified the following recommendations for competition enforcers on digital antitrust.

• The European Commission and national competition authorities should continue to cooperate with US federal agencies and strengthen their cooperation with US state attorneys general, given their important role in US digital antitrust cases.
• To effectively learn from each other’s experience with remedies, and to enhance mutual learning and correct remedies when needed, competition agencies in both the EU and the United States should have a robust, evidence-based assessment about how their remedies have performed.
• The European Commission needs to improve its communication strategy when pursuing antitrust cases. Antitrust enforcement must be closely linked to consumer welfare, competitiveness, and economic growth. Enhancing its legitimacy can help ensure European competition enforcers withstand any political pressure.
• Europe needs to better highlight how open and competitive markets foster innovation. Tools to open competition are therefore important ways to support US and European global technological leadership.

In relation to merger policy, competition authorities on both sides of the Atlantic are evolving to better tackle the role of innovation in digital markets. Recommendations include the following.

• EU and US authorities should develop consistent guidelines setting out how they will assess a merger’s impacts on innovation capabilities (such as chips and computing power, skills, data, and risky and patient capital) and incentives to innovate. Pro-innovation merger control should promote the new innovators and not protect the old ones.
• The Directorate-General for Competition (DG-Comp) should aim to learn from the US merger guidelines and US authorities’ recent practices to inform the EU’s current exercise of revising its own guidelines.
• As with antitrust remedies, competition authorities in both the EU and the United States must be honest and clear about how their merger remedies have performed, so that different authorities can become better by learning from each other’s successes and mistakes.

Introduction

Trump’s policies have challenged the transatlantic relationship and are reshaping prospects for transatlantic cooperation. On digital competition, the picture is particularly complex. The president and some of his appointees to the Federal Trade Commission (FTC) and the Department of Justice (DOJ) Antitrust Division oppose Europe’s competition regulation, the Digital Markets Act (DMA)—and the president recently threatened to investigate the EU’s nearly €3 billion fine imposed on Google as an unfair trade barrier under Section 301 of the Trade Act of 1974. Despite this, when it comes to ex post digital antitrust cases, US federal and state competition enforcers and the European Commission have similar priorities. More broadly, competition authorities on both sides of the Atlantic are grappling with how to adopt consistent, principled, and predictable approaches in digital markets. This can better take innovation, investment, and firms’ capabilities into consideration during competitive analysis, and a consistent approach is key for global corporations.

US-EU dialogue could help improve the efficiency and effectiveness of interventions to promote digital competition. It could do the following.

• Facilitate mutually consistent approaches to common regulatory challenges, reducing burdens on regulators and making it easier for global firms to adopt the same business models across both sides of the Atlantic.
• Even where consistency is not possible, help regulators by sharing knowledge and best practices, or even help authorities to divide and conquer in areas such as ex post antitrust cases in which authorities on both sides of the Atlantic are pursuing similar goals.
• Mitigate the risks of foreign policy disputes as digital competition interventions increasingly have cross-border impacts, and as the Trump administration bristles at foreign governments enforcing competition law and pro-competitive regulation against US champions.

But how can this mutually beneficial cooperation be maintained? In 2021, the EU and United States established a Joint Technology Competition Policy Dialogue, supplementing established agreements between the European and US competition agencies, and there is still dialogue between antitrust enforcers. However, given the growing perception of a difference in values between the EU and the United States, and tensions on a range of topics from trade to defense, prospects for cooperation risk becoming narrower in the future.

Cooperation on digital antitrust

European and US authorities have a significant degree of alignment on ex post antitrust enforcement in the digital sector. In digital markets, large firms have often argued that highly innovative digital markets had natural “winner take all” characteristics, but there is nevertheless competition for the market. These firms argue they are subjected to significant competitive pressure from those who might displace them with disruptive innovation and, therefore, have strong incentives to keep innovating. This implies a marginal role for competition agencies. In practice, however, many digital markets have seen little displacement of incumbents in recent years. Effective antitrust remedies not only enforce competition law but also create space for innovation, enabling new entrants and disruptive technologies to challenge incumbents and thrive. While, until recently, innovation in some markets appeared to have slowed, there is an open question about how much artificial intelligence (AI) could disrupt the architecture of digital ecosystems—and whether that implies antitrust authorities should step back or play a role in keeping this possibility open.

In the meantime, competition authorities in the EU and United States have become more assertive. On the US side, the FTC and DOJ are pursuing cases against tech firms brought under previous administrations, despite the Republican Party’s traditional light-touch approach to antitrust. The FTC and DOJ’s approach is fueled by a view that conservative antitrust must not allow “private tyranny,” just as it is opposed to government tyranny.¹ In particular, FTC Chairman Andrew Ferguson has applauded that “this administration . . . is rediscovering the wisdom of taking competition enforcement seriously.”²

In Europe, although there have been few new antitrust cases under the new European Commission, a number of ongoing cases are being pursued against the same firms, on similar timeframes and in relation to similar conduct. These cases have been supplemented by enforcement action under the DMA. Some of these cases might have different underlying motivations—with US authorities more concerned with the potential role of large technology firms in stifling plurality of voices online, and the EU more concerned with ensuring market contestability. But they nevertheless illustrate authorities’ common challenges, particularly how to design remedies for highly complex and fast-moving digital markets.

EU and US competition policies increasingly interact. For example, in a case brought by the US DOJ and some states against Google regarding its conduct in the search market, the DOJ sought an extensive list of potential remedies, including data-sharing rules that looked similar to obligations in the EU’s DMA. In September 2025, the district court decided to apply a narrower data-sharing remedy. A similar question about alignment of remedies will arise in the EU and US cases concerning Google’s digital advertising technologies.

However, challenges remain in coordinating antitrust actions on both sides of the Atlantic.

A first challenge is ensuring that the tenets of antitrust analysis remain synchronized. Protecting disruptive innovation in digital markets, for example, might require identifying robust theories of harm closer to market realities and moving away from reliance on static market definitions. However, the US legal system—in which the FTC and DOJ must convince a judge of their case—makes EU-US alignment difficult. Even if EU and US competition authorities agree on a common approach to a particular case, judges might take a different approach. In particular, competition cases in the United States go before generalist US judges, some of whom might be relatively conservative about government intervention. For example, European competition agencies are exploring how large firms can stymie disruptors by preventing their access to inputs to innovate or impacting their access to customers. They have used these concerns to rework the essential facilities doctrine and the tests for when discrimination is anticompetitive (with EU courts often sympathetic to their approaches, as in the Google Shopping and Android Auto cases).³ However, there is limited evidence that US courts are as willing to see principles evolve.

A second challenge is remedy design. Ex post antitrust remedies can have global impacts—for example, by raising costs of operating different business models in different countries, or by requiring structural changes to large firms or technical changes that cannot be implemented at a regional level. Conversely, for firms that can benefit from remedies, a consistent approach to remedy design in the EU and United States could lower costs and allow innovative firms to scale faster. Securing consistent approaches to remedies between the EU, the United States, and third countries such as the United Kingdom could therefore have widespread benefits. There is acceptance that past remedies in tech antitrust cases have sometimes not been very effective, and that innovation seems to have played more of a role than antitrust remedies in promoting competition in digital markets. Both sides seem to be learning from these past experiences, but they have adopted different lessons. The EU has sought to front-end tougher remedies in the DMA while, in the US Google Search case, the judge adopted a narrower set of remedies and instead put more faith in possibilities for AI to disrupt online search markets. Both European and US authorities can benefit from robust and transparent evaluations of past remedies, learning from successes and failures to design more effective interventions in the future.

Thirdly, the EU and United States also take different approaches to the merits of ex ante digital competition regulation. Europe’s DMA has few influential friends among the current US administration. Trump has implied he sees the law as an attack on “the growth or intended operation of United States companies,” and FTC Chair Andrew Ferguson has described the DMA as a “tax on American companies” and one which is “overly rigid,” despite most of the beneficiaries of the DMA being US firms.⁴ The EU’s objectives with the DMA were to foster a competitive and fair digital market, creating opportunities for challenger firms from both Europe and the United States, and supporting the West’s global technological leadership. From a European perspective, there is no appetite to rescind or water down the DMA; Commissioner Teresa Ribera has signaled the European Commission would take a “brave” approach to enforcement and has fined Apple and Meta for noncompliance.⁵ However, there is a widespread perception that the commission is tailoring its enforcement approach to reflect the current environment. For example, the Apple and Meta fines came only after the commission missed its own self-imposed deadlines, seemingly to avoid torpedoing EU-US trade talks.⁶

There is also a question of how European and US regulatory authorities can best cooperate and coordinate in practice, given the different timeframes and processes of their respective cases and concerns in the United States about Europe taking the lead on antitrust matters. Ferguson, for example, has argued, “If we think that Americans are suffering from anticompetitive conduct at home, we should address it here at home . . . I don’t want the Europeans doing it for us.”⁷ The EU and United States have a positive comity agreement, which allows one party affected by anticompetitive behavior originating in the other party to request that said party address the conduct. But this agreement has never been used in practice. Under the Trump presidency, the European Commission has shown a desire to allow the United States to take the lead. For example, in the Google AdTech case, the European Commission has found that Google breached competition law. However, the US federal court also considered remedies in its case regarding the same conduct. The commission has therefore delayed a final decision on remedies, stating that it wanted to “ensure that Google puts in place an effective remedy on both sides of the Atlantic . . . It is in everyone’s interest to achieve a joint outcome, including for Google itself, and for citizens worldwide.”⁸ While in principle such an approach might lead to harmonization, and would provide the EU with political cover, it poses the risk of delaying the imposition of remedies or encouraging the EU to accept remedies that might prove ineffective in the European context.

The broader political backdrop remains challenging. Trump has challenged the independence of numerous public authorities, including the FTC—and there is a risk of the president seeking to change the direction of US digital antitrust policy in the future. On the European side, while the EU secured a trade deal with the United States without needing to change its digital antitrust or digital regulation, the European Commission’s enforcement of the DMA and competition law—both procedurally and substantively—already appears to have been influenced by fears of triggering retaliation by the United States. It is difficult to see how the EU can adopt a rigorous and independent approach while remaining dependent on the United States for its security.

These challenges suggest several lessons for competition enforcers.

• The European Commission and national competition authorities should continue cooperating with the US federal agencies and strengthen their cooperation with US state attorneys general, given their important role in US digital antitrust cases.
• To effectively learn from each other’s experience with remedies, and to enhance mutual learning and correct remedies when needed, competition agencies in both the EU and the United States should have a robust evidence-based assessment of how their remedies have performed.
• The European Commission needs to improve its communication strategy when pursuing antitrust cases. Antitrust enforcement must be closely linked to consumer welfare, competitiveness, and economic growth. Enhancing its legitimacy can help ensure European competition enforcers withstand any political pressure.
• Europe needs to better highlight how open and competitive markets foster innovation instead of protection of national champions. Tools to open competition are therefore important ways to support US and European global technological leadership.

Merger policy and innovation

The discussion on antitrust enforcement naturally leads to questions about how merger policy can also protect innovation and competition in digital markets. Both EU and US approaches to competition policy are evolving to better tackle the role of innovation in digital markets. In particular, there is growing unease that competition authorities need to improve how they approach the impacts of a merger on innovation.

Reflecting these concerns, the United States updated its merger guidelines in 2023 after a two-year process. Merger guidelines are traditionally intended to describe the FTC and DOJ practices to the public, businesses, and courts—such as setting out important questions to which the agencies seek answers during the review process, including what type of evidence they are looking for and how that evidence is typically analyzed. However, the updated guidelines have been perceived by some as a more political document and a statement of the agencies’ intent to toughen merger policy, with more mergers likely to be presumed anticompetitive and the introduction of novel theories of harm. These guidelines remain in place for now, despite changes of leadership at the DOJ and FTC.⁹

The European Commission is still in the process of updating its merger guidelines, a process that it aims to finalize in 2027. Recently, both Mario Draghi and Commission President Ursula von den Leyen have pushed for the process to speed up. Much of the debate has centered on the importance of scale. Draghi’s report on European competitiveness—often interpreted as reigniting discussion about the merits of allowing EU firms to merge to create more innovative “European champions”—also proposed an innovation defense to allow mergers that would otherwise be prohibited. While some consider the report to be misunderstood, Draghi’s subsequent speeches have contributed to the perception that he is arguing for a loosening of merger policy. However, the extent to which new guidelines will (or can) represent a significant evolution in approach is unclear.

• First, in Europe, different stakeholders have vastly different objectives when they argue that innovation (and other factors such as resilience) should play a bigger role in merger review. For enforcers, taking innovation into account might imply being able to intervene in more mergers; it is difficult to argue that EU merger policy has been too lax given that only a tiny proportion of mergers have ever been prohibited. For other stakeholders, the objective of giving innovation a stronger role in merger policy is to allow more deals. It is unclear how the guidelines can promote European champions while preventing foreign competitors from engaging in similar large-scale mergers.
• Second, the recommendations in Draghi’s report are modest. His report has been understood to propose relaxing EU competition law constraints on mergers of major industrial companies. In fact, he acknowledges that a dominant firm would still be precluded from making use of the innovation defense, which would make it inapplicable in almost all cases in which a merger is blocked today. It would also be accompanied by strict safeguards and investment commitments by the merging parties. If Draghi’s proposal is adopted, there might not be much difference from today’s efficiency defense, which has never changed the outcome of a merger review process in Europe (though that might be, in part, because so few mergers are challenged in the first place or because the efficiency defenses have not been clearly articulated or sufficiently convincing). Therefore, there is a significant gap between some of the political rhetoric surrounding the review and the technical reality.
• Third, the EU’s existing merger guidelines have already been superseded by changes in the commission’s practices, so the urgency of a new set of guidelines can be overstated. In reality, the guidelines should not be a statement of intent but, rather, a description of current practices and approaches. This means they might not fundamentally change case-specific analysis.
• Fourth, it is difficult to see how changes in merger review alone will significantly alter the EU’s innovation trajectory. In the absence of further development of the single market, and greater availability of venture capital, highly innovative European firms will remain more likely to move to the United States or be acquired by foreign companies rather than remain European.

This might mean that—despite the call for a fundamental change in approach in Europe—the EU and the United States will stay relatively aligned.

One area in which divergence remains a risk is adopting predictable approaches to assessing the impact of a merger on capabilities and incentives to innovate, particularly in relation to disruptive innovation. Competition authorities have pursued theories of harm based on how a merger might impact innovation, even in the absence of immediate impacts on price or quality in particular markets. For example, innovation and innovative capabilities (or access to assets considered essential for innovations) featured heavily in cases such as Dow-DuPont, Amazon-iRobot, Facebook-Giphy (in the UK), and Google-FitBit. However, these cases have often (but not exclusively) focused on sustaining innovation rather than disruptive innovation. Where competition authorities have taken disruptive innovation into account (such as the UK authority in Facebook-Giphy) or examined markets for research and development (as the US and EU authorities did in the Illumina/Grail merger) they were highly criticized for making the results of merger reviews unpredictable.

Authorities will need to make decisions when the evolution of markets is not fully certain. An insistence on only acting when the anticompetitive outcome is undeniable will, on the whole, lead to less competition. On one hand, this suggests authorities should be humble. Sources of disruptive innovation are hard to identify beforehand, which suggests some firms might have more vulnerable positions than static markers of market power might imply. On the other hand, if authorities take the need to protect possibilities for disruptive innovation seriously, this might help illuminate previously under-identified types of anticompetitive effects, such as mergers that stymie potentially disruptive firms even if they appear to be in an unconnected market. This might require defining markets for innovation or focusing more on firms’ capabilities, their management practices, and their strategies in merger review.¹⁰ While the outcomes might not always be predictable, EU and US authorities could work together to try to ensure more transatlantic consistency when identifying the impact of a merger on innovation and incentives to innovate. This could increase certainty about the process and framework that competition authorities will adopt.

A second area of potential conflict is whether competition authorities should seek to promote certain types of innovation over others. In line with the Trump administration’s broader deregulatory approach, US competition authorities appear to be taking an agnostic and free-market approach to this question. In contrast, European authorities have emphasized how merger control can contribute to innovation in the area of sustainability and protect incentives for green innovation.¹¹ This includes reflecting customer and government preferences for sustainable products when defining markets. For example, when the European Commission prohibited the Hyundai-Daewoo merger in 2022, it took into account the parties’ incentives to invest in lower-emission liquefied natural gas (LNG) vessels.

A third area of divergence risk relates to politicization of the merger process in both the EU and United States. More than ever, there is a perceived risk of US merger policy and practice being influenced by industry lobbying and top-down political influence. The lack of an institutionally independent competition regulator at the EU means this also remains a risk in Europe. Industry capture could happen at the level of guidelines—where there is a risk of helping today’s largest European companies rather than promoting the growth of disruptive and innovative firms—or on a case-by-case basis. There have been previous merger cases in which the formal technical analysis did not align well with the final decision reached. In this respect, updating the EU’s merger guidelines—by reducing the European Commission’s room for maneuver in response to political pressure—could provide significant cover for taking difficult decisions.

Lessons for merger review authorities include the following.

• EU and US authorities should develop consistent guidelines setting out how they will assess the impacts of a merger on innovation capabilities (such as chips and computing power, skills, data, and risky and patient capital) and incentives to innovate. A pro-innovation merger control should promote the new innovators and not protect the old ones.
• DG-Comp should aim to identify and adopt positive aspects of the revised US merger guidelines and US authorities’ recent practices to inform the EU’s current exercise of revising its own guidelines. For example, adopting the US approach by combining horizontal guidelines (which signal how a competition authority examines mergers between direct competitors) and vertical guidelines (which signal the approach to mergers between players at different points in the supply chain) would prove useful to ensure the European Commission thinks holistically about the impact of mergers on innovation, including in digital ecosystems in which horizontal and vertical concerns can be closely related. On the other hand, the EU guidelines still need to follow and reflect DG-COMP’s practices and should avoid becoming politically charged or signaling major changes to the EU approach.

As with antitrust remedies, competition authorities in both the EU and the United States must be honest and clear about how their merger remedies have performed, so different authorities can become better by learning from each other’s successes and mistakes. This will be especially important if there is increasing use of long-term investment commitments as a merger remedy (as in the UK with the Vodafone-O2 merger, and as recommended by Draghi). Such an approach can help ensure authorities across the Atlantic can work with each other. DG-COMP’s previous retrospective studies on remedies are an excellent starting point.

Zach Meyers is the director of research at the Centre on Regulation in Europe (CERRE). Previously the assistant director of the Centre on European Reform, Meyers has a recognized expertise in economic regulation and network industries such as telecoms, energy, payments, financial services and airports. In addition to advising in the private sector, with more than ten years’ experience as a competition and regulatory lawyer, he has consulted to governments, regulators, and multilateral institutions on competition reforms in regulated sectors.

This issue brief benefits from the insights of discussants at an online roundtable on EU-US regulatory co-operation hosted jointly by CERRE and the Atlantic Council. However, the contents of this brief are attributable only to the author.

Providing high-quality studies and dissemination activities, the Centre on Regulation in Europe (CERRE) is a not-for-profit think tank. It promotes robust and consistent regulation in Europe’s network, digital industry, and service sectors. CERRE’s members are regulatory authorities and companies operating in these sectors, as well as universities.

CERRE’s added value is based on

• its original, multidisciplinary, and cross-sector approach covering a variety of markets (e.g., energy, mobility, sustainability, technology, media, and telecommunications);
• the widely acknowledged academic credentials and policy experience of its research team and associated staff members;
• its scientific independence and impartiality; and
• the direct relevance and timeliness of its contributions to the policy and regulatory development process impacting network industry players and the markets for their goods and services.

CERRE’s activities include contributions to the development of norms, standards, and policy recommendations related to the regulation of service providers, to the specification of market rules, and to improvements in the management of infrastructure in a changing political, economic, technological, and social environment. CERRE’s work also aims to clarify the respective roles of market operators, governments, and regulatory authorities, as well as contribute to the enhancement of those organizations’ expertise in addressing regulatory issues of relevance to their activities.

The Atlantic Council promotes constructive leadership and engagement in international affairs based on the Atlantic community’s central role in meeting global challenges. The council provides an essential forum for navigating the dramatic economic and political changes defining the twenty-first century by informing and galvanizing its uniquely influential network of global leaders. The Atlantic Council—through the papers it publishes, the ideas it generates, the future leaders it develops, and the communities it builds—shapes policy choices and strategies to create a more free, secure, and prosperous world.

The Atlantic Council’s Europe Center conducts research and uses real-time analysis to inform the actions and strategies of key transatlantic decision-makers in the face of great-power competition and a geopolitical rewiring of Europe. The center convenes US and European leaders to promote dialogue and make the case for the US-EU partnership as a key asset for the United States and Europe alike. The center’s Transatlantic Digital Marketplace Initiative seeks to foster greater US-EU understanding and collaboration on digital policy matters and makes recommendations for building cooperation and ameliorating differences in this fast-growing area of the transatlantic economy.

New Atlanticist Aug 15, 2025

Talking past each other: Why the US-EU dispute over ‘free speech’ is set to escalate

By Kenneth Propp

Republican-led US lawmakers and the White House are likely just getting started in critiquing the European Union’s Digital Services Act.

European Union Internet

New Atlanticist Aug 4, 2025

As the US retreats from internet governance, Europe must step up

By Konstantinos Komaitis

If Europeans do not actively defend their digital rights model abroad, then they risk seeing the global system drift toward norms that contradict their own.

European Union International Norms

Issue Brief May 29, 2024

Who’s a national security risk? The changing transatlantic geopolitics of data transfers

By Kenneth Propp

The geopolitics of data transfers is changing. How will Washington’s new focus on data transfers affect Europe and the transatlantic relationship?

Cybersecurity Digital Policy

The Europe Center promotes leadership, strategies, and analysis to ensure a strong, ambitious, and forward-looking transatlantic relationship.

Learn more

The post Improving transatlantic cooperation on digital competition appeared first on Atlantic Council.

Transnational represssion (TNR) represents a growing threat to democratic societies worldwide, as authoritarian regimes extend their repression beyond borders, utilizing covert and overt influence operations to advance their political objectives. Over the past decade, the term “transnational repression” has been used to describe the actions of states that seek to control populations living outside their borders. University of Notre Dame Professor Dana M. Moss coined the term to refer to “the repression of diasporas by home-country regimes,” which aims to “punish, deter, undermine, and silence activism in the diaspora,” thereby preventing these populations from completely exiting authoritarian control. 

State, state-affiliated, and non-state actors employ a range of coercive strategies to silence critics, alienate opposition, and control diaspora communities via intimidation. TNR manifests into a sophisticated blend of operations, including surveillance, cyberattacks, disinformation campaigns, legal and judicial harassment (sometimes called lawfare), and even physical and psychological assault. As these operations often exist in legal gray zones, they exploit vulnerabilities within liberal democracies, challenging the international rules-based order below the threshold of major pushback from the international community. Despite growing efforts and attention toward the issue, democracies have struggled to counter these extraterritorial repression tactics effectively.  

When foreign governments conduct surveillance, intimidation, or enforcement actions—including through the exercise of extraterritorial police power by authoritarian regimes inside the nations they target—they undermine state sovereignty and threaten to erode public trust in institutions, representing a significant national security threat.  

A strategic framework on transnational repression is urgently needed to confront this rapidly evolving global threat. While the body of research and policy responses has been slowly developing over recent years, these actions remain largely fragmented, reactive, and uncoordinated. What is lacking is a unifying, practical framework that consolidates these efforts and provides a comprehensive, proactive approach to understanding, disrupting, preventing, and countering transnational repression.  

As resources to support activists, journalists, and diaspora communities targeted by TNR come under increasing strain— exacerbated by the growing absence of sustained US leadership and funding in this domain—the need for a common strategic framework is more urgent than ever. In this context, a unified framework to guide Western democratic allies will foster greater coherence and coordination, while also supporting the accelerated development, implementation, and effectiveness of policies and countermeasures. By providing a shared foundation for identifying threats, protecting vulnerable communities, and confronting the foreign regimes that engage in TNR, such a framework would strengthen collective democratic resilience at a time when it is most critically needed. Ultimately, the goal is to establish a global, whole-of-society approach that fosters collective responses across like-minded democracies.  

Rather than reinventing an entirely new architecture, the objective of this framework is to extend and enhance the utility of existing frameworks by tailoring their components to the specific dynamics of global TNR. This includes integrating elements that account for current policy gaps, diaspora vulnerability mapping, coordinated policy responses, and civil society resilience.  

By understanding the objectives and TTPs of transnational repression, this project aims to propose actionable countermeasures to disrupt, deter, and prevent future TNR operations at various stages through a comprehensive framework. 

Marcus Kolga is a journalist, human rights activist, and a Canadian analyst of foreign disinformation and influence operations. Kolga founded DisinfoWatch.org in 2020 to monitor and analyze foreign disinformation targeting Canada. He is a senior fellow at the Macdonald-Laurier Institute Center for Advancing Canada’s Interests Abroad, The CDA Institute, and the Raoul Wallenberg Center for Human Rights.
 
Sze-Fung Lee is an independent researcher specializing in Chinese hybrid warfare, including Foreign Information Manipulation and Interference (FIMI), Grand Strategy, Gray Zone Tactics, and Cognitive Warfare. Zir research also focuses on Indo-Pacific security policy, challenges posed by emerging technologies, and the politics of Hong Kong. 
 
Iria Puyosa is a senior research fellow at the Atlantic Council’s Democracy+Tech Initiative. She specializes in the complex interplay between technology and political dynamics. For over a decade, Puyosa has investigated information operations that undermine democratic institutions and fuel political instability. Her work uncovers the multifaceted threats of digital authoritarianism and contributes to a deeper understanding of the challenges facing democracies in the digital age.

Kenton Thibaut is a senior resident China fellow at the Atlantic Council’s Digital Forensic Research Lab (DFRLab), where she leads China programming for the Democracy + Tech Initiative, and a resident senior fellow at the Atlantic Council’s Indo-Pacific Security Initiative (IPSI) at the Scowcroft Center for Strategy and Security.

Lisandra Novo is the senior law & tech advisor for the Strategic Litigation Project at the Atlantic Council. The Strategic Litigation Project works on prevention and accountability efforts for atrocity crimes, human-rights violations, terrorism, and corruption offenses around the world. 

Report Jul 16, 2025

Digital occupation: Pro-Russian bot networks target Ukraine’s occupied territories on Telegram

By Yuliia Dukach, Iryna Adam, and Meredith Furbish

New analysis of 3,634 automated accounts spreading pro-Russian propaganda on Telegram channels used by Ukrainian populations in occupied territories shows Russia’s attempts to extend its occupation into digital spaces.

Conflict Disinformation

Report Jul 22, 2024

How Venezuela became a model for digital authoritarianism

By Iria Puyosa, Andrés Azpúrua, Daniel Suárez Pérez

As Venezuelans head to the polls on July 28, the massive online surveillance apparatus developed under incumbent Nicolás Maduro watches street video, monitors social media and phone communications, and gathers data from online movements. What’s behind this digital repression—and will it spread?

Corruption Latin America

The Atlantic Council Technology Programs comprises five existing efforts—the Digital Forensic Research Lab (DFRLab), the GeoTech Center, the Cyber Statecraft Initiative, the Democracy + Tech Initiative, and the Capacity Building Initiative. These operations work together to address the geopolitical implications of technology and provide policymakers and global stakeholders necessary research, insights, and convenings to address challenges around global technology and ensure its responsible advancement.

learn more

The Atlantic Council’s Digital Forensic Research Lab (DFRLab) has operationalized the study of disinformation by exposing falsehoods and fake news, documenting human rights abuses, and building digital resilience worldwide.

learn more

The Democracy + Tech Initiative creates policy practices that align global stakeholders toward tech and governance that reinforces, rather than undermines, open societies. It builds on the DFRLab’s established track record and leadership in the open-source field, empowering global communities to promote transparency and accountability online and around the world.

Learn more

The post Authoritarian reach and democratic response: A tactical framework to counter and prevent transnational repression appeared first on Atlantic Council.

Unfortunately, when it comes to human talent, AI or digital adoption action plans—be they national or multilateral—tend to focus on reskilling for younger populations. The importance of digital reskilling for older populations to empower their productivity, health, and social welfare should be a strategic priority, as well. Attention to this population segment is increasingly paramount considering that people aged sixty-five and older compose the fastest-growing demographic group in the world, especially in low-and-middle-income countries.

It is encouraging that the World Social Summit’s Doha Political Declaration, which will be officially adopted at the Summit, acknowledges the importance of digital and social inclusion encompassing older populations. But policymakers should also incorporate adequate training and trust frameworks for reskilling aging populations into their infrastructure development goals. Countries are making considerable investments to ramp up their digital infrastructure. If these efforts are not paired with a reskilling capacity, leaders risk excluding a growing older adult population from full societal and economic participation. How effectively the summit addresses this issue will help determine countries’ preparedness for major forthcoming technological and demographic shifts.

Digital literacy for older populations: A super-determinant of social development

For older adult populations to benefit from new applications of AI and digital technologies in healthcare, digital and AI literacy is essential. Research indicates that AI healthcare tools could potentially improve the detection and diagnosis of chronic diseases and help medical professionals make swifter clinical decisions.

While global life expectancy has increased over the decades, individual healthspan (or the number of years lived disease-free) has lagged behind life expectancy, with a gap of 9.6 years. A major driver of this gap is the pervasiveness of noncommunicable diseases (NCDs), including Alzheimer’s, dementia, cancer, and heart disease, which are most prevalent in populations older than fifty. The capacity of an individual to use technologies to manage their own health, referred to as digital health literacy, is characterized as a super-determinant of health. Digital health literacy may play a role in extending both life expectancy and healthspan related to NCDs management, particularly among older populations.

The triple barrier: Challenges to digital health adoption

Policymakers must grapple with three interlocking barriers that make it difficult to engage older populations with digital tools: insufficient infrastructure, low trust, and inadequate design.

Globally, the digital divide remains stark. In developed economies, 90 percent of people have internet access, while only 27 percent of those living in developing economies do. This gap is exacerbated for aging populations ages sixty and over, who are disproportionately offline compared to their more connected younger counterparts. Digital health literacy is a prerequisite for a population to benefit from AI-driven healthcare. The absence of this literacy can cause severe complications, including delayed diagnoses, poor adherence to treatment plans, and patient absenteeism.

Another barrier to the adoption of digital health services is trust. Older adults often view digital healthcare with skepticism, fearing data breaches, unclear terms of use, or inadequate quality control. In the United States, 60 percent of patients that consider using a health app decide not to over privacy concerns. Overcoming this lack of trust requires transparent communication, the reinforcement of safety protocols, and endorsements from trusted authorities.

Even with digital connectivity and training, digital health tools will not be widely adopted if they are poorly designed. User experience research shows that technical jargon, cognitive overload, impersonal interfaces, and mismatched engagement methods reduce uptake. By contrast, personalization—such as tailoring messages to a patient’s context and communication preferences—has been shown to significantly increase adherence to preventive behaviors.

Lessons from national initiatives to increase digital health literacy

Here are four approaches policymakers and civil society actors at the World Social Summit can look to when implementing the commitments to digital inclusion outlined in the Doha Political Declaration:

• Promote the rollout of national digital health literacy programs for older adults. Such programs can help older adult populations access the benefits of digital health tools. India’s Understanding of Lifelong Learning for All in Society, a government-sponsored literacy program for citizens aged fifteen and above who missed the opportunity to attend school, is one example of such an initiative. Through virtual modules and volunteer support, citizens are trained in general skills, including digital and health literacy. This program could serve as a useful model for the creation of more targeted literacy programs focused on providing older adults with digital health literacy skills they may not be able to learn elsewhere.
• Encourage local governments to tie digital skills training to digital infrastructure investments. This approach can help make the most of technology deployment by combining it with community-based engagement projects. With a bottom-up approach, in Kebbi State, Nigeria, the Medicaid Cancer Foundation-Patience Access to Cancer Care, began increasing awareness about the importance of early detection and prevention of cancer with community leaders and a peer-to-peer outreach model. Once this network of trust was established, the program was able to effectively strengthen patient management through the digitalization of follow-up care and the establishment of a State Cancer Registry to systematically track cases.
• Promote national programs that train community leaders to be digital skills educators. Trusted community leaders can help overcome negative perceptions of digital health tools. In the United Kingdom, the National Health Service’s BP@Home program trained community health workers to empower patients with home blood pressure management. BP@Home has reached over 220,000 participants since 2020. Using a step-by-step approach with phone calls, leaflets, and a dedicated app, this model ensures that patients, especially older adults, not only have the technology but also the skills and confidence to manage their blood pressure.
• Incorporate user perspectives in the elaboration of AI skilling policies. Building trust in AI technologies demands multisector collaboration with older adults as the end users. A transdisciplinary trust framework can help bridge these perspectives, linking scientific insights on ethics and reliability with the experiences and concerns of older populations. By embedding trust-building into digital health strategies, such frameworks can ensure that AI tools are not only technically sound but socially legitimate, culturally sensitive, and aligned with the values of their users. This approach is especially vital in lower- and middle-income countries, where skepticism, lower digital literacy rates, and infrastructural gaps intersect most acutely.

***

Policymakers at the World Social Summit should commit to skilling aging populations—from infrastructure investment to user design, from trust-building to training—to achieve sustainable and resilient social protection systems. The action plans of today will shape the health equity landscape of tomorrow. If leaders fail to act, the digital and health divides will grow. If they act decisively, advances in AI and digital health technologies could become powerful equalizers in global health for decades to come.

Vijeth Iyengar is a nonresident senior fellow at the Atlantic Council’s GeoTech Center. The views reflected in the article are the author’s views and do not necessarily reflect the views of his employer.

Zainab Shinkafi-Bagudu is a senior advisor at the Federal Ministry of Health Nigeria and president-elect of the Union for International Cancer Control.

Héctor Pourtalé is a global public health consultant and former executive director of Movement Health Foundation.

Frank Krueger is a professor at the School of Systems Biology, George Mason University and honorary professor at the University of Mannheim.

GeoTech Cues Jan 21, 2025

Aging populations are being ignored in global tech agreements. That comes at a cost.

By Vijeth Iyengar, Gunay Kazimzade

The omission of aging populations in agreements at the UN and elsewhere is a missed opportunity to harness societal and economic gains.

Artificial Intelligence Resilience & Society

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

Report May 29, 2024

Generational AI: Digital inclusion for aging populations

By Caroline Thompson

Recommendations on improved inclusion and empowerment of older adults in the age of artificial intelligence.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post For aging populations to benefit from advances in healthcare technology, countries must promote digital health literacy appeared first on Atlantic Council.

The Donald Trump administration’s “Winning the Race: America’s AI Action Plan” outlines a vision of AI as a decisive frontier of global economic and security competition. The first pillar advocates for a deregulated, private-sector-led environment by reducing regulations, promoting open-source AI models, and fast-tracking AI deployment in industries such as healthcare, while tackling some questions about workforce transition. The second pillar addresses energy capacity by upgrading the electric grid, restoring domestic semiconductor manufacturing, building secure data centers, and establishing cybersecurity measures including incident response capabilities. The third pillar on international diplomacy and security, seeks to counter Beijing’s growing influence in international governance bodies and export the full stack of US AI to allies and partners. The plan also identifies financial services as both an opportunity and a vulnerability. AI is viewed as a driver of financial innovation and efficiency, but also as a channel for risks including misinformation, cyber fraud, and systemic instability.

The European Commission’s AI Continent Action Plan was unveiled in April 2025, and is part of a long series of reports and regulations undertaken by the EU to bolster its competitiveness in AI. It lays out a five-pronged plan to scale up computation models through new AI factories, innovation hubs, and pooled resources, improve access to and availability of high-quality data, accelerate application of AI through public services and industrial activities, enable the Draghi report’s ambition to “exceed the US in education” when it comes to training and retaining skilled talent, and further fortify the European single market for AI.

Both the approaches aim to buttress domestic adoption and application of AI—often through nudges from the state when it comes to exploring applications in public services, and encouragement for many kinds of commercial activities. China has come to a similar conclusion, with its continual emphasis on using local government action plans to diffuse AI into public service provisions, and all kinds of industrial activities through its “AI Plus” initiative. There are few references to China in the EU’s latest AI document, while Washington’s approach has both implicit and explicit connotations of a largely two-way race between itself and Beijing.

Approaches from the United States and the EU are both likely to face issues regarding capital and financing of these action plans. While US private-sector investments in AI are many-fold those in the EU and China, the scale and focus of spending make a big difference. In the United States, the Trump administration has put AI contracts front and center in its broader deregulation approach—recent quarters have seen dozens of venture capital rounds above $100 million, and large megadeals (one of about $40 billion in the first quarter of 2025 alone aside) are becoming more common. Major players like Microsoft have committed to $80 billion this year for AI-capable data centers, and overall US tech capital expenditure for AI and infrastructure is being projected in the hundreds of billions over the next few years.

Meanwhile, across the EU, fiscal rules constrain deficit and debt levels: member states are required to keep deficits below 3 percent of gross domestic product (GDP) (though some exceed this threshold) and debt below 60 percent. The EU’s budget amounts to about 1 percent of GDP, and key instruments such as the Recovery and Resilience Facility are set to expire in 2026—leaving a gap in large-scale funding. The EU is currently negotiating its next seven-year budget (2028–2034), which is expected to place strong emphasis on large-scale investments, including a proposed Competitiveness Fund. In China, while growth targets remain and fiscal policy is being kept “flexible,” debt burdens, weak investment returns in sectors such as property and manufacturing, and slowing external demand limit what Beijing can unilaterally spend without risking macroeconomic instability.

These differences mean that even when headline figures like “$500 billion investments” are floated, much of that tends to flow into private capital for infrastructure, cloud and chip production, startup rounds, and acquisitions. They are not distributed evenly or necessarily aimed at building strategic domestic capabilities. Europe and China risk being unable to match the pace of US capital expenditure, not only because of absolute capital constraints but because of institutional, regulatory, and macro-fiscal drags.

Challenges to US-EU alignment on AI

These structural spending imbalances are compounded by inconsistent US policy decisions that leave European partners scrambling to adapt. For example, Joe Biden administration’s AI diffusion rule in January 2025 left many countries in Europe with restrictions on importing advanced chips from the United States, and led to a call for maintaining a “secure transatlantic supply chain on AI technology and super computers, for the benefit of our companies and citizens on both sides of the Atlantic.” The Trump administration repealed this rule and, in its place, the EU committed to purchasing $40 billion of US-made chips as a part of its trade agreement with the United States.

