Contents

1. Executive summary

2. How much digital sovereignty does Europe need?

3. What constitutes digital sovereignty?

3.1 Origins of the term

3.2 Importance for the financial sector

4. Policy reqirements to strengthen Europe’s digital sovereignty

4.1 Create a level playing field for digital competition

4.2 Promote cloud banking in Europe

4.3 Promote the data economy by creating a cross-sector data framework

4.4 Enhance cybersecurity expertise

4.5 Introduce a programmable euro

4.6 Create a digital ID ecosystem

1 Executive summary

The digital sovereignty of Europe is a basic prerequisite for the European economy to maintain its innovativeness and therefore its competitiveness in the medium to long term. Yet, Europe’s digital sovereignty is still very limited. The increasing concentration of economic power and technological expertise among large, non-European online platforms has meant they can operate as gatekeepers, particularly to the digital economy. At the same time, however, German and European businesses are strongly interlinked in a globalised world with a high degree of specialisation. So, with this in mind, full digital sovereignty in the sense of complete separation would not be desirable. The aim of this position paper is to raise awareness for the need to strike an even balance between strengthening Europe’s digital sovereignty and retaining an open and flexible European economy in a globalised world. Protectionist measures aimed at turning digital sovereignty into a reality will have a negative impact on Europe as a location and must therefore be avoided.

In order to strengthen Europe’s digital sovereignty, and particularly that of its financial industry, this position paper looks at the specific requirements of the financial industry through the prism of the four sovereignty dimensions – infrastructure sovereignty, data sovereignty, decision-making sovereignty and platform sovereignty.

• Overhaul the existing framework of competition law to produce modern legislation that creates a level playing field for digital competition.
• Promote cloud banking in Europe by removing regulatory hurdles and creating European standards that allow IT infrastructure to become more flexible and powerful.
• Support the data economy by creating a cross-sectoral data framework that allows data-driven value creation across all industries and for the benefit of customers.
• Develop and expand cybersecurity expertise not only to protect critical infrastructures, but also to gain the trust of the individual in the digital economy.
• Focus on multilevel procedures to introduce a programmable euro in order to support particularly German industrial enterprises with their digital transformations.
• Create a European digital eID ecosystem.

All efforts to strengthen digital sovereignty should aim to tread a common European path. And this path must be based on European values and standards such as trust, openness, high levels of data protection and smart governance, whilst also maintaining the competitiveness of European businesses.

2 How much digital sovereignty does Europe need?

“Now is the time for Europe to be digitally sovereign” – these were the words used in a letter sent in early March 2021 by four European heads of government, including German chancellor Angela Merkel, to call on the European Commission to come up with an action plan for greater digital sovereignty. This latest attempt to highlight the issue underlines once again how important the topic has become in recent years. Hardly any political debate about Europe’s role in the world fails to mention digital sovereignty; the term has become synonymous with Europe playing catch-up in the global race for technology leadership, particularly in relation to the US and China. However, this does not define what digital sovereignty needs to encompass. At the German government’s most recent digital summit towards the end of 2020, Chancellor Angela Merkel said that Europe must be able to do everything – in other words, Europe must be independent without restraint. However, Minister of State for Digitalisation, Dorothee Bär, was more reserved and said that for her, digital sovereignty meant wanting to go our own European way on digitisation and determining the digital transformation for ourselves. She said that neither was it a question of doing everything ourselves in Europe. It was about having the sovereignty to decide where we want to remain independent and which areas we will have to invest in.

In the context of the political discussion as to how the competitiveness of banks and fintechs in Europe can be secured, the debate about digital sovereignty has already found expression in regulations targeting the European financial sector. Legislative initiatives, such as the Digital Operational Resilience Act (DORA), the Markets in Crypto-assets Act (MiCA), the Digital Services Act (DSA) and the Digital Markets Act (DMA) show the efforts being made by policymakers to strengthen the digital sovereignty of Europe as an economic location and financial centre. Europe’s GAIA-X project, initiated by the German government, to create an open data infrastructure is also headed in this direction. Nevertheless, Europe has a long way to go to secure its digital sovereignty. As the facts and figures show: China has been working on a digital central bank currency since 2015, Google dominates almost the entire European market for search engines and the vast majority of European internet users are active on Facebook every day. Together with its other services, WhatsApp and Instagram, the Facebook group is already an almost indispensable part of the everyday lives of many Europeans.