This interaction lays bare the two tensions complicating the US-EU alignment on AI strategies. The first concerns the strategies’ time horizons and the enabling actions undertaken by each jurisdiction. The EU’s approach has been solidified with years of iterative public discussion amid the market transformation from AI—starting with the Draghi report, the AI Act and even Ursula von der Leyen’s European Commission presidency campaign. In contrast, the US AI strategy has seemed reactive and temperamental—shifting focuses between administrations on important issues such as risk and safety, open-source models, and export controls. Recent partnerships with the Gulf states and lifting of controls on NVIDIA’s H20 chips sale to China have also demonstrated a deal-making approach to AI, which is often at odds with the stated US strategy.

The EU has embraced binding rules such as the AI Act, in line with its broader tradition of digital regulation. By contrast, US administrations have favored light-touch, voluntary frameworks, and sectoral oversight rather than comprehensive law. This reflects a bipartisan reluctance to over-regulate the industry. This divergence in regulatory culture means that even when Washington and Brussels agree on broad goals, they often diverge on the instruments used to achieve them,

The second tension in the US and EU strategies concerns the EU’s own complicated motivations in the context of its present economic interdependence on the United States and China. This reliance is visible across the entire AI input stack. At the software level, European firms overwhelmingly depend on US-developed foundational models, cloud platforms, and AI tools provided by companies such as Microsoft, Google, and OpenAI, reflecting the absence of a globally competitive European alternative. In 2025, the United States produced about forty large foundation models, China around fifteen, and the EU only about three. At the infrastructure and cloud level, the “big three” US cloud hyperscalers are estimated to power about 70 percent of European digital services. At the hardware level, the EU remains structurally reliant on advanced semiconductors designed in the United States and fabricated in Asia, with Europe’s domestic semiconductor sector making up less than 10 percent of global production. Supply chains for critical minerals and legacy chips further reinforce exposure to Chinese producers, which control a significant share of upstream inputs and mid-tier manufacturing. Chinese companies dominate the refining of critical minerals such as rare earths and graphite, essential for chipmaking and AI datacenter equipment. They are also leading suppliers of mid-range GPUs, networking hardware, and AI server components, which European firms may increasingly source to diversify away from US vendors. Chinese technology companies, including Baidu and Alibaba, are also emerging players in foundation model training and deployment, reinforcing Europe’s reliance on external providers. These dependencies complicate the EU’s sovereignty ambitions and its ability to balance relations with the United States.

Recognizing these vulnerabilities, the EU launched initiatives to expand domestic capacity, raising about €20 billion to build “AI gigafactories.” These factories would be capable of hosting large-scale compute infrastructure, with the aim of catching up to the US and China. While these projects signal a commitment to reduce dependency, they remain long-term efforts. Even as Europe invests in its own infrastructure, there is still high exposure to non-EU supply chains for the critical inputs into AI. The European Central Bank noted that about half of Euro area manufacturers sourcing critical inputs from China report being exposed to supply chain risk.

These two tensions—uncertainty in US policy actions and the gap between the EU’s ambitions of sovereignty and its reliance on US and China for critical inputs—will continue to play out over the next few years.

The financial services sector and AI action plans

For financial services in particular, AI adoption is accelerating—banks now flag AI as core to transformation. JPMorgan reports hundreds of production use cases across fraud, marketing, and risk in its shareholder communications, while Bank of America’s “Erica” virtual assistant has logged more than 2 billion client interactions—evidence that AI is reshaping front-, middle-, and back-office processes from customer service to underwriting to treasury operations. This brings opportunities including cost and error reduction, real-time risk sensing, and new AI-enabled products like cash flow intelligence for corporate treasurers.

But financial services also represent one of the highest-risk sectors for AI adoption, given the direct societal impact of errors or bias in lending, risk modeling, or compliance monitoring. The AI Index 2025 shows that measurable gains remain modest, with most firms reporting less than 10-percent cost savings or revenue growth below 10 percent. AI adoption for financial services also lags in key areas. Many institutions remain in pilot phases, data quality and legacy infrastructure limit deployment, and regulatory uncertainty combined with talent shortages slows uptake in high-risk applications such as credit scoring and underwriting. Regulatory divergence sharpens these trade-offs: The United States leans on voluntary risk-management tooling (the National Institute of Standards and Technology – Artificial Intelligence Risk Management Framework) that gives firms latitude to innovate, whereas the EU’s binding AI Act and sectoral guidance from the European Securities and Markets Authority impose high-risk classifications and board-level accountability for AI in investment services—raising documentation, testing, and oversight burdens for cross-border finance.

Ultimately, the private sector and business in both jurisdictions need to adapt to these tensions and, in some cases, even begin to view them as productive in their journey of AI adoption and diffusion across various functions. What the AI action plans have done is provide a broad framework of AI strategy. But for financial services companies and the broader commercial sector, the devil is in the details and will require closing the transatlantic gap in the regulatory approach to AI. This seems more difficult than it would have a year ago.

Ananya Kumar is the deputy director, Future of Money, at the GeoEconomics Center.

Alisha Chhangani is an assistant director at the GeoEconomics Center

Flagship Event Mon, September 29, 2025 • 6:30 am ET

2025 Transatlantic Forum on GeoEconomics

The Transatlantic Forum on GeoEconomics is an annual conference convening economic and financial leaders from both sides of the Atlantic.

Digital Policy Economy & Business Europe & Eurasia European Union

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post What drives the divide in transatlantic AI strategy? appeared first on Atlantic Council.

On September 28, Switzerland will vote in a national referendum on the introduction of a state-recognized electronic proof of identification, or e-ID. This referendum could fundamentally transform how Swiss residents access government services and engage with private sector platforms in an increasingly digital world. The new draft solution comes after the rejection of the e-ID Act in a March 2021 referendum, largely due to the control the Act would have given to the private sector. Under the proposed legislation, the federal government will be responsible for both issuing e-ID cards and operating the necessary technical systems, an approach designed to maximize privacy and data security.

Switzerland’s evolving approach to digital identity reflects a broader, global conversation about the intersection of technology, governance, and trust.

Earlier this summer, Switzerland was already at the center of global digital policy conversations. From July 8-10, Geneva hosted the AI for Good Global Summit, the United Nations’ flagship platform for leveraging artificial intelligence (AI) to address global challenges, organized by the International Telecommunications Union. The summit convened a diverse group of policymakers, researchers, industry leaders, and civil society to promote the development of AI standards, foster innovation, and maintaining robust safeguards for equity and inclusion.

While thousands gathered in Geneva, the Atlantic Council’s GeoTech Center hosted a more focused convening in Lausanne called “Bridging AI & digital policy: Global perspectives for a trustworthy future.” Held on July 10 at the Swiss security-printing company SICPA’s unlimitrust campus, the event brought together experts from government, industry, and academia for a half-day of dynamic discussions on AI and digital trust.

Shaping AI and digital trust

As technologies such as AI and digital identity systems shape the future of governance, security, and social services, ensuring their trustworthy development and equitable deployment is critical, particularly as nations weigh major policy decisions such as Switzerland’s upcoming e-ID vote. While much technological innovation is led by the Global North, the global majority, the world’s largest and most diverse population, holds the key to unlocking inclusive, ethical, and impactful digital solutions. This half-day event explored regulatory frameworks, innovations, and challenges for these technologies across both developed and emerging economies.

Philippe Amon, chairman and chief executive officer of SICPA and member of the Atlantic Council’s International Advisory Board, opened the event by highlighting the importance of AI today, stating that “AI is like oxygen.” His words set the tone for an afternoon of engaging and impactful dialogue on how AI and digital policy are reshaping trust, innovation, and global cooperation.

The first panel, “Swiss partnerships on AI: Innovating for a trusted future” was moderated by Graham Brookie, vice president of technology and strategy programs at the Atlantic Council. The panel examined how Switzerland is advancing digital trust and secure AI development. The panelists emphasized the importance of regional and global partnerships to advance the trusted, secure development and deployment of AI. They explored practical steps and the need for robust regulatory standards, sharing examples of Swiss initiatives and international partnerships that are driving innovation while remaining secure and trustworthy. One example included panelist Leila Delarive’s software development company, hoopit.ai, which was co-founded by Swiss and American partners with a shared focus on making knowledge more trusted, more secure, and more human. Speakers agreed that innovation must be tied to real-world outcomes, with one panelist, Jean-Christophe Makuch, head of digital research and innovation at SICPA, noting, “The question is not what are you doing, it’s what problem are you solving?”

In my capacity as an assistant director at the Atlantic Council’s GeoTech Center, I moderated the second panel, “Global digital ID landscape.” This panel examined current trends, barriers to adoption, and opportunities for a more inclusive and interoperable digital ID ecosystem, drawing from the GeoTech Center’s July report, “Exploring the global digital ID landscape.” Panelists discussed issues including public trust and interoperability challenges to gaps in digital access across emerging economies. The conversation also highlighted Switzerland’s upcoming referendum on the national e-ID, underscoring how the vote could establish a model for trust, privacy, and usability in digital identity systems. A major theme of the dialogue centered around usability of digital ID systems. Anantha Ayer, CEO of SwissSign said, “Why do we need a digital identity? I think if we answer that question and people see that, the adoption rate will go up.”

The final panel, “AI in the Global South,” was moderated by acting senior director and senior fellow at the Atlantic Council’s GeoTech Center, Raul Brens Jr.. The panelists discussed regional advancements, challenges, and opportunities for AI-driven development in emerging economies. Panelists highlighted the use of AI as a tool to enhance efficiency and emphasized the need for government and public-private collaboration. The panelists underscored that implementing AI in emerging economies will require capacity-building, robust data governance, and inclusive digital access. Kira Intrator, a principal at Civic Strategy Group, underscored the need for increased investment in AI development across the Global South, asking: “With the potential of AI, how can funders and donors think really creatively and really commit to making a difference?”

Reflections ahead of Switzerland’s e-ID vote

As the September 28 referendum approaches, the insights shared in Lausanne are increasingly important to consider. The conversations emphasized how both artificial intelligence and digital identity systems are increasingly shaping the future of how governments approach inclusion, equity, security, and interoperability in the digital age. From lessons learned in the Global South to evolving frameworks across Europe, it’s clear that collaboration between governments, industry, and civil society will be crucial to advancing these technologies effectively. Public trust is also at the forefront of shaping inclusive policies, and it will be essential to enhance transparency across the development and implementation processes. The future of AI and digital identity systems will be defined not just by how these technologies are used, but how securely and inclusively they are deployed.

Coley Felt is an assistant director at the Atlantic Council’s GeoTech Center.

Report Jul 10, 2025

Exploring the global digital ID landscape

By Coley Felt, Will LaRivee

The worldwide adoption of digital identity systems varies significantly across regions and implementation approaches.

Africa Digital Policy

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

GeoTech Cues Jun 6, 2025

G7 leaders have the opportunity to strengthen digital resilience. Here’s how they can seize it.

By Sara Ann Brackett, Coley Felt, Raul Brens Jr.

At the upcoming Group of Seven Leaders’ Summit in Canada, member state leaders should advance a coherent, shared framework for digital resilience policy.

Artificial Intelligence Cybersecurity

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post Global perspectives on AI and digital trust ahead of the Swiss e-ID referendum appeared first on Atlantic Council.

• Introduction
• Part 1: Identity in the United States
• Part 2: Existing digital IDs in Japan and the EU
• Part 3: Policy recommendations for the United States

Introduction

The proliferation of public and private services online has necessitated the creation of verifiable and usable digital IDs globally. These electronic, reusable, and portable representations of identity can not only improve convenience for those accessing services but also reduce cost, waste, and fraud, especially when applied in the provision of benefits by federal and state authorities. Importantly, if designed with intention, they can improve access and enhance the inclusion of those with limited or no access to traditional and analog identities. Digital IDs also can be imbued with technological capabilities that both reduce the burdens on government providers and citizens and the privacy harms, especially to personal data, and enhance the security of our data ecosystem.

Digital identity is often fraught with controversy however due to implications for the privacy of individuals, both in the United States and elsewhere. It can spur new risks of state surveillance and cyberattacks, and lead to the exclusion of social groups. These harms are indeed serious and require clear governance standards for the responsible deployment of digital identity, strong provisions to protect consumer rights, and mechanisms to redress violations.

To that end, our paper is divided into three sections. In part 1, we begin with the stakeholders responsible for identity use and credentialing in the United States, followed by an overview of the landscape of benefits provision and its pain points, leading to an overarching assessment of the United States and its use of digital ID in benefits provision currently. In part 2, we look at Japan and the European Union (EU), which are slightly ahead in both their deployment of digital identities and governance frameworks that aim to ultimately impact global standards for digital identity. Given the lessons for the rollout of digital identity in Japan, the EU, and our initial US assessment, in part 3, we provide four key policy recommendations for the responsible development of digital identities for benefits provision in the United States.

Part 1: Identity in the United States

Citizens in the United States usually have multiple identity documents, issued by both state and federal authorities for various purposes such as access to public services, tax identification, and travel. In 2005, Congress passed the REAL ID Act, requiring state-issued identity cards like driver’s licenses to adhere to a similar format and convey the same information.¹ Under this act, the Department of Homeland Security (DHS) was given federal authority to implement and enforce REAL IDs. In recent years, the DHS Transportation Security Administration (TSA), in partnership with states, has also introduced mobile driver’s licenses, which are verifiable at limited airports throughout the country.² Other forms of verifiable credentials, such as ID.me, can link multiple federal and state agencies, such as the Internal Revenue Service (IRS) and the Social Security Administration (SSA), with private companies (such as those that provide health insurance) through one form of identity. In parallel, Login.gov is an another secure single sign on service developed by the General Services Administration (GSA) that allow users to access multiple government services using a single account.

Further analysis of seventy-two unique programs and services delivered by thirty-five High Impact Service Providers (HISPs) show a multitude of additional login options that are being used. Most notably, thirty programs and services require an applicant to call or email the agency as the only option available to access benefits. These findings highlight how there are still outstanding challenges to adopting digital identity and the increased citizen burden associated with navigating a fragmented landscape of technology options.

US benefits provision and improper payments

Benefits to individuals are the largest federal expenditure for the US government. By category, they amounted to the following in 2024: Social Security ($1,454 billion), Medicare ($1,031 billion), Medicaid/Children’s Health Insurance Program/Other Medical Care ($810 billion), Veterans benefits ($319 billion); and other benefits ($634 billion) (for Temporary Assistance for Needy Families, or TANF; Supplementary Security Income, or SSI; housing assistance; child tax credit, etc.)³ The SSA administers Social Security and SSI as well as Medicare enrollment.⁴ The Centers for Medicare and Medicaid Services (under the Department of Health and Human Services) oversees Medicare and Medicaid reimbursements. HHS also distributes TANF block grants.⁵ The US Department of Agriculture (USDA) funds the Supplemental Nutrition Assistance Plan (SNAP) and free/reduced lunch; the Department of Housing and Urban Development (HUD) provides funding for housing assistance; and the Department of Labor is responsible for unemployment insurance (UI), workforce development programs, and employment-related benefits.

In 2022, one in three Americans were enrolled in at least one public assistance program. Social Security and Medicare each cover 20 percent of Americans, and Medicare is the largest benefits program by enrollment,⁶ followed by SNAP (11.7 percent), and free and reduced lunch (8.8 percent).⁷ Beneficiaries of Medicare, Social Security, and the Department of Veterans Affairs benefits program interface directly with the federal government in benefits disbursal and access, but other forms of public benefits are mostly administered at the state level. All agencies are required to utilize direct deposits to transmit federal funds. However, there is some limited use of checks across benefits disbursal. Payment Processing Centers calculate benefits and process payments, but actual disbursal is conducted by Treasury payment systems.⁸

In July 2024, the Office of the Inspector General of the Social Security Administration released a report citing $71.8 billion in improper payments between Fiscal Year 2015 and FY 2022. This figure is less than 1 percent of all the benefits payments made by the SSA.⁹ More broadly, a study by the Government Accountability Office (GAO) estimated losses of $162 billion in improper payments across sixty-eight programs in 2024.¹⁰ This has come down from pandemic-period highs of $281 billion.¹¹ Of the $162 billion in 2024, $85 billion were improper payments in Medicare and Medicaid.¹² While this reflects self-reported improper payments, the GAO also estimates that the government loses between $233 billion to $521 billion annually to fraud and improper payments.¹³ While recommendations from the GAO have primarily included enhancing existing reporting, data sharing, and analytics to prevent fraud and improper payments, we explore the status of digital identities in benefits provision in the United States below; later in the paper, we explore  lessons learned in other jurisdictions.

Using digital IDs for benefits in the United States

Login.gov (under the General Services Administration’s purview) is a government provided ID-verification service that allows approval of credentials across websites from various partner federal agencies. As of September  2024 (i.e., the end of FY 2024), Login.gov reported seventy-two million active users and 3.3 million identity-verified accounts at the Identity Assurance Level (two of three), or IAL2-level.¹⁴ Login.gov is used by over fifty agencies, most notably the VA and SSA. Enabling verification methods on a Login.gov account requires state-issued ID, a Social Security number (SSN), and a phone number. ID.me is a market-provided ID-verification service that is also used across various federal agencies in a similar capacity. In April 2025, ID.me had 145 million users, including seventy million IAL2‑verified individuals.¹⁵NIST provides the IAL as a guiding framework of digital identities in the United States. Both Login.gov and ID.me are considered to meet criteria for IAL2. The SSA accepts both Login.gov and ID.me as credentials for creating mySocial Security account. Through mySocial Security account, individuals can apply for benefits and manage their payments. While funded federally, Medicaid, TANF, SNAP, and housing assistance (among others) are administered at the state level and thus verification processes can differ substantially. ID.me’s single sign-on (SSO) service is used by Arizona as means of accessing a beneficiary’s AHCCCS (Arizona’s Medicaid provider) account. Similarly, various states allow the use of the ID.me-provided SSO to access unemployment insurance. This was a result of a boom in applicants during the COVID-19 pandemic. Use of the SSO service outside of housing benefits is very limited at the state level. Several states, such as Illinois, Colorado, and California, have centralized benefits under a common web portal.

Login.gov was widely implemented as a response to a 2017 federal mandate requiring agencies to implement an SSO platform for accessing an agency’s websites.¹⁶ While it has been widely adopted by federal agencies, there have been complaints and concerns about the service. While the IRS allows taxpayers to use ID.me to access services, it has not implemented Login.gov for services, citing Login.gov failure in meeting the IAL2 standard.¹⁷ The IRS uses the service at the IAL1 level, but recent data breaches continue to raise questions about the service’s security and reliability.

In a GAO investigation, nine of twenty-one participating agencies cited issues with Login.gov’s lack of fraud controls and visibility into authentications.¹⁸ Another twelve reported concerns over IAL2 noncompliance. The current director of GSA’s Technology Transformation Services has previously thrown his support behind Login.gov and hopes to “accelerate Login’s roadmap.”¹⁹

The above sections on the benefits provision, related fraud, waste, and abuse and the rollout of digitization lead to the following overarching assessment of the US model:

• The federal government is an important player in the identity issuance, credentialing, verification, and data-management system. However, it does so in partnership with private players, and both sectors face similar vulnerabilities and risks, especially related to personal data transfer, storage, and use.
• The identity landscape in the United States is highly fragmented across individual holders, issuers, and those that accept verifiable credentials. Multiple standards, both technological and regulatory, exist across states, agencies, and private issuers and verifiers of identities.
• A related lack of interoperability and the failure to recognize that individuals often interact with different layers of the identity ecosystem lead them to be the least able to bear and use their own identity.
• The costs of transition from analog to digital forms of identity are large but surmountable. They often do not include the frictions and delays associated with adoption by identity users and providers.
• Improper payments are the biggest challenge for benefits service providers in the United States. Therefore, ID improvements in the provision of benefits need to be designed with the purpose of reducing improper payments and substantively impacting waste, fraud, and abuse.
• The refinement of technology, including blockchain and privacy-enhancing technology (PET), presents new opportunities to create IDs that can be used across various functions and be linked to multiple verifiers. On the other hand, use of technology can also heighten the risk environment for identity holders and issuers and should be an important consideration when developing digital IDs.

The next section of this paper puts these assessments in context with the developments in the EU and Japan on digital identity.

Part 2: Existing digital IDs in Japan and the EU

Japan launched its digital identity platform, the My Number Card (MINC), in 2016. The MINC features an integrated circuit chip that stores personal information and simplifies interactions with government and financial institutions, supporting services like social insurance applications, tax filings, job assistance, and bank-account setup. Since its launch, around a hundred million cards have been issued. The Digital Agency, established in 2021, also oversees the implementation and regulation of digital transformation initiatives, including digital ID systems.²⁰ The cards themselves are issued by the Japan Agency for Local Authority Information Systems (which is jointly organized at the municipal and prefecture level).²¹

The European Digital Identity (EUDI) Wallet is a digital ID solution designed to enable EU citizens, residents, and businesses to securely identify themselves and verify personal information both online and offline. It builds on the foundation of the eIDAS (Electronic Identification, Authentication, and Trust Services) regulation.²² Developed by the European Commission, its main functions are cross-border recognition and harmonization. The European Commission is investing in four large-scale pilot projects to test and develop the wallet’s functionality.²³ These pilots involve approximately 360 entities, including private companies and public authorities from twenty-six member states and Norway, Iceland, and Ukraine.²⁴

Digital ID governance and implementation framework

Digital ID creation in both the EU and Japan follows a layer-based framework that consists of a highly centralized governance and implementation effort led by the federal authorities within the respective jurisdictions. The first layer is ID issuance by a government agency. The second layer is ID creation, governance, and implementation and comprises trust and verification intermediaries, such as providers of the personal ID, qualified electronic attestation of attributes, electronic seals, and other authentic sources. The third layer is entirely implementation based, consisting of “relying” on ID-accepting institutions, which are the private and public institutions that enable ID use. The fourth layer is made up of software and hardware. The final layer is made up of participants: In both cases below, these are individuals or small and medium enterprises holding digital IDs.

Outside this layer-based framework are the European Commission or Japan’s Digital Agency, respectively, along with supervisory and regulatory authorities, and various schemes for the governance of the trust layer.

Standards creation and gaps

EU’s eID framework is part of a larger packet of regulatory standard-setting action on data sovereignty and privacy. Japan is similarly aligned with its G7 presidency action plan for the free flow of data with trust and wider push for digitalization of services. Regulatory actions have emphasized privacy protection, data management and flow decisions, and ID harmonization/mobility/interoperability. Generally, across both jurisdictions, there is an emphasis on governance and assessment frameworks over technical standards on verification, privacy, and cybersecurity.

Additionally, the EU and Japan have established an MoU with each other for collaboration in exploring use cases and mutual recognition.²⁵

Identity theft-based benefits

Across the EU, identity-theft-specific benefits fraud statistics are limited, but individual member states have published figures that provide useful context. In Finland, the Social Insurance Institution (Kela) reported 1,104 suspected benefit fraud cases in 2024 totaling €7.15 million—about 0.43% of all benefits paid, down from 0.45% in 2023 and 0.79% in 2020.²⁶ While these figures cover all detected benefit fraud rather than identity-theft cases alone, Kela attributes part of the reduction to stronger digital verification, such as the national Incomes Register, which enables real-time income checks. Estonia, often cited as Europe’s digital identity pioneer, maintains low fraud rates through integrated verification across multiple government services. Although EU-wide identity-theft-specific data is not available, evidence from countries further along in the digital identity pathway, like Finland and Estonia, suggests that robust, integrated systems can help drive overall fraud down. The upcoming European Digital Identity (EUDI) wallet, set for implementation by 2026, could further standardize and strengthen verification measures across member states.

In Japan, fraudulent public assistance cases—including all forms from undeclared income to misrepresentation—account for less than 0.5% of total payouts.²⁷ No public data isolates identity-theft-driven cases, and Japan’s reporting on fraud statistics is generally limited. While the My Number digital identity system is fully deployed, there is no evidence to confirm a measurable decline in identity-theft-specific benefits fraud.²⁸ Digital identity systems can contribute to benefits fraud reduction, but effectiveness depends heavily on implementation quality, system integration, and supportive legal frameworks.

Use and expansion

The EU is still in the pilot phase. Meanwhile, 75 percent of the Japanese population (93.08 million citizens as of September 2024), has a My Number ID card.²⁹ This uptake is in line with the growth of other digital services provided by the Japan Agency and with growth in favorable attitudes toward digitalization in Japan. This agency conducts annual assessments and evaluations of the system, and communicates expansion plans along with new use cases (e.g., entertainment, most recently) and community management.

Policy goals

Both jurisdictions are attempting two tiers of policy goals. On the ID user and holder level, the policy goals are associated with reducing administrative burden and time, enabling efficiency and reducing cost. The second tier of goals has to do with national digitalization priorities, built on actions to realize economic benefits from better use and management of private data and public services. In addition to this, the EU has a goal of ID harmonization and portability across its member states, in line with its long-term policy goal of integration.  

Putting these learnings from the EU and Japan in context with the overarching assessments in Part 1 of the paper, the next section provides policy oriented recommendations for the development of digital IDs for benefits provision in the United States.

Part 3: Policy recommendations for the United States

Given the lessons from the rollout of digital identity in the EU and Japan (Part 2), and with the context of the current use of digital identities in benefits provision in the United States (Part 1), we conclude this paper with appropriate policy recommendations to responsibly prompt the next generation of digital IDs in the United States. These recommendations, calibrated with appropriate regulations to protect the personal data of US citizens and residents, can effectively resolve existing friction in the use of digital identities in the United States, and enable the creation of an innovative ecosystem of financial products, ultimately positively impacting the financial health of the public sector, corporations, and individuals.

Policy goal 1: Incentivize private sector in the identity governance and implementation framework by creating a technology sandbox

There is an important aspect of incentivization in digital identity that drives its uptake among users and holders and broader deployment across a range of functions. Jurisdictions like the EU, Japan, and emerging markets like India, have each given a central role in this to the public sector, making access to public services the main incentive to drive ID use. The US private-sector-driven innovation model and strong foundations of individual privacy offer an alternative governance model, which can now be provided through the maturation of privacy-enhancing technologies. A governance framework should build on strong foundations for privacy, data management, as well as reciprocity and portability in digital ID for holders. Importantly, we recommend the creation of a public-private sandbox that can incentivize private-sector participants to test out new technologies and create models that address existing gaps and new risks in the cyber domain. The purpose of this sandbox should be to inform future technological and governance standards needs, reduce pain points of improper payments, and maximize digital ID deployment in the United States.

Policy goal 2: Create innovative, federated technological models that combine benefits delivery and digital identity

What is clear in our assessment of the EU and Japan is their global standards-setting ambition, largely seen in governance frameworks. Moreover, through regulatory actions they have been able to mandate interoperability requirements and have embraced verifiable credentials based digital identity technologies to address coordination challenges. To help further the state of the art, the United States has an opportunity to develop models for a federated technology stack for benefits delivery that integrates digital identity and novel payment solutions for use by the government and the private sector alike . This requires investment in research and development, especially incorporating new technologies for decentralization in pilot projects. Emerging regulatory clarity in digital assets can also inform these pilot projects and explore the feasibility of using self-hosted wallets and payment stablecoins.

Policy goal 3: Minimize ID based threat vectors in benefits disbursement

Part 1 of this paper puts into perspective the role of improper payments in benefits disbursal in the US, as well as the highly fragmented verification process used by US agencies and their private sector partners. This enables scaling of phishing attacks and other scams, with innovation by fraudsters outpacing security in our public infrastructure and private sector services. Quantifying the problem is difficult due to a lack of transparency about fraud attack data, which undermines public trust in both government and private sector services. Put in context with the lessons from the EU area digital ID roll-outs, we see a clear need for robust and integrated system of verifications, used across agencies, for a variety of end purposes. These should be aimed at reducing the duplication of efforts, beginning at the verification stage, as well as the costs associated with detection. Furthermore, law enforcement agencies and public benefit service providers should engage periodically to assess the continuously evolving threat landscape and create information sharing strategies that can help provide early indicators to inform mitigation options.

Ananya Kumar is the deputy director, Future of Money, at the GeoEconomics Center.

The author would like to thank Sanith Wijesinghe and Alisha Chhangani for their research and support on this paper. 

This work was supported by the MITRE Independent Research & Development Program

Issue Brief Nov 2, 2023

Asking the right questions: Can digital currency enable financial inclusion?

By Ananya Kumar

Cryptocurrencies and CBDCs have the potential to enhance financial inclusion. However, the lack of quantitative data makes it challenging to evaluate their impact. To assess their financial inclusion capacity, this paper builds a rubric for policymakers which includes layers of consideration.

Digital Currencies Economy & Business

Report Jul 10, 2025

Exploring the global digital ID landscape

By Coley Felt, Will LaRivee

The worldwide adoption of digital identity systems varies significantly across regions and implementation approaches.

Africa Digital Policy

Issue Brief Oct 21, 2024

How digital public infrastructure can support financial inclusion

By Katherine Hadda and Anit Mukherjee

As digital transformation accelerates, Digital Public Infrastructure (DPI) is at the forefront of the global push for financial inclusion. This paper examines how DPI frameworks, particularly those pioneered in India, are bringing financial services to previously underserved populations.

Digital Policy Financial Regulation

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Trustworthy digital identities can set the standards for secure benefits provision in the US appeared first on Atlantic Council.

Nearly two years ago, the India–Middle East–Europe Economic Corridor (IMEC) emerged as a potential alternative to the existing volatile sea routes. When it was announced, IMEC offered partner countries, including the United States, the promise of a more secure and reliable trade route across the Arabian Peninsula. But the route itself is not IMEC’s only selling point. Additionally, participating countries stand to benefit from more streamlined, efficient, and transparent trade processes—deepening economic engagement and connectivity across regions.

The plans for IMEC envision it running from India and the United Arab Emirates (UAE) through Saudi Arabia, Jordan, and Israel, eventually reaching Europe. While political tensions have delayed progress on the Jordan-Israel segment of the transportation corridor, other components of the corridor continue to move forward, especially when it comes to economic cooperation between India and the Gulf states. This includes various port upgrade initiatives in India and the announcement of the India–UAE Virtual Trade Corridor (VTC) in September 2024.

With bilateral trade between India and the UAE reaching $100 billion in 2024–25 following the signing of the Comprehensive Economic Partnership Agreement (CEPA) in 2022, the VTC represents a timely and strategic boost to this growing economic partnership. This VTC is based on the Master Application for International Trade and Regulatory Interface, known as MAITRI. This platform seeks to integrate multiple digital systems and enable the seamless exchange of documents and trade-related information among regulatory stakeholders through a unified interface.

The India–UAE VTC, through the MAITRI platform, should be a starting point for building a seamless regional digital trade ecosystem across the IMEC countries. By enabling real-time data exchange, aligning customs procedures, and reducing paperwork, MAITRI and similar digital platforms can enhance trade efficiency along the corridor. Expanding this model across IMEC partner countries would help lay the foundation for a digitally integrated trade network that complements the physical trade corridor.

Linking MAITRI to IMEC

In the current global trading ecosystem, digital connectivity infrastructure has become as critical as physical connectivity infrastructure. There are many important aspects to track in cross-border trade, including duty assessments and payments managed by customs authorities, regulatory certificates, testing reports, and real-time cargo tracking and notifications by shipping lines. The India–UAE VTC through the MAITRI platform helps address these needs bilaterally. Extending MAITRI across IMEC could unlock far greater efficiencies by integrating partner countries into a unified digital trade interface.

A similar approach has worked farther east. The Association of Southeast Asian Nations (ASEAN) Single Window, ASW for short, stands as the benchmark for the digitalization of cross-border paperless trade within a regional bloc. Since its full operational launch in 2018, the ASW has made significant progress, with over 800,000 ATIGA e-Form D exchanges occurring in 2020 alone, demonstrating the scalability of digital trade solutions. The ATIGA e-Form D is an electronic document used in ASEAN trade, allowing for the exchange of data among member states. According to recent research, comprehensive digital trade facilitation measures can reduce costs by over 8 percent within ASEAN. This substantial benefit highlights why expanding the MAITRI VTC along the IMEC corridor should be a strategic priority.

The road ahead   

The operationalization of the India–UAE VTC has been smooth, largely due to the CEPA between the two countries. CEPA has eliminated duties on most traded product categories and streamlined regulatory compliance and documentation requirements, enabling a more efficient implementation of the digital corridor. But extending the VTC to the broader IMEC region presents several challenges.

The system will need to accommodate the diverse combinations of bilateral and regional trade agreements of which the IMEC countries are a part. Saudi Arabia and the UAE, for example, are members of the Gulf Cooperation Council, which means they have standardized economic policies and customs regulations while other IMEC countries may not follow the same trade protocols. Additionally, the multimodal nature of the IMEC corridor—encompassing rail, road, and maritime transportation—adds further complexity. Each participating country follows distinct customs procedures, regulatory processes, and documentation requirements, contributing to a fragmented and less harmonized regional trade ecosystem.

To enable the extension of a MAITRI-based VTC across multiple IMEC countries, policymakers should take the following five steps.

1. Establish a Joint Working Group on Digital Integration. IMEC partners should establish such a group to focus on extending MAITRI to the remaining IMEC countries. This group could be co-chaired by India’s Ministry of Ports, Shipping, and Waterways and the UAE’s Ministry of Economy, with relevant ministries from other IMEC countries as core members. The working group would be responsible for developing a roadmap for the phased implementation of the MAITRI platform across the corridor. Key stakeholders from the private and public sectors could contribute valuable technical expertise to this initiative.
2. Launch a comprehensive trade process mapping. The key elements of this exercise should include identifying stakeholders involved in trade processes within each country; outlining benefits and concessions available under bilateral and regional trade agreements; cataloging existing digital systems used by stakeholders (such as Port Community Systems or customs platforms); and understanding differences in trade process nomenclatures and terminologies. Ultimately, achieving a harmonized trade ecosystem across IMEC countries will be critical for the successful implementation of a unified digital trade platform like MAITRI. The secretariat of the IMEC envoy in each country, whenever designated, could lead this initiative to better coordinate among domestic as well as cross-country stakeholders.
3. Create a technology interoperability plan. This should include the use of common Application Programming Interfaces, harmonized data fields for cargo information, and standardized data formats aligned with international trade standards. The partners’ respective ministries of information technology, together with customs authorities, could lead this initiative, in coordination with the ministries of ports and railways in each IMEC country.
4. Operationalize mutual recognition agreements (MRAs). This would ensure the cross-border validity of critical documents, such as testing certificates, rules of origin, and health certificates. India and the UAE have already operationalized bilateral MRAs for digital certificates under the CEPA framework, setting a precedent for broader regional adoption. Customs authorities and the ministries of commerce in each country should serve as the coordinating agencies for MRA implementation.
5. Hold technical and capacity-building workshops. India and the UAE should jointly organize these workshops to familiarize IMEC partner countries with the technical and regulatory frameworks of the VTC and the MAITRI platform. These efforts will support the training of key stakeholders—including customs authorities, regulatory and testing agencies, port operators, and industry associations—across the IMEC region, laying the groundwork for effective implementation of the VTC.

As global trade corridors evolve to redefine cargo movement routes, robust digital infrastructure will be instrumental to ensuring connectivity. It will play an important role in consolidating new trade routes and encouraging the global trade community to adopt emerging corridors, such as IMEC. A digitally integrated IMEC will enable seamless cargo movement with faster clearances, strengthening economic partnerships among participating nations—particularly US partners such as Israel, the Gulf states, Europe, and India.

Given the deep economic linkages between the United States and IMEC countries, this integration will advance US trade and strategic interests by creating transparent and predictable supply chains, reducing shipping delays, and lowering shipping costs and time for US exporters and importers in Asia and the Middle East. Moreover, strengthened economic ties among partners in volatile regions could reduce the risks of disruption to US manufacturing supply chains. That relies on the digital world just as much as the physical.

Afaq Hussain is a nonresident senior fellow at the N7 Initiative within the Atlantic Council’s Middle East Programs. He is also co-founder and director of the Bureau of Research on Industry and Economic Fundamentals (BRIEF), New Delhi.

The post IMEC must be more than a trade route. Digital integration should be a priority. appeared first on Atlantic Council.

The post CBDC Tracker cited by VISA on the status of CBDC development across the world appeared first on Atlantic Council.

The Chip Security Act (CSA), a bipartisan bill introduced in May as H.R.3447 in the House of Representatives and S.1705 in the Senate, seeks to do just that. The CSA would provide a low-burden, high-impact policy solution to a problem that current enforcement tools have failed to solve: the illicit transshipment and diversion of AI chips to adversarial nations. In doing so, the CSA would also support the objectives of the White House’s AI Action Plan and the broader commercial goals of growing US full-stack AI market share overseas while simultaneously securing the semiconductor supply chain.

A growing and persistent threat

AI chips are the cornerstone of economic and military power in the twenty-first century. From autonomous weapons and cyber defense platforms to next-generation surveillance systems, these chips power the technological edge of modern warfare. China is actively working to erode this advantage by circumventing US export controls through elaborate smuggling networks. In 2024 alone, an estimated 140,000 high-performance GPUs—billions of dollars’ worth—were smuggled into China. And the problem is only getting worse—in May, 50 percent of the GPUs shipped to Malaysia were ultimately transshipped to China.

Current enforcement tools have clearly proven inadequate, largely due to the antiquated nature of the export control enforcement regime. The US Department of Commerce’s Bureau of Industry and Security (BIS), the federal agency responsible for enforcing chip export controls, remains under-resourced and lacks the cutting-edge tools required to counter China’s transshipment and illicit evasion networks. The BIS’s limited in-region capacity—there is only a single export-control officer assigned to cover all of Southeast Asia—stands in stark contrast to the billion-dollar smuggling operations it seeks to monitor and disrupt.

Why the Chip Security Act is different

The CSA doesn’t attempt to surge BIS personnel to Southeast Asia or rebuild the export control system from the ground up. Instead, it would introduce a surgical fix: location verification for chips exported abroad. If a chip shows up outside its authorized destination, the exporter would be required to notify the BIS. This automation would enable global, scalable export control enforcement—helping to augment and partially replace archaic Cold War-era end-use inspection systems that have historically inspected less than 1 percent of goods for end-use violations.

It is important to recognize that location data alone cannot fully determine end use. This is especially the case for dual-use goods such as advanced chips, where the true strategic risk lies in the computational and analytical capabilities they enable. Therefore, location information must also be paired with complementary intelligence and continuous monitoring. Other critical factors to determine the potential for harmful end use include corporate ownership, the composition of senior leadership, operational behavior, known diversion patterns, and the strength of cloud access controls at the data centers in question. These additional factors are especially vital to ensure that chips approved for export to third countries such as Malaysia do not ultimately end up in data centers owned by adversarial entities operating within those jurisdictions.

Crucially, though, the CSA is not overly prescriptive on how to achieve these objectives. For example, the CSA avoids mandating a specific location verification technology. Instead, it allows for industry-led implementation using already available methods, such as firmware-based geolocation checks or Delay-Based Location Verification systems. These tools offer privacy-preserving and nonintrusive methods to confirm a chip’s location without monitoring user activity or enabling surveillance. It’s an approach that balances security with commercial viability—and it’s deployable today.

Learning from past failures

The CSA builds on the hard lessons of previous legislative and regulatory efforts. Export controls under the Export Control Reform Act and the CHIPS and Science Act have failed to address transshipment and empower the BIS with the resources and technology needed to enforce its global mission. Moreover, past proposals to hardwire chips with geofencing capabilities or mandate “kill switches” faced strong industry resistance due to concerns over cost, reliability, and the potential effect on international sales. These ideas either stalled or were watered down beyond usefulness. In contrast, the CSA reflects feedback from both national security experts and chipmakers, emphasizing modularity, cost-effectiveness, and scalability.

Expanding US and Western AI dominance through trusted trade

The misuse of advanced chips is not just a US concern—it poses a global threat. When semiconductors are diverted to unauthorized end users, they can fuel authoritarian control, destabilize markets, and erode allied innovation ecosystems. Recognizing this, key US allies such as Japan and the Netherlands have taken steps to restrict high-end semiconductor and equipment exports to China. Yet enforcement across jurisdictions remains porous due to a lack of verifiable, end-to-end visibility. The CSA methodology can address this gap in the allied export control system by enabling continuous, software-based location verification and lifecycle tracking—empowering companies to demonstrate responsible export behavior without sacrificing speed, scale, or profitability.

The CSA provides an alternative to the false binary often facing policymakers: either impose broad restrictions that hinder legitimate commerce or tolerate unchecked smuggling that threatens national security. Instead, the CSA would deliver precision enforcement, targeting violators without penalizing compliant firms. By embedding continuous supply chain visibility into the post-export phase, it would equip both industry and regulators to detect and address illicit diversions before they escalate. This would strengthen US leadership in AI and semiconductor innovation while giving allies a replicable model.

The CSA’s technology-neutral compliance framework opens the door to future coordination under multilateral tech alliances—ensuring chips produced across democratic nations are not funneled into hostile hands. The United States and its allies could help realize this vision by offering technical assistance to help partners and transshipment-prone countries establish robust export control and supply chain surveillance systems. Such capacity-building would close enforcement gaps and ensure harmonization across allied secure trade frameworks. These measures would help lay the groundwork for a coalition of democracies to secure critical technologies and expand Western AI dominance without stifling innovation.

A better path forward

The CSA has steadily gained bipartisan traction, signaling rare alignment in Congress on a forward-looking export control strategy. But like most major policy shifts, it still faces predictable obstacles on the path to implementation. For the CSA to be effectively implemented, Congress and the executive branch should ensure that the BIS has the additional resources, staff, and technologies needed to monitor and implement the trusted trade program. Once location verification systems are deployed, for example, the BIS will be required to continuously monitor the millions of data points the system collects from chips around the world each day. Dedicated staff will be needed to respond to suspicious activities and engage with industry and foreign governments when questions arise.

In addition to the CSA, US supply chain security could be further strengthened if the executive branch requires the BIS to monitor which foreign companies access the cloud and compute capabilities associated with geotagged chips through screening and end-use checks. This policy would buttress the CSA and enable the BIS to finally field a cost-effective, scalable export control enforcement regime for AI that is not cumbersome for industry.

On the business side, industry groups remain wary of potential regulatory overreach in the law’s implementation phase. A public-private partnership with a trusted third party (meaning BIS, a semiconductor company, and a third party that would serve as a “monitor”) could help resolve conflicts and build mutual trust between industry and the government. Public pressure is growing on US companies to cut ties with China, and this type of trusted trade monitorship under the auspices of a public-private program would be a welcome step toward an economic policy and national security consensus.

A call to action

The global contest for AI leadership is not just a race for innovation—it’s a race for control over the infrastructure that will shape economies, militaries, and governance systems worldwide. If passed and implemented effectively, the CSA would strengthen the United States’ position in that contest by enabling US companies to scale exports of advanced chips without losing visibility or control over where those chips end up. Rather than ceding ground to Chinese firms through uncontrolled diversion and black-market transshipment, the CSA would equip US industry to lead. Passing this bill would send a clear signal that the United States is committed to winning the global AI competition not just by building the most advanced technology—but also by ensuring that technology is deployed on terms that reflect US interests and values.

Kit Conklin is a nonresident senior fellow at the Atlantic Council’s GeoTech Center and the senior vice president for risk and compliance at Exiger.

The views expressed are solely those of the author and do not necessarily reflect the views of the Atlantic Council or Exiger.

GeoTech Cues Jul 21, 2025

Navigating the new reality of international AI policy

By Evi Fuelle, Courtney Lang

To reach their goals of national AI adoption, governments must continue to advance the global policy discussion on trust, safety, and evaluations.

Artificial Intelligence Digital Policy

Issue Brief Apr 3, 2025

Sovereign remedies: Between AI autonomy and control

By Trisha Ray

Sovereign AI has gained a foothold in several capitals around the world.

Artificial Intelligence International Norms

New Atlanticist Nov 15, 2024

AI safety concerns transcend borders. To meet the challenge, US efforts need to go global.

By Will LaRivee

Will the United States work with partner nations to take the necessary steps at the upcoming International Network of AI Safety Institutes meeting in San Francisco?

Artificial Intelligence Internet

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post How the Chip Security Act could usher in an era of ‘trusted trade’ with US partners appeared first on Atlantic Council.

Ukrainians have a long record of rising up against non-democratic moves in times of need. This latest example mirrored much larger and equally successful protest movements in recent decades such as the 2004 Orange Revolution and the 2014 Revolution of Dignity. The Ukrainian public are well aware that their hard-won democratic freedoms cannot be taken for granted.

The Ukrainian authorities would be wise to treat the recent protests as a serious indication of mounting public dissatisfaction with the current government. While Ukrainians have rallied behind Zelenskyy as the country’s wartime leader, this should not be confused with blanket approval for all his policies. Indeed, more protests cannot be ruled out. Next time, public anger might not be as easily appeased.

In any healthy democracy, elections are always the best pressure valve for public discontent. However, due to wartime security concerns, logistical obstacles, and martial law restrictions, elections are not currently possible in Ukraine. In 2024, the country postponed scheduled presidential and parliamentary ballots. More recently, Ukraine’s Central Election Commission confirmed that local elections would not go ahead later this year.

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

The reasons for the lack of elections are clear and mandated by Ukraine’s Constitution. In fact, a consensus has crystallized that any public calls for wartime elections in Ukraine could help legitimize Russian efforts to portray the country as a dictatorship. However, there is no escaping the fact that the absence of elections hurts Ukraine’s credibility as an emerging democracy. This risks undermining international support for Ukraine and could potentially lead to a reduction in military aid.

While it has often been pointed out that Britain postponed all elections throughout World War II, many Americans have noted that the United States was able to hold both congressional and presidential elections during the nineteenth century American Civil War. Indeed, Abraham Lincoln’s main opponent was one of his own generals.

Ukrainian safety concerns amid the largest European invasion since World War II are obviously valid. At the same time, holding local votes in parts of Ukraine situated far from the front lines such as Uzhgorod, Lviv, and Chernivtsi could theoretically be possible with the necessary security measures in place.

With millions of voters currently living as refugees outside Ukraine and others displaced or serving in the military, voter turnout would almost certainly be significantly below the average for Ukrainian elections. This is regrettable but should not be decisive. After all, any free and fair election would help revive domestic and international confidence in Ukraine’s democratic credentials.

Of course, even local elections could not be safely staged in cities closer to the front lines like Kharkiv, Zaporizhzhia, and Kherson. The solution to this problem may lie in Ukraine’s sophisticated tech sector and the widespread adoption of digital tools throughout Ukrainian society.

Since 2022, Ukraine has earned an international reputation for battlefield innovation and now is recognized as a world leader in drone warfare. If this same spirit is applied to the country’s democracy, it could be possible to hold local or national elections while avoiding the risks associated with large groups of people gathering for campaign rallies and at polling stations.

Eurasia Center events

Online Event Fri, January 30, 2026 • 9:00 am ET

How Russia’s winter warfare strategy targets Ukrainian civilians

Conflict Europe & Eurasia Geopolitics & Energy Security Human Rights

Following his election as Ukraine’s sixth president in 2019, Volodymyr Zelenskyy established the Ministry of Digital Transformation and identified digitalization as one of his strategic priorities for Ukrainian society. The Ukrainian government then launched the Diia app as a key e-governance tool that makes it possible for Ukrainians to hold a wide range of official documents in digital format. By late 2024, the Diia app had over 21 million users, representing a majority of the Ukrainian electorate.

It is worth exploring whether the Diia app could serve as the basis for secure digital voting. If Diia is not suitable, other digital options should be identified and developed. This approach could address election security concerns while also preventing the disenfranchisement of the millions of Ukrainians currently living abroad or defending the country against Russia’s invasion.

Skeptics may argue that the Diia system or any other digital voting platform would be vulnerable to hacking. This would undoubtedly be the key issue to address before proceeding with digital elections. At the same time, it is important not to overstate the challenges this represents. Fraud is always possible in any election, but the transparency of digital tools may actually reduce the risk when compared to paper ballots. Indeed, Ukraine’s digitalization experience suggests that the introduction of digital platforms actually reduces the scope for abuses.

Ukrainians are not yet demanding elections, but there are signs that public distrust of the authorities is mounting and may soon reach alarming levels. At a time when national unity is so crucial for the country’s survival, this mood of frustration must be taken seriously.

With no end in sight to the Russian invasion, Ukraine cannot afford to postpone all elections indefinitely. It is therefore time to start the process of digitalizing Ukraine’s democracy and employing the same kind of innovative thinking that has proved so effective on the battlefield. The technologies to do so already exist. The Ukrainian government must now demonstrate that they also have the political will to find the right solutions.

Brian Mefford is a senior nonresident fellow at the Atlantic Council. He has lived and worked in Ukraine since 1999.

Further reading

UkraineAlert Jul 24, 2025

Ukraine is now an indispensable security partner for the US and Europe

By Oleksiy Goncharenko

Ukraine’s million-strong army and unique experience of the twenty-first-century battlefield makes it an indispensable security partner for the United States and Europe, writes Oleksiy Goncharenko.

Conflict Defense Industry

UkraineAlert Jul 29, 2025

Trump offered Putin victory in Ukraine. Why did Putin refuse?

By Peter Dickinson

Trump thought he could get a peace deal in Ukraine by offering Putin generous terms that amounted to a Russian victory. But Putin rejected Trump’s offer because he cannot accept anything less that Ukraine’s complete capitulation, writes Peter Dickinson.

Conflict Disinformation

UkraineAlert Jul 14, 2025

A Western-funded drone surge could end Russia’s invasion of Ukraine

By Mark Boris Andrijanič

Ukraine has the technology, talent, and industrial potential to prevail in the war with Russia, but currently lacks the funding to scale drone production to the necessary levels, writes Mark Boris Andrijanič.

Conflict Defense Technologies

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values, and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia, and Central Asia in the East.

Learn more

The post Digital democracy is the key to staging wartime elections in Ukraine appeared first on Atlantic Council.

As India prepares to host the next AI Impact Summit in New Delhi next February, there is an opportunity for national governments to advance discussions on trust and evaluations even amid tensions in the policy conversation between ensuring AI safety and advancing AI adoption. At next year’s summit, national governments should come together to encourage a collaborative, globally coordinated approach to AI governance that seeks to minimize risks while maximizing widespread adoption.

Paris: The AI adoption revolution begins

Initial momentum for policies focused on ensuring AI safety and its potential to pose existential risks to humanity began at the first UK-hosted AI Safety Summit in Bletchley Park in 2023. This discussion was further advanced in subsequent international summits in Seoul, South Korea, and San Francisco, California, in 2024. Yet, as France held the first AI Action Summit in Paris in February of this year, shortly after US President Donald Trump was sworn in for his second term and Prime Minister Keir Starmer took the helm of a brand-new Labour government in the United Kingdom, these discussions on AI risks and safety appeared to lose momentum.

At the AI Action Summit in Paris, French President Emmanuel Macron declared that now is “a time for innovation and acceleration” in AI, while US Vice President JD Vance said that “the AI future is not going to be won by hand-wringing about safety.” As the summit concluded, the United States and the United Kingdom opted not to join other countries in signing the Statement on Inclusive and Sustainable AI for People and Planet. Days later, the United Kingdom renamed its AI Safety Institute to the AI Security Institute, reflecting its shift toward focusing on the national security-related risks stemming from the most advanced AI models as opposed to addressing broader concerns around existential risks to society that AI systems might pose. This approach has also been adopted by the United States, which rebranded the US AI Safety Institute to the Center for AI Standards and Innovation in June.

The Paris AI Action Summit was an early indicator of what the first six months of 2025 would further reveal: a shift away from focusing on the potential existential risks and societal harms posed by AI. Instead, more countries have doubled down on AI research and development investments and the development of secure AI data centers, further increased their focus on extended training for large language models (LLMs), developed national AI adoption mandates, and made proposals to slow down or prevent additional regulation that may inhibit AI adoption.

AI investment and adoption mandates

The United States has taken several steps in this new direction. The Trump administration repealed several Biden-era executive actions on AI during the first few weeks of January, including repealing the “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” In February, the administration issued a request for information to develop a new “AI Action Plan,” pursuant to an executive order signed in January called “Removing Barriers to American Leadership in Artificial Intelligence.” The Trump administration’s AI executive order calls for the reduction of administrative and regulatory burdens to AI development and adoption, as well as a further alignment of US AI strategy with national security interests and economic competitiveness goals. Taken together, these actions emphasize an approach that views deregulation as essential for US global leadership in AI.

Simultaneously, a policy debate has emerged in the United States over whether the federal government should preempt state-level AI legislation that would impose regulations on the industry. The industry has been concerned that the numerous and varying approaches to AI legislation being developed at the state level could create a patchwork of regulations that would render the compliance environment complicated and overwhelming.

But even as the debate over federal preemption continues, state-level proposals on AI risk management and governance have stalled. Virginia’s proposed High-Risk Artificial Intelligence Developer and Deployer Act was vetoed by Governor Glenn Youngkin in March. Meanwhile, the Texas Responsible Artificial Intelligence Governance Act was significantly slimmed down before it was signed into law last month, with all references to high-risk AI systems and corresponding prohibitions removed.

Across the pond, the European Union (EU) continues to take steps to identify ways in which the implementation of its cross-cutting EU AI Act can be simplified as part of its AI Continent Action Plan. Industry expressed growing concern over the ability to meet enforcement deadlines without additional guidance and clarifications from the EU AI Office, with forty-four European CEOs calling for a delay in its implementation. This focus on adoption over safety concerns was also reflected at the Group of Seven (G7) Leaders’ Summit held in Canada last month. At the summit, G7 leaders issued a statement on AI for Prosperity, which highlighted the ways in which AI can drive economic growth and benefit people, in addition to laying out a roadmap for AI adoption.

Adapting to this shift in global AI policy

Given this marked shift in the tone of global AI policy discussions, some might wonder whether there are still opportunities to advance conversations on AI trust and safety. Yet, businesses crave certainty and trust remains paramount to creating an ecosystem that supports adoption. Moreover, the AI landscape continues to evolve, requiring continued discussions on “what good looks like” when it comes to AI models used in a variety of enterprise applications and scenarios. Emerging technologies such as agentic AI—AI systems designed to act autonomously, making decisions and taking actions to achieve specific goals with minimal human intervention—as well as evolving enterprise deployment challenges, make it clear that 2025 does not represent the dusk of international AI policy aimed at evaluating and mitigating risks, but a potential dawn.

The upcoming AI Impact Summit in New Delhi presents an opportunity to continue conversations about how creating a robust AI testing and evaluation ecosystem can drive innovation and foster trust, furthering AI security and adoption. There are four key areas that national governments should individually prioritize in their efforts to advance AI adoption while also collaborating on a global level.

1. Assess and address regulatory gaps based on new evolutions in AI technology. Agentic AI is the next evolution of AI technology. Like other iterations of the technology, it can offer significant benefits, but at the same time, either amplify existing risks or introduce new risks because it can execute tasks autonomously. Governments should undertake an assessment of existing regulatory frameworks to ensure they account for any new risks related to agentic AI. Additionally, to the extent that gaps are identified, they should consider the creation of flexible, future-proof frameworks that can be adapted to future evolutions of AI technology.

2. Advance industry-led discussions around open-source and open-weight models, including specific considerations for national security concerns. Transparency and access vary widely across open-source and open-weight models, and researchers and businesses should understand the extent to which models and data sets remain open. Stakeholders—including national governments—need to understand not only what constitutes an open-source or open-weight model, but also what elements of those models are necessary to share downstream. Additionally, enterprises and industry players need certainty around any relevant fault lines for these considerations when choosing partners and third-party vendors when open-source or open-weight models could impact national security. Such discussions will allow enterprises to determine which models and markets offer safe and secure foundations for experimentation and what transparency measures can reasonably be expected.

3. Foster trust by encouraging the development and adoption of AI testing, benchmarks, and evaluations. Governments should encourage the adoption of globally recognized, consensus-based AI testing, benchmarks, and evaluations. Frontier model developers need to be able to understand, analyze, and iterate on their LLMs with the help of detailed performance and safety evaluations. Governments should support the development of robust testing and evaluation frameworks to ensure that such frameworks are fit for purpose, address issues such as a lack of consistency and reliability in how evaluation results are reported, and improve the availability of high-quality and trustworthy evaluation datasets. These frameworks should also be built to further understand and iterate on evaluation results to improve models without overfitting, or creating models that match the training set so closely that they fail to make correct predictions on new data.

4. Drive public-private collaboration across borders to promote AI adoption and drive risk management. The technological conversation is not bound by national borders. Thus, it is important that both public-sector and private-sector stakeholders recognize and harness the interdependence of the AI value chain while engaging in conversations about AI governance and transparency. It is also vital that policymakers and different actors in the AI value chain have a clear understanding of their roles and responsibilities. Enterprises and national governments should continue to use international fora such as the Organisation for Economic Co-operation and Development, the Global Partnership on Artificial Intelligence, the International Network of Safety Institutes, and the United Nations to facilitate public-private collaboration across borders. This will help ensure that different approaches are interoperable and that countries and organizations are best leveraging their own strengths.

***

The world must not lose the gains already made by researchers, policymakers, and enterprises that have been working to address AI risks over the past several years by over-indexing on adoption alone. The answers required to address the challenges and risks associated with AI are intertwined with the ability to capitalize on the opportunities AI presents and can ensure the accountability and security of these technologies for years to come. If AI adoption is the objective, then AI testing, evaluations, and governance are the methods. A collaborative effort to advance AI policy that reflects this fact should be every nation’s priority.

Evi Fuelle is a nonresident senior fellow at the Atlantic Council’s GeoTech Center.

Courtney Lang is a nonresident senior fellow at the Atlantic Council’s GeoTech Center.

Issue Brief Apr 3, 2025

Sovereign remedies: Between AI autonomy and control

By Trisha Ray

Sovereign AI has gained a foothold in several capitals around the world.

Artificial Intelligence International Norms

GeoTech Cues Apr 1, 2025

DeepSeek shows the US and EU the costs of failing to govern AI

By Ryan Pan, Kolja Verhage

The West must urgently consider what DeepSeek’s R1 model means for the future of democracy in the AI era.

Artificial Intelligence China

New Atlanticist Feb 4, 2025

Five AI management strategies—and how they could shape the future

By Kieron O’Hara and Wendy Hall

To ensure the benefits of artificial intelligence (AI) are realized while minimizing the anticipated evils, it’s important to understand the different ways to approach AI governance.

Artificial Intelligence Technology & Innovation

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post Navigating the new reality of international AI policy appeared first on Atlantic Council.

This emerging US-Gulf tech partnership is not only a response to regional instability, but also a platform for global influence. For Ukraine, it presents a strategically exciting opportunity to deepen engagement with both Washington and the Gulf nations, while also advancing the country’s own recovery and integration into established international innovation networks.

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

The Gulf’s recalibration following the unprecedented recent escalation in hostilities between Israel and Iran has reinforced the urgency of technological self-sufficiency and digital resilience. From Riyadh to Abu Dhabi, national strategies such as Saudi Vision 2030 and the UAE’s AI agenda are gaining new importance.

The United States, meanwhile, is seeking reliable partners to counter the rise of authoritarian tech ecosystems led by China, Russia, and Iran. These converging interests are creating a new basis for cooperation that is focused on issues such as semiconductors, AI, cybersecurity, energy transition, and space innovation.

The current shift has potentially long-lasting geopolitical implications. In contrast to China’s closed and tightly state-controlled tech model, the US-Gulf partnership emphasizes transparency, interoperability, and market access.

The Gulf’s geographic position and capital resources make it an ideal hub for restructured supply chains and next-generation infrastructure. In this context, the recent Israel-Iran conflict has served as both catalyst and justification for deeper American-Gulf integration, particularly in terms of dual-use technologies with civilian and defense applications.

For Ukraine, the relevance of this rapidly evolving geopolitical landscape is immediate and multi-dimensional. Ukrainian battlefield-tested technologies in electronic warfare, counter-drone systems, and cyber defense all directly address the concerns of Gulf nations regarding growing regional threats.

Meanwhile, Ukraine’s agritech innovation can support Gulf food security strategies in what are increasingly arid environments. The country’s globally respected software talent and cybersecurity expertize can also offer value to American firms operating in the Gulf.

Eurasia Center events

Online Event Fri, January 30, 2026 • 9:00 am ET

How Russia’s winter warfare strategy targets Ukrainian civilians

Conflict Europe & Eurasia Geopolitics & Energy Security Human Rights

Looking ahead, the convergence of US innovation, Gulf investment, and Ukrainian resilience could become an attractive blueprint for Kyiv’s postwar recovery. Ukraine’s reconstruction is set to be one of the largest rebuilding efforts of the twenty-first century. This unprecedented rebuilding process can serve as a real-world testbed for smart infrastructure, digital services, and clean energy systems co-developed by Ukrainians together with partners in the US and the Gulf region.

To take full advantage of this moment, Ukraine must adopt a targeted strategy. First, the country should identify the most strategically attractive niche sectors including cybersecurity, agritech, and defense tech. These should be areas where Ukraine’s assets complement rather than compete with American and Gulf priorities.

Second, Ukraine must invest in human capital by expanding tech education and exchange programs that connect Ukrainian talent with innovation centers in the Gulf and the United States. Thirdly, Kyiv should position itself as a proactive contributor to this emerging innovation bloc, not just as a beneficiary of international aid but as a co-creator of strategic value.

Recent shifts in the geopolitical landscape of the Middle East have accelerated existing global divisions in terms of both technology and security. The US-Gulf alliance is emerging as a stabilizing force, grounded in shared values and mutual technological ambition. Through focused engagement and smart positioning, Ukraine can become an indispensable partner in this alliance, and can help shape a more secure and innovative global future.

Anatoly Motkin is president of StrategEast, a non-profit organization with offices in the United States, Ukraine, Georgia, Kazakhstan, and Kyrgyzstan dedicated to developing knowledge-driven economies in the Eurasian region.

Further reading

UkraineAlert Jul 8, 2025

Putin is winning the drone war as Russia overwhelms Ukraine’s defenses

By Maksym Beznosiuk

Russia is now winning the drone war against Ukraine thanks to a massive increase in domestic drone production and a series of technological upgrades, writes Maksym Beznosiuk. This is enabling Putin to dramatically escalate the bombardment of Ukrainian cities.

Conflict Defense Industry

UkraineAlert Jul 2, 2025

Ukraine’s drone wall is Europe’s first line of defense against Russia

By David Kirichenko

Ukraine’s drone wall is rapidly emerging as Europe’s first line of defense against the mounting military threat posed by an expansionist Russia, writes David Kirichenko.

Conflict Defense Industry

UkraineAlert Jul 2, 2025

Russia applauds US decision to halt key weapons deliveries to Ukraine

By Peter Dickinson

The Kremlin has cheered this week’s US decision to halt the delivery of crucial defensive weapons to Ukraine as Russia continues to pursue its maximalist goal of extinguishing Ukrainian statehood, writes Peter Dickinson.

Conflict Drones

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values, and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia, and Central Asia in the East.

Learn more

The post Ukraine can benefit from growing tech ties between Gulf states and the US appeared first on Atlantic Council.

The post Chhangani cited in KPMG 2025 Futures Report on the market size for tokenized assets by 2030 appeared first on Atlantic Council.

Executive summary

In an increasingly digital world, digital identity systems represent a fundamental transformation in how personal information is authenticated and managed, shifting from traditional physical identification methods to electronic credentials that enable access to digital services across government and private-sector platforms. These systems utilize authenticated credentials that verify individual qualifications and personal information to establish trusted digital documentation, spanning use cases from health certificates to mobile identification for travel security and banking verification.

The worldwide adoption of digital identity systems varies significantly across regions and implementation approaches. Estonia’s comprehensive e-ID system, mandatory for all residents, demonstrates transformative societal impact by connecting organizations through distributed databases and blockchain technology. India’s Aadhaar program serves a massive population, proving that large-scale digital identity systems can operate in developing countries while bringing previously undocumented populations into formal economic systems, albeit not without criticism. The European Union’s eIDAS framework mandates that all member states offer digital identity wallets to citizens and businesses, creating interoperability across member states. The African Union has faced infrastructure and data protection challenges, while the United States remains fragmented with individual states implementing mobile driver’s licenses without federal coordination.

Digital identity systems offer a breadth of benefits including enhanced convenience, improved access for underserved populations, stronger privacy protections through data minimization principles, and significant cost savings for organizations. These systems hold tremendous potential to transform the delivery of government services and industry interactions, though there are potential risks and limitations to be considered.

Despite promising advantages, limitations across technical, political, and social spheres present an array of challenges. Technical limitations include interoperability between different systems, cybersecurity vulnerabilities, and accessibility barriers in regions with limited digital infrastructure. Political obstacles include insufficient regulatory frameworks, lack of adherence to international standards, and coordination issues between jurisdictions. Social limitations center on concerns over public trust, particularly regarding surveillance and privacy, along with unequal access that can further marginalize vulnerable populations including refugees, elderly citizens, and those with limited digital literacy.

Successful implementation of digital identity systems requires coordinated efforts across sectors. Governments must adopt user-first design principles, ensure interoperability through technical standards, tailor systems to local contexts, and establish effective public-private partnerships. Private sector actors should prioritize transparency, data security, and accessibility while implementing privacy-enhancing technologies. Civil society organizations play crucial roles in public education and representing user interests.

As digital identity systems become the cornerstone of personal identification, effective implementation depends on building systems that genuinely serve user needs while maintaining robust protections against misuse and public trust through transparency and accountability measures, particularly ensuring the protection and well-being of marginalized and disadvantaged populations.

Staff

Coley Felt

Assistant Director

GeoTech Center

Artificial Intelligence Cybersecurity

Fellow

Will LaRivee

Resident Fellow

GeoTech Center Millennium Leadership Program

East Asia Security & Defense

Report Aug 16, 2023

Digital identities and border cultures: The limits of technosolutionism in the management of human mobility

By Nanjala Nyabola

A paper to better inform the conversation around technology’s impact on democracy by evaluating technosolutionism and its application to the management of human mobility.

Afghanistan Africa

Report May 29, 2024

Generational AI: Digital inclusion for aging populations

By Caroline Thompson

Recommendations on improved inclusion and empowerment of older adults in the age of artificial intelligence.

Artificial Intelligence Digital Policy

Report Oct 5, 2022

The data divide: How emerging technology and its stakeholders can influence the fourth industrial revolution

By Joseph T. Bonivel Jr., Solomon Wise

The Fourth Industrial Revolution is highlighted by the interconnection of devices and sensors to the internet. The computing and communication capabilities of these devices allow for roughly 2.5 quintillion byes of data to be produced, stored, and analyzed daily.

Technology & Innovation

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post Exploring the global digital ID landscape appeared first on Atlantic Council.

The post Kumar cited in The Banker on Hong Kong stablecoin legislation appeared first on Atlantic Council.

Here’s a look inside the numbers that will frame the summit.

The G7 was formed fifty years ago so the world’s advanced-economy democracies could align on shared economic and geopolitical challenges. But what happens when the cause of instability is coming from inside the G7? That’s the question confronting the leaders as they assemble this week in Kananaskis. 

US President Donald Trump is still getting to know some of his new colleagues, including German Chancellor Friedrich Merz, UK Prime Minister Keir Starmer, Japanese Prime Minister Shigeru Ishiba, and the summit’s host, Canadian Prime Minister Mark Carney. Trump will try to coordinate the group against China’s economic coercion. But the rest of the leaders may turn back to Trump and say that this kind of coordination, which is at the heart of why the G7 works, would be easier if he weren’t imposing tariffs on his allies. The chart above shows the friction points heading into one of the most consequential G7 summits in the organization’s history.

—Josh Lipsky is the chair of international economics at the Atlantic Council, senior director of the GeoEconomics Center, and a former adviser to the International Monetary Fund (IMF). 

Originally created as an economic coordination body, the G7 began to put foreign policy and national security on its agenda in the 1980s, as the Soviet Union’s political influence was waning. Soon after, Russia attended its first G7 Summit as a guest in 1991, formally joined in 1998, creating the Group of Eight (G8), and then was suspended in 2014 due to its annexation of Crimea. 

In the years since, new geopolitical rivals have entered the fray: Since the COVID-19 pandemic, G7 summits and declarations have attempted to address China’s role in the global economy. Last year’s leaders’ communiqué was especially harsh on China—which was mentioned twenty-nine times—on everything from its material support to Russia’s war against Ukraine to Beijing’s malicious cyber activities. But China was once a guest at the forum, first joining in this capacity in 2003.

Other members of the G7+5, an unofficial grouping of large emerging markets—India, Mexico, Brazil, and South Africa—have been invited as guests in recent years. If that sounds familiar, it is because India, Brazil, and South Africa, along with Russia and China, are the founding members of the BRICS group of emerging economies, which some would consider a representation of the geopolitical and economic competition the G7 faces today. 

This year, Australia, Ukraine, South Korea, Brazil, Mexico, and India were invited to attend as guests. These invitations are a signal of broad alignment among the G7 and its guests. These invitations demonstrate the importance of the guests’ economic might on the global stage, even though India has shifted away from the G7 quite significantly in the last fifty years, as seen in the graph above. In 1992, when Russia first attended the G7 as a guest, its gross domestic product (GDP) was less than 1 percent of the world’s GDP, and the combined economies of the five founding BRICS countries made up less than 9 percent of global GDP. At the time, the G7 represented 63 percent of the world’s GDP. Today, the G7’s share is now 44 percent of the world’s GDP and the founding BRICS members’ share has more than doubled to almost 25 percent. 

—Ananya Kumar is the deputy director for future of money at the Atlantic Council’s GeoEconomics Center.

In 2024, G7 countries attracted over 80 percent of global private artificial intelligence (AI) investments, led primarily by the United States. In ten years, private AI investments have grown almost fifteen-fold. This month, the US Department of Commerce rebranded its AI Safety Institute as the Center for AI Standards and Innovation (CAISI)—shifting away from an emphasis on “safety” and toward promoting rapid commercial development.

Carney has said that he plans to put AI at the top of his agenda at the upcoming G7 Leaders’ Summit. He has been a long-standing advocate of AI—dating back to his 2018 presentation on AI and the global economy while he was governor of the Bank of England.

But while the United States leads in AI innovation and investment, Europe continues to set the pace on regulation, and China strategically develops its own AI models. All this leaves Canada asking where it fits in.

That may be why Carney hopes to lead on this issue. The G7 presidency offers Canada a unique opportunity to convene democracies to work together on AI. Rather than trying to outspend the United States or out-regulate Europe, Canada can focus on building connections—creating shared standards, developing trusted public-private data hubs, coordinating strategic investments, and outlining guidelines for common learning and collaboration across borders.

—Alisha Chhangani is an assistant director at the Atlantic Council’s GeoEconomics Center.

Ten years after the first G6 meeting took place in France, another landmark meeting took place at the Plaza Hotel in New York, in September 1985. At the meeting, then US Treasury Secretary James Baker convinced his counterparts from West Germany, France, the United Kingdom, and Japan to support a significant devaluation of the US dollar—what became known as the Plaza Accord.

Today, the dollar’s value relative to its G7 counterparts is on the rise again, fueled by tight monetary policy and expansionary fiscal spending. Although the current appreciation is milder than the surge seen in the early 1980s, the Trump administration may use the G7 Summit to raise concerns about the burden of being the world’s reserve currency, especially when it comes to export competitiveness. In late 2024, the current chair of Trump’s Council of Economic Advisers, Stephen Miran, proposed a “Mar-a-Lago Accord” as an updated version of the Plaza Accord, though no real progress on this is apparent. Moreover, this time a key global player is absent from the conversation—China.

—Bart Piasecki is an assistant director at the Atlantic Council’s GeoEconomics Center.

The finance ministers and central bank governors of the G7 already held their meeting last month in the Canadian Rockies, emerging with a consensus on tackling “excessive imbalances” and nonmarket policies. While the G7’s finance ministers and central bank governors’ communiqué didn’t call out China by name, it’s clear that’s who they were referring to. Simultaneously, the US-UK trade deal called for the United Kingdom to meet US requirements on the security of supply chains, which infuriated Beijing.

Washington wants coordinated economic security partnerships to help counter China and encourage more investment in the United States. But the United States has been calling for allies to divest from China for a while now. In response, G7 counterparts could point to the data above and ask: How much more do we need to give?

Over the past five years, nearly every G7 country, with the exception of Canada, has scaled down their investments in China and scaled up their investments in the United States. For example, Japan has reduced foreign direct investment in China by 60 percent over the past decade, including shuttering a major Honda plant in Guangzhou. Meanwhile, the Japanese carmaker pledged to put $300 million into a plant outside of Columbus, Ohio. This has been the trend as the United States’ G7 partners reassess their economic dependencies on China. But amid ongoing trade wars, how much are they willing to coordinate more closely with the United States?

—Jessie Yin is an assistant director with the Atlantic Council’s GeoEconomics Center.

Foreign aid, or official development assistance (ODA), from G7 countries dropped sharply in 2024, and early projections through 2025 and 2026 suggest even steeper declines ahead for most nations. The United States has exhibited the most drastic retreat, following the effective dismantling of the US Agency for International Development. But European countries have also scaled back development budgets and are redirecting funds toward defense and domestic economic issues. While ODA briefly surged in response to the COVID-19 pandemic and the war in Ukraine, that uptick masked a longer-term downward trend in traditional development funding as a percentage of G7 countries’ economies.

Most G7 nations have failed for years to meet the United Nations Sustainable Development Goals Target 17.2, which called for allocating 0.7 percent of gross national income to ODA. As of 2024, none of them has reached this benchmark. This retreat is particularly troubling given today’s fractured geopolitical and economic landscape. In such times, investing in global partnerships and life-saving aid through ODA is not just a moral imperative—it’s also a strategic one.

—Lize de Kruijf is a program assistant at the Atlantic Council’s Economic Statecraft Initiative. 

A major focus heading into the G7 Summit will be how Carney handles his latest meeting with Trump. The two managed to have a cordial meeting in May, and Carney’s announcement this week that Canada will increase its defense spending could help to placate Trump, who has long complained about Canada’s lagging defense spending.

But Canada is also looking beyond its southern neighbor. Carney has invited the leaders of Australia, Brazil, India, Indonesia, Mexico, South Korea, South Africa, Ukraine, and Saudi Arabia to join him in Alberta. Under former Prime Minister Justin Trudeau, Canada’s relationships with both Saudi Arabia and India reached diplomatic low points. By inviting these leaders, Carney is demonstrating a willingness to reengage partners. In no area is Carney more likely to pursue new partnerships than in the defense sector. Canada stated its desire to join the ReArm Europe Initiative and has signed a major deal for an Australian radar system. Expect Carney to seek new partners as Canada rebuilds its defense capacity, potentially with some of the countries invited to this year’s G7.

—Imran Bayoumi is an associate director at the Atlantic Council’s Scowcroft Center for Strategy and Security.

Canada’s hosting of the G7 Summit in Alberta carries exceptional significance amid escalating tensions with the United States. Trump’s attendance, which will mark his first G7 Summit since 2019, signals renewed engagement with Canada. This could spark talks on renegotiating the United States-Mexico-Canada Agreement (USMCA) ahead of the trade deal’s first joint review in July 2026. The timing of the G7 Summit coincides with heightened Canadian nationalism and intense public focus on Canada-US relations, particularly around tariff disputes affecting sectors such as steel.

The Trump-Carney relationship differs markedly from previous dynamics between Trudeau and Trump, potentially enabling more productive G7 cooperation when US foreign policy dominates global conversations. The trilateral presence of Mexican President Claudia Sheinbaum, Trump, and Carney creates an opportunity for preliminary USMCA discussions. However, critical questions emerge: Will Mexico and Canada align against the Trump administration? Will Canada prioritize repairing bilateral US relations over Mexico-Canada ties? The summit’s outcome is likely to significantly shape hemispheric trade relationships and regional diplomatic strategies.

—Maite Gonzalez Latorre is a program assistant at the Adrienne Arsht Latin America Center and Caribbean Initiative.

Sophia Busch, Ella Wiss Mencke, Ethan Garcia, and Miguel Sanders contributed to the data visualizations in this article. The data visualization titled “US jobs rely on Mexico and Canada more than any other trade partner” originally appeared in an article by Sophia Busch published on January 16, 2025.

The post Seven charts that will define Canada’s G7 Summit appeared first on Atlantic Council.

Thank you Chairman Hill, Ranking Member Waters, and distinguished members of the Committee for holding this hearing continuation and the honor of the invitation to testify on the future of digital assets. I applaud your leadership in convening the Committee on this important issue and continuing the years-long efforts of this Committee across several Congresses to evaluate and build legislation around a clear, comprehensive, and competitive cryptocurrency regulatory framework. I hope my testimony will be helpful in considering some of the most important aspects of frameworks needed to drive innovation in a secure, competitive, safe, and sound digital finance ecosystem that reinforces national security interests, defends consumers, and preserves personal liberty.

I have spent my career working at the intersection of national, economic, and technological security. I have spent two tours at the National Security Council (NSC) leading cryptocurrency initiatives; led crypto and cybersecurity policy at the US Financial Crimes Enforcement Network (FinCEN), the US anti-money laundering and countering financing of terrorism (AML/CFT) regulator; and served on advisory boards for the US Commodity Futures Trading Commission (CFTC), the Idaho Department of Finance, and the New York Department of Financial Services (NYDFS). Over recent years, I have observed massive growth, collapses, experimentation, exploitation, and innovation across the digital asset market. Of course, innovation and exploitation in finance are not unique to digital assets, and the risks and benefits of one blockchain system are not equivalent across all assets — they depend significantly on the design and features of specific systems. To make best use of the benefits and mitigate the critical risks, we need to ensure that technology, operations, and policy are aligned along critical safeguards and also with driving competitive and liquid US markets.