In order to strengthen and, at the same time, secure Europe’s digital sovereignty, it is crucial that transparent and flexible economic activities are not endangered in a globalised world. However, in our rush to regain technological self-determination, we must never lose sight of the fact that we live in a networked world and that we benefit massively from it. In other words, in a global and therefore highly specialised world, full digital sovereignty will never be possible; we need to strike an even balance. In the following section, we highlight what the Association of German Banks – a firm advocate of these objectives – believes will achieve balanced digital sovereignty in Europe and look specifically at measures relating to the financial sector.

3 What constitutes digital sovereignty?

3.1 Origins of the term

The concept of digital sovereignty has emerged quite recently from the aspiration to achieve European leadership and strategic autonomy in the digital domain. It describes Europe’s ability to act independently in the digital world, deploying both protective mechanisms and offensive instruments to foster digital innovation.

A report by the European Commission on media sovereignty from March 2019[1] highlights that the power of global tech companies whose strategies revolve around the collection and analysis of data, and whose actions are not always guided by European rules and basic values, represents a major political challenge for Europe. Furthermore, in 2019, the European Parliament expressed its deep concern about security threats associated with the growing technology presence of China in the EU and called for possible measures at EU level to reduce Europe’s dependencies.

What does this mean specifically for the concept of “digital sovereignty”? What areas need to be defined and what levels of competence and autonomy need to be attained before we can talk about achieving digital sovereignty? The Bertelsmann Stiftung determined in its publication from July 2020 that the term “digital sovereignty” is interpreted very differently and made its own attempt to define it.

“Digital sovereignty is the ability of an entity to personally decide the future form of identified dependencies in digitalisation and to possess the necessary powers.”[2]

In our opinion, it is important that digital sovereignty, in the sense of being able to take our own decisions and actions, ought not be based solely on an analysis of the present. When considering how critical or indispensable a service, product or sector is, it is vital to take into account future developments and the overall global context.

The Karlsruhe Institute of Technology (KIT), together with the Fraunhofer-Gesellschaft, published a thesis on the digital sovereignty of Europe and attempted to differentiate between its four constituent dimensions. Accordingly, the four dimensions of digital sovereignty are as follows:

• Infrastructure sovereignty: the ability to create trustworthy technical infrastructures or to verify their trustworthiness and operate them in such a way that services offered on the basis of these infrastructures are trustworthy.
   
• Data sovereignty: the ability to make informed and self-determined decisions about how and by whom information about one’s own person or institution, one’s own actions or products is collected, processed and transferred.
   
• Decision-making sovereignty: the possibility to trace the origins and justifications for decisions and recommended actions implemented by autonomous systems and assistants and, where applicable, to influence them through human intervention.
   
• Platform sovereignty: occurs when the market power of major players in a platform economy is restricted through regulation and deliberate customer choices to a degree that allows fair competition.

If European areas of competence and common goods are discussed in terms of these four sovereignty dimensions, it becomes evident that EU member states can only be successful in all these individual areas if they work together. This is clearly illustrated, for example, in the financial industry.

3.2 Importance for the financial sector

Europe’s digital sovereignty is vitally important for the innovativeness of European businesses and organisations. And since users of IT services and of success-critical digital technologies depend on there being sufficient competition on the provider side, the needs of both providers and users must be taken into account. As users of a variety of IT services for many years, banks are all too aware of this. Setting up a competitive landscape of European IT providers, most prominently offering cloud services, and actively promoting European IT cooperation projects, such as the GAIA-X initiative set up by the German government to create an open data infrastructure, are enormously important. These initiatives all come under the dimension of infrastructure sovereignty.

It also includes setting up secure technological infrastructures (e.g. 5G) and a digital euro. Although in its payments system based on SEPA standards, Europe has a sovereign and powerful payments infrastructure, it is under threat from initiatives such as Facebook’s digital currency, Diem (formerly known as Libra). In order to introduce a programmable euro and thereby satisfy the needs of industry in the Internet of Things (IoT), a powerful telecommunications network is vital. In addition, true digital infrastructure sovereignty can only be attained through strong European cybersecurity skills, as this issue will dominate future security policy.

Data are not only a key factor in strategic production and competition, they are also at the core of value creation