That brings us to this critical juncture – the current alignment and implementation of protections in digital assets is not working. The status quo has not benefited consumers, markets, or national security. As just one example, the largest heist in history just occurred in February of this year targeting this sector, perpetrated by North Korean actors as part of their revenue generation to fund activities like their proliferation program. This incident also was not in a vacuum but instead was yet another cyber theft as part of a years-long building trend in this industry exploiting both pervasive cybersecurity and AML/CFT vulnerabilities. This is just one example, which sits alongside highly volatile markets that have lost trillions and defrauded consumers, but also an environment that is reportedly set to drive the best developers abroad rather than inspiring them to stay here and build to agreed upon guardrails. Inaction by both government and industry will not achieve desired outcomes for protecting consumers or businesses.

I applaud Congress for continuing to elevate the issue of digital asset legislation to ensure appropriate regulation in the United States. Despite calls from some to avoid regulation of digital assets that may seemingly legitimize an immature sector, I maintain that regulation is critical to give a north star that demands legitimate and responsible activity within an industry with many actors who aim to bring positive evolutions in finance and cryptocurrency. Regulation also provides legitimate authorities and levers to supervisors and enforcement agencies to hold accountable illicit actors that seek to defraud consumers, launder criminal proceeds, and undermine the integrity of the US financial system. As I have testified to previously, clear and comprehensive guardrails are necessary to protect consumers, national security, and US competitiveness in financial innovation. While timely progress is critical after several Congresses being unable to establish a comprehensive approach, these frameworks must also be deliberate, thoughtful, and comprehensive of the real and present risks, as well as opportunities, that we have observed in the digital asset ecosystem and broader financial system.

The stated goals of the Digital Asset Market CLARITY Act of 2025 (the “Clarity Act”) to help address regulatory gaps and to provide clarity for an industry seeking it are laudable. Unfortunately, the tenets of the proposed legislation as drafted appear to be overly complex, forging notable gaps for coverage under consumer and market protections rather than closing them; leave insufficiently or unaddressed key areas like meaningful implementation and enforcement measures, countering illicit finance, and cybersecurity; and depart from the long bipartisan-stated principles of technology-neutrality that would enable regulations to persist in the face of technological innovations.In my testimony, I briefly offer opportunities for addressing those issues and preserving a framework built on the key pillars of sound market regulation and national security interests. I draw many of these recommendations from the groundbreaking work of the Commodity Futures Trading Commission (CFTC) Technology Advisory Committee (TAC), where I co-chaired a group of 19 incredible industry, government, and academic experts to produce a first-ever comprehensive review of risks and opportunities in decentralized finance (DeFi), with outlined steps for policymakers to take build the framework for DeFi. I encourage legislators to consider these measures especially where existing digital asset market structures differ from traditional financial market structure, and urge you to be extremely deliberate when choosing to depart from long-tested principles needed to preserve integrity of markets, such as consumer protections, resilience against exploitation and shocks, and addressing separations of functions and conflict of interests.

Regulatory gaps and potential for confusion

As I mentioned above, seeking to provide regulatory clarity, in both authority and application, are important at this critical juncture. It will establish clear rules of the road for responsible actors to engage and innovate in the space as well as ensure strong footing for regulators and enforcement agencies to oversee markets and investigate wrongdoing. A clear framework will also (finally) help level the playing field for US firms that have long been more compliant than many foreign-operating cryptocurrency businesses that exploited their savings in non-compliance as a competitive advantage against more responsible US companies.

The Clarity Act as currently written attempts to provide clarity through defining regulatory jurisdictional bounds between the Securities Exchange Commission (SEC) and CFTC as well as defining key terms of assets to establish scope of coverage as securities versus digital commodities. The bill also includes some important protection measures, specifically around areas like segregation of customer assets, limited disclosures such as around token structure and conflicts of interest, and registration requirements.

However, the Clarity Act is still absent many important protections that we have observed to be critical to protect consumers and markets in the wake of a crisis. Within the 236 pages of the bill are confusing and ambiguous definitions and missing elements that pave the way for regulatory arbitrage and exploitation:

• No clear non-securities spots market authority: This bill does not appear to clearly outline authority over spots markets for assets that are not securities. The definition of “digital commodity” may be restrictive insofar as to only cover a limited set of tokens, which would leave potentially hundreds of tokens unregulated and/or without clear guidance on its applicability even if they function as financial assets.
• Unclear definitions and impacts on securities laws: There are various definitions in the bill whose challenges with clarity may subvert the drafters’ intent to provide clarity and defend against regulatory arbitrage. Some definitions may be seen to be crafted to frame large exemptions from responsibility decentralized finance, such as in defining concepts like groups and common control in a a “decentralized governance system,” which in the bill is a system where participation (not even active involvement, just the pretext of participation) is “not limited to or under the effective control of, any person or group of persons under common control.” In another example, the bill treats assets called “investment contract assets” as digital commodities, though “investment contracts” have generally been a key element of securities laws.
• Conflating decentralization and maturity: The test for decentralization in the bill is described as a test of blockchain maturity. In a sector where projects that are (or at least claim to be) decentralized are being targeted and exploited for weaknesses in their code, cybersecurity, and irrevocability of mistakes or illicitly acquired assets, it is confusing on why a greater extent of decentralization — a concept that is also vague in the bill — inherently means maturity rather than other markers of good governance and operations. The decentralization test also introduces some confusion that may challenge real-world implementation, and is unclear on how such a feature impacts an asset functioning like a commodity versus a security. Current and former regulatory leadership has warned against arbitrary carve-outs of protections like under securities laws simply based on complex issues like decentralization that so far have largely been met with convoluted definitions that risk exemption significant amounts of high-risk investment-related activity. This also threatens potentially creating the opposite of a future-proofed regulatory approach that cannot keep up with future technological innovation.

National security and the critical role of enforcement

n the wake of serious national security threats like billion+ dollar hacks by rogue nations, growing integration of cryptocurrency as a tool for transnational organized crime, market manipulation and fraud that can threaten system integrity and stability, as well as pressure from adversarial nations seeking to develop and leverage alternative financial systems to weaken and circumvent the dollar, it is clear that strong safeguards, including for US competitiveness, are needed. This framework also demands we ensure policy and enforcement approaches both domestically and internationally create a level playing field for US firms – often the most compliant firms in the world – to be able to compete fairly. Otherwise, the foundation we build these systems on risk faltering, with the potential to not only reap significant harms but also prevent us from harnessing the greatest positive potential that is possible from a secure and innovative digital finance ecosystem.

There is limited discussion of either illicit finance or cybersecurity in the Clarity Act—many more pages are honed on establishing large regulatory carve-outs than on establishing expectations, driving needed industry standards or sponsoring research and development, or appropriating necessary resources to ensure appropriately scaled and timely enforcement of these critical requirements. Also important to note, especially in light of recent changes in enforcement posture—beyond just creating the policy framework, the government and industry must work to apply and enforce the framework. A policy that isn’t enforced or implemented does nothing to benefit consumers nor US firms with stronger compliance programs that have been operating at higher costs and less competitive advantages than many foreign-operating firms.

I have testified previously to the critical needs for strengthening AML/CFT and sanctions authorities in the cryptocurrency space, which generally have been suggested to be saved for “comprehensive market legislation.” Such enhanced protections like appropriations for skilled enforcement and investigative personnel, sharpening tools like 9714/311 designation authorities, ensuring extraterritorial application of regulations and/or through designations of entities of high national security risk, creation of an enforcement strategy to scale timely enforcement against the most egregious violators, or resourcing public-private partnerships like the Illicit Virtual Asset Notification (IVAN) program are missing from the legislation but could be easily added in to help strengthen the holistic cryptocurrency framework. In the face of disbanding of the Department of Justice (DOJ) National Cryptocurrency Enforcement Team (NCET)14 and significant downsizing and weakening of enforcement offices and personnel across the US Government, the legislation could help ensure that tools are being honed to better address the worst actors in the space. Only with meaningful enforcement can policy be truly impactful and can we reward the best actors in the space, which are typically American companies.

An alternative approach for consideration – Joint, targeted, adaptable, and balanced

I support calls for a legislative solution that enables nuance and distinct treatment across various assets based on their economic function and which will ensure persistent clarity and flexibility for regulators to address significant risks of fraud, manipulation, and investor exploitation that we have seen in the space. The legislation should also guide regulators with key principles, many of which are similar to those outlined in the Clarity Act, and should be done in full view of the benefits that some aspects of digital assets uniquely provide, such as an unprecedented level of market transparency for on-chain financial activity to enable greater market surveillance and oversight.

An alternative approach may help meet the intent of the drafters while giving time for greater exploration and experimentation while meeting near-term calls for the most beneficial transparency needs of the market, which I have observed to most consistently be calls for a clear pathway to registration. I encourage policymakers to consider a much more streamlined approach if a more complex bill proves too difficult to reconcile:

• Dual rulemaking: Similar to efforts undertaken in the wake of the 2008 Financial Crisis and pursuant to the joint rulemaking efforts directed in Title VII of Dodd Frank, Congress could again direct the SEC and CFTC to jointly develop a framework and rulemakings to give greater specificity and adaptability to approaches to ensure appropriate coverage but at least one of the markets regulators.
• Mandate for sandboxes and clear registration pathways: In the interim while the SEC and CFTC craft their approach, Congress could direct a near-term establishment via sandboxes, provisional registrations, and other requirements with clear guardrails to help ensure clear near-term coverage while giving the time needed to thoughtfully evaluate the more complex issues like dual-registered entities, defining tokens, defining the jurisdictional hand-off, and how to address DeFi. Policymakers should consider looking to the United Kingdom’s current joint efforts between the Bank of England and the FCA under the Digital Securities Sandbox for inspiration.
• Clarify commodity spots market authorities: The legislation should specify clearly authority to the CFTC over commodity spots markets, or at a minimum digital commodity spots markets.
• Explicit appropriations and mandate for additional AML/CFT and cybersecurity initiatives: The legislation would also optimally integrate near-term resourcing, not just authorizations, to ensure the ability to effectively police bad actors in the system, which should include the earlier-referenced initiatives like expanded targeting authorities, appropriations, public-private partnerships, and cybersecurity and information sharing standards.
• Undertake steps to address the regulatory perimeter and controls with DeFi: Finally, legislators should direct the SEC and CFTC to jointly undertake the steps recommended by the CFTC TAC in evaluating how to evolve market structure in addressing issues like the unique constructs in DeFi. These steps include mapping ecosystem players, processes, and data; assessing compliance and requirements gaps; identifying risks; evaluating options, benefits, and costs of changes to the regulatory perimeter, and surging research and development and standards partnerships.

With guardrails established and more consistent oversight by Congress, this approach, implemented through administrative procedure and thoughtful regulation with public engagement, I think is likely the best way to achieve a comprehensive and enduring framework.

In closing, I’d like to again underscore my gratitude for the honor of the opportunity to speak with you all today. It is critical that the United States make timely progress on establishing and implementing cryptocurrency regulatory frameworks, which should leverage years of effort on defining critical holistic protections that also reinforce the central role in the financial system and as a leader in technological innovation.

Thank you.

Fellow

Carole House

Nonresident Senior Fellow

GeoEconomics Center

Cybersecurity Digital Currencies

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Carole House testifies to House Financial Services Committee on the gaps and opportunities for digital asset regulation appeared first on Atlantic Council.

The G7 must seize this opportunity to advance a coherent, shared framework for digital policy, one that is grounded in trust, reinforced by standards, and aligned with democratic values. To do so, it can build on some of the insights from the Business Seven (B7), the official business engagement group of the G7. The theme of this year’s B7 Summit, which was held from May 14 to May 16, in Ottawa, Canada, was “Bolstering Economic Security and Resiliency.” The selection of this theme emphasized the importance of defending against threats and enhancing the ability of societies, governments, and businesses to adapt and recover.

In the spirit of that theme, the Atlantic Council’s GeoTech Center, in partnership with the Cyber Statecraft Initiative and the Europe Center, convened a private breakfast discussion alongside the B7 in Ottawa on May 15. The roundtable brought together government officials, business leaders, and civil society representatives to discuss how digital resilience can be strengthened within the G7 framework. The participants laid out foundational principles and practical approaches to building digital resilience that support economic security and long-term competitiveness. As G7 leaders gather for the summit in Kananaskis later this month, they should consider these insights on how its member states can work together to bolster their digital resilience.

1. Develop a common language for shared goals on digital sovereignty

When developing a common framework, definitions (or taxonomy) are critical. Participants emphasized that shared vocabulary is a prerequisite for meaningful cooperation. Discrepancies in how countries define concepts such as digital sovereignty can lead to fundamental misunderstandings in critical areas such as risk, which creates friction and confusion.

For example, a G7 country might frame sovereignty in terms of national control over infrastructure while another country, such as China, defines it as regulating the digital information environment. In that case, this misalignment will hinder cooperation from the outset. Specifying precise definitions of each government’s goals, including “trust,” “resilience,” and “digital sovereignty,” would enable governments and industry to align on priorities and respond more effectively to emerging standards. This definitional clarity is crucial for policymaking and a prerequisite for compliance, implementation, and interoperability across borders.

2. Build on existing multilateral and regional frameworks

Participants stressed the importance of building on existing progress toward digital resilience, both in and out of the G7, rather than discarding it in pursuit of novelty. The G7 and its partners already possess a strong foundation of digital policy initiatives. Key milestones such as the Hiroshima AI Process, launched under Japan’s 2023 G7 presidency, established International Guiding Principles and an International Code of Conduct for the development and use of artificial intelligence (AI) systems, which included frontier models. Prior to the Hiroshima AI Process, several consecutive G7 Summits committed to developing the data free flow with trust framework, which prioritizes enabling the free flow of data across borders while protecting privacy, national security, and intellectual property.

Beyond the G7, participants cited European Union (EU) partnerships as examples of forward-leaning policy environments that balance innovation with safeguards. These included the EU AI continent action plan, which aims to leverage the talent and research of European industries to strengthen digital competitiveness and bolster economic growth, as well as Horizon Europe, the EU’s primary financial program for research and innovation.

With these partnership frameworks already in place, G7 leaders should build on existing work and avoid seeking to design unique solutions that may become time-consuming—particularly when it comes to gaining political buy-in. Even in areas like AI and the use of data, where policymakers have observed rapid changes since last year’s summit, the B7 discussion participants emphasized that governments can leverage work they’ve already completed in designing and implementing existing standards. If prior technical standards and regulations are inapplicable or insufficient, policymakers can still learn lessons from an in-depth assessment, including by taking note of where they’ve fallen short of their goals.

3. Start new initiatives with small working groups and pilot projects  

Ensuring digital resilience requires managing inevitable trade-offs between national security, economic vitality, and open digital ecosystems. As one participant remarked, “the digital economy is the economy,” so policies shaping cyberspace must consider both national security and economic impacts. The G7 provides a platform for frank discussions among allies and partners about how to get these trade-offs right. But waiting for buy-in from all like-minded partners risks missed opportunities in the short term.

Participants noted that by starting with smaller forums, policymakers can build consensus that can lead to real progress. Pilot projects and working groups among smaller clusters of G7 countries could build momentum and inform scalable solutions. Participants emphasized that despite the contentious nature of some of the issues surrounding digital resilience, such as protectionism and market fragmentation, G7 governments are operating with a shared set of values. These values can motivate collaboration across the G7 on the many areas of common ground they already share, but they can also provide the basis for projects among smaller groups within the G7 to get new ideas off the ground.

A pivotal summit for digital resilience

As G7 leaders meet in Kananaskis and work toward a common framework that balances digital security and economic growth, a few key lessons can be garnered from this B7 meeting. G7 member states should prioritize developing a common taxonomy and building on the progress made on digital resilience both inside and outside the G7, all while remaining responsive to shifting geopolitical dynamics.

Disagreements among member states should be viewed not as a barrier, but as evidence of a maturing policy landscape. Constructive tension can drive refinement so long as partners are clear about their priorities. The G7’s unique value lies in its ability to forge alignment among diverse actors. False consensus only delays progress. It will take transparency, specificity, and trust to move the digital resilience agenda forward.

Sara Ann Brackett is an assistant director at the Atlantic Council’s Cyber Statecraft Initiative.

Coley Felt is an assistant director at the Atlantic Council’s GeoTech Center.

Raul Brens Jr. is the acting senior director of the Atlantic Council’s GeoTech Center.

New Atlanticist Feb 28, 2025

Canada’s G7 presidency should prioritize health innovation

By Carl Meacham

Canada should use its G7 presidency to communicate the long-term economic benefits of investing in health innovation.

Europe & Eurasia Resilience & Society

GeoTech Cues Mar 31, 2025

Trump’s sectoral-trade pivot: What it will take to succeed

By Mahnaz Khan

The United States is now seeing the dawn of a new sectoral trade policy—one that, if harnessed effectively, has the potential to strengthen US economic resilience.

Economy & Business Technology & Innovation

GeoTech Cues Jul 26, 2024

The sovereignty trap

By Konstantinos Komaitis, Esteban Ponce de León, Kenton Thibaut, Trisha Ray, Kevin Klyman

When sovereignty is invoked in digital contexts without an understanding of the broader political environment, several traps can be triggered.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post G7 leaders have the opportunity to strengthen digital resilience. Here’s how they can seize it. appeared first on Atlantic Council.

That’s why the world’s financial leaders are closely watching the debate playing out in Congress right now over the future of stablecoin legislation. Next week, the Senate will likely take up the GENIUS Act, which will define the responsibilities for US stablecoin issuers and clarify who is responsible for oversight. 

Stablecoins are cryptocurrencies whose values are pegged to a specific underlying asset. This makes them “stable”—at least in theory.

Currently, 98 percent of stablecoins are pegged to the US dollar, but over 80 percent of stablecoin transactions happen outside the United States. 

Countries around the world are taking notice. In April, Italy’s finance minister, Giancarlo Giorgetti, said that new US policies on dollar-backed stablecoins present an “even more dangerous” threat to European financial stability than tariffs. His argument was that access to dollars without needing a US bank account would be attractive to millions of people and could undermine the effectiveness of monetary policy not just in Europe but around the world.

In many ways, it’s an old problem with new technology. Dollarization—the situation where citizens in another country try to swap their local currency for dollars—has been a risk in emerging markets and developing economies for decades. In the early 2000s, for example, a range of countries from Ecuador to Zimbabwe to Argentina had difficulty managing the demand for dollars instead of local currency. In each situation, years of economic pain followed in these countries. 

Now stablecoins are making it cheaper and easier for people around the globe to get ahold of what is still the single most in-demand asset in the world.

Instead of the old way of having to go to a bank and exchange local currency for US dollars, which is time consuming and often involves significant fees, stablecoins make dollars seamlessly available to anyone with a cell phone.

US officials argue that this benefits the United States. When I interviewed Federal Reserve Governor Christopher Waller, who oversees payments at the central bank, about this issue in February, he said that stablecoins “could be in any fiat currency,” such as pounds or euros, “but everyone wants dollar-denominated stablecoins.” He added that “if we can get good regulation, allow these things to go out, this will only strength the dollar as a reserve currency.”

Waller’s point was that if stablecoin issuers need to back up their coins with Treasuries or other liquid assets, the increase in stablecoin usage around the world will generate even higher demand for dollars. The whole point of a stablecoin is that you can fully convert it into a dollar if you want to—meaning the issuers need to have those dollars on hand.

US Treasury Secretary Scott Bessent has put it even more bluntly. “We are going to keep the US the dominant reserve currency in the world, and we will use stablecoins to do that,” he said in March.

If so, the United States should tread cautiously. 

The global proliferation of stablecoins means that some companies will take advantage of the demand and issue stablecoins that claim they are digital versions of the dollar but in reality aren’t fully backed by dollars.   

If that company failed, it wouldn’t just cost consumers their savings. It could trigger a run on all kinds of financial assets.

Think back to the collapse of the algorithmic stablecoin TerraLuna in 2022. Over $45 billion in value for TerraLuna holders was wiped out within a week. But since that time, stablecoin volumes have increased across the world by over 60 percent. 

The current patchwork of regulations around the globe creates more confusion, more friction in payments, and ultimately higher costs for consumers. 

Already, that’s what’s happening. As new research from the Atlantic Council GeoEconomics Center shows, some countries want to create their own central bank digital currencies to compete with stablecoins, while other countries are trying to regulate the wallets that hold stablecoins. 

Instead of waiting for new regulatory fences to be built up in the coming years, the United States should show that it recognizes the concerns other countries have about dollar-backed stablecoins. The legislation in front of Congress helps domestically by creating transparency and reporting requirements, but it does little internationally.

This is where the Group of Twenty (G20) comes in. The United States has a golden opportunity to help set international standards around digital assets, including the risks and regulations associated with stablecoins, during its G20 presidency next year. A key first step would be creating a new G20 payments roadmap. 

A first roadmap was agreed to in 2020 and delivered important innovations on faster payments. But technology has rapidly changed in the past five years, and it’s time for an upgrade. 

If the United States made stablecoins a focus this year, it would raise the bar across the world and ensure that dollar-backed stablecoin users in all countries are getting what they bargain for—an actual dollar—instead of an imitation of one. 

The rest of the world will welcome US leadership in this space and will take it as a sign that, at least when it comes to the future of the dollar, the United States is not looking to export instability.

Josh Lipsky is the chair of international economics at the Atlantic Council and senior director of the Atlantic Council’s GeoEconomics Center. 

The post For dollar-backed stablecoins to be truly stable, the US needs to set international standards appeared first on Atlantic Council.

The post Cryptocurrency Regulation Tracker cited by GIR on the regulatory landscape for cryptocurrencies appeared first on Atlantic Council.

• Initial expectations
• Russia’s cyber ecosystem
• What happened to Russia’s cyber might?
• Unpacking the (cyber) nesting doll
• Conclusion
• Acknowledgements
• About the author

When the Russian government launched its full-scale invasion of Ukraine on February 24, 2022, many Western observers braced for digital impact—expecting Russian military and security forces to unleash all-out cyberattacks on Ukraine. Weeks before Moscow’s full-scale war began, Politico wrote that the “Russian invasion of Ukraine could redefine cyber warfare.” The US Cybersecurity and Infrastructure Security Agency (CISA) worried that past Russian malware deployments, such as NotPetya and WannaCry, could find themselves mirrored in new wartime operations—where the impacts would spill quickly and globally across companies and infrastructure. Many other headlines and stories asked questions about how, exactly, Russia would use cyber operations in modern warfare to wreak havoc on Ukraine. Some of these questions were fair, others clearly leaned into the hype, and all were circulated online, in the press, and in the DC policy bubble ahead of that fateful February 24 invasion.

As the Putin regime’s illegal war unfolded, however, it quickly belied these hypotheses and collapsed many Western assumptions about Russia’s cyber power. Russia didn’t deliver the expected cyber “kill strike” (instantly plummeting Ukraine into darkness). Ukrainian and NATO defenses (insofar as NATO has spent considerable time and energy to support Ukraine on cyber defense over the years) were sufficient to (mainly) withstand the most disruptive Russian cyber operations, compared at least to pre-February 2022 expectations. And Moscow showed serious incompetencies in coordinating cyber activities with battlefield kinetic operations. Flurries of operational activity, nonetheless, continue to this day from all parties involved in the war—as Russia remains a persistent and serious cyber threat to the United States, Ukraine, and the West. Russia’s continued cyber activity and major gaps between wartime cyber expectations and reality demand a Western rethink of years-old assumptions about Russia and cyber power—and of outdated ways of confronting the threats ahead.

Russia is still very much a cyber threat. Patriotic hackers and state security agencies, cybercriminals and private military companies, and so on blend together with deliberate state decisions, Kremlin permissiveness, entrepreneurialism, competition, petty corruption, and incompetence to create the Russian cyber web that exists today. The multidirectional, murky, and dynamic nature of Russia’s cyber ecosystem—relying on a range of actors, with different incentives, with shifting relationships with the state and one another—is part of the reason that the Russian cyber threat is so complex.

Policymakers in the United States as well as allied and partner countries should take at least five steps to size up and confront Russia’s cyber threat in the years to come:

• When assessing the expectations-versus-reality of Russia’s wartime cyber operations, distinguish between capabilities and wartime execution.
• Widen the circle of analysis to include not just Russian state hackers but the broader Russian cyber web, including patriotic hackers and state-coerced criminals.
• Avoid the trap of assuming Russia can separate out cyber and information issues from other bilateral, multilateral, and security-related topics—maintaining its hostility toward Ukraine while, say, softening up on cyber operations against the United States.
• Continue cyber information sharing about Russia with allies and partners around the world.
• Invest in cyber defense and in cyber offense where appropriate.

Russia’s cyber ecosystem

Russia is home to a complex ecosystem of cyber actors. These include military forces, security agencies, state-recruited cybercriminals, state-coerced technology developers, state-encouraged patriotic hackers, self-identified patriotic hackers acting of their own volition, and more. Even Russian private military companies offer cyber operations, signals intelligence (SIGINT), and other digital capabilities to their clients. Together, these actors form a large, complex, often opaque, and dynamic ecosystem. The Kremlin has substantial power over this ecosystem, both guiding its overall shape (such as permitting large amounts of cybercrime to be perpetuated from within Russia) and leveraging particular actors as needed (discussed more below). Simultaneously, decisions aren’t always top-down, as entrepreneurial cybercriminals and hackers—much like “violent entrepreneurs” in Russian business and crime, or the “adhocrats” vying for Putin’s ear to pitch ideas—take initiative, build their own capabilities, and sell them to the state as well.

The relationships that different security agencies, at different levels, in different parts of the country and world, have with Russian hackers also vary over time. A local security service office might provide legal cover to a group of criminal hackers one day (after the necessary payoffs change hands, of course), only for a Moscow-based team to recruit them for a state operation the next. While the Kremlin has a sort of “social contract” with hackers—focus mainly on foreign targets; don’t undermine the Kremlin’s geopolitical objectives; be responsive to Russian government requests—its tolerance for a specific cybercriminal group can change on a whim, too. Security officials might take a bribe from a cybercriminal, much as their colleagues do on the regular, and still find their patrons in prison and their own wrists in handcuffs.

On the Russian government side, the principal units involved in offensive cyber operations are the Federal Security Service (FSB), the military intelligence agency (GRU), and the Foreign Intelligence Service (SVR). Russia does not have a proper, centrally coordinating cyber command; it was never launched despite attempts in the 2010s. The Ministry of Defense’s initial efforts to make one happen by circa 2014 were, it came to be understood later, overtaken by the subsequent establishment of Information Operations Troops with seemingly some coordinating functions—though experts still debate its analogousness to a “cyber command” and its level of shot-calling compared to bodies like the Presidential Administration. So while it is possible for the Russian security agencies to coordinate their (cyber) operations with one another, their engagements are marked more by competition than cooperation.

The most prominent example of this potential overlap or inefficiency is when GRU-linked APT28 and SVR-linked APT29 both hacked the Democratic National Committee in 2016, making it unclear whether each knew the other was carrying out a similar campaign. This operational friction is exacerbated by the fact that the agencies’ general remits—SVR on human intelligence, for instance, and FSB mostly domestic—do not translate to the digital and online world. All three agencies hack military and civilian targets and, for example, the FSB actively targets and hacks organizations outside of Russia’s borders. Each agency approaches cyber operations differently, too, often in line with their overall institutional cultures—such as the GRU, known for its brazen kinetic operations including sabotage and assassination, carrying out the boldest and most destructive cyber operations, contrasted with the SVR, and its emphasis on secrecy, focusing on quiet cyber intelligence gathering like in the SolarWinds campaign. Still, the Russian state agencies with cyber operations remain active threats to the United States, Ukraine, the West, and plenty of others through intelligence-gathering efforts, disruptive operations, and efforts that meld both, such as hack-and-leak campaigns.

Beyond government units themselves, the state encourages patriotic hackers—sometimes just young, technically proficient Russians—to go after foreign targets through televised and online statements (such as disinformation about Ukraine). Different security organizations, such as the FSB, may hire cybercriminals for specific intelligence operations and pay them based on the targets they penetrate. Other private-sector companies pitch their own services to the state of their own volition, bid on government contracts, and support a range of offensive capability development, research and development, and talent cultivation efforts (including defensive activities and benign or even globally cybersecurity-positive activities beyond the scope of this paper). Russian private military companies increasingly offer capabilities related to cyber and SIGINT to their private and government clients around the world, too. All the while, the state retains the capability to target specific people and companies in Russia that otherwise have nothing to do with the state, apply the relevant pressure, and compel them to assist with state cyber objectives, which it can wield to extraordinary effect.

As the historian Stephen Kotkin notes, “The Russian state can confound analysts who truck in binaries.” While there are several core themes to this ecosystem—complexity; state corruption; overwhelming tolerance for and even tacit support of cybercrime; myriad offensive cyber actors in play—Russia’s cyber ecosystem neither fits into a neat box nor is a neatly run one at that.

For all the threats these actors pose to Ukraine and the West, assuming that the Putin regime controls all cyber activity emanating from within Russia’s borders is not just inaccurate (e.g., the country’s too big; there are too many players; it’s not all top down), but is the kind of assumption that serves as a “useful fiction” for the Kremlin. It makes the system appear ruthlessly efficient and coordinated, gives disconnected or tactically myopic actions a veneer of larger strategy, and puts Putin at the center of all cyber operation decision-making. Thinking as much can, intentionally or not, further feed into the idea that the Kremlin’s motives are clear and fixed or driven by some kind of “hybrid war” strategy. It also obscures the fact that—unlike many Western countries that do, in fact, publish official “cyber strategies”—Russia does not have a defined cyber strategy document, instead drawing on a range of documents and sweeping “information security” concepts to frame information, the internet, and cyber power.

On the contrary, it is the multidirectional, murky, and dynamic nature of Russia’s cyber ecosystem that makes cyber activity subject to sudden change, feeds opportunities for interagency rivalries, contributes to effects-corroding corruption and competition, and provides the Kremlin with a spectrum of talent, capabilities, and resources to tap, direct, and deny (plausibly or implausibly) as it needs. It is in part this dynamism and multidirectional nature that makes Russia’s cyber threat so complex—as mixes of deliberate state decisions, Kremlin permissiveness, entrepreneurialism, competition, petty corruption, and incompetence blend together to create the Russian cyber web that exists today. Relationships between the state proper, at different levels, in different organizations, with nonstate cyber affiliates are often shifting; ransomware groups persistently targeting Western critical infrastructure, for example, may be prolific for months before collapsing under internal conflict and reconstituting into new groups, with new combinations of the old tactics and talent. It is also the reason that what is known to date about cyber operations during Russia’s full-out war on Ukraine provides such a valuable case study in assessing the status quo of this ecosystem—and, coupled with lessons from past incidents (like Russian cyberattacks on Estonia in 2007, Georgia in 2008, and Ukraine in 2014), helps to better weigh the future threat.

What happened to Russia’s cyber might?

Cyber operations have played a substantial role in Russia’s full-on invasion of Ukraine in February 2022 and the ensuing war. These activities range from distributed denial of service (DDoS) attacks knocking Ukrainian websites offline and Ukrainian patriotic hackers’ attacks on Russian government sites (what Kyiv calls its “IT Army”) to Russia using countless malware variants to exfiltrate data and targeting Ukrainian Telegram chats and Android mobile devices. Without getting into a timeline of every major operation—neither this paper’s focus nor possible given limits on public information—it is clear that Russian and Ukrainian forces and their allies, partners, and proxies have made cyber operations part of the war’s military, intelligence, and information dimensions.

There are many ways to define cyber power, which is by no means limited to offensive capabilities. In Russia’s case, analysts could focus on anything from Russia’s national cyber threat defense system—the Monitoring and Administration Center for General Use Information Networks (GosSOPKA), which effectively brings together intrusion detection, vulnerability management, and other technologies for entities handling sensitive information—to the enormous IT brain drain problems the country suffered immediately following the full-on invasion of Ukraine. As explored in a study last year for the Atlantic Council, Russia’s growing digital tech isolationism—both a long-standing goal and increasing reality for the Kremlin—has driven more independence in some areas, like software, while heightening dependence and strategic vulnerability in others, such as dependence on Chinese hardware. This paper’s focus, though, will remain on Russia’s offensive capabilities.

Pre-February 2022 expectations in the United States and the West, as highlighted above, were dominated by those predicting extensive Russian disruptive and destructive cyber operations. In these scenarios, Russia would leverage its state, state-affiliated, state-encouraged, and other capabilities to cause serious damage to Ukrainian critical infrastructure (telecommunications, water systems, energy grids, and so forth) and cleanly augment its kinetic onslaught. Russia would “employ massive cyber and electronic warfare tools” to collapse Ukraine’s will to fight through digital means.

To be sure, some predictions were more measured. Some pointed to the 2008 Russo-Georgian War, as an illustration of Russian forces effectively using DDoS attacks (Moscow’s shatter-communications approach) in concert with disinformation and kinetic action to prepare the battlefield, and conjectured that Moscow would do the same if it moved troops further into Ukraine. Others highlighted Russia turning off Ukrainian power grids as a possible menu option for Moscow as it escalated. Cybersecurity scholars Lennart Maschmeyer and Nadiya Kostyuk, contrary to widely held positions, argued two weeks before Russia’s full-scale invasion that “cyber operations will remain of secondary importance and at best provide marginal gains to Russia,” incisively noting that press headlines talking of “cyber war” rest on “the implicit assumption that with the change in strategic context, the role of cyber operations will change as well.” The overwhelming sentiment, though, was worry and anticipation of what some considered true, cyber-enabled, twenty-first century warfare.

But the cyber operations that unfolded immediately before and after the February 2022 invasion defied what many Western (including American) commentators were predicting. Russia didn’t deliver the cyber kill strike expected (instantly plummeting Ukraine into darkness). Ukrainian and NATO defenses were sufficient to (mainly) withstand the most disruptive FSB and GRU cyber operations, compared at least to pre-February 2022 expectations. And Moscow showed serious incompetencies in coordinating cyber activities with battlefield kinetic operations. Many experts who did not expect cyber-Armageddon per se have still been surprised by the limited impact of Russian attacks, the focus on wiper attacks (that delete a system’s data via malware) and data gathering over critical infrastructure disruptions, and apparent poor coordination between cyber and kinetic moves made by the Russian Armed Forces and intelligence services.

What, then, explains the gulf between expectations—decisive moves, cleanly executed operations, and visible results—and reality, with some operations, certainly, but the overwhelming focus on kinetic activity and far less on destructive cyber movement than anticipated? Scholars and analysts have, since February 2022, put forward several buckets of hypotheses.

Various commentators argue, as National Defense University scholar Jackie Kerr compiles and breaks down, that Russia’s weak integration of cyber into offensive campaigns was symptomatic of broader problems with Russian military preparations for full-on war; that Western observers simply overestimated Russia’s cyber capabilities; that poor coordination and competition between Russian security agencies impeded operational success; or that Ukraine’s cyber defenses have been extraordinarily robust. Some have gone so far as to attribute Ukrainian cyber defenses, backed up by Western allies and partners, as the primary reason for Russian offensive failures. Russia cyber and information expert Gavin Wilde argues that Russia focused on countervalue operations (against civilian infrastructure, to demoralize political leaders and the public) more than counterforce operations (against Ukrainian military capabilities), to little effect, “a sign of highly sophisticated intelligence tradecraft being squandered in service of a deeply flawed military strategy.”

Professors Nadiya Kostyuk and Erik Gartzke write that Russia’s full-on war on Ukraine is about territory and physical control, making physical military activity far more important than cyber operations themselves. Cyber scholar Jon Bateman argues that traditional signals jamming and Russia’s cyberattack against the Viasat satellite communications system, coupled with a chaotic slew of data-deletion attacks, may have helped Russia initially—but that cyber operations from there had diminishing novelty and impact. Russia’s poor strategy, insufficient intelligence preparation, and interagency mistrust have been presented as causes for undermining Russia’s cyber-kinetic strike coordination, too. Others argue that Russians wanted to gather intelligence from Ukrainian systems more than disrupt them, that Russia’s information-focused troops have been more optimized for propaganda than cyber operations, and that cyber scholars’ and pundits’ expectations were plain wrong given that Russia wanted to inflict physical violence on Ukraine more than achieve cyber-related effects—necessitating bombs, missiles, and guns over malware, zero days, and DDoS attacks.

In reality, of course, many factors are likely in play at once. Plenty of the above scholars and commentators recognize this multifactorial situation and say it outright (although a few do push a single prevailing explanation for the war’s cyber outcomes). However, it’s worth explicitly stressing that many factors coexist, in light of occasional efforts to provide reductive explanations for complex wartime activities and effects. Concluding that Russia is no longer a cyber threat, for instance, is wrong. While Ukraine as a country has demonstrated extraordinary will and resilience, and while Ukrainian cyber defenses have been more than commendable, explanations that place the rationale solely on formidable Ukrainian cyber defenses are likewise reductive. Taking such explanations as fact simplifies the many factors involved and can veer analysis and debates away from the policy actions that are still needed, such as continued cyber threat information sharing between the United States and Ukraine.

The above, plausible, evidence-grounded explanations are not mutually exclusive. FSB officers, rife with paranoia, conspiratorialism, and a Putin-pleasing orientation, did indeed grossly misinterpret the situation on the ground in Ukraine in 2022 and fed that bad information to the Kremlin, potentially skewing assessments of cyber options as well.

Interagency competition may very well have undermined, once again, the ability of the FSB, GRU, and SVR to coordinate activities with one another, let alone with the Ministry of Defense and Russian proxies in Belarus, and therefore hampered more effective planning, coordination, and execution of cyber operations. For example, during the war’s initial stages, elements of the SVR may very well have sought to technically gather intelligence from targets that GRU- or FSB-tied criminal groups were indiscriminately trying to knock offline or wipe with malware, thrusting uncoordinated activities into tension.

Like in every other country on earth, Russian cyber operators are additionally subject to resource constraints: A hacker spending a day on breaking into a Ukrainian energy company is a hacker not spending time on spying on expats in Germany or setting up a collaboration with a ransomware group. Competition, therefore, not just between agencies—turf wars, budget fights, who gets the primary jurisdiction over Ukraine, and so forth—but within them, over who gets to spend what time and resources targeting which entities, sit within broader Russian government calculi over cyber, military, and intelligence operations. And, among others, Russia’s overall strategy did lead to bad moves, as Wilde and others have noted, with limited effect and burning away Russian capabilities (like exploits) in the process. Recognizing these many likely factors will facilitate better analysis of where Russia stands.

The gap between the imagined, all-out “cyber war” and the past three years’ reality also begs the question of whether the right metrics were considered in the first place. As much as cyber capabilities are inextricable from modern intelligence operations, and as much as cyber and information capabilities are embedded throughout militaries around the world, war is obviously about far more than cyber as a domain. But experts studying cyber all day, every day, may fall into the unintentional trap (as anyone can) of having their area of study become the focal point of analysis in a war with many moving pieces and considerations—hence, some of the commentary anticipated Russian destruction of Ukraine to happen through code, compared to a range of military weaponry. Academic theories, moreover, of how cyber conflict will unfold in political science-modeled simulations or think tank war games may similarly fail to map to battlefield realities, such as generalizing how cyber fits into warfare without adequately considering unique contexts in a country like Russia. Layered on top of all this—in the academies, in the media, in the data and artificial intelligence (AI) era—is a frequent desire to quantify everything, too, obscuring the fact that not everything can be effectively, quantifiably measured and that counting up the number of observed Russian cyber operations and scoring them may still not get to the heart of their inefficacy. Clearly, as US and Western perspectives on Russian cyber power shift with more information and time, it is worth rethinking Russia’s future cyber power—not just for how the West can recalibrate its assumptions and size up the threats, but in how the West can prepare to act and respond in the future.

Unpacking the (cyber) nesting doll

The takeaway from comparing predictions and reality shouldn’t be that pundits are always wrong or that Russia’s cyber operations are considerably less threatening in 2025. Nor should it be that Ukraine is propped up solely by Western government and private-sector cyber defenses, and that Russia is simply waiting to unleash a devastating cyber operation to end it all.

Russia remains a sophisticated, persistent, and well-resourced cyber threat to the United States, Ukraine, and the West generally. This is not going to change anytime soon. Kremlin-spun “crackdowns” on cybercrime (arrests that were little more than public relations stunts), frenetic talk of US-Russia rapprochement, and wishful thinking about Putin’s willingness to cease subversive activity against Ukraine do not portend, as some might suggest, that the United States can sideline Russia as a central cyber problem—and focus instead on China.

The Russian government views cyber and information capabilities as key to its military and intelligence operations, and the Kremlin still has one top enemy in its national security sights: the United States. Outside the Russian state per se, a range of ransomware gangs and other hackers in Russia will continue targeting companies, critical infrastructure, and other entities in the United States, Ukraine, and the West, too. There are at least five steps US policymakers and their allies and partners should take to size up this threat—against the full scope of Russia’s cyber web and integrating lessons learned so far from Russia’s full-out war on Ukraine—and confront it head-on in the coming years.

When assessing the expectations-versus-reality of Russia’s wartime cyber operations, distinguish between capabilities and wartime execution. Clearly, Russian offensive cyber activity during its full-on war against Ukraine has not matched up against Western assumptions that envisioned a cyber onslaught that turned off power grids, disrupted water treatment facilities, and blacked out communications. Evaluating how and why Russia did not make this happen is critical to understanding Russia’s operational motives, play-by-play planning and coordination between security agencies, targeting interests, and much more. But analysts and media must be careful to avoid thinking that Russia’s cyber capabilities themselves are weak. Clearly, when Russian hackers put the pedal to the metal, so to speak—ransomware gangs targeting American hospitals, or the GRU going after Ukrainian phones—they can deliver serious results. A better approach is policymakers and analysts in the United States, as well as in allied and partner countries, breaking out Russia’s continued cyber threats across ransomware, critical infrastructure targeting, mobile-device hacking, and so on while pairing the capabilities against where execution could fall short in practice. Doing so will give a better sense of Russia’s cyber strengths and weaknesses—and distinguish between the different components of carrying out a cyber operation.

Widen the circle of analysis to include not just Russian state hackers but the broader Russian cyber web, including patriotic hackers and state-coerced criminals. Focusing Western intelligence priorities, academic studies, and industry analysis mainly on Russian government agencies as the primary vector of Russian cyber power loses the importance of the overall Russian cyber web. Putting the focus mostly on Russian government agencies also loses, as my colleague Emma Schroeder has unpacked in detail, the role that public-private partnerships have played in cyber operations and defenses in the conflict, and the opportunity to assess similar public-private dynamics on the Russian side. Conversely, making sure to consider the roles of government contractors, military universities, patriotic hackers, state-tapped cybercriminals, and other actors as described above should help to fight the temptation to treat all Russian cyber operations as top-down—and illuminate the many ways in which Russia can build capabilities, source talent, and carry out operations against the West. Understanding these actors will allow for better tracking, threat preparation, defense, and, where needed, disruption.

Avoid the trap of assuming Russia can separate out cyber and information issues from other bilateral, multilateral, and security-related topics—maintaining its hostility toward Ukraine while, say, softening up on cyber operations against the United States. Whether the US government can or cannot separate out cyber issues vis-à-vis Russia from other elements of the US-Russia relationship (e.g., trade, nuclear security), Western policymakers should avoid the trap of assuming the Russian government is currently capable, let alone willing, of genuinely and seriously doing the same: separating out its cyber activities from other policy and security issues.

The Russian government has come to view the internet and digital technologies as both weapons that can be wielded against the state and weapons to use against Russia’s enemies. In this sense, cyber operations (as well as information operations) are core not just to Moscow’s approach to modern security, military activity, and intelligence operations but, perhaps more importantly, to the Kremlin’s conceptualization of regime security as well. Paranoia and propaganda about fifth columnists (with, sometimes, one feeding the other), persistent efforts to crack down on the internet in Russia, and a continued belief that Western tech companies and civil society groups are weaponizing the internet to undermine the Kremlin, mean that the regime will not truly believe it can put “information security” on the sidelines—and that includes not just internet control but cyber operations. Policymakers must go into diplomatic and other engagements with Russia with their eyes wide open.

Continue cyber information sharing about Russia with allies and partners around the world. For years, military and intelligence scholars and analysts have referred to Russia’s actions in Georgia, Ukraine, and other former Soviet republics as a “test bed” or “sandbox” for what Russia might do in other countries. It would be a strategic, operational, and tactical mistake to think that Russian cyber operations against Ukraine are just confined to Ukraine and that two-way information sharing with Ukraine about cyber threats is a waste of time and resources. Quite the opposite: Russia’s cyber and information activities against Ukraine today can give the United States and its allies and partners critical insights into the types of capabilities and operations that could, and very well might be, carried out against them at the same time or days or months later. Whether hack-and-leak operations designed to embarrass political figures, wiper attacks designed to destroy government databases, espionage operations, or anything in between, having real-time information about Russian cyber threats will only help the United States and its allies and partners better defend their own networks and systems against hacks and attacks.

Invest in cyber defense and in cyber offense where appropriate. Persistent, sophisticated Russian cyber threats to a range of key US and allied and partner systems—military networks, hospitals, financial institutions, critical infrastructure, advanced tech companies, civil society groups—demand continued investments in cyber defense. In addition to information-sharing, the United States and its allies and partners need to continue prioritizing market incentives for companies to enhance cyber defenses along with baseline requirements for essential measures such as multifactor authentication, detailed access controls, robust encryption, continuous monitoring, network segmentation, resourced and empowered cybersecurity decision-makers, and much more. Just as the Russians clearly possess a range of advanced cyber capabilities, any number of recent operations, including against Ukraine, show that Russian operations (like those carried out by many other powers) continue to succeed with basic moves such as phishing emails. The United States and its allies and partners need to continually increase cyber defenses. And, where appropriate, the United States and its allies and partners should ensure the right capabilities and posture to carry out cyber offensive operations—including to preemptively disrupt Russian attacks (the “defend forward” euphemism). As the Kremlin is more paranoid and conspiratorial, the notion of diplomatic talks and establishing cyber redlines is less and less realistic. Active mitigation and disruption of threats, rather than relying too heavily on diplomatic meetings or endless criminal indictments, are together a more feasible approach to protecting US and allied and partner interests against Russian cyber threats in the years to come.

Conclusion

Lessons from cyber operations—and about cyber operations and capabilities—from the Russian full-on war against Ukraine will continue to emerge in the coming years. This trickle of information may slowly dissipate some of the “fog of war” surrounding the back-and-forth hacks and shed much-needed light on issues such as coordination and conflict between Russian security agencies in cyberspace.

For now, however, the issue for the United States is clear: Russia remains a persistent, sophisticated, and well-resourced cyber threat to the United States and its allies and partners around the world. The threat stems from a range of Russian actors, and it stands to continue impacting a wide range of American government organizations, businesses, civil society groups, individuals, and national interests across the globe. As wonderful as the idea of cyber détente might be, Putin’s paranoia about Western technology, Russian officials’ insistence that the internet is a “CIA project” and Meta is a terrorist organization, and military and intelligence interest in conflict and subversion against the West will not evaporate with a wartime ceasefire or a newfound agreement with the United States. These are hardened beliefs and fairly cemented institutional postures that are not going to shift under the current regime.

Rather than dismissing Russia’s cyber prowess because of unmet expectations since February 2022, American and Western policymakers must size up the threat, unpack the complexity of Russia’s cyber web, and invest in the right proactive measures to enhance their security and resilience into the future.

Acknowledgements

The author would like to thank Brian Whitmore and Andrew D’Anieri for the invitation to write this paper and for their comments on an earlier draft. He also thanks Gavin Wilde, Trey Herr, Aleksander Cwalina, Ambassador John Herbst, and Nikita Shah for their comments on the draft.

Justin Sherman is a nonresident senior fellow with the Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; an incoming adjunct professor at Georgetown University’s School of Foreign Service; a contributing editor at Lawfare; and a columnist at Barron’s. He writes, researches, consults, and advises on Russia security and technology issues and is sanctioned by the Russian Ministry of Foreign Affairs.

The Eurasia Center’s mission is to promote policies that strengthen stability, democratic values, and prosperity in Eurasia, from Eastern Europe in the West to the Caucasus, Russia, and Central Asia in the East.

Learn more

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

Russia Tomorrow Oct 1, 2024

Russia’s war on Ukraine: Moscow’s pressure points and US strategic opportunities

By Ariel Cohen

A new Atlantic Council report explores Russia’s modern day domestic and international vulnerabilities.

Defense Industry Europe & Eurasia

Russia Tomorrow Feb 2, 2024

Russia Tomorrow: Five scenarios for Russia’s future

By Casey Michel

A new Atlantic Council report explores five paths that Russia future might take in its future. What forces will shape Russia’s future?

Europe & Eurasia Political Reform

Russia Tomorrow Mar 14, 2024

All the autocrat’s men: The court politics of Putin’s inner circle

By Mikhail Zygar

A new Atlantic Council report by journalist Mikhail Zygar explores how Russia’s war on Ukraine has affected Vladimir Putin’s inner circle.

Elections Europe & Eurasia

The post Unpacking Russia’s cyber nesting doll appeared first on Atlantic Council.

The post CBDC Tracker cited by the US Treasury Department on global development of CBDCs appeared first on Atlantic Council.

The post Kumar referenced in the T7 Canada Communiqué appeared first on Atlantic Council.

The post CBDC Tracker cited in Reuters on digital currency development appeared first on Atlantic Council.

First, the significant effect that government-led instant payment systems can have on citizens and the financial market transforms financial inclusion and market structures. Second, decisions made during the early stages of the process, such as system pricing and ownership structure, shape the power dynamics between local and international players, as well as incumbent and new entrants. 

These lessons are shaping an emerging framework governments can use to evaluate their need for central bank-led immediate payment systems, their potential structure, organizational features, and trade-offs involved in implementing a similar approach. The framework is composed of a three-step approach, including prerequisite weighting (i.e., “do we need this system”), the preparations needed to hit the ground running, and the process of setting up new immediate payment systems.

Pix and UPI: Initial development to growing pains

But first, it’s important to understand how immediate payment systems have developed into what they are today. 

Over the last decade, India and Brazil launched their instant payment systems, UPI and Pix, on a national scale, reshaping their payment landscapes. With 350 million UPI users and 140 million Pix users, about 25 percent of India’s population and approximately 65 percent of Brazil’s population use the systems. One of every eleven adults in the world uses either Pix or UPI to send or receive immediate payments. 

Brazil’s immediate payments policy is a payments-first approach. The Brazilian Central Bank (BCB) owns Pix and pushes it to cooperate with domestic private market players, focusing mainly on immediate payments and adjacent products. The system was launched in 2020 after a two-year ideation and development period.

Pix is the most quickly adopted immediate payment system in the world. As of the second quarter in 2024, it had reached 15.4 billion quarterly transactions. Its growth was fueled by a high degree of cooperation with the local financial ecosystem, as well as the fact that institutions with over 500,000 transacting accounts were required to participate, creating a network effect.

India developed UPI as a part of its Digital Public Infrastructure (DPI) program and implemented it as a part of a broad tech stack. Its approach to both DPI and UPI has long been for the state to develop the basic infrastructure, including a digital identity pillar, data exchange pillar, and payments pillar, allowing private sector innovation on top of the existing system.

UPI was developed under the National Payments Corporation of India, which is independent of India’s central bank and owned by various private banks. It became India’s most popular digital payment method, processing over 75 percent of the nation’s retail digital payments.

However, UPI’s growth was initially slow. It only reached 10 million monthly transactions in 2017 and took about three years to reach 1 billion monthly transactions. The growth was later expedited due to India’s demonetization, which started in 2016, the COVID-19 transition away from cash, and internationally backed payment providers entering the market.

Both Pix and UPI have significantly increased financial inclusion, supported growth in the fintech sector, and become the payment standards in their respective countries. However, their impact has not been entirely positive. Their use has also increased fraud and reshaped the power balance between different players in their markets.  

Winners and losers: Market impacts in Brazil and India 

Both systems transformed their respective markets, benefitting some players and reducing the market power of others. 

The table below provides a snapshot of the market dynamics, highlighting each of the key players, their initial power and interest mapping (green for high, yellow for medium, and red for low) and the power shifts in the market caused by Pix. Power shifts are categorized into market share and decision-making power—red with a downward-facing arrow indicates a decrease, green with an upward-facing arrow signifies an increase, and yellow represents retained power or a mixed trend.

In Brazil, Pix has transformed the financial sector by benefiting new domestic players while challenging incumbents and credit card schemes. 

Brazilian neobanks and fintech startups have grown significantly by leveraging Pix’s cost model to attract new customers. They take advantage of the optional fee structure for its value offer, including no fees for consumers and bearing the mandatory fees for businesses. Eliminated transaction fees and immediate payments increased consumer trust. It made digital payments more accessible, particularly for the previously unbanked population. Small businesses and micro-entrepreneurs have also gained access to low-cost, instant transactions, fostering financial inclusion and reducing reliance on cash. This, in turn, drove an increase in such banks’ target addressable market (i.e., relevant customer base).

However, traditional banks and credit card networks have been disrupted. Before Pix, Brazilian banks charged significant fees for interbank transfers, but Pix’s free and instant model eroded this revenue stream. As a result of Pix’s launch, traditional banks’ revenue from payments decreased by 8 percent between 2020 and 2021.

Credit card companies are seriously threatened by Pix. In 2022, BCB’s governor predicted that Pix would make credit cards obsolete. However, transaction data tells a more complicated story. With Pix introducing new consumers into the market, banks are leveraging “maturing cohorts” of consumers to offer them credit cards. Before Pix, credit card payment volumes were at a 12.7 percent annual CAGR (compound annual growth rate) between 2018 and 2020. After the launch of Pix, CAGR almost tripled, reaching 31.7 percent between 2020 and 2022.

UPI’s rapid adoption in India similarly transformed the power balance in the market and benefitted payment technology providers. 

Large-scale third-party application providers (TPAPs), particularly Google Pay and PhonePe, dominate the UPI transaction space, accounting together for over 80 percent of UPI transactions. These players leveraged UPI’s no-cost model to gain significant user adoption. Consumers and merchants have also benefited from seamless, real-time payments without additional fees. 

However, traditional banks struggle with UPI’s zero-fee structure, as it increases transaction volumes and associated costs without direct revenue gains. Some banks have pushed for the introduction of transaction fees to compensate for operational costs. For that reason, in 2022 RBI introduced subsidies for small transactions to banks, which they can share with TPAPs. In 2024, these accounted for 10 percent of PhonePe’s annual revenue. Credit card companies have also faced increasing competition. However, similar to Brazil, credit card usage volume has actually increased following UPI’s scaling. From a declining CAGR of 7.3 percent between 2018 and 2020 in payment volume, after UPI scaled, credit card growth reached a 24.2 percent CAGR between 2020 and 2022.

Big tech vs. local tech: Divergent approaches

A key distinction between Pix and UPI is their approach to global technology firms (“big tech”) and multinationals generally.

BCB has actively blocked big tech from entering the market, emphasizing the need for domestic control over digital payments. This approach is part of a general policy to strengthen the domestic ecosystem over incorporating multinational players. In 2020, for example, BCB suspended WhatsApp’s Brazilian immediate payments offering launch. It cited regulatory concerns and the potential risk to financial stability, launching Pix later that year. This strategy has helped the local fintech ecosystem and brought domestic players, mainly neobanks, to the front of the stage. 

In contrast, India’s approach has allowed big techs and multinational players to participate in the UPI ecosystem and often relied on them for last mile delivery, and consumer onboarding, driving its scaleup. Google Pay and PhonePe, respectively backed by Alphabet and Walmart, quickly dominated.They could offer payments as a loss leader (i.e., sell at a loss to attract customers to other, profitable products) while benefiting from other products over time. 

While doing so accelerated lagging adoption rates, it has also led to concerns about data privacy and market concentration. 

The Indian government has since explored regulatory measures, such as imposing a 30 percent market share cap on individual TPAPs, though enforcement has been repeatedly delayed. Another claim voiced by government officials in the debate is that, given UPI’s universal nature, providers are interchangeable, thus eliminating anti-competitive claims.

This divergence in strategies and outcomes reflects the broader debate about whether emerging economies should embrace or limit big tech’s role in financial infrastructure.

Stages of implementation

Based on Brazil and India’s experiences, a three-stage framework emerges for countries considering immediate payment systems adoption.

The first stage of weighting prerequisites involves assessing the need for a state-led payments system based on three factors: the existence of alternatives (e.g., a strong credit card presence), expected change (primarily driven by the level of financial inclusion, development costs, and the size of the economy), and state capacity. As a result, countries with low banking penetration and high reliance on cash are more likely to benefit from such systems. 

The second stage involves getting ready to hit the ground running, focusing on implementation and scaling. Understanding the existing market conditions and the shifts anticipated from the introduction of the system is crucial. Additionally, selecting an appropriate governance model—whether a central bank-led approach like Pix, a consortium-led model like UPI, or a provider model—plays a vital role in determining long-term implications. Lastly, the fee structure will also influence both adoption and market entry and should be actively established at this stage. 

The final stage involves setting up a long-term process by establishing cooperation mechanisms and managing externalities. Policymakers must implement regulatory adjustments based on market responses to address issues such as monopolization and consumer protection against fraud. They should also explore engagement mechanisms for local players through forums and bilateral consultation schemes, focusing on gaining knowledge and legitimacy as well as efficiency considerations. 

While many regions worldwide consider the future of payments, this framework can serve as an initial point of assessment. There is no perfect “one size fits all” solution. However, states’ varied ability to execute and enforce participation, the size of their economies, and the preexisting market structures significantly influence decisions concerning the “what” and the “how” of launching immediate payment systems.

Pix and UPI offer several additional insights into how state-led payment systems can reshape economies. 

While Brazil focused on domestic financial players and regulatory control, India leveraged global technology firms for swift adoption. Consequently, Brazil fostered the expansion of its local fintech ecosystem, while India established an environment with significant multinational involvement. 

In both cases, incentives for private market players aligned to support the growth of credit card provision as a subsequent step after initially introducing consumers to the financial system through Pix and UPI. While there is room for discussion about the implications of this step, it is a definitively critical point to consider when launching such systems and weighing their outcomes.

Lastly, the key lesson from these models lies in the decisions made by policymakers to initiate transformative processes. Both models illustrate the potential of such systems to enhance financial inclusion, disrupt traditional banking, and reshape economies, thereby aiding in their advancement. These lessons from UPI and PIX can be narrowly applied to public sector entities looking to create state-led systems, however, it is important to consider that market structure transformation might not be the ideal solution for every economy, especially more advanced economies which have a larger share of private sector players. Ultimately within a jurisdiction, policymakers bear the ultimate responsibility of acting to launch immediate payment systems.

Polina Kempinsky is a second-year Master of Public Policy student at the Harvard Kennedy School. This paper is part of Polina’s PAE (Policy Analysis Exercise) for her program, which explores the instant payment systems of Brazil and India.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Fast payments in action: Emerging lessons from Brazil and India appeared first on Atlantic Council.

The post Cryptocurrency Regulation Tracker cited by the International Journal of Economics, Business and Management Research on global efforts to regulate cryptocurrency appeared first on Atlantic Council.

The post Kumar quoted in NewsNation on the new US crypto strategic reserve appeared first on Atlantic Council.

The post Kumar quoted by Central Banking on the Bank of Russia’s role in sanctions evasion and building alternative payment infrastructure appeared first on Atlantic Council.

Watch the full event

Public Event Thu, April 3, 2025 • 1:30 am ET

Europe’s Teresa Ribera on the EU’s clean transition and US-EU relations

AN #ACFRONTPAGE EVENT—Teresa Ribera, executive vice-president of the European Commission, shares her vision for the EU, the bloc’s competitiveness, and the US-EU relationship.

Digital Policy Economy & Business Energy & Environment Europe & Eurasia

US President Donald Trump’s sweeping tariffs, announced Wednesday, are “bad news for the whole world—including Americans,” said Teresa Ribera, executive vice-president of the European Commission for a clean, just, and competitive transition. 

“We will defend the Europeans,” from businesses to citizens, added Ribera at an Atlantic Council Front Page event Thursday. The European Union (EU) will first look to avoid a “big clash” with the United States. “We will remain firm and open,” and see if there are any avenues to “solve any type of misunderstanding and avoid conflict,” she said. 

As for what the US tariffs mean for the EU’s trade strategy, Ribera said that the bloc will “keep on developing and deepening the relationship with the rest of the world.”  

“The whole world is bigger, or larger, than the US market. So yes, of course, we will try to keep on building that,” she said. 

She added that it is “worth it to defend” the “multilateral-order-based rules,” including ones around trade, that the EU has built with its partners “during the last eighty years.” 

Below are more highlights from the conversation, moderated by Europe Center Distinguished Fellow Frances Burwell, which also touched upon the EU’s competitiveness agenda and green transition. 

All for one . . . 

• Ribera argued that in responding to the US tariffs, it will be important to have a “strong” EU that is “united” in a “common approach.”  

• “I say that we are boringly reliable, but I think that it is absolutely true,” Ribera said. She pointed to the EU remaining together against Russian President Vladimir Putin’s attempts to divide it. “This is one of the most important principles we need to stick [with],” she said. 

• She added that internal changes—such as removing barriers to trade within the European single market—could help offset losses incurred from US tariffs, seeing as internal trade barriers amount to the equivalent of a 45 percent tariff.  

• Ribera noted that the US-EU trade relationship has come to be a “story of success” in joint cooperation, so the two parties should not look to weaken the relationship, but to strengthen it. “It’s good to count on supply chains that work, markets that work and are predictable,” she said. 

• In order to address today’s challenges and address society’s demands, she said, “it is much [easier] to build bridges than to build barriers.” 

Guided by a new “Compass”

• Ribera will soon review the EU’s competition policy, which regulates mergers and acquisitions. She said the policy has been built on a global situation that “has changed” with the power of the West diminishing in its ability to set the terms of global markets. She said she will identify how the tools can actually help attain a more competitive environment, in line with the EU’s new Competitive Compass. 

• After US Federal Trade Commissioner Andrew Ferguson said that he was “suspicious” of the EU Digital Markets Act (which imposes restrictions on tech companies operating in Europe) and criticized laws that “get at American companies abroad,” Ribera argued that the act is “not intending to go against anyone.” She said, rather, it is intended to protect from the development of monopolies against new innovators in the EU market. 

Clean, green machine 

• In addressing criticism that the EU’s green push is getting in the way of achieving competitiveness priorities, Ribera said that the green framework can actually be a “main driver” of Europe’s future competitiveness. 

• Other countries have come to realize the value of the green transition and now “have a big share of the international market dealing with green equipments,” she said. “We don’t want to miss the train anymore.” 

• With the European Commission having proposed the Omnibus package of measures to simplify rules (such as those around sustainability reporting) for businesses, Ribera said that “simplification is very important.” She said she hears from businesses that they want simpler reporting obligations and more clarity from the EU to help them make the “right decisions” on investments. 

• The EU must show investors and the industrial community that it will not go “back to the past to solve the problems of today,” Ribera said. “This is clean, this is industrial, but this is a deal,” she added, explaining that the deal means the EU will be “paying attention to where the concerns may be and how we can . . . [better] bring better everybody together.” 

Katherine Golden is an associate director of editorial at the Atlantic Council.

Watch the event

The post The European Commission’s Teresa Ribera: ‘We will defend’ Europeans in the face of new US tariffs appeared first on Atlantic Council.

DeepSeek’s breakthrough has made the West reflect on its artificial intelligence (AI) strategies, specifically regarding cost and efficiency. But the West must also urgently consider what DeepSeek’s R1 model means for the future of democracy in the AI era.

That is because the R1 model shows how China has taken the lead in open-source AI: systems that are made available to users to use, study, modify, and share the tool’s components, from its codes to its datasets, at least according to the Open Source Initiative (OSI), a California-based nonprofit. While there are varying definitions of open-source, its application for AI has immense potential, as it can encourage greater innovation among developers and empower individuals and communities to create AI-driven solutions in sectors such as education, healthcare, and finance. The technology, ultimately, accelerates economic growth.

However, according to reports, R1 appears to censor and withhold information from users. Thus, democracies not only risk the loss of the AI technological battle; they also risk falling behind in the race to govern AI and could fail to ensure that democratic AI proliferates more widely than systems championed by authoritarians.

Therefore, the United States must work with its democratic allies, particularly the European Union (EU), to set global standards for open-source AI. Both powers should leverage existing legislative tools to initiate an open-source governance framework. Such an effort would require officially adopting a definition of open-source AI (such as OSI’s) to increase governance effectiveness. After that, the United States and EU should accelerate efforts to ensure democratic values are embedded in open-source AI models, paving the way for an AI future that is more open, transparent, and empowering.

How China overtook the lead

Part of DeepSeek’s success can be understood by the Chinese Communist Party’s (CCP’s) showing signs of incorporating the norm-building of open-source AI into its legal framework. In April 2024, the Model AI Law—a multi-year expert draft led by the Chinese Academy of Social Sciences, which is influential in the country’s lawmaking process—laid out China’s support for an open-source AI ecosystem. Article 19 states that the CCP “promotes construction of the open source ecosystem” and “supports relevant entities in building or operating open source platforms, open source communities, and open source projects.” It encourages companies to make “software source code, hardware designs, and application services publicly available” to foster industry sharing and collaboration. The draft also highlights reducing or removing legal liability for the provision of open-source AI models, providing that individuals and organizations have established a governance system compliant with national standards and have taken corresponding safety measures. Such legal liability would have held developers accountable for infringing the rights of citizens. This is a notable contrast to China’s past laws governing AI that explicitly stated the goal of protecting those rights. The specific provisions in the Model AI Law, albeit a draft, shouldn’t be overlooked, as they essentially serve as a blueprint of how open-source AI is deployed in the country and what China’s models exported globally would look like.

Furthermore, the AI Safety Governance Framework, a document that China aims to use as a guide to “promote international collaboration on AI safety governance at a global level,” echoes the country’s assertiveness on open-source AI. The document was drafted by China’s National Technical Committee 260 on Cybersecurity, a body working with the Cyberspace Administration of China, whose cybersecurity standard practice guidelines were adopted by CCP in September 2024. The framework reads, “We should promote knowledge sharing in AI, make AI technologies available to the public under open-source terms, and jointly develop AI chips, frameworks, and software.” Appearing in a document meant for global stakeholders, the statement reflects China’s ambition to lead in this area as an advocate.

What about the United States and EU?

In the United States, advocates have touted the benefits of open source for some time, and AI industry leaders have called for the United States to focus more on open-source AI. For example, Mark Zuckerberg launched the open-source model Llama 3.1 last year, and in doing so, he argued that open-source “represents the world’s best shot” at creating “economic opportunity and security for everyone.”

Despite this advocacy, the United States has not established any law to promote open-source AI. A US senator did introduce a bill in 2023 calling for building a framework for open-source software security, but the bill has not progressed since then. Last year, the National Telecommunications and Information Administration published a report on dual-use AI foundation models with open weights (meaning the models are available for use, but are not fully open source). It advised the government to more deeply monitor the risks of open-weight foundation models in order to determine appropriate restrictions for them. The Biden administration’s final AI regulatory framework was friendlier to open models: It set restrictions for the most advanced closed-weight models while excluding open-weight ones.

The future of open-source models remains unclear. US President Donald Trump has not yet created any guidance for open-source AI. So far, he has repealed Biden’s AI executive order, but the executive order that replaced it has not outlined any initiative that guides the development of open-source AI. Overall, the United States has been overly focused on playing defense by developing highly capable models while working to prevent adversaries from accessing them, without considering the wider global reach of those models.

Since unveiling the General Data Protection Regulation (GDPR), the EU has established itself as a regulatory powerhouse in the global digital economy. Across the board, countries and global companies have adopted EU compliance frameworks for the digital economy, including the AI Act. However, the EU’s effort on open-source AI is lacking. Although Article 2 of the AI Act briefly mentions open-source AI as an exemption from regulation, the actual impact seems minor. The exemption is even absent for commercial-purpose models.

In other EU guidance documents, the same paradox can be found. The latest General-Purpose AI Code of Practice published in March 2025 acknowledged how open-source models have a positive impact on the development of safe, human-centric, and trustworthy AI. However, there is no meaningful elaboration promoting the development and use of open-source AI models. Even in the EU Competitiveness Compass—a framework targeting overregulation, regulatory complexity, and strategic competitiveness in AI—“open source” is absent.

The EU’s cautious approach to regulating open-source AI stems from the challenge of defining it. Open-source AI is different from traditional open-source software in that it includes pre-trained AI models rather than simply source code. And, of course, the definition from OSI has not yet been acknowledged in the international legal community. The debate over what constitutes open-source AI creates legal uncertainty that the EU is likely uncomfortable to accept. Yet the real driver of inactivity lies deeper. The EU’s regulatory successes, like GDPR, make the Commission wary of exemptions that could weaken its global influence over a technology still so poorly defined. This is a gamble Brussels has, so far, had no incentive to take.

The new power imbalance in AI geopolitics 

China’s push to become technologically self-sufficient, a push which has included solidifying open-source AI strategies, is partly motivated by US export controls on advanced computing and semiconductors dating back at least to 2018. These measures stemmed from US concerns about national security, economic security, and intellectual property, while China’s countermeasures also reflect the broader strategic competition in technological superiority between both countries. The EU, on the other hand, asserts itself in the race by setting the global norms of protecting fundamental rights and a host of democratic values such as fairness and redistribution, which ultimately have shaped the policies of leading global technology companies.

By positioning itself as a leader in open-source AI, China has turned the export and policy challenge into an opportunity to sell its version of AI to the world. The rise of DeepSeek, along with other domestic rival companies such as Alibaba, is shifting the pendulum by reducing the world’s appetite for closed AI models. DeepSeek has released smaller models with fewer parameters for less powerful devices. AI development platform Hugging Face has started replicating DeepSeek-R1’s training process to enhance its models’ performance in reinforcement learning. Microsoft, OpenAI, and Meta have embraced model distillation, a technique that drew much attention with the DeepSeek breakthrough. China has advanced the conversation around openness, with the United States adapting to the discourse for the first time and the EU being trapped in legal inertia, leaving a power imbalance in open-source AI.

China is offering a concerning version of open-source AI. The CCP strategically deploys a “two-track” system that allows greater openness for AI firms while limiting information and expression for public-facing models. Its openness is marked by the country’s historical pattern that restricts the architecture of a model, such as requiring the input and output to align with China’s values and a positive national image. Even in its global-facing AI Safety Governance Framework (in which Chinese authorities embrace open-source AI), the CCP says that AI-generated content poses threats to ideological security, hinting at the CCP’s limited acceptance of freedom of speech and thought.

Without a comprehensive framework based on the protection of democracy and fundamental rights, the world could see China’s more restrictive open-source AI models reproduced widely. Autocrats and nonstate entities worldwide can build on them to censor information and expression while touting that they are promoting accessibility. Simply focusing on the technological performance of China is not sufficient. Instead, democracies should respond by leading with democratic governance.

Transatlantic cooperation is the next step

The United States and EU should consider open-source diplomacy, advancing the sharing of capable AI models across the globe. In doing so, they should create a unified governance framework and work toward shaping a democratic AI future by forming a transatlantic working group on open-source AI. Existing structures, including the Global Partnership on Artificial Intelligence (GPAI), can serve as a vehicle. But it’s essential that technology companies and experts from both sides of the Atlantic are included in the framework development process.

Second, the United States and EU should, through funding academic institutions and supporting startups, promote the development of open-source AI models that align with democratic values. Such models, free from censorship and security threats, would set a powerful contrast to the Chinese models. To promote such models, the United States and EU will need to recognize that the benefits of such models outweigh the risks in the broader picture. Similarly, the EU must also continue leveraging its regulatory advantage; it must also be more decisive about governing open-source AI, even if it means embracing some uncertainty about its legal definition, in order to outpace China’s momentum.

The United States and EU may currently have a rocky relationship. However, US-EU collaboration rather than competition is crucial with China’s ascendence in open-source AI. To take back leadership in this pivotal arena, the United States and European Union must launch a transatlantic initiative on open-source AI that employs forward-thinking policy, research, and innovation in setting the global standard for a rights-respecting, transparent, and creative AI future.

Ryan Pan is a project assistant at the Atlantic Council GeoTech Center.

Kolja Verhage is a senior manager of AI governance and digital regulations at Deloitte.

The views reflected in the article are the author’s views and do not necessarily reflect the views of their employers.

GeoTech Cues Feb 4, 2025

Did DeepSeek just trigger a paradigm shift?

By Ryan Arant, Newton Howard

The release of DeepSeek’s AI model may have far-reaching implications for global investment trends, regulatory strategies, and the broader AI industry.

Artificial Intelligence Digital Policy

Sinographs Jan 29, 2025

Is DeepSeek a proof of concept?

By Jessie Yin

Understanding how Deepseek emerged from China’s innovation landscape can better equip the US to confront China’s ambitions for global technology leadership.

Artificial Intelligence China

New Atlanticist Jan 28, 2025

What DeepSeek’s breakthrough says (and doesn’t say) about the ‘AI race’ with China

By Kenton Thibaut

DeepSeek’s achievement has not exactly undermined the United States’ export control strategy, but it does bring up important questions about the broader US strategy on AI.

Artificial Intelligence China

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post DeepSeek shows the US and EU the costs of failing to govern AI appeared first on Atlantic Council.

The post House quoted in Axios on stablecoin legislation appeared first on Atlantic Council.

The post Donovan interviewed for the Public Key Podcast on the role of cryptocurrencies in global sanctions appeared first on Atlantic Council.

For starters, the plan stems from a 2024 proposal by Senator Cynthia Lummis and largely functions as a centralized repository for assets that have already been seized by the federal government—for example, as part of criminal proceedings. That might be “budget neutral,” as the order says, but it is not a reserve in the traditional sense of a gold reserve used by central banks to redeem depositors or pay international debts. As a prominent Bitcoin thinker succinctly put it, “[t]here is no ‘strategic’ value in a crypto reserve.”

The executive order directs the government to simply hold (or later on, perhaps buy and hold) assets like bitcoins. Although the order vaguely criticizes the government’s “premature sales” in the past, “HODL’ing” (as the expression goes) may or may not be fiscally prudent, depending on whether or when to sell the assets. Separately, there are serious questions about if it is prudent for the government to essentially invest in select digital assets, as opposed to generating revenue in other ways. At the very least, the Secretary of the Treasury should develop concrete criteria and an authorization process for periodically selling or buying digital assets, to add transparency and provide an orderly means of decreasing volatility exposure. Senator Lummis’s original proposal, for example, contained some selling thresholds.

Second, the White House crypto czar David Sachs estimated that the federal government’s reserves comprised 200,000 bitcoin worth a staggering $17.5 billion at recent prices. If those numbers are still accurate, that would equal more than the total amount of gold held at almost all Federal Reserve Banks. That cannot be right as a matter of monetary policy. Even putting aside the polarizing debates about the long-term value of bitcoin (or lack thereof), the size of the new strategic reserve seems disproportionate given the risks and functions of the assets involved. Consistent with a transparent sales process, the Treasury should rightsize any digital asset reserve and use the remaining proceeds for other government programs.

Third, the cybersecurity challenges of having a centralized digital asset pool are not trivial, as the Atlantic Council highlighted in a prior report. Yet the executive order says nothing about how to start securing this new stockpile. Sacks tweeted that the pool would be akin to a “digital Fort Knox.” But Fort Knox has legendary security, is operated by 1,700 specialized employees, and adjoins a military base with 26,000 trained personnel. It is unclear what office, if any, at the Treasury could manage such a gargantuan security task for a digital asset reserve. The endeavor would be particularly difficult after the Department of Government Efficiency—or DOGE—unceremoniously disbanded teams of engineers like those in the 18F division, who were renowned for their private sector expertise. By contrast, Senator Lummis’s 2024 proposal highlighted security measures for “state-of-the-art physical and digital security” through inter-agency cooperation.

Perhaps most importantly, the ultimate risk of the executive order is that it embodies a form of crypto boosterism. Namely, it appears to tout an industry that President Trump came to embrace during the later phases of his political campaign, famously including the launch of his own meme coin just days before inauguration. To be fair, the White House revised the president’s earlier announcement that the reserve would include proactive purchases of select “altcoins,” which industry insiders worried “could be a vehicle for corruption and self-dealing.” That was a prudent move. But to many on Wall Street and main street, the order may still seem more like political maneuvering than sober monetary policy.

In a parallel universe, there could have been a thoughtful way for the Federal Reserve and Treasury to gradually study the possibility of holding digital assets on the balance sheet. They could have scrutinized the economic implications and prepared for security contingencies that might have included a bipartisan compromise around stablecoin legislation to specifically promote the strength of the dollar. But in today’s world, this executive order looks more slapdash than strategic. That may have been intended to bolster digital asset markets, but it has fallen flat on most fronts.

JP Schnapper-Casteras is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center and the founder and managing partner at Schnapper-Casteras, PLLC.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post What is strategic about the new digital assets reserve? appeared first on Atlantic Council.

India is taking a distinctive approach to the global race for artificial intelligence (AI) supremacy. While the United States and China focus on AI for economic dominance and national security, India’s vision revolves around AI autonomy through the development of homegrown AI solutions that are closely linked to its development goals.¹ This approach seeks to position India as a prominent global AI leader through a three-pillar strategy that distinguishes it from other major nations. India’s vision of AI autonomy is based on:

• Democratizing AI through open innovation: Leading the development of open-source models and platforms that make AI more accessible and adaptable to India’s local needs including the Bhashini platform, which incorporates Indian languages in large language model processing, and the iGOT Karmayogi online learning platform for government training.
• Public-sector-led development applications: Implementing AI solutions to address critical development challenges through government-led initiatives in healthcare, agriculture, and education, ensuring that technology meets societal needs.
• Global leadership in AI for sustainable development: Championing the integration of AI to achieve the Sustainable Development Goals² (SDGs) on a global scale while pushing ethical AI governance and South-South collaboration.

This strategy seeks to establish India as a global AI leader while addressing pressing social issues, closing economic gaps, and improving the quality of life for its diverse population of over 1.3 billion people.

India’s journey toward AI autonomy goes beyond technological independence; it creates a narrative in which innovative AI technologies drive inclusive growth. This philosophy is reflected in the “India AI” mission and its National Strategy for AI, which positions India as both an adopter and developer of AI technologies and a global hub for ethical and development-oriented AI innovation.³

India’s AI landscape: A vision of innovation and strategy

The Indian AI ecosystem is a dynamic landscape shaped by government initiatives, private-sector innovation, and academic research. There has been a notable increase in AI-focused start-ups in recent years, with the National Association of Software and Service Companies (NASSCOM) reporting over 1,600 in 2023.⁴ This growing sector highlights India’s technological capabilities and entrepreneurial spirit in tackling local challenges.

Several strategic government initiatives at the core of this ecosystem have paved the way for India’s advancements in AI. The India AI mission, launched in 2023, is a government initiative to build a comprehensive ecosystem to foster AI innovation across various sectors in India. Spearheaded by the Ministry of Electronics and Information Technology (MeitY), it focuses on developing AI applications to address societal challenges in healthcare, education, agriculture, and smart cities while promoting responsible and ethical AI development.⁵

IndiaAI reflects the country’s ambitions to become a global AI powerhouse and is supported by the National AI Strategy, created by the National Institution for Transforming India (NITI Aayog). The strategy provides a comprehensive road map for AI adoption in those sectors targeted by IndiaAI.⁶

What sets these initiatives apart from AI strategies in other countries is their emphasis on using AI for social good. For instance, the government of India organized the Responsible AI for Social Empowerment (RAISE) initiative in 2020,⁷ preceding the current AI hype. This demonstrates India’s commitment to ethical AI development, and such initiatives align with India’s National Development Agenda 2030, positioning AI as a driver of economic growth and a crucial enabler for achieving SDGs.⁸

Democratizing AI through open innovation

India is making significant progress in promoting open-source AI development, fostering inclusivity and collaboration within the global AI community. Open-source frameworks, driven by collaborative innovation, offer transparency, interoperability, and scalability—essential qualities for a diverse country like India.

The Bhashini initiative, led by the MeitY, exemplifies this commitment by leveraging open-source frameworks to build natural language processing (NLP) models that support twenty-two official Indian languages and numerous dialects. This project goes beyond basic language processing; it signifies India’s dedication to AI democratization by making these models and datasets freely available to developers and start-ups.⁹

The iGOT Karmayogi platform showcases the scalability of open-source AI solutions to improve digital literacy in government. Designed to upskill twenty million employees, it utilizes open-source AI tools to provide personalized learning pathways, reducing costs while ensuring continuous improvement based on user feedback.¹⁰

Leading academic institutions like the Indian Institute of Science (IISc) in Bangalore and the Indian Institute of Technology (IIT) Madras actively contribute to open-source AI research through global public platforms such as TensorFlow and Hugging Face.¹¹ Their work encompasses various fields, including computer vision for healthcare, autonomous vehicles, and environmental monitoring.¹²

For Indian start-ups, using open-source AI models or systems provides significant benefits such as lower costs, greater customization flexibility, access to a larger developer community, the ability to tailor models to specific Indian languages and dialects, and enhanced data security by allowing deployment on premises, making it ideal for building localized AI solutions while maintaining control over sensitive data.

In August 2024, Meta’s open-source Llama model reached a significant milestone of 350 million cumulative downloads since the release of Llama 1 in early 2023.¹³. India has emerged as one of the top three markets globally for this model.¹⁴ Several Indian start-ups and well-known consumer apps, including Flipkart, Meesho, Redbus, Dream11, and Infoedge, have announced their integration of Llama into their applications.

Additionally, IBM Elxsi, a partnership between IBM and Tata Elxsi, India’s largest technology company, focuses on designing local digital engineering solutions, like using open-source models to develop AI-powered edge network solutions for rural and remote areas, enhancing AI accessibility while reducing latency and energy consumption.¹⁵

The democratization of AI through open-source initiatives is critical to India’s development trajectory and technological autonomy. This approach enables rapid, cost-effective AI adoption across India’s diverse sectors and regions, with tangible results already visible: The development cycle for AI solutions has been reduced from years to months, as evidenced by the rapid deployment of language models via the Bhashini initiative, which now serves millions in their native languages. Unlike the West, where most AI development is primarily driven by private companies with proprietary technologies, India’s adoption of an open-source-first approach has led to an independent ecosystem in which government initiatives, academic institutions, and private-sector innovations coexist.

The public-sector role in developing applications to address India’s unique challenges

The profound socioeconomic challenges that India’s 1.3 billion people face have fundamentally shaped its approach to AI.

India faces critical healthcare challenges: 70 percent of healthcare infrastructure is concentrated in urban areas serving only 30 percent of the population, and the doctor-patient ratio stands at 1:1,511, far below the World Health Organization’s recommended 1:1,000.¹⁶

The education sector struggles with fundamental gaps, as 250 million Indians lack basic literacy skills, with only 27 percent having access to internet-enabled devices for online learning, further complicated by the country’s diversity of twenty-two official languages and 1,600 dialects.¹⁷

Agricultural challenges are particularly acute, with the sector employing 42 percent of the workforce but contributing only 18 percent to gross domestic product; 86 percent are small and marginal farmers with less than two hectares of land, and 40 percent of food production is lost due to inefficient supply chains.¹⁸

Financial inclusion remains a significant barrier to development, with 190 million unbanked adults, 70 percent of rural transactions being cash-based, and a stark digital gender divide where only 33 percent of women have mobile internet access compared to 67 percent of men.¹⁹

The size and complexity of these challenges necessitate innovative technological solutions that are both scalable and relevant to India’s specific issues.

India’s development-focused AI vision strategically responds to these pressing issues. Rather than viewing AI solely as a tool for economic competition or technological advancement, India has positioned it as a transformative tool for closing fundamental development gaps.

AI is closing critical gaps in access and the quality of care in healthcare. Through the government’s eSanjeevani platform—India’s national telemedicine service offering patients access to medical specialists and doctors remotely via smartphones—has been revolutionary, with over one hundred million teleconsultations in 2023 and the aim of closing the urban-rural healthcare gap.²⁰ The platform developed AI/machine learning models to improve data collection, quality of care, and doctor-patient consultations on eSanjeevani.²¹ The Indian Council of Medical Research’s collaborations with AI start-ups for disease prediction models in tuberculosis and diabetes paved the way for preventive healthcare interventions.

The agricultural sector is experiencing an AI revolution, driven by government initiatives, particularly through two key platforms. The mKisan portal gives more than fifty million farmers personalized SMS access to critical agricultural information, while the Agristack initiative lays the groundwork for precision agriculture by providing AI-powered advisory services for crop planning, pest control, and weather forecasting. The Indian Meteorological Department’s use of AI has improved monsoon forecast accuracy by 20 percent, significantly impacting agricultural planning.²²

In education, state governments have contracted with Embibe, a company that offers AI-powered learning for basic education to bridge the learning gaps and expand access to quality education. It identifies gaps in knowledge and creates content that addresses them by studying data from student interactions. FutureSkills Prime, an initiative of the National Association of Software and Service Companies, provides AI skills training—and has developed a large AI talent pool, with more than 2.5 million technology professionals trained in AI in India. According to the 2025 Global Workplace Skills Study by Emeritus, 96% of Indian professionals are using AI and generative AI tools at work, significantly higher than the 81% in the US and 84% in the UK. This workforce advantage has made India a preferred destination for global companies seeking skilled AI professionals.

India’s public-sector-led approach to AI development uniquely integrates technology with development priorities. The government’s strategic leadership in deploying AI solutions in healthcare, agriculture, education, and finance demonstrates a unique model in which technology acts as a force multiplier for development efforts. Unlike many developed countries, where private-sector innovation drives AI advancement, India’s government-led initiatives ensure that AI solutions address fundamental development challenges on a large scale.

By combining scale, accessibility, and local relevance, India’s public-sector leadership in AI deployment is a unique model for other developing countries facing similar challenges, demonstrating that technology can effectively accelerate inclusive development when guided by clear public-policy goals.

Shaping tomorrow: India’s position in global AI leadership and development

India’s global AI leadership position is uniquely shaped by proactive government policies and collaborative initiatives. As a founding member of the Global Partnership on Artificial Intelligence (GPAI), India has used its presidency in 2024 to advance key priorities such as democratizing access to AI skills, addressing societal inequities, promoting responsible AI development, and applying AI in critical sectors such as agriculture and education.

AI plays a critical role in India’s vision to achieve all seventeen SDGs by 2030. India also aims to be one of the top three countries in AI research, innovation, and application by 2030, which reflects a larger ambition: to create a more equitable and sustainable global AI landscape. This unique approach balances technological autonomy and inclusive development, by aligning AI initiatives with socioeconomic priorities to address India’s unique challenges.

However, the expansion of India’s AI ecosystem faces several critical challenges, including the demand for an advanced AI compute infrastructure, developing accessible AI tools, ensuring data privacy, and mitigating algorithmic bias at scale. Addressing these issues requires multistakeholder collaboration between the government, local industry leaders, and academic institutions.

As India progresses in its AI journey, its experience provides valuable insights into how to use AI to drive socioeconomic development. The country’s development-focused approach to AI adoption and governance may serve as a model for other developing countries looking to capitalize on AI’s potential for inclusive growth.

Mohamed “Mo” Elbashir is a nonresident senior fellow at the Atlantic Council’s GeoTech Center, as well as Meta Platforms’ global infrastructure risk and enablement manager. With over two decades of experience, he specializes in global technology governance, regulatory frameworks, public policy, and program management.

Kishore Balaji Desikachari is the executive director for government affairs at IBM India/South Asia. With over thirty years of leadership experience at Microsoft, Intel, and Hughes, he is a recognized regional policy commentator on AI, quantum computing, semiconductors, trade, and workforce strategies.

New Atlanticist Feb 13, 2025

At the Paris AI Action Summit, the Global South rises

By Trisha Ray

The summit reflected a growing consensus that AI’s future must be both innovative and rooted in shared prosperity.

Artificial Intelligence Europe & Eurasia

New Atlanticist Feb 4, 2025

Five AI management strategies—and how they could shape the future

By Kieron O’Hara and Wendy Hall

To ensure the benefits of artificial intelligence (AI) are realized while minimizing the anticipated evils, it’s important to understand the different ways to approach AI governance.

Artificial Intelligence Technology & Innovation

GeoTech Cues Jul 26, 2024

The sovereignty trap

By Konstantinos Komaitis, Esteban Ponce de León, Kenton Thibaut, Trisha Ray, Kevin Klyman

When sovereignty is invoked in digital contexts without an understanding of the broader political environment, several traps can be triggered.

Artificial Intelligence Digital Policy

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post India’s path to AI autonomy appeared first on Atlantic Council.

Thank you Chairman Hill, Ranking Member Waters, and distinguished members of the committee, for holding this hearing and the honor of the invitation to testify on the digital payments ecosystem. I applaud your leadership in convening the committee on this important issue and continuing the years-long efforts of this committee across several Congresses to evaluate and build legislation for a stablecoin regulatory framework. I hope my testimony will be helpful in considering some of the most important aspects of frameworks needed to drive innovation in a secure, competitive, safe, and sound digital payments ecosystem that reinforces national security interests, defends consumers, and preserves personal liberty.

I have spent my career working at the intersection of national, economic, and technological security. I have had the honor of serving three tours in the White House, including recently departing from my second stint at the National Security Council leading various policy efforts on cybersecurity, emerging technology, and digital assets, to include the US Counter-Ransomware Strategy and the previous administration’s Executive Order on Ensuring Responsible Development of Digital Assets. I previously led digital asset policy initiatives at the US anti-money laundering and countering financing of terrorism (AML/CFT) regulator, the Financial Crimes Enforcement Network (FinCEN) and have served on advisory boards for the US Commodity Futures Trading Commission, the Idaho Department of Finance, and the New York Department of Financial Services (NYDFS). Through my ongoing work as a senior fellow at the Atlantic Council GeoEconomics Center and previous work as a consultant and executive at a venture capital firm, I have advised companies, academia, and policymakers in support of strategy, policy, standards, and product development ranging across areas like cybersecurity, AML/CFT, digital assets, and artificial intelligence and machine learning. The views I share are my own and do not reflect the views of the Atlantic Council.

The most important message I can underscore to this committee is the criticality of ensuring our regulatory frameworks create a foundation for providing trustworthy and affordable access to financial services for consumers while also reinforcing the centrality of the United States in the financial system and as the home for responsible, cutting-edge innovation in emerging technologies and payments. That includes the critical need for timely progress on a comprehensive stablecoin framework that supports these objectives, as well as driving broader experimentation and competitiveness in digital payments. Just as important, any framework demands more than just policy that is clear, strong, and comprehensive, but also that is implemented and enforced timely and scoped to shape the sector.

While timely progress is critical, these frameworks must be deliberate, thoughtful, and comprehensive of the real and present risks, as well as opportunities, that we have observed in the digital asset ecosystem and broader financial system. In the wake of serious national security threats like billion-dollar hacks by rogue nations, growing integration of cryptocurrency as a tool for transnational organized crime, market manipulation and fraud that can threaten system integrity and stability, as well as pressure from adversarial nations seeking to develop and leverage alternative payment systems to weaken and circumvent the dollar, it is clear that strong safeguards, including for US competitiveness, are needed. This framework also demands we ensure policy and enforcement approaches both domestically and internationally create a level playing field for US firms—often the most compliant firms in the world—to be able to compete fairly. Otherwise, the foundation we build these systems on risks faltering, with the potential to not only reap significant harms but also prevent us from harnessing the greatest positive potential that is possible from a secure and innovative digital payments ecosystem.

Background: Exigency for competition, security, and liberty

Stablecoin features, uses, benefits, and risks

Stablecoins, a class of cryptoassets that maintain a stable value in relation to another asset, most predominantly fiat currencies, hold potential to help drive needed innovations in our digital payments ecosystem. Stablecoins with proper protections can help improve efficiency in delivery of financial products and services, promoting greater transparency for monitoring of various risks in financial services, enhancing resiliency within the financial system, dismantling barriers to financial access and inclusion, and promoting innovation and competition that can strengthen US markets and leadership. With the current stablecoin market cap sitting at over $227 billion, use cases are growing across areas like dollar settlement for financial services firms, cross-border remittances, relief efforts like to Ukrainian refugees, and even for inflation hedges in places like Venezuela. However, stablecoins are largely still used as settlement in trading activity on cryptocurrency platforms—wide adoption in exchange for goods and services is not yet a reality, though it’s possible that a clear regulatory framework to enable greater trust and accountability may facilitate higher adoption.

Most of the core features for any cryptocurrencies apply to stablecoins—including their ability to transfer significant value peer-to-peer (i.e., from user to user without the need for a typical custodial role of a third-party financial intermediary), pseudonymously, immutably (or irreversibly), with global reach, with increased speed and cost efficiencies—though we must note that these are all features that are attractive to both licit and illicit actors. Challenges in mitigating risks in cryptocurrency are especially driven by by lagging AML/CFT compliance as well as broader prudential standards across the sector internationally, reinforced by the absence or reduction of financial institution intermediaries and central points of control in more highly decentralized cryptocurrency systems that can obscure clear lines of responsibility and accountability within cryptocurrency ecosystems. While stablecoins are used across more decentralized networks, in most cases stablecoins generally at least central administrators and issuers that can ease establishing lines of responsibility.

Where there is an absence of clear responsible parties, compounded by the immutability or unchangeability of cryptocurrency ledgers, it can be extremely challenging to provide mechanisms for victim recourse as well as timely adaptation to take measures to stop movement of illicit funds or patch security vulnerabilities in networks and smart contracts. However, in contrast to SWIFT, FedWIRE, and cash movements that do not publish transactions to public ledgers, on-chain stablecoin transactions include a lot of public transparency that can be beneficial to market surveillance and crypto investigations. Though ultimately the benefits presented by this transparency can be difficult to leverage with earlier-mentioned challenges with compliance, acceptance of accountability, and expertise across both public and private stakeholders.

Risks that can be presented by stablecoins without proper controls in place generally reflect the same kinds of risks that can exist in traditional finance (or “tradfi”). For example, fraud, market manipulations, and conflicts of interest across stablecoin leaders or public officials can present risks to investors and consumers. Pump-and-dump schemes and front-running capabilities enabled through maximal extractable value (MEV) schemes can endanger market integrity, and complex interconnections, concentration risks, and hardwired procyclicality in stablecoin or any other decentralized finance (“defi”) systems can present risks to financial system stability. Failures like that of Synapse Financial Technologies and of stablecoin Terra underscored the consequences of insufficient oversight of regtech and stablecoin platforms, and the devastating consequences to consumers without access or ability to recover some or all of their funds.

The risks to national security on getting the stablecoin framework wrong—either by being too lax on controls or by overly restricting companies and driving innovation offshore—are also important to evaluate. If stablecoins present the greatest potential for at-scale adoption for cross-border payments in cryptocurrency, then national security concerns of losing sanctions and AML/CFT tool efficacy can present in several ways: either from failing to drive US stablecoin competitiveness compared to other national currency denominated stablecoins or payment systems; or risks that could present from stablecoins and other defi diminishing reliance or need for US correspondent banking relationships in foreign exchange (FX) transactions or other cross-border funds flows.

The need for a framework

The United States does not yet have a comprehensive framework for regulation of stablecoins. Instead, existing authorities are fragmented at the federal level largely only via AML/CFT regulation and then across certain states like New York that cover stablecoins. In the absence of leveraging existing bank and trust charter authorities; using Dodd-Frank payment, clearing, and settlement activity designation authorities; setting up a Federal payments charter; or taking any other action to create a framework, the United States lags behind many other jurisdictions like the European Union, Singapore, Japan, and the United Arab Emirates that have established requirements and most importantly clear pathways to registration and supervision for stablecoins operating within their jurisdictions.

The United States must prioritize establishing a stablecoin framework during this Congress. Similar in many functions and operations to more traditional financial assets, stablecoins and associated deposit and payments activities are things that we understand how to regulate and protect. This framework is achievable, able to build on years of bipartisan efforts working across the aisle to construct a truly comprehensive approach. With Congress and the administration positioned to prioritize this legislation, we are at a critical juncture to get a law passed in 2025.

We need strong prudential and consumer protection regulations to ensure that stablecoins are truly “stable,” allowing any user to trust in its value and avoid losses from the issuer’s default or illiquidity. In this way, a clear regulatory framework that fosters trust can actually help set conditions that could help drive broader adoption and competition. We also need to have strong AML/CFT protections in place for stablecoin ecosystems. These different regimes do not operate in silos, but instead mutually reinforce each other and address vulnerabilities that are being exploited by illicit actors targeting the cryptocurrency sector. For example, in the case of Democratic People’s Republic of Korea (DPRK) hacks of cryptocurrency platforms, like the recent $1.5 billion Bybit hack, are exploiting both cybersecurity weaknesses and vulnerabilities as well as AML/CFT deficiencies in their crypto heists and subsequent laundering activities. In crypto heists, stablecoins have been targets as well as laundering tools exploited by hackers. Only through a comprehensive framework can we ensure that measures across the spectrum of areas like cybersecurity and AML/CFT are holistically addressed in these important ecosystems.

Though also important to note, especially in light of recent changes in enforcement posture—beyond just creating the policy framework, the government and industry must work to apply and enforce the framework. A policy that is not enforced or implemented does nothing to benefit consumers nor US firms with stronger compliance programs that have been operating at higher costs and less competitive advantages than many foreign operating firms.

Proposed stablecoin legislation:Ensuring sufficient protections

There has been a great amount of attention paid to stablecoin legislation in recent years with various stablecoin bills introduced, including the McHenry-Waters bill and Lummis-Gillibrand Payment Stablecoin Act developed last Congress, as well as the STABLE Act and GENIUS Act introduced so far this Congress.

I am very glad to see the level of support within Congress for elevating stablecoin legislation to a priority this year, something I spoke to as essential in my testimony to the Subcommittee on Digital Assets, Financial Technology, and Inclusion last year. I am also pleased to see many elements included in the STABLE Act referenced for this hearing that I support, such as high-quality reserves on at least a 1:1 basis, envisioned roles for both state and Federal regulators, and restrictions on rehypothecating reserve assets as well as stablecoin issuer activities. However, the STABLE Act appears to walk back a lot of the hard work done for years across the aisle to develop the negotiated text between then Chair McHenry and Ranking Member Waters in 2024. It is unclear why some of those critical protections, especially the prudential framework and clear AML/CFT and sanctions applicability to US dollar-denominated stablecoin activity, are absent in the STABLE Act and the GENIUS Act or if the associated risks are otherwise being addressed.

Here I outline some areas for the Committee’s consideration in hopes that the legislation for stablecoins issued this year can be truly comprehensive:

• Ensuring federal line-of-sight for supervision on issues of systemic importance: The STABLE Act, in some ways similar to the existing banking regime, provides for both federal and state authorities to charter stablecoin issuers. However, the STABLE Act does not include any coordination between the federal and state regulators. Rather, the current draft permits a system where a trillion-dollar nonbank stablecoin issuer, engaging in globally reaching payments activity that would typically place an institution under the oversight of federal authorities, without any sufficient line of sight by the Federal Reserve of activities and risks that rise to systemic importance. Unclearly defined “exigent” circumstances, especially in the way of Loper-Bright, as the only context for certain additional regulatory authorities severely restrict a regulator’s ability to monitor for and intervene to mitigate risks for assets that operate 24/7 around the world and with no concerns for borders.

I agree with many others who have testified before you all that state authorities provide an important chartering and oversight capability, including agility and expertise that can help scale appropriate supervision. State regulators with strong prudential, AML/CFT, and consumer protection frameworks are critical partners on the front lines of regulating the cryptocurrency industry, and I am sympathetic to the desire to preserve the states’ regulatory authorities. Though, it stands to reason that when these issuers are operating systems, especially large platforms, that are administering a substitute for the US dollar in international payments, some federal regulator—like the Federal Reserve Board, with its responsibility for monetary policy and financial stability, or the Office of the Comptroller of the Currency (OCC) with its chartering and supervision authority—should have the ability to monitor for their critical risks and have a say in the standards that stablecoin issuers need to meet, at a minimum when they are of a large enough size. The STABLE Act, as it currently stands, raises serious questions around the ability of federal authorities to have visibility of and ability to respond timely to moments of financial crisis and address systemic risks that may arise.

• Scope of risk coverage and enforcement regime: The STABLE Act references risks to mitigate around operational and cybersecurity risks, but otherwise is severely lacking in reference to credit risk, market risk, concentration risk, and even limitations on additional management of capital and liquidity risk beyond the 1:1 reserve collateralization requirement. There is no clear articulation of responsibility for rules or implementation of requirements under privacy regimes like Gramm-Leach-Bliley Act or the AML/CFT framework of the Bank Secrecy Act (e.g., if Treasury/FinCEN would have sole AML/CFT rulemaking authority for payment stablecoin issuers or if they would be issued jointly). Additionally, the enforcement framework is unclear, with no references to specific penalties or enforcement provisions, including no clarity on extraterritorial operations of US dollar-denominated stablecoins.
  
• Affiliate controls and application of the Bank Holding Company Act and Bank Services Company Act: The STABLE Act does not address affiliate relationships and restrictions for nonbank payment stablecoin issuers to preserve separation of activities like banking and commerce. In this new bill, it is unclear to what extent controls like from the Bank Holding Company Act as well as authorities for oversight and delegation of functions as delineated under the Bank Services Company Act apply to payment stablecoin issuers.
  
• AML/CFT and sanctions: While the STABLE Act and GENIUS Act delineate that payment stablecoin issuers are financial institutions under the Bank Secrecy Act, it is not clear (especially to the degree needed in the wake of Loper-Bright) to what degree rulemaking can cover different parts of stablecoin ecosystems and which agency would be responsible for the rulemaking and oversight. Stablecoins have been exploited by illicit actors ranging from cartels to sanctions evaders to terrorism financiers, especially leveraging the absence of sufficient compliance across international operations and defi platforms. The United States Treasury has underscored the benefit for Congress to clarify that any US-dollar denominated stablecoin must comply with US sanctions policy, including extraterritorial applicability, and also make clear the expectation to maintain and assert freeze and recovery capability for illicit proceeds across the stablecoin. We should not find it acceptable for a US dollar stablecoin to be leveraged in transactions to designated actors and jurisdictions that present threats to US national security.

While unlikely in this round of legislation, Congress should start solidifying its views and drafting legislation to expand the regulatory perimeter to help mitigate risks across more decentralized applications of the assets. Expanding such a perimeter would generally involve considering what other entities would be of greatest utility to cover due to visibility and control of the assets, and ensuring that a risk-based approach properly scopes the obligations and does so in full understanding of what is technologically and operationally possible. While there are many differing views on how to approach defi controls, it is encouraging to see that within the defi community there are actors who are trying to implement responsible innovative fixes, even if they are not yet successful, as we saw recently in the unsuccessful attempt by several THORChain developers to try to stop DPRK money laundering on their platform.

• Bankruptcy and resolution measures: Bankruptcy protections are one of the last lines of defense for fostering consumer trust in a product—building comfort for the customer that they will be able to get access to or redeem their assets held by the platform or issuer at any time on demand. The US Bankruptcy code, if applied to stablecoins in the wake of a failure, could be disastrous for token holders who would be treated equivalently to all other unsecured creditors. The McHenry-Waters bill outlined a potential alternative resolution process to help expedite recovery of assets for token holders that could work across federal and state levels and provide critical recourse for consumers.
  
• Fed master accounts and broader payments framework: There is no reference in the STABLE Act or GENIUS Act to the authority of the Federal Reserve to grant access for stablecoin issuers to a master account, something that likely will continue to be sought especially as stablecoins get more regulated and attain higher assurance of their safety and soundness. With this legislation aiming to serve as the comprehensive construct of guardrails and authorities to enable innovation and protect payments, it should include provisions like this to ensure the capability exists with the Federal Reserve for any issuer it deems to be appropriate to grant access.
  

More broadly, stablecoin legislation would optimally be pursued as part of a holistic approach to regulation and supervision of all payments platforms, which are growing enough in complexity and adoption. Many of the risks for stablecoins are similar to those for broader payments, and given the desire to ensure critical protections for consumers regardless of the denomination of their asset or which app they happen to be using, Congress should keep an eye toward how to evolve regulatory frameworks to capture any of these activities regardless on if it is blockchain-based or not.

Again, I applaud the committee’s work on this issue and the continued leadership on these issues by key leaders like Chair Hill and Ranking Member Waster. I encourage the Committee to consider working from the previously negotiated McHenry-Waters bill, which includes bipartisan-vetted provisions that address many of the outstanding issues for the desired comprehensive stablecoin framework. I hope that my views on key missing elements will be helpful to the Committee in its thoughtful efforts to build out and implement a competitive, comprehensive stablecoin framework that addresses risks while promoting responsible innovation.

Proposed CBDC legislation: Privacy as paramount in retail CBDC

The new proposed CBDC Anti-Surveillance State Act bans CBDC experimentation. Innovations in digital payments and across digital forms of both public and private money can also take many forms—whether wholesale or retail CBDCs, stablecoins, tokenized deposits, digital payment applications, etc.—each of which carry a spectrum of diverse implementations and associated risks. Ultimately, it is likely that a mix of modernizations of public and privately-administered rails, such as with the current financial system, will be needed to achieve a future of vision like global instantaneous reach and accessibility of the dollar.

This legislation is pointed specifically at addressing concerns around privacy specific to CBDCs, which is a greater point of concern around retail CBDC implementations rather than wholesale payments that are not associated with specific consumers and related sensitive personal data. The bill proposes to address the privacy concerns by banning even experimentation to even assess if there are technological and governance implementations that could achieve desired privacy outcomes, whether in the US or even just for templates that partner nations could implement. The bill also does not address privacy issues presented by private cryptocurrencies, such as privacy concerns exacerbated by public unobscured records of financial transactions and challenged cybersecurity practices across the sector.

An apparent improvement on this bill from earlier versions appears to be amending the prohibition to only retail CBDCs. Concerns around privacy for a retail CBDC are understandable and very important, especially in the United States given sentiments of Americans around making information available to the government and even challenges that have existed in trying to adopt digital identity infrastructure. Many feel that given such concerns in the United States, focus on wholesale CBDCs as an initial area for innovation in cross-border settlement could be ripe for nearer-term exploration.

The kinds of building blocks that could enable privacy preservation and security in technologies like CBDCs—innovative technologies like digital identity infrastructure and privacy enhancing technologies like homomorphic encryption, multiparty computation, and zero-knowledge proofs—are also building blocks that can enable privacy and security in private cryptocurrency implementations as well. Even if specific development of a US retail CBDC is not likely, broader research and development and experimentation across the more nascent and underlying technologies and components can be helpful to identify mechanisms to achieve desired objectives across a variety of future forms of public and private money innovations.

This bill could further exacerbate a growing gap for the United States in digital payments innovation, as over one hundred countries representing 98 percent of global GDP continue to explore CBDCs and conduct cross-border pilots. The United States remains the only member of the G20 to not be in advanced stages of CBDC exploration. CBDC experimentation is at the heart of significant research and development across the international community trying to shape what the future of the financial system looks like, experimentation that without a major US leadership presence is in some ways both a symptom and a driver towards interest of potential rails less reliant on the dollar, and something in which we cannot idly forsake leadership.

In the interests of safeguarding capabilities for experimentation and ensuring that the United States remains at the forefront of digital payments innovation, I outline here some areas for consideration for this proposed anti-CBDC legislation:

• Narrowing the prohibition to retail CBDCs: Recent updates to the proposed CBDC Anti-Surveillance State Act appears to narrow the prohibition of research and development, testing, or issuance to retail CBDCs only with the addition of the feature “widely available to the general public” into the definition of CBDC. If that is the intent, this avoids several significant challenges presented by the previous House-passed version of the bill, as well as that referenced in the recent executive order prohibition, that even the Congressional Budget Office (CBO) noted included such broad definitions that it was unclear if they could be interpreted to ban existing digital forms of central bank reserves and impact the ability to conduct monetary policy. However, if this bill is aimed at prohibiting wholesale digital payments innovation, or other forms of digital payments innovations like tiered or intermediated innovations like in certain implementations of stablecoins or tokenized deposits, additional concerns would remain related to stifling the ability to modernize the US financial system.
  
• Legal necessity unclear: The necessity of this legislation to prohibit any experimentation and research and development in CBDCs appears unnecessary if the ultimate concern is to ensure against the issuance of a retail CBDC without Congressional approval. The Federal Reserve already published its own analysis highlighting that the Federal Reserve Act does not authorize direct Federal Reserve accounts for individuals. Both the Fed and Treasury have also voiced that they would only move forward with issuance of a CBDC with clear support from both Congress and the executive branch. With Congressional approval already assessed as a precondition to issuance of at least retail CBDCs, and supported as necessary by the lead executive authorities, this prohibition appears unnecessary to achieve the policy outcome when Congress could just withhold authorization. If the refocus of this updated proposed legislation is only prohibiting retail CBDCs, research and development as well as operations to optimize and conduct of digital wholesale payments and settlement activities by central banks would hopefully not affected by this legislation as the Congressional Budget Office assessed could have been impacted by previously proposed versions.
  
• Adjusting framing: The US government fully supports privacy in any democratic CBDC: This bill’s title and corresponding messaging unfortunately present an inaccurate picture that CBDCs must inherently intimate an authoritarian “surveillance state.” CBDCs do not have to mean “Big Brother” just as cryptocurrencies do not have to mean anarchy. The implications for privacy are vastly different for wholesale versus retail CBDCs. Just as with privately administered cryptocurrencies, inherent features like privacy and discoverability are completely dependent upon the specific design of the systems. The Federal Reserve, the US Treasury and prior Administrations have been extremely consistent in messaging, including alongside the G7, that “rigorous standards of privacy” and accountability for that privacy are critical for any retail CBDC implementation. The CBDC discussion warrants nuance, just as the cryptocurrency discussion does.
  
• Refocusing on impactful privacy measures: Rather than this legislation barring pilots and experimentation of implementations and building blocks to preserve privacy for some future possible CBDCs likely at least a decade away (research that could also help provide building blocks for other digital assets like stablecoins), Congressional action could instead pivot to focus on long-existing challenges presented by the absence of comprehensive consumer data privacy legislation. Especially given the low likelihood and far-off reality of cross-US government and public interest in a US retail CBDC (which the Federal Reserve, US Treasury, and potentially Congress have all agreed would require Congressional approval to issue if there ever were such an interest), Congressional focus on privacy legislation would be a more impactful area for focus.
  
• Needed clarity on the protections meant for private stablecoins: It is unclear exactly what protections are being offered under section 4, which defends from prohibition only “any dollar-denominated currency that is open, permissionless, and private, and fully preserves the privacy protections of United States coins and physical currency.” This is oddly framed and could place significant prohibitions on industry cryptocurrency implementations, if this intimates that there are intended to be restrictions here placed on certain industry cryptocurrency implementation, such as private stablecoins that aim to get a master account with the Federal Reserve. It is unclear if this intimates that permissioned stablecoin implementations may be barred from direct or indirect relationship with the Fed. It is also unclear what fully preserved privacy protections means in this context, given that the privacy features of cash (e.g., can move value without a third party, is not posted to any ledgers) do not exactly equate to the privacy features of any existent cryptocurrency (e.g., value movements generally require certain types of third parties—even if unregulated intermediaries—such as miners and validators, and transactions post on public ledgers). It would be important to clarify which privacy features of cash they desire, or what the specific balance of discoverability versus obfuscation is desired in the cryptocurrency system, as part of broader clarity on what this section is intended to achieve.

In closing, I would like to again underscore my gratitude for the honor of the opportunity to speak with you all today. It is critical that the United States make timely progress on establishing and implementing a comprehensive stablecoin regulatory framework that leverages years of effort on defining critical holistic protections that also reinforce the central role in the financial system and as a leader in technological innovation.

Thank you.

Fellow

Carole House

Nonresident Senior Fellow

GeoEconomics Center

Cybersecurity Digital Currencies

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Carole House testifies to House Committee on Financial Services on regulation and security in stablecoins and digital payments appeared first on Atlantic Council.

Executive summary

Africa is increasingly asserting its participation in the advancement of emerging technologies by engaging in active dialogues and devising roadmaps for the development, deployment, and regulation of these technologies. However, strategies to employ emerging technologies vary widely both in levels of progress as well as regulatory mechanisms. This report explores how five African countries—South Africa, Kenya, Nigeria, Ghana, and Zambia—are strategically navigating the governance of new technologies to enrich their citizens’ lives while mitigating potential risks. It focuses on three key emerging technology domains, namely: connectivity, digital public infrastructure, and artificial intelligence (AI).

Beginning with an analysis of the foundational digital technology policies around data protection and governance and cybersecurity, the country reviews highlight the current landscape of laws, and strategies governing each of the emerging technologies of interest. By exploring the strengths and weaknesses of each country’s policy landscape across these technology domains, the report offers insights into prospects and challenges in harnessing emerging technologies for societal good.

The report finds that governments are generally optimistic about the potential impact of emerging technologies on economic development in their respective countries. This is reflected in the large public investment in technology infrastructure, promotion of innovative ecosystems, and the integration of information and communication technologies (ICTs) into e-governance and e-services toward a holistic digitalized economy and society. The countries’ multistakeholder approaches highlight the need for responsible governance while promoting active private-sector engagement for the public good.

Nigeria, South Africa, Kenya, and Ghana were found to have comparatively robust policies for each emerging technology examined, or at least—as is the case with Kenya—documentation or drafts in the form of gazettes and public consultation documents. Government efforts are more prominent in the AI domain, given the increased attention it has garnered lately. However, these frameworks are hampered by limited implementation capacities, poor infrastructure, policy fragmentation and overlap, low digital literacy levels, and a growing digital divide. Zambia on the other hand, while having strong aspirations to become an ICT-enabled knowledge economy, lacks dedicated policies pertaining to emerging technologies. Although the country’s data-protection laws, intellectual property, cyber security, and consumer protection provide a foundational framework, more updated regulations are required to keep pace with the speed at which emerging technologies are playing an increasingly pivotal role in citizens’ daily lives.

A SWOT (i.e., strengths, weaknesses, opportunities, and threats) analysis of the broader digital-technologies sector across these countries reveals some universal themes. Strengthwise, governments are generally proactive and enthusiastic about engaging new technology issues, and ICT authorities tend to adapt quickly to new developments by publishing subsidiary laws, releasing draft statements, or convening multistakeholder workshops, where national policy frameworks are absent. An overarching rather than specific sectoral or technology-domain approach also drives national technology pursuits, where for example, all the five countries examined have a national ICT/digital economy strategy which predates and already makes foundational provisions for emerging technology policies. Policy-formulation processes were driven by stakeholder engagement and public consultations, as seen in regular calls for contributions and multistakeholder convenings leading up to policy enactment. Yet huge disparities were observed within countries, where rural and marginalized urban communities, as well as women, are left behind by governmental technology ambitions. This calls for updated policy frameworks and strategies that emphasize inclusion and other sociopolitical considerations to avoid deepening inequities.

For Africa to leverage emerging technologies for socioeconomic development while maintaining accountable and transparent systems, legislative frameworks must be streamlined alongside strong institutional integration to ensure effective enforcement. It is imperative that policymakers develop a strong understanding of emerging technologies to enhance their capacities for developing comprehensive policies to address them. Equally important is raising public awareness to protect the African people’s digital rights and foster safe digital environments.

Ayantola Alayande is a Researcher at the Global Center on AI Governance. There, Ayantola works on the African Union Continental AI Strategy and the African Observatory on Responsible AI. He is also a researcher at the Bennett Institute for Public Policy at the University of Cambridge, where he focuses on industrial policy and the future of work in the public sector.

Samuel Segun, PhD is a Senior Researcher at the Global Center on AI Governance. He is also an AI Innovation & Technology consultant for the United Nations Interregional Crime and Justice Research Institute (UNICRI), where he works on the project ‘Toolkit for Responsible AI Innovation in Law Enforcement’.

Leah Junck, PhD is a Senior Researcher at the Global Center on AI Governance. Her work explores human-technology experiences. She is the author of Cultivating Suspicion: An Ethnography and Like a Bridge Over Trouble: An Ethnography on Strategies of Bodily Navigation of Male Refugees in Cape Town.

The Atlantic Council’s Digital Forensic Research Lab (DFRLab) has operationalized the study of disinformation by exposing falsehoods and fake news, documenting human rights abuses, and building digital resilience worldwide.

learn more

The post Emerging technology policies and democracy in Africa: South Africa, Kenya, Nigeria, Ghana, and Zambia in focus appeared first on Atlantic Council.

While Ukrainian President Volodymyr Zelenskyy has sought to maintain strong ties with the United States, the current shift away from aid-based diplomacy signals that Ukraine must further demonstrate its economic value. In this context, the thriving Ukrainian IT industry is a key asset. This sector not only drives domestic economic resilience, but also offers tangible benefits to American businesses through investment, technological innovation, and cybersecurity expertise.

Since the onset of Russia’s full-scale invasion three years ago, Ukraine’s IT industry has proven to be a resilient and dynamic force. Despite the ongoing war with Russia, the sector has demonstrated remarkable adaptability. In 2024, Ukraine’s IT services exports reached $6.45 billion, contributing 4.4 percent of the country’s GDP and accounting for approximately 38 percent of Ukraine’s total service exports. This strong performance has been possible despite the challenges posed by the largest European invasion since World War II, underscoring the Ukrainian IT sector’s ability to operate under extreme conditions.

Beyond its financial contribution, the Ukrainian IT industry also plays a crucial role in employment. By 2024, Ukraine’s IT workforce had grown to more than 300,000 specialists, solidifying its position as a major employer and a pillar of Ukrainian economic stability in today’s wartime environment.

As the world watches the Russian invasion of Ukraine unfold, UkraineAlert delivers the best Atlantic Council expert insight and analysis on Ukraine twice a week directly to your inbox.

The United States is already an important partner for Ukraine’s IT industry. In 2023, the US was the largest importer of Ukrainian IT services, accounting for $2.39 billion or 37.2 percent of the industry’s total exports. This presents opportunities for intensified bilateral collaboration in both the private and public sectors that have the potential to transcend the kind of aid-based relations found elsewhere in the region.

Ukrainian IT companies are not seeking handouts but are actively investing in the US market. Rather than displacing American jobs, they are creating new opportunities and fostering technological advancements. Importantly, these companies are not appropriating US technologies but are in many cases sharing their own advanced developments. This cooperative approach could strengthen both economies, reinforcing a business-driven relationship that aligns with the Trump administration’s strategic vision.

Eurasia Center events

Online Event Fri, January 30, 2026 • 9:00 am ET

How Russia’s winter warfare strategy targets Ukrainian civilians

Conflict Europe & Eurasia Geopolitics & Energy Security Human Rights

The knowledge-based economy benefits immensely from such international partnerships. Unlike resource-dependent models, this framework ensures a two-way exchange of expertise. Ukraine’s IT professionals are already playing a significant role in cybersecurity, actively defending against digital threats and ensuring the integrity of critical infrastructure. From the early days of Russia’s full-scale invasion, they have consistently delivered in even the most difficult of circumstances and have enhanced Ukraine’s global reputation as a leading tech nation.

Moreover, the war has propelled Ukrainian engineers to the forefront of innovation in autonomous systems including aerial, maritime, and other drone technologies. Many of Ukraine’s most recent innovations in the drone sphere leverage AI. The depth of experience gained in developing and deploying these systems under real combat conditions is unparalleled worldwide. For the US defense industry, collaboration with Ukraine in this domain could be invaluable, offering access to battle-tested innovations that have the potential to redefine modern warfare.

The obvious synergies between the US and Ukrainian tech industries extends beyond the private sector. Cooperation in areas such as dual-use technologies should be prioritized by both governments to enhance security and drive innovation. Strengthening this partnership could contribute to a safer and more prosperous future for both nations.

By leveraging Ukraine’s IT expertise, the United States can improve its own technological capabilities while supporting a partner nation at a critical time. This partnership can bring further economic and strategic benefits to both parties. As the Trump administration moves toward a business-driven approach to US foreign policy, strengthening ties with Ukraine’s IT sector could boost innovation and security while also offering a range of business opportunities.

Anatoly Motkin is president of StrategEast, a non-profit organization with offices in the United States, Ukraine, Georgia, Kazakhstan, and Kyrgyzstan dedicated to developing knowledge-driven economies in the Eurasian region. Hanna Myshko is regional director for Ukraine, Moldova, and the Gulf at StrategEast.

Further reading

UkraineAlert Feb 25, 2025

Will a new Russia reset prove more successful than earlier attempts?

By Leah Nodvin

The Trump administration is seeking to reset relations with Russia as part of a comprehensive shift in US foreign policy, but successive past Russia resets have ended in failure, writes Leah Nodvin.

Conflict Financial Sanctions and Economic Coercion

UkraineAlert Dec 19, 2024

Five things Russia’s invasion has taught the world about Ukraine

By Peter Dickinson

Vladimir Putin’s brutal invasion of Ukraine has thrust the country into the global spotlight and transformed international perceptions of Ukraine in ways that will resonate for decades to come, writes Peter Dickinson.

Defense Technologies Disinformation

UkraineAlert Feb 27, 2025

The Finlandization fallacy: Ukrainian neutrality will not stop Putin’s Russia

By Brian Mefford

Donald Trump seeks to broker a peace deal with Vladimir Putin but any attempt to impose neutrality on Ukraine could set the stage for further Russian aggression, writes Brian Mefford.

Conflict European Union

The views expressed in UkraineAlert are solely those of the authors and do not necessarily reflect the views of the Atlantic Council, its staff, or its supporters.

Read more from UkraineAlert

UkraineAlert is a comprehensive online publication that provides regular news and analysis on developments in Ukraine’s politics, economy, civil society, and culture.

The Eurasia Center’s mission is to enhance transatlantic cooperation in promoting stability, democratic values, and prosperity in Eurasia, from Eastern Europe and Turkey in the West to the Caucasus, Russia, and Central Asia in the East.

Learn more

The post Ukraine’s IT sector offers opportunities for pragmatic partnership with the US appeared first on Atlantic Council.

The post Samaan in Institut Montaigne: AI: United Arab Emirates, key partner of France or risk for its digital sovereignty? appeared first on Atlantic Council.

The post CBDC tracker and event with Fed Governor Waller cited in CoinGeek appeared first on Atlantic Council.

The post Tran cited in paper on Chinese technological influence published by the Carnegie Endowment for International Peace appeared first on Atlantic Council.

The post Event with Fed Governor Waller featured in Business Insider on how stablecoins can promote the dollar’s global use and status appeared first on Atlantic Council.

Few were surprised, therefore, when President Trump began his second term with an executive order that prioritizes stablecoins as the preferred mechanism for safeguarding both the global role of the US dollar and financial stability. The executive order also stated that CBDCs create financial stability threats. In contrast, the monetary policy minutes from the December 2024 European Central Bank rate-setting meeting took the opposite position and proposed that crypto assets could create financial stability threats for the eurozone.

The 2025 reserve currency policy landscape: Four key issues to watch

Legislation: Despite their policy differences, European Union (EU) and US policymakers all face the same hurdle. CBDCs can not be issued without legislation.  Lawmakers in Brussels, London, and Washington are each declining to move forward quickly.  The European Parliament to date has declined to schedule a vote on the digital euro package submitted by the European Commission—despite urging by the ECB.  Nor has the UK Parliament moved forward with a digital pound initiative. 

The Republican-led Congress and the White House oppose CBDCs, ensuring that no CBDC legislation will move forward in the United States in the foreseeable future.  The Federal Reserve agrees. Chairman Jerome Powell yesterday testified to Congress  that he will not propose or pursue a digital dollar during the balance of his tenure at the central bank.  Chairman Powell’s term expires in spring 2026.  All relevant policymakers in the United States (the White House, Congressional leaders, regulatory agencies, the central bank) are now united in their opposition to a domestic CBDC. Their focus now turns towards articulating a legislative and regulatory framework supporting stablecoins.

House Financial Services Committee Chairman Hill’s 2025 interview with CNBC confirms that leading US lawmakers believe expanded stablecoin adoption would help “extend the reserve currency status” of the US dollar globally. In addition, Federal Reserve Governor Christopher Waller now publicly supports stablecoins “because they are likely to propagate the dollar’s status as a reserve currency, though they need a clear set of rules and regulations.” Senate Banking Committee Chairman Tim Scott weighed in during January, pledging to craft a stablecoin “regulatory framework that…will promote consumer choice, education, and protection and ensure compliance with any appropriate Bank Secrecy Act requirements.” It remains to be seen if dollar-backed stablecoins could strengthen the dollar’s role in the global payment system.

The structure of legislation will materially impact growth trajectories for stablecoin markets domestically and internationally, with implications for US sovereign bond markets. For example, a regulatory framework could require stablecoin issuers to hold US Treasury securities to back their stablecoins, thus guaranteeing liquidity and demand for US dollar-denominated sovereign paper. Additional proposals to create a crypto asset reserve at the federal level could provide additional liquidity support to crypto markets. 

Geopolitics: President Trump campaigned on promises to safeguard the global role of the dollar. His promises included wielding tariffs as a mechanism to discipline foreign countries that undermine the global role of the dollar, presumably in addition to aggressive sanctions enforcement. The Trump administration is not alone in raising red flags regarding certain CBDC use cases. Growing concern exists internationally that non-US dollar CBDC networks could be used to evade Western sanctions. Against this backdrop, in October 2024, the Bank for International Settlements withdrew from the wholesale CBDC mBridge project, whose members include central banks from China, Hong Kong, Thailand, the United Arab Emirates, and Saudi Arabia. The BIS General Manager reiterated the policy that “…the BIS does not operate with any countries, nor can its products be used by any countries that are subject to sanctions…we need to be observant of sanctions and whatever products we put together should not be a conduit to violate sanctions.” In addition, Russia has called for a multipolar global financial system with a separate non-dollar clearing and settlement system.

Distributed free markets: Stablecoins currently occupy a tiny fraction of financial market activity. Crypto itself remains minor relative to US capital markets. Globally, the estimated stablecoin market size is $227 billion in market capitalization, as compared to $6.22 trillion for US capital markets and $3.39 trillion for global cryptocurrency markets. If current double-digit growth rates for stablecoins continue, they could constitute a considerable proportion of overall crypto market capitalization, if not capital markets themselves. More importantly, the vast majority of stablecoins are pegged to the US dollar.

Rapid adoption rates paired with speedy transaction volumes and velocity in stablecoin markets mean that today’s stablecoin and CBDC decisions may amplify ongoing shifts in reserve currency markets. Dramatic shifts in reserve currency status historically have been rare events. The more likely scenario for threats to dollar dominance involve a range of alternative currencies nibbling at the dollar’s role at the margins. While the US dollar is comfortably in the lead, accounting for 49.2 percent of international payment messaging through SWIFT, its share of global FX reserves has fallen from 71 percent in 2001 to 54.8 percent at present. Decreased demand for dollars has increased demand for non-traditional currencies, gold, and several pairs of local currencies, rather than traditional reserve currencies.

In this context, choices made by individual users can materially impact global reserve currency status. The broad adoption of US dollar-backed stablecoins could even reverse the de-dollarization trend.  Decisions made by policymakers during 2025 will thus materially impact how the stablecoin and dollar markets evolve. 

European crypto rules: EU officials promote the digital euro as a mechanism for delivering strategic and economic autonomy relative to the US dollar. At the retail level, they compete with local payments processes currently dominated by US credit card companies. Globally, they facilitate increased usage of the euro as an international transaction currency. Secondary use cases include using blockchain technology to create “ tokenized” (euro-denominated) deposits that would cement the role of commercial banks within the payment system. European policymakers have also begun experimenting with tokenized securities. Slovenia became the first eurozone sovereign country to issue a tokenized euro area sovereign bond. In December, the Bank of France became the first eurozone central bank to complete transactions in the secondary market for both sovereign fixed income and equity using an unnamed digital currency on a blockchain.

However, if a critical mass of individuals in a country holds wealth in a foreign currency stablecoin, the competitive landscape, if not the survival of other reserve currencies, requires that they provide a digital alternative. The scenario also creates incentives for other jurisdictions to make it difficult to achieve  interoperability with non-euro stablecoins, while creating economic hurdles for local users to choose US dollar-backed stablecoins—essentially preserving their economic and monetary sovereignty.

Some see the newly issued EU crypto regulatory framework—the Markets in Crypto Assets (MiCA); and specifically the 1:1 ratio of required liquid reserves for stablecoins —as a strategic tool to raise barriers to non-EU issuers of US dollar-denominated stablecoins. MiCA extends bank-like regulatory requirements to crypto asset issuers and intermediaries. We discussed that framework and its relationship to the US crypto asset policy landscape in our January 28, 2025 Econographics essay. The framework potentially provides European regulators with the time and tools to play defense by regulating local stablecoin markets to permit either a digital euro or euro-denominated stablecoins to gain market traction. Market data will provide the metric for policy effectiveness.

Barbara Matthews is a nonresident senior fellow at the Atlantic Council’s Geoeconomics Center. She is also Founder and CEO of BCMstrategy, inc., a company that generates AI training data and signals regarding public policy.

Hung Tran is a nonresident senior fellow at the Atlantic Council’s Geoeconomics Center and senior fellow at the Policy Center for the New South; a former senior official at the Institute of International Finance and International Monetary Fund.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post Central bank digital currencies versus stablecoins: Divergent EU and US perspectives appeared first on Atlantic Council.

On February 7th, 2025, South China Morning Post published an article referencing Global China Hub nonresident fellow Hanna Dohmen’s testimony for the US-China Economic and Security Review Commission on the effectiveness of export controls in slowing China’s AI advances.

The post Global China Hub nonresident fellow Hanna Dohmen in South China Morning Post appeared first on Atlantic Council.

The post Event on the future of payments with Federal Reserve Governor Christopher Waller featured in Politico’s Morning Money newsletter appeared first on Atlantic Council.

The post Event on the future of payments with Federal Reserve Governor Christopher Waller restreamed by Yahoo Finance appeared first on Atlantic Council.

The bottom line is that DeepSeek has carved an alternative path to high-performance AI by employing a mixture-of-experts (MoE) model and optimizing data processing. Although these techniques are not completely novel, their successful application could have far-reaching implications for global investment trends, regulatory strategies, and the broader AI industry.

That said, questions remain about the true cost and nature of DeepSeek’s hardware and training runs. DeepSeek’s assertions should not be taken at face value, and further research is needed to assess the company’s claims, particularly given the number of examples of Chinese firms secretly working with the government and hiding state subsidies—particularly in industries the Chinese Communist Party considers strategically important.

The traditional AI development model

The prevailing AI paradigm has supported the development of ever-larger models trained on massive datasets using high-performance computing clusters. OpenAI, for example, has pursued increasingly expansive models, necessitating exponential growth in computational power and finances. OpenAI’s dense transformer models, such as GPT-4, are believed to activate all model parameters for every input token throughout training and inference, further compounding the computational burden.

However, this approach has diminishing returns: Increasing the model size does not always yield proportional improvements in performance. Additionally, with this traditional model, there are considerable resource constraints—access to high-end graphics processing units (GPUs) is limited due to supply chain bottlenecks and geopolitical restrictions. There are also high financial barriers. Large-scale training runs using OpenAI’s transformer architecture can require tens of millions of dollars in funding.

Rather than processing every input through a monolithic transformer, MoE routes queries to specialized sub-networks, enhancing efficiency. And by activating fewer parameters per computation, MoE models demand less power. This structure allows for easier expansion without requiring proportional increases in hardware investment.

Several research efforts have previously explored MoE architectures, but DeepSeek successfully deployed MoE in a way that optimized performance while minimizing computational cost.

DeepSeek also leveraged sophisticated techniques that reduced training time and cost. For example, its model was trained in stages, with each stage focused on achieving targeted improvements and the efficient use of resources. Additionally, its model employed self-supervised learning and reinforcement learning, leveraging the Group Relative Policy Optimization (GRPO) framework to rank and adjust responses (minimizing the use of labeled datasets and human feedback). And to compensate for potential data gaps, DeepSeek-V3 was fine-tuned on synthetic datasets to improve domain-specific expertise.

These techniques helped DeepSeek mitigate the inefficiencies associated with training on overly oversized, noisy datasets—a problem that has long plagued AI developers.

Implications

Important questions around the true cost of DeepSeek’s training and access to hardware notwithstanding, DeepSeek-R1 could mark a turning point in AI research. By leveraging MoE architectures and optimized training strategies, DeepSeek may have created a roadmap to achieve high performance without the prohibitive costs and inefficiencies of traditional dense models. Whether new capabilities and improvements can be unlocked by reconfiguring existing dense models like GPT-4 to take advantage of these techniques remains to be seen.

DeepSeek’s apparent success also raises crucial policy questions around the efficacy of export controls aimed at restricting Chinese access to high-performance hardware. If AI development becomes less reliant on cutting-edge GPUs and more focused on efficient architectures, these restrictions could lose their bite. It could also potentially disrupt major planned investments in data centers, many of which have been fueled by the OpenAI model of dense AI development. With DeepSeek’s resource-efficient paradigm as a new benchmark, organizations may need to reassess or restructure some of these investments to fit within that paradigm.

While further research is crucial to assess the significance of DeepSeek’s innovation, its emergence stands as a clear wake-up call to leading AI organizations, policymakers, and investors alike. Attention, perhaps, is not all you need.

Ryan Arant is the director of the N7 Research Institute at the Atlantic Council.

Newton Howard is founder and was the first chairman of C4ADS.

New Atlanticist Jan 23, 2025

Trump should keep, not cut, Biden’s last-minute offer of federal land for AI data centers

By Will LaRivee

In an executive order in the final days of his administration, US President Joe Biden put forward a promising idea to expand US data center capacity.

Artificial Intelligence Politics & Diplomacy

New Atlanticist Jan 19, 2025

On trade and technology, the US and EU need each other now more than ever

By Trevor Rudolph

Washington and Brussels must collaborate on telecommunications, semiconductors, and critical minerals to compete with nonmarket economies.

Critical Minerals Economy & Business

GeoTech Cues Aug 6, 2024

The Great IT Outage of 2024 is a wake-up call about digital public infrastructure

By Saba Weatherspoon and Zhenwei Gao

The July 19 outage serves as a symbolic outcry for solution-oriented policies and accountability to stave off future disruptions.

Cybersecurity Internet

The GeoTech Center champions positive paths forward that societies can pursue to ensure new technologies and data empower people, prosperity, and peace.

Learn more

The post Did DeepSeek just trigger a paradigm shift? appeared first on Atlantic Council.

The most impressive thing about DeepSeek-R1’s performance, several artificial intelligence (AI) researchers have pointed out, is that it purportedly did not achieve its results through access to massive amounts of computing power (i.e., compute) fueled by high-performing H100 chips, which are prohibited for use by Chinese companies under US export controls. Instead, it may have conducted the bulk of the training for this new model by optimizing inter-chip memory bandwidth of the less sophisticated H800s (allowing these less sophisticated chips to “share” the size of a very large model). This meant that training the model cost far less in comparison to similarly performing models trained on more expensive, higher-end chips. DeepSeek’s breakthrough has led some to question whether the US government’s export controls on China have failed. 

However, such a conclusion is premature. Other recent “breakthroughs” in Chinese chip technologies were the result not of indigenous innovation but developments that were already underway before export controls seriously impacted the supply of chips and semiconductor equipment available to Chinese firms. In late 2023, for example, US foreign policy observers experienced a shock when Huawei announced that it had produced a smartphone with a seven nanometer chip, despite export restrictions that should have made it impossible to do so. But rather than showcasing China’s ability to either innovate such capabilities domestically or procure equipment illegally, the breakthrough was more a result of Chinese firms stockpiling the necessary lithography machines from Dutch company ASML before export restrictions came into force. The influx of machines bought China time before the impact of export controls would be seen in the domestic market. 

There is evidence to suggest that DeepSeek is benefiting from a similar dynamic. China AI researchers have pointed out that there are still data centers operating in China running on tens of thousands of pre-restriction chips. They also note that the real impact of the restrictions on China’s ability to develop frontier models will show up in a couple of years, when it comes time for upgrading. Or, it may show up after Nvidia’s next-generation Blackwell architecture has been more fully integrated into the US AI ecosystem.

While DeepSeek’s achievement has not exactly undermined the United States’ export control strategy, it does bring up important questions about the broader US strategy on AI. Much of the conversation in US policymaking circles focuses on the need to limit China’s capabilities—specifically by restricting its ability to access compute. While not wrong on its face, this framing around compute and access to it takes on the veneer of being a “silver bullet” approach to win the “AI race.” This kind of framing creates narrative leeway for bad faith arguments that regulating the industry undermines national security—including disingenuous arguments that governing AI at home will hobble the ability of the United States to outcompete China. 

Such arguments emphasize the need for the United States to outpace China in scaling up the compute capabilities necessary to develop artificial general intelligence (AGI) at all costs, before China “catches up.” This has led some AI companies to convincingly argue, for example, that the negative externalities of speed-building massive data centers at scale are worth the longer-term benefit of developing AGI. Such an argument has significant business upside for AI companies, as they amass greater numbers of chips to gain a competitive advantage. What the DeepSeek example illustrates is that this overwhelming focus on national security—and on compute—limits the space for a real discussion on the tradeoffs of certain governance strategies and the impacts these have in spaces beyond national security.

To plug this gap, the United States needs a better articulation at the policy level of what good governance looks like. This should include a proactive vision for how AI is designed, funded, and governed at home, alongside more government transparency around the national security risks of adversary access to certain technologies. It also requires the US government to be clear about what capabilities, technologies, and applications related to AI it is specifically aiming to regulate. This would help to elevate conversations on risk and enable communities of practice to come together to establish adaptive governance strategies across technological, economic, political, and social domains—as well as for national security.

How to best develop, deploy, and govern AI-enabled technologies is not a question that can be answered with “silver bullet” solutions. Rather, it is a process, one that requires consistent, thoughtful engagement from practitioners and experts across a wide variety of issue sets and backgrounds. No one strategy will win the “AI race” with China—and as new capabilities emerge, the United States needs a more adaptive framework to meet the challenges these technologies and applications will bring. 

Kenton Thibaut is a senior resident China fellow at the Atlantic Council’s Digital Forensic Research Lab (DFRLab), where she leads China programming for the Democracy + Tech Initiative.

The post What DeepSeek’s breakthrough says (and doesn’t say) about the ‘AI race’ with China appeared first on Atlantic Council.

The post Lipsky quoted in Reuters on Trump’s impact on CBDC development in the US appeared first on Atlantic Council.

The post CBDC tracker cited in Reuters on digital euro progress appeared first on Atlantic Council.

With legislators favorable to the industry—including Representative French Hill as the chair of the House Financial Services Committee (watch his Atlantic Council event on stablecoins here), Senator Cynthia Lummis as the newly formed chair of the Senate Banking Committee’s subcommittee on digital assets, SEC chair pick Paul Atkins, and advisors like Elon Musk and commerce secretary nominee Howard Lutnick—confidence is growing that crypto-forward agenda is on its way. But what does success on the regulatory front actually look like? What does it mean for the rest of the world? We dive into the dozen bills under consideration in Congress and zoom in on the three big themes for crypto regulation in 2025.

The SEC vs CFTC: Finally, a truce?

One of the major disagreements between the industry and legislators has been whether the SEC or the Commodity Futures Trading Commission (CFTC) is the right regulator for crypto. As is often debated in Washington, is crypto a security or a commodity? Under the former SEC chair, Gary Gensler, the agency regularly fined crypto companies when it found them in breach of securities laws. This led to some legislators and industry favoring the CFTC as the regulator. Several bills under consideration, including the Financial Innovation and Technology for the 21st Century Act, the Digital Asset Market Structure and Investor Protection Act, the Responsible Financial Innovation Act, and the BRIDGE Digital Assets Act, address the jurisdiction of SEC and the CFTC regarding crypto.

One of the Trump campaign’s biggest promises to the industry is an end to this era of regulation by enforcement. Paul Atkins, Trump’s pick to replace Gary Gensler as SEC chair, is seen as friendly to the crypto industry. His appointment follows a wave of legal decisions over the past two years that have ruled in favor of the companies against the SEC. Atkins’ job, once he’s sworn in, will be two-fold: He will need to clarify the SEC’s jurisdiction over the crypto market and then actually enforce regulations on crypto-assets—their issuance, use, and role in the US economy. Congress will augment these efforts, and you can expect several bills rebalancing the SEC and CFTC’s jurisdiction and enforcement powers. See below for the full breakdown.

Stablecoins, ahoy! 

Stablecoins have now passed $190 billion in global circulation. They can provide much needed liquidity for the crypto market and act as conduits between crypto and non-crypto-assets. Stablecoins increasingly aim to address humanitarian aid and cross-border payments such as remittances, including in Ukraine.

While 98 percent of stablecoins are pegged to the dollar, over 80 percent of stablecoin transactions happen abroad. This makes these “digital dollars” subject to regulatory frameworks set in Europe, Asia, and Africa. Europe’s stablecoin framework, known as Markets in Crypto-Assets, came into full effect in January 2025. Implementing the framework should result in some introspection across the Atlantic over the pending stablecoin legislation in Congress. The Clarity for Payment Stablecoins Act and the Lummis-Gillibrand Payment Stablecoins Act are the two bills under consideration. The Clarity Act has been under consideration by the House Financial Services Committee for the last year, coming close to bipartisan consensus a few times. It has evolved into a discussion draft proposed by Senator Bill Hagerty. The Lummis-Gillibrand Act was introduced to the Senate in May 2024. 

The bottom line, as our cryptocurrency regulatory tracker shows, is that regulations in the United States play a key role in the future of crypto around the world. While other countries have been developing their own regulatory frameworks, the United States has lagged behind—that may finally change in the months to come. 

A trailblazing national bitcoin reserve  

With the appointment of Lummis as the chair of the digital assets subcommittee at the Senate Banking Committee, it’s likely that talks of a bitcoin reserve will continue on the Hill. The logic behind the bill is to purchase bitcoin to be able to pay back the national debt. There are some open questions about the Lummis bitcoin reserve proposal—including the convoluted funding model, which revalues gold certificates from their 1993 price to their current value. 

There are also proposals for a US Central Bank Digital Currency (CBDC). The Trump administration and Republican lawmakers have made it clear that a retail CBDC, or the digital dollar, is not going to happen in the United States. This puts the United States at odds with its peers like Europe, which is rolling out a pilot of the digital euro in 2025, and the United Kingdom, which set up a CBDC lab just last week. The executive order directs all agencies to stop any ongoing work on a CBDC.

The breakdown of all the major pieces of legislation currently being considered is below.

Ananya Kumar is the deputy director, future of money at the Atlantic Council’s GeoEconomics Center.

At the intersection of economics, finance, and foreign policy, the GeoEconomics Center is a translation hub with the goal of helping shape a better global economic future.

Learn more

The post What is next for crypto regulation in the US? appeared first on Atlantic Council.

For more context and to make sense of all the competing arguments, we turned to our experts on China and technology. 

Click to jump to an expert analysis:

Graham Brookie: The Supreme Court’s decision will shape global tech competition

Shelly Hahn: To China, algorithms are a national interest 

Kenton Thibaut: The US data security problem is bigger than TikTok

Caroline Costello: If you’re interested in protecting civil society, you should be concerned about TikTok

Mark Scott: Worries around TikTok’s data collection and security apply to all social media giants

Matt Geraci: US data privacy laws are not up to the task 

Emerson T. Brooking: If TikTok was a tool of Chinese foreign interference, someone forgot to tell China

Samantha Wong: The national security risks will remain whether TikTok is banned or not

Konstantinos Komaitis: A TikTok ban would be a direct attack on the open and global internet

Kitsch Liao: ByteDance’s First Amendment argument is a distraction from its refusal to divest

The Supreme Court’s decision will shape global tech competition 

The United States Supreme Court is set to start 2025 with a blockbuster case on a tight timeline with significant domestic tech and geopolitical ramifications.  

The law in question in the case of TikTok v. Garland—the Protecting Americans from Foreign Adversary Controlled Applications Act—was passed by Congress in April 2024 with widespread bipartisan support: a 352–65 vote in the House and 79–18 in the Senate. US President Joe Biden signed the bill into law, giving him the authority to force TikTok’s divestiture from its Chinese parent company or be banned from the United States. The Department of Justice set a deadline of January 19—forcing this dramatic showdown. The Supreme Court will proceed in hearing the case on January 10 despite Trump’s request to delay until after his inauguration and the fact that the high court typically defers to its two co-equal branches of government on matters of national security.  

The Atlantic Council previously published an in-depth technical analysis of whether the threats of legal control, data access, algorithmic tampering, or broad influence efforts by the Chinese government are unique or singularly focused on TikTok. The threat of legal control proved to be real and ongoing. The other potential risks remain considerable with loopholes not specific to TikTok, such as the sheer amount of Americans’ data for sale on the open market or the litany of US-owned platforms the Chinese Communist Party (CCP) has used to perpetrate influence efforts. Chinese ownership of TikTok is undoubtedly a core strength in its global approach to “discourse power.” The key questions remain whether a Chinese company’s ownership of such a popular social media platform poses unique national security risks to the United States, whether banning such a popular app violates the rights of the company or the app’s US users, and how China may react or force ByteDance to react. Beyond TikTok v. Garland, any outcome will shape global tech competition from the global reach of digital platforms to broader tech governance. If new evidence is surfaced, it will shape both. 

—Graham Brookie is the vice president of technology programs and founding director of the Digital Forensic Research Lab at the Atlantic Council. 

To China, algorithms are a national interest

The TikTok saga highlights Beijing’s strategy of using private companies to exert influence globally, while restricting foreign companies’ operations within China. 

Beijing views algorithms as critical tools to exert national power, with Chinese leader Xi Jinping emphasizing the importance of artificial intelligence in military and economic power competition. As TikTok has gained market clout, the Chinese government has taken a more assertive stance on its technologies, especially content recommendation algorithms. Since 2020, China has implemented measures to protect its technological assets, including adding algorithms to the restricted list  of technologies from export in August 2020, and passing the “Export Control Law” in October 2020, which governs the sale of these technologies to foreign buyers. China now strongly opposes any forced sale of TikTok, asserting its legal authority to veto such transactions. 

Beijing has railed against the United States’ enforcement actions against TikTok, using abusive and inflammatory rhetoric to paint those actions as a violation of international norms. Chinese officials have called these actions “an act of bullying” (Xinhua editorial), “an abuse of national power” (Ministry of Foreign Affairs Spokeswoman Mao Ning), and “hypocritical and double standards” (Xinhua editorial). They have warned of potential consequences for the global economic order. 

That is interesting rhetoric given that Beijing would not allow a US or other foreign company to operate similarly in China. China maintains a restrictive environment for foreign media and technology companies, blocking most foreign social media platforms, search engines, and news outlets. When probed about this disparity, a Ministry of Foreign Affairs spokesperson claimed that “China’s policy on overseas social media is completely incomparable to the US’ attitude towards TikTok . . . as long as foreign media companies comply with the requirements of Chinese laws and regulations, all foreign media platforms and news agencies are welcomed.” In reality, these laws give the CCP firm control over data flows and information within its borders. 

Beijing’s robust defense of TikTok and its underlying technology underscores China’s growing confidence in its tech sector and its willingness to challenge what it perceives as unfair treatment in the global marketplace. 

—Shelly Hahn is the deputy director of the Atlantic Council’s Global China Hub. 

The US data security problem is bigger than TikTok 

There is no doubt that People’s Republic of China (PRC) state entities see the value in collecting data on Americans for intelligence purposes. However, the proposed actions on TikTok leave open serious questions on how effectively a ban or divestment would protect Americans’ data from exfiltration.

The Atlantic Council’s Digital Forensic Research Lab previously conducted a technical, policy, and legal analysis of the stated national security risks posed by TikTok. Our research found that TikTok can be said to present a unique risk in terms of its Chinese ownership, in that the PRC’s National Intelligence Law does give the government broad leeway to potentially compel the company to grant it access to TikTok’s data, including on Americans. In addition, even under the circumstances of outside control of TikTok’s data storage, it would be almost impossible to know if Chinese intelligence authorities somehow maintained a backdoor into these data streams.

At the same time, however, we found that TikTok’s data collection practices on Americans are not outside what is commonly practiced by social media companies, including Meta, X, and others. More importantly, the data that TikTok can provide on Americans pales in comparison to what the Chinese government has accessed through both its illegal hacking activities and what is available legally on the open market through US-based third-party data brokers.  

In fact, a report from Duke University’s Sanford School of Public Policy found that via data brokers, it is “not difficult to obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices,” noting that location data was also available for purchase. A narrow, national-security oriented focus on TikTok to address potential threats to the US data ecosystem risks overlooking much broader security vulnerabilities and thus undermines more effective policy solutions. That is to say, while there is much about TikTok’s data gathering and privacy policy to side-eye, the challenge is far wider than TikTok alone and requires a more wide-ranging policy solution to address. 

—Kenton Thibaut is a senior resident China fellow at the Digital Forensic Research Lab of the Atlantic Council’s Technology Programs. 

If you’re interested in protecting civil society, you should be concerned about TikTok 

The debate surrounding TikTok is about a tool that empowers China to extend its high-tech surveillance state beyond its own borders. While it’s true that other social media platforms engage in similar surveillance, other platforms are not beholden to the government of a foreign adversary. 

TikTok’s owner, ByteDance, is a Chinese company. In China, the CCP has absolute control over companies. In China’s authoritarian system, the party is always above the law, but the CCP took the extraordinary step of enshrining this capability into law, likely to make very clear to Chinese companies exactly what they should expect. Article 7 of the National Intelligence Law of 2017 states that “all organizations and citizens shall support, assist, and cooperate with national intelligence efforts,” meaning the government has the right to secretly demand TikTok user data, and the company must share it. 

When defending against these allegations, TikTok has insisted that it stores all US user data in the United States, but the company has also acknowledged that nevertheless, China-based employees can still access US user data, and those same employees must obey any and all edicts from the CCP. In fact, thanks to leaked audio from internal meetings, we now know that China-based employees have repeatedly done so. This includes two cases in which a China-based team at TikTok planned to use the app to monitor the location of specific US citizens.  

Chinese intelligence services have a well-documented history of harassing and intimidating human rights activists and journalists on US soil. Even if you don’t mind the PRC surveilling you, and even if you don’t care about US-China competition, if you’re interested in protecting civil society, you should be concerned about TikTok. 

There is one important caveat, though. As demonstrated in a report from the Atlantic Council’s Digital Forensic Research Lab, foreign adversaries can also buy this data from brokers that rely on US-based companies surveilling their users. In fact, US-based companies have been accused of using targeted surveillance against civil society, as in the cases of Uber and Meta reportedly tracking the location of journalists reporting on their apps. TikTok is just one piece of a broader data security vulnerability perpetuated by US platforms. 

—Caroline Costello is a program assistant at the Global China Hub. 

Worries around TikTok’s data collection and security apply to all social media giants

Central to concerns around TikTok is how the app collects, stores, and uses information it gathers on users. The fear, according to US officials, is that such data may be weaponized by Beijing, though no evidence of such activity has yet to be proven. Based on a review of TikTok’s privacy policy and external analysis, the social media platform does collect a lot of information on users if they give the company permission. That includes information on individuals’ exact location, their phone numbers and those of their contacts, people’s other social media accounts, and detailed information about individuals’ devices (often used by marketers to target specific demographics). 

That may sound creepy. But TikTok’s data collection practices are no different than those of US social media giants, which similarly gather as much information as possible on their users to tailor these firms’ advertising offerings. That also includes in-app web browsers built into the likes of Instagram and X that allow these companies to collect just as much information on people’s web habits—so long as they are surfing the internet from within these social media networks. 

So would forcing TikTok off of US app stores make Americans’ data more private and secure? The short answer is no. While US officials have raised concerns about how Americans’ data may be accessed by Chinese government officials via TikTok, such personal information—from people’s phone numbers and home addresses to internet activity to consumer purchasing history—is already available commercially, via so-called domestic data brokers. The outgoing Biden administration tried to tackle that problem with the Protecting Americans’ Data from Foreign Adversaries Act and prohibitions placed on these data brokers from transferring such sensitive data to foreign adversaries like China. 

Yet, in reality, the lack of comprehensive federal privacy legislation means that Americans’ data—no matter what eventually happens with the potential TikTok ban or sale—remains significantly more at risk compared to their counterparts in other Western countries. State-based laws, particularly those in California and Virginia, have provided a modest degree of greater control for people in how companies gather and use their personal information. But the removal of TikTok from US app stores, which have similarly set baseline levels of privacy protections for users, will not make Americans’ overall data either more private or more secure. 

 —Mark Scott is senior resident fellow at the Democracy + Tech Initiative within the Atlantic Council Technology Programs. 

US data privacy laws are not up to the task 

The absence of common-sense data privacy laws in the United States created an environment that allowed TikTok to become a security risk. Removing TikTok from app stores will not change this. As a 2022 Consumer Reports investigation revealed, TikTok uses many of the same data harvesting techniques employed by companies like Meta and Google for targeting ads. They also concluded that claims by TikTok and others that data is used solely for advertising cannot be verified by consumers or privacy researchers. 

The Cambridge Analytica scandal, which involved unauthorized data collection from millions of Facebook users for targeted political ads, remains fresh in the minds of Americans who are skeptical about the stated reasons for removing TikTok. Although the Federal Trade Commission forced new privacy restrictions on Facebook, the scandal has not led to national legislation like the European Union’s General Data Protection Regulation (GDPR) that could be applied to all companies, including TikTok. Despite this, various US states have endeavored to draft their own laws since the scandal. Yet, companies like Meta, Google, and Amazon often attempt to thwart these efforts through lobbying.  

Regulatory changes are essential to mitigate data security threats from Beijing. However, US tech companies seem to lack enthusiasm for supporting new data protections, and Congress has struggled to make progress. Nearly all the major US tech companies have been fined for violating the European Union’s GDPR (including Amazon, Google, Meta, and Twitter/X), so clearly this is an area that needs improvement. Companies are not ideal self-regulators. TikTok adds another layer given that it must answer to an authoritarian regime and thus poses even larger risks when allowed to operate in an unregulated environment. 

TikTok’s popularity, data collection practices, and Chinese ownership create a unique national security challenge requiring careful consideration. Tech companies should work with the US government to improve data privacy protections, rather than targeting TikTok under the guise of national security while simultaneously perpetuating a harmful regulatory status quo. 

—Matt Geraci is an associate director at the Global China Hub. 

If TikTok was a tool of Chinese foreign interference, someone forgot to tell China 

It’s true that the push for TikTok’s divestment from ByteDance is deeply rooted in fears of Chinese information manipulation. In a March 2024 House Committee on Energy and Commerce report on the forced divestment measure, the committee cited China’s potential use of TikTok to “push misinformation, disinformation, and propaganda on the American public.”  

It’s also true that these fears were never substantiated. The CCP’s propaganda strategy—its quest for “discourse power”—has always been premised on the incremental manipulation of information across many different platforms at the same time. The idea that Beijing built a shiny red button to turn TikTok into a tool of mass brainwashing never accorded with reality.  

Indeed, so far it appears that only a single fake CCP-adjacent TikTok account sought to influence the 2024 US election. Ironically, far more CCP accounts on other platforms sought to stir resentment about a potential TikTok ban. By contrast, Russia—which has had no unique claim to TikTok—extensively used the service for the purposes of information manipulation. In December 2023, the Digital Forensic Research Lab and the BBC uncovered a massive Russian campaign that used artificial intelligence to instrumentalize more than 12,800 accounts to undermine Ukraine.  

Perhaps the CCP was just subtly tweaking the TikTok algorithm to achieve its goals? But this is also unlikely. One of the few available independent studies of TikTok content policy suggests that the platform may have actually reduced the salience of certain hashtags in line with the wishes of US lawmakers. The bizarre nature of some of the material that goes viral on TikTok is explained by the tastes of TikTok’s Millennial- and Gen Z-majority user base, not a global conspiracy. TikTok has repeatedly failed the American people in the realm of transparency and public accountability. So has every US-based social media platform.  

—Emerson T. Brooking is director of strategy and resident senior fellow at the Digital Forensic Research Lab. 

The national security risks will remain whether TikTok is banned or not 

Last February, Biden issued a much-needed executive order limiting the sale of sensitive personal US data or US government-related data to “countries of concern,” including China, to prevent them from “engag[ing] in espionage, influence, kinetic or cyber operations or to identify other potential strategic advantage over the United States.” This is supported by additional legislation, such as the Protecting Americans’ Data from Foreign Adversaries Act of 2024 and the Protecting Americans from Foreign Adversary Controlled Applications Act, both aimed at protecting sensitive US data from being accessed by “foreign adversary nations.” 

However, these new measures are not foolproof. The executive order only targets data brokers from “countries of concern,” and the bill doesn’t address data. One way China can easily circumvent these laws is by purchasing data from companies in third-party countries that obtained it through domestic data brokers that sold the data without knowledge of the final recipient or its intended use. Essentially, if TikTok was a US company, China would still be able to purchase personal US data from TikTok through third-country entities.  

Furthermore, China could easily access any sensitive, critical data through hacking US infrastructure. China is constantly investing and building up its offensive cyber ecosystem to train Chinese hackers to target and acquire critical US intelligence. Although the ban on TikTok would prevent Chinese firms from easily accessing US data, China has the resources to access this sensitive information illegally and is not afraid to implement these illicit operations if it feels the need to do so.  

Ultimately, the TikTok ban addresses only a small aspect of a much larger issue. Even if TikTok were banned or became a US-owned company, the core national security risks would remain. The United States should instead implement broader legislation aimed at strengthening domestic cybersecurity infrastructure and closing any third-party loopholes that could undermine existing protective laws. 

—Samantha Wong is a program assistant with the Global China Hub. 

A TikTok ban would be a direct attack on the open and global internet

In the conversation about whether the United States should or should not ban TikTok, there is one parameter that no one is mentioning: what will this mean for the internet? The answer is straightforward. If the United States proceeds with banning TikTok, such a move will be nothing short of a direct attack on the open and global internet.  

The internet is based on a decentralized architecture, which means that there is no center of control. The value of the open internet is that networks should be able to connect without any restrictions. The internet was not designed so that only specific networks could connect; rather, any network should be able to connect as long as it is willing to abide by certain rules—the internet’s open standards and protocols. Banning TikTok will affect how networks get to interconnect. 

 At the same time, a potential ban will also affect the internet’s global reach and integrity. The whole idea of the internet is that no entity should inspect or modify packets carried through different networks beyond what might be necessary to route the packet as advertised. This is an expectation that users have no matter where they are in the world, and it will not be met should the ban take effect.  

The United States has historically and unequivocally been a strong supporter of the open and global internet. In fact, for more than two decades, the United States has been at the forefront of pushing back at attempts by authoritarian governments to centralize internet control. A TikTok ban will be a setback to all these years of effort and will legitimize the narrative by other authoritarian states that the internet should be subject to government control and management. It will also weaken the United States’ position globally, especially at the United Nations, where conversations about the future of internet governance are currently taking place. 

 —Konstantinos Komaitis is a resident senior fellow and Global Democracy and Technology lead with the Democracy + Tech Initiative. 

ByteDance’s First Amendment argument is a distraction from its refusal to divest

ByteDance has yet to provide a rationale commensurate with freedom of speech or national security regarding why TikTok cannot be a US company without ties to the Chinese Communist party-state. Yet, on January 10, the nation will focus on the US Supreme Court’s hearing for the “TikTok ban,” highlighting First Amendment concerns. 

This is a distraction. The government has already successfully argued in court against TikTok on both national security and data collection grounds. ByteDance has sidestepped the national security argument by pointing to the lack of public evidence and argued that TikTok’s data collection practices are the same as those of other platforms. TikTok, however, failed to argue against its intent to endanger US national security, and it’s a point that bears reiterating.  

A series of reports from 2019 to 2021 detailed TikTok’s extreme security risks, including that the app allowed remote downloading and execution of binary files, essentially acting like a pre-installed backdoor ready for payload delivery. This sets it apart from other social media platforms and established its intent to harm. A “black hat” hacker would usually have to compromise a target’s devices through phishing or other means before it can achieve what TikTok pre-installed for its users. A Washington, DC court ruling also stressed TikTok’s continued malicious intent to abuse data collected from US citizens, even after the establishment of TikTok US Data Security.   

Until TikTok’s cord with the PRC is cut, it will continue to test the waters and find legal and illegal means to endanger US national security, as it clearly possesses both the intent and capability to do so.  

The essence of security is to make it harder for an adversary to do you harm. Just because China can obtain US user data through other ways doesn’t mean we should let them do so through TikTok. Deterrence through cost imposition is a foundational concept in international security, and the “cost,” be it through financial means or legal risks should China decide to furnish data through other social media giants operating within the United States, is very real. 

—Kitsch Liao is an associate director at the Global China Hub. 

The post Your expert guide to the debate over banning TikTok  appeared first on Atlantic Council.

On January 3rd, 2025, Global China Hub nonresident fellow Dakota Cary spoke to the Washington Post about Beijing Integrity Tech, the cybersecurity company linked to the Flax Typhoon attacks.

The post Global China Hub nonresident fellow Dakota Cary in the Washington Post appeared first on Atlantic Council.

In May, US President Joe Biden announced a 100 percent tariff on all electric vehicles (EVs) imported from China. The administration had two main objectives: 1) Protect and stimulate US clean energy industries and supply chains, and 2) counter a flood of Chinese goods as Beijing turns to exports to compensate for its weak internal demand. For the United States, these tariffs are largely preventative and symbolic, as Chinese EVs make up only around 2 percent of total EV imports. For other Group of Seven (G7) countries, it’s too late for prevention, as Chinese EVs already dominate.

The Biden administration coordinated with concerned allies and, in August, Canada also announced it would levy a 100 percent tariff on EV imports from China. The European Union (EU) later imposed up to 45.3 percent tariffs on Chinese EVs. Economic stress due to Chinese dumping increasingly reaches beyond the United States––and even beyond the G7. Since 2023, Argentina, Brazil, India, and Vietnam have all begun anti-dumping or anti-subsidy investigations into Beijing’s practices. 

The incoming Trump administration will now have a choice. It can revert to President-elect Donald Trump’s previous preference for bilateral negotiations, or it can continue to restrict China’s access in step with allies and partners, possibly by creating a “buyers club” to regulate standards and open markets to a select few.

—Sophia Busch is an assistant director at the Atlantic Council’s GeoEconomics Center. 

In October 2024, the US Department of the Treasury issued final regulations implementing the Executive Order on Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern. Once it comes into effect on January 2, 2025, the Outbound Investment Security Program (OISP) regulations will prohibit or subject to notification requirements certain transactions involving Americans and persons affiliated with designated countries of concern (presently, China, including Hong Kong and Macau) operating in the semiconductor and microelectronics, quantum information technology, or artificial intelligence (AI) sectors (“covered foreign persons”). 

With respect to AI, the OISP will generally prohibit US persons from investing in a covered foreign person that develops any AI system trained using a quantity of computing power greater than ten septillion (10^25) computational operations (integer or floating-point operations). In addition, the OISP sets forth other computational thresholds implicating investment prohibitions (i.e., greater than 10^24 computational operations using primarily biological sequence data) or notification requirements (i.e., greater than 10^23 computational operations). Notably, regardless of computing power, covered transactions involving AI systems designed or intended for military, government intelligence, mass surveillance, cybersecurity, digital forensics, penetration testing tools, or the control of robotic systems end uses are also subject to prohibitions or notification requirements.

Absent practical guidance or enforcement history, exactly what these computing power thresholds mean in practice, as well as how they reasonably can be determined, remain to be seen. However, given its breadth, complexity, and enforceability, the OISP seems likely to have a significant effect—most notably with respect to US persons, but also in connection with the activities of certain foreign persons controlled by US persons or for which US persons serve in key roles. Such persons have until the new year to start making sense of what may be about 10^25 questions regarding their exposure under the OISP.

—Annie Froehlich is a nonresident senior fellow at the GeoEconomics Center and partner at Cooley LLP.

The 2024 meeting of the BRICS+ gathered the representatives of forty countries on October 22-24 in Kazan, Russia. This number is about four times the size of the BRICS+ (named for members Brazil, Russia, India, China, and South Africa), which expanded in 2023 to include Argentina, Egypt, Ethiopia, Iran, the United Arab Emirates, and Saudi Arabia.

While the creation of a BRICS currency still appears unlikely, the bloc announced a substitute for Western payment systems called BRICS Clear. Circumventing sanctions or the extraterritoriality of US banks and, more generally, becoming less dependent on the US dollar are clear motivations behind such endeavors, as well as a growing interest in making bilateral arrangements to use China’s e-yuan.

Some notable leaders, such as Argentine President Javier Milei and Brazilian President Luiz Inácio Lula da Silva, were absent. But the attendees were a large and heterogeneous group, including both Turkey and North Korea. But without being officially opposed to the United States, the US dollar, or even the G7, the summit in Kazan visibly illustrated increasing global fragmentation. True, it took two world wars for the British pound to be dethroned by the dollar, and the latter remains dominant, representing about 60 percent of central banks’ official reserves, international debt, and credit. But in a multipolar world, could too much hegemony be its own undoing?

—Marc-Olivier Strauss Kahn is a nonresident senior fellow at the Atlantic Council and honorary director general at Banque de France.

Russia’s invasion of Ukraine laid bare a vulnerability in Europe’s energy strategy: an overreliance on a single supplier for critical resources. The EU is determined to avoid repeating the same mistake with lithium, a critical mineral often referred to as “white gold” for its indispensable role in the decarbonization race. However, the EU faces an uphill battle to reduce its near-total dependence on China, which currently supplies 97 percent of the bloc’s raw lithium.

With its ability to produce lithium at low cost thanks to cheaper labor, state-controlled financing, and energy subsidies, Beijing has flooded global markets and produced much more lithium “than the world needs today, by far,” according to Jose Fernandez, under secretary for economic growth, energy, and the environment at the US Treasury Department. To mitigate this monopoly, the EU has set ambitious targets, including producing at least 10 percent of its annual lithium consumption within the bloc by 2030. However, the region’s lithium mining projects are not expected to begin production until the end of 2026, leaving a significant gap in the interim.

As the world transitions to green technologies, lithium will remain a cornerstone of the global energy transition. For the EU, building a resilient, diversified supply chain is a strategic necessity.

—Grace Kim is a young global professional with the GeoEconomics Center.

Almost half of the world held elections in 2024. In Western democracies, opposition parties have won six out of fifteen decisive elections. Globally, more than half of incumbents or ruling coalitions managed to stay in power. However, unstable coalitions prompted multiple collapsed governments in Europe, including Germany and France.

Meanwhile, Russia’s efforts to interfere in Eastern European and Eurasian countries’ elections were a prominent but not unexpected problem. Russia’s direct and indirect interference in the Georgian parliamentary elections has been thoroughly researched and documented. Like in Georgia, the Moldovan elections were fraught with Russian disinformation and meddling, although pro-Western incumbent President Maia Sandu emerged victorious. Meanwhile, Romanian intelligence services declassified documents showing that the country’s elections have become the target of “aggressive hybrid Russian action,” including 85,000 cyberattacks on Romanian election websites. 

These instances of interference throughout 2024 demonstrated that Russia and other adversaries are invested in undermining elections as a fundamental principle of democracy. This is an opportunity for the United States and the EU to leverage positive economic statecraft tools to equip countries in Eastern Europe and Eurasia with secure election technologies and provide financial assistance to educate populations in identifying and thwarting Russian propaganda and disinformation. 

—Kimberly Donovan is the director of the Economic Statecraft Initiative within the Atlantic Council’s GeoEconomics Center. Follow her at @KDonovan_AC.

—Maia Nikoladze is the associate director at the Economic Statecraft Initiative within the Atlantic Council’s GeoEconomics Center. Follow her at @Mai_Nikoladze.

—Mikael Pir-Budagyan is a young global professional at the Economic Statecraft Initiative within the Atlantic Council’s GeoEconomics Center.

Since the start of the year, the cryptocurrency market capitalization nearly doubled from $1.65 trillion to $3.65 trillion. This year, the digital asset industry made significant inroads into the global economy, especially bitcoin and stablecoins. 

Bitcoin continues to dominate the digital asset market, accounting for more than 50 percent of the total market capitalization as the asset crossed $100,000 on December 4. On January 10, the US Securities and Exchange Commission approved the bitcoin spot exchange-traded funds, giving retail and institutional investors greater access to the asset—in November, a group of US bitcoin exchange-traded funds recorded $6.2 billion of inflow. Stablecoins also saw significant, use accounting for trillions of dollars of transaction volume every month. In October, Stripe acquired stablecoin platform Bridge for $1.1 billion, demonstrating what may be fintech firms’ bigger push into digital assets. 

Digital assets should be expected to see more mainstream adoption under the Trump administration and a Republican-led House and Senate, which have expressed a pro-crypto stance. This will likely result in more open-source developers in the United States and greater exploration by financial institutions. 

—Nikhil Raghuveera is a nonresident senior fellow at the GeoEconomics Center and co-founder of Predicate.

As interest rates hit twenty-year highs, developing countries paid out a staggering sum of $1.4 trillion to service their foreign debts. The details behind that headline are equally stark and troublesome. Interest payments alone amounted to more than $400 billion as rates surged. And, as with most shocks, the poorest countries and most economically insecure people have been hit the hardest as governments are forced to make tradeoffs between development and growth, and as spending is diverted from critical health, education, and infrastructure investments. Low-income economies eligible for the International Development Association (IDA) paid $96 billion in debt service; and their interest payments now amount to nearly 6 percent of the export earnings of IDA-eligible countries—a level that hasn’t been seen in more than twenty-five years. For some countries, the payments run as high as 38 percent of export earnings. And more money is flowing out than in. Since 2022, foreign private creditors took in almost $13 billion more in debt-service payments from public sector borrowers in IDA-eligible economies than they doled out in new financing. Multilateral banks have been playing a larger role, even as service payments, interest rates, fees, charges, and surcharges have come under scrutiny. 

For its part, the World Bank announced in advance of the Annual Meetings in October that it was lowering the minimum equity-to-loan ratio from 19 percent to 18 percent, freeing up $30 billion more in financing, removing certain fees, and lowering the price of loans for smaller economies. Meanwhile, the International Monetary Fund (IMF) announced a package of reforms to its General Resources Account lending that will significantly reduce the cost of IMF borrowing, which has compounded the crisis for many countries. The principal changes include a reduction of the margin over the Special Drawing Rights interest rate, an increase in the threshold at which surcharges apply, a lower rate for time-based surcharges, and a higher threshold for commitment fees. More than a third of General Resources Account (GRA) borrowers are currently subject to surcharges. By fiscal year 2026, the number of nations subject to surcharges is projected to drop from twenty to thirteen. Hefty savings for GRA borrowers are expected––$1.2 billion annually, or 36 percent.

––Nicole Goldin, PhD, is a nonresident senior fellow at the Atlantic Council’s Geoeconomics Center.

Nothing encapsulates China’s economic crisis better than the steep fall in government revenue from “land use” sales. Since peaking in 2021, the country’s booming real estate sector has fallen into a deep depression, with construction grinding to a halt in many cities and falling prices adding to deflationary pressures in the Chinese economy. That has proven devastating to China’s heavily indebted local governments, which have relied on the sale of “land use” rights for much of their operating income. The IMF estimated in 2023 that the debt of local governments and financing vehicles they’ve set up over the years to raise (and spend) money totaled more than 100 trillion yuan ($13.7 trillion). With an estimated fifty million residences sitting empty nationwide, many property developers having defaulted on debts, and local governments unable to pay their bills, Beijing is struggling to sustain economic growth.

—Jeremy Mark is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center.

In 2024, the US Department of the Treasury took the final steps to implement Biden’s Executive Order 14105 to create a targeted Outbound Investment Security Program. During the rulemaking process, Treasury initially estimated that 212 transactions per year could fall within the program’s jurisdiction. The public comment period apparently caused Treasury to raise their estimates to 318 to “account for the likely underrepresentation of potentially relevant transactions,” but the private markets are famously opaque and Treasury went on to concede that “precise data that matches the scope of potential covered transactions is not available.” Treasury’s revised estimate should still only implicate less than 1 percent of deal activity (by deal count, vice value). The question for 2025 is whether this small percentage is an accurate reflection of the program’s impact on US outbound investments and the costs of compliance.

—Jesse Sucher is a nonresident senior fellow at the Atlantic Council’s Economic Statecraft Initiative in the GeoEconomics Center. 

There is nothing like large, unilateral, and across-the-board tariff proposals from the United States to get tongues wagging and economic models churning. The latest tariff proposals from the president-elect are no exception. But maybe more important than the impact of such tariffs is the question of whether the EU should view these tariff proposals as weapons and threats directed against trading partners, or as tools of US domestic policy that result in collateral damage to the EU. Each characterization is credible, but the difference is huge in terms of the direction of transatlantic relations.  And once EU policymakers start to publicly own one narrative or the other, it is hard to go back. 

If the tariff proposals are viewed as weapons and threats, a reasonable EU response—and maybe the only one—is retaliatory tariffs, and to refuse to negotiate “with a gun to our heads” (in well-worn EU parlance). This would likely lead to tit-for-tat retaliation or even a trade war. If, by contrast, the EU views the tariff proposals as tools of US domestic policy that inflict collateral damage on the EU, then a reasonable response is an early bilateral discussion on other ways to achieve US domestic policy objectives, but with less or no collateral damage to the EU. 

Among the policy objectives for these and previous proposed tariffs are: addressing persistent goods trade imbalances, encouraging domestic manufacturing, raising revenue, and protecting against and disincentivizing nonmarket excess capacity. These are policy goals that the EU and other trading partners can understand (and even arguably share), even if they disagree that tariffs are always a good way to achieve them. Indeed, some of these goals—like addressing the challenges posed by nonmarket economies—are better achieved in coordination with like-minded allies, which provides a clear opening and opportunity for collaboration.  

The current moment is ripe for early US-EU engagement on achieving the United States’ policy objectives while minimizing collateral tariff damage (including to the US economy itself). Engagement could, indeed, drive the percentage numbers in the header above closer to zero, at least for the EU.

––L. Dan Mullaney is a nonresident senior fellow with the Atlantic Council’s Europe Center and GeoEconomics Center.

That’s the amount of money generated by pulling forward future interest earnings on Russia’s blocked sovereign assets. For nearly three years, the G7 debated how to handle the $300 billion in Russian foreign exchange reserves being held in Western central banks. While some advocated for a total seizure of the full amount, others worried about the legality of such a move and the backlash it would create across the Global South. 

So the G7 reached a game-changing compromise. Creatively, and drawing in part on Atlantic Council GeoEconomics Center research (see our simple annuity formula below), the G7 calculated the interest these assets would earn over the next twenty years and deliver that total—$50 billion—to Ukraine in this calendar year. When you consider that Ukraine’s total budget in 2023 was around $80 billion, you understand that this solution is more than just a temporary fix—it’s a surge of resources delivered at a critical moment. And the number also represents what can happen when allies work together and think outside the box during an unprecedented situation.

––Josh Lipsky is the senior director of the Atlantic Council’s GeoEconomics Center.

Digital ID presents massive opportunities for governments and the private sector to interact with people more efficiently; well-known examples include India’s Aadhar system and Estonia’s e-ID. As governments digitize services and interfaces with constituents, digital ID is expected to play a significant role in resource allocation, access control, and data collection. At the same time, digital ID poses a number of challenges. Prior research (including from me and my colleagues at Carnegie Mellon University) has shown that ID requirements can pose significant barriers—particularly to marginalized populations—due to procedural challenges and/or limited resources for onboarding, identity-proofing, and authenticating individuals. Another prominent challenge is privacy and security. Digital ID systems typically collect and process sensitive data such as biometrics; ensuring proper privacy and security protections for this data is far from trivial. Moreover, not all countries with digital ID systems even have data protection laws in place—or the means to enforce them. 

As governments around the world increasingly embrace digitization and adopt digital ID, they will face a challenging balancing act between providing useful, usable services while also providing safeguards against many potential pitfalls that can have disastrous outcomes for constituents.

—Giulia Fanti is a nonresident senior fellow at the Atlantic Council’s GeoEconomics Center and an Angel Jordan associate professor of electrical and computer engineering at Carnegie Mellon University.

Through May of 2024, Russia supplied approximately 35 percent of US imports for nuclear fuel. Biden imposed a ban on the importation of uranium products from Russia, which went into effect in August. This was a significant move for the US energy sector transitioning away from resources that had been a critical part of the US nuclear energy regime. It’s important to note that a waiver process exists to allow some importation of enriched uranium to continue for a limited time. 

This very narrow resource that continued to be purchased from Russia by a country that had imposed crippling sanctions on the Russian economy is an important reminder that Russia was still very much part of global supply chains this year. 

—Daniel Tannebaum is a partner at Oliver Wyman, where he leads the Global Anti-Financial Crime Practice, and a nonresident senior fellow within the Atlantic Council’s GeoEconomics Center.

In October, the Associated Press reported that Microsoft and Google would invest in small nuclear reactors to support “surging demand [for carbon-free electricity] from data centers and artificial intelligence.” Amazon also announced plans to invest in small nuclear reactors as dedicated sources of zero-carbon energy to support its data centers and server infrastructure.

These investments occur as technological innovation sparks sharp increases in demand for electricity, as seen in data released by the US Energy Information Administration.

Goldman Sachs research this year estimates that AI alone will generate a more than 160 percent surge in demand by 2030 for electric power to cool data centers and maintain operational integrity for the physical servers that support cloud-based AI computing.  

The share of demand for electricity by US data centers is expected to double by 2030, although it will still remain in the single digits relative to other sources of demand.

For decades, energy and national security have had a high degree of overlap with geopolitics due to the unique role that fossil fuels play in the global economy. One consequence of Russia’s aggression in Ukraine since 2014 has been to incentivize the rapid adoption of clean energy in order to minimize geoeconomic vulnerabilities associated with imported fossil fuel energy. 

Many will celebrate the proactive shift toward renewable and nuclear energy by the three largest technology companies on Earth. But the shift will also create national security issues among three critical infrastructures: the electricity grid, nuclear energy, and AI/data centers. Local, renewable, zero-emission energy will transform and potentially complicate the interplay between national security policy, energy policy, and AI policy.

—Barbara C. Matthews is the CEO of BCMstrategy, Inc., a company that generates AI training data from the language of public policy. When in government, she was the first US Treasury Department attaché to the EU and, prior to that, senior counsel to the House Financial Services Committee. She is a nonresident senior fellow with the Atlantic Council’s GeoEconomics Center.

The post By the numbers: The global economy in 2024 appeared first on Atlantic Council.

Recognizing this rapid progress as well as the tremendous potential, policymakers in the three countries are rightly betting on the promise of their technology sectors to play key roles in economic growth, job creation, and overall social good. As policymakers are aware, developing vibrant and innovative technology sectors is even more urgent given the ongoing transition worldwide from labor-intensive economies to more knowledge-intensive ones. This trend is accelerating because of recent technological breakthroughs, including in automation and robotics, big data, and generative artificial intelligence (AI).

Policymakers are also rightly prioritizing greater data regulation, for reasons that range from combating misinformation to safeguarding national security and sovereignty. These priorities—including economic, social, and security—involve complex trade-offs.

To be sure, none of these trade-offs and complexities are unique to these three South Asian countries. Governments across the world are navigating similar issues, made even more challenging by the rapid pace of technological progress.

Recognizing the importance and complexity of this topic, the Atlantic Council’s South Asia Center embarked in 2023 on a study of the state of data protection regulations in Bangladesh, India, and Pakistan. The project resulted in three issue briefs—one each for the three countries—that were published from March through May 2023 and provided an overview of the regulatory landscape, the underlying politics, and watchpoints. This paper represents the capstone of the project.

The subsequent sections of this paper provide summaries of the three issue briefs. A snapshot of the main reasons why data protection regulation matters is presented below.

1. Economic: A broad range of sectors and companies stand to gain substantially from well-designed data protection regulations, and to thereby enable countries’ economic objectives that include growth, job creation, foreign direct investment, and foreign exchange reserves. Small and medium-size enterprises stand to gain substantially from opportunities in e-commerce and gig economies. Conversely, they are more likely than large firms to be hurt by digital trade restrictions. Good data protection regulations support the growth of innovative sectors such as those in AI, blockchain, biotech, robotics, 3D printing, electric vehicles, and other technologies of the 21st century. Digital trade regulations can enable or curtail the growth of services such as IT, financial, and business consulting.
2. Social: Data protection regulations affect social development objectives, such as privacy, the growth and effectiveness of democracies, and the efficient delivery of essential social services, such as health care, education, and benefits. Achieving these social objectives involves careful navigation of trade-offs in data regulations, for instance, between the goal of protecting free speech and the goal of minimizing hate speech and misinformation.

Join the South Asia Center mailing list

The South Asia Center serves as the Atlantic Council’s focal point for work on greater South Asia as well as its relations between these countries, the neighboring regions, Europe, and the United States.

• Name
  First Last
• Email
• 
  
  
• Phone
  This field is for validation purposes and should be left unchanged.

Bangladesh

The South Asia Center’s issue brief on Bangladesh, “Bangladesh’s Draft Data Protection Act,” authored by Stephen Weymouth in March 2023, focused on the potential implications of new restrictions on cross-border data flows and data localization requirements. The brief tracked the recent history of efforts by the Bangladesh government to promote digitalization of the economy while seeking to curb threats to data privacy and to protect personal data. 

The Digital Bangladesh initiative, launched in 2009, sought to build a national digital infrastructure that could connect Bangladesh to the larger global economy, position it as a regional commercial hub, and spur more access for its citizens to digital services. The initiative was generally seen as successful in providing the digital underpinnings for an economy that saw enormous growth in the decade that followed. The Digital Security Act of 2018 and its successor, the Cyber Security Act, however, raised questions about the increased role of Bangladesh enforcement bodies in governing the digital activities of its citizens.

The draft Data Protection Act of 2022 caused concerns among many stakeholders over the risk of some of the proposed provisions undermining the vision and ambitions of the Digital Bangladesh initiative. Some of the proposed measures were seen as being counterproductive by constraining the required range of digital services and increasing regulatory uncertainties and costs. The concerns of stakeholders included aspects such as the draft act’s requirement that sensitive data, user-generated data, and classified data be stored on servers located in Bangladesh and the draft act’s proposed restrictions on the transfer of personal data outside Bangladesh. 

More recently, there have been encouraging signs that the Bangladesh government is noting some of the inputs received about the Data Protection Act. The latest version, issued in January 2024, took an important step forward in narrowing the scope to “personal data” rather than the more general “data.” Stakeholders in the United States and elsewhere have welcomed this improvement and expressed hope that this trend toward less restrictive treatment of data flows will continue as Bangladesh finalizes and enacts the legislation.

Concerns remain, however, about some aspects of the latest draft act. For instance, the three-year transition period that was included in a March 2023 draft has been deleted, even though it would have enabled stakeholders to fully understand and properly implement new data flow restrictions. Additionally, the conditions for transfer of data that is not “classified” outside Bangladesh are not clear in the draft and could create new legal uncertainties for data fiduciaries. The draft could also benefit from greater discussion and clarity about proposed measures involving extraterritorial application, disclosure of protected data to government authorities, and the practicality of parental consent and age verification.

Bangladesh is at a turning point, with significant potential to build on its remarkable socioeconomic progress and diversifying beyond dependence on the garments sector. If Bangladesh strikes a productive balance between policies that would bolster its vibrant growth and those that enable government oversight, the country will be on a fast track to unlocking its immense potential.

To note, the ongoing political crisis in Bangladesh has added new uncertainties to policy making, including the digital landscape.

India

Stephen Weymouth also authored the South Asia Center’s issue brief on India, “India’s Personal Data Protection Act and the Politics of Digital Governance,” in May 2023. The brief highlighted the role of digital trade in India’s continuing economic growth and the recent efforts of the Indian government under the Narendra Modi administration to bring some regulatory order to the country’s burgeoning digital marketplace. The brief provided a summary of the wide-ranging legislation in the works at that time, including the Digital Personal Data Protection Bill, the Digital India Bill, and the Telecommunications Bill. 

Since then, the government succeeded in passing two pieces of legislation: the Digital Personal Data Protection Act (DPDP Act) and the Telecommunications Act. The government’s vision going forward involves a comprehensive regulatory framework to govern digital commerce and trade. Its legislative agenda therefore includes other rules and draft bills such as the Information Technology Rules, the draft Digital Competition Bill, and the draft National E-Commerce Policy. It remains to be seen how this agenda is advanced through the many relevant ministries. 

Reactions to all this activity have been mixed. For example, on the US-India bilateral front, the joint statement on the Trade Policy Forum, convened by Minister of Commerce and Industry Piyush Goyal and US Trade Representative Katherine Tai on January 12, 2024, noted that Ambassador Tai “appreciated India’s extensive consultations and noted that India’s approach of enhancing data protection, privacy and security while enabling connectivity will support further expansion of the bilateral digital trade.” To this point, an important and welcome amendment to the final DPDP Act was a shift from data localization—a prospect in earlier drafts that had caused widespread concern—toward permitting data flows from trusted geographies. However, while the DPDP Act signals a moving away from express data localization mandates, it does not specify to which countries data may be transferred nor does it list the criteria for trusted geographies.

The Modi administration is preparing for a third term in power following India’s national elections, conducted from April 19 to June 4. Despite Prime Minister Modi’s party falling short of a majority in parliament and now leading a coalition government, the administration’s likely focus will remain on preparing India to be the third-largest economy in the world by the end of the decade and to be a compelling pole in an increasingly multipolar world. The global marketing of data public infrastructure, as witnessed during India’s G20 presidency, is a manifestation of this.

To enable the administration’s vision for India’s growth and global stature, the government needs to promote foreign investment in both goods and services production. At the same time, the government is sensitive to concerns in key electoral constituencies about the threat of foreign competition. The government has also sought to regulate social media content with measures that have been criticized by some as authoritarian and intended to control the political narrative but supported by others as necessary to prevent the spread of misinformation and to ensure public order.

The Modi administration has demonstrated admirable ability to advance a socioeconomic agenda by navigating these trade-offs and to take into account inputs from a range of stakeholders. The administration should continue to show its readiness to listen to many different voices through opportunities for consultation and stakeholder engagement. Doing so will help continue putting in place a regulatory environment that balances complex trade-offs and lays the groundwork for India’s continued rise in the coming decades.

Pakistan

In his April 2023 issue brief, “Pakistan’s Data-Protection Landscape in 2023,” Uzair Younus highlighted that the Pakistan government risks curtailing the development of its digital economy if its legislation on data protection increases regulatory uncertainties and costs. Such legislation may discourage foreign investment and impede development of a facilitative ecosystem for local start-ups as well as other domestic and multinational investors. Per Younus,¹ this would be a self-inflicted wound, given the impressive growth of Pakistan’s technology sector from USD 1 billion in fiscal year 2018 to around USD 2.6 billion in 2023.

The Prevention of Electronic Crimes Act (PECA) of 2016 was among the first pieces of data regulation in Pakistan. The act involves many measures that are stated as being intended for public order and to prevent misinformation, which are important goals. However, the act is also counterproductive to building a strong, globally competitive digital economy. PECA increases uncertainties and costs of doing business, for instance, providing unclear levels of authority to the Pakistan Telecommunication Authority to control content on social media. Although a range of private sector and civil society stakeholders within and outside Pakistan have advocated against continuing this approach, the measures remain in place and appear likely to be reinforced with new legislation on data protection. 

Since 2020, the Ministry of Information Technology and Telecommunication has been working on data protection legislation that involves potential features that could negatively affect growth and homegrown innovation in digital services. These features include data localization requirements, many controls on data flows, low autonomy of data regulatory authorities, and insufficient opportunities for checks and feedback on enforcement. These concerns were discussed in bilateral US-Pakistan trade dialogues, as reflected in the joint statement on the ninth meeting of the Trade and Investment Framework Agreement Council in February 2023. 

While admittedly operating in challenging circumstances, Pakistan’s government—newly formed after elections in February—could consider slowing the pace of new data regulations and prioritizing additional rounds of inputs and consultations on existing and proposed legislation. The government could even seize the opportunity to reset and refresh the regulatory agenda by considering changes to the Data Protection Act approved by the cabinet. Additional engagements with key stakeholders both in the private sector and civil society groups would enable the new government to revise the act to better balance the goals of protecting data privacy, preventing misinformation, and promoting a robust digital economy.

Pakistan’s technology sector holds tremendous promise for the country’s future, even more so amid the ongoing economic stasis. The sector can play a key role in Pakistan’s economic recovery and in fully realizing the country’s economic potential. The Pakistan government should safeguard and catalyze the sector through any means in its tool kit. A well-designed regulatory framework could be a core component of that tool kit.

Conclusion

With their large, youthful, and highly digitized and connected populations, Bangladesh, India, and Pakistan have immense potential as emerging economies, vibrant demographies, and key players in a multipolar world. Admittedly, each country is in a different state of development in terms of economic growth, economic diversification, digitization, integration into global trade and value chains, democratic parameters, and social services, among others.

The differences in context notwithstanding, all three countries stand to benefit economically and socially from well-designed data protection regulations. For instance, suitable regulatory frameworks could enable each country to supercharge growth of its technology sector and enable it to capitalize on opportunities through greater digital linkages and trade with large markets such as the United States and the European Union. Conversely, each country’s immense potential risks being negatively affected by limitations in its regulatory frameworks in areas such as extraterritorial scope and governance of personal data sharing with governments.

In this context, the Atlantic Council’s project resulted in the following main observations and recommendations to policymakers and other stakeholders in the three countries.

• Bangladesh: Bangladesh’s most recent draft of the Personal Data Protection Act, 2024, contained measures that were welcomed by stakeholders, such as the narrowing of the act’s scope to personal data. The government could continue to refine the draft based on consultations, including, for instance, to permit an appropriate transition period. The government could also continue to remain open to inputs from key stakeholders for future data protection legislation. However, recent developments in Bangladesh’s political climate have brought new uncertainties to the trajectory of policy making in the country.
• India: India’s consultative and iterative approach with the DPDP Act was welcomed by many, as were some of the main updates incorporated into the final act. Industry, civil society, and other stakeholders would welcome a similarly consultative and iterative approach toward ongoing and future data regulations, including the work-in-progress draft E-Commerce Policy.
• Pakistan: Pakistan’s new government could consider slowing down the pace of data protection legislation and could prioritize inputs and consultations with key stakeholders from the private sector and civil society. In addition, the government could seize the opportunity to review and refresh the latest version of the Personal Data Protection Act and welcome inputs from stakeholders to that end.

More broadly, all three governments—and governments across the world—could choose to adopt more nimble and flexible approaches to policymaking in this complex and rapidly evolving context. A “regulatory sandbox” approach, while undoubtedly complex politically and administratively, could enable policymakers to learn, adapt, and customize regulations over time.

Mark Linscott is a nonresident senior fellow with the Atlantic Council’s South Asia Center. Prior to joining the Atlantic Council, Linscott was the assistant US trade representative (USTR) for South and Central Asian Affairs.

Gopal Nadadur is a nonresident senior fellow at the Atlantic Council’s South Asia Center and is also vice president for South Asia at The Asia Group.

Issue Brief Mar 8, 2023

Inside Bangladesh’s new data protection laws

By Stephen Weymouth

The 2022 Draft Data Protection Act (DPA), which establishes new restrictions related to the processing, storage, and transfer of data, appears to move Bangladesh’s digital governance in a different direction.

Bangladesh Digital Policy

Issue Brief Apr 17, 2023

Pakistan’s rapidly digitizing society requires clear policymaking

By Uzair Younus

This issue brief provides recommended steps that policymakers in Pakistan ought to take to address key concerns around free expression on the internet, and to generate momentum to catalyze higher levels of growth in Pakistan’s technology ecosystem.

Digital Policy Economy & Business

The South Asia Center is the hub for the Atlantic Council’s analysis of the political, social, geographical, and cultural diversity of the region. ​At the intersection of South Asia and its geopolitics, SAC cultivates dialogue to shape policy and forge ties between the region and the global community.

Learn more

The post Mapping South Asia’s digital landscape appeared first on Atlantic Council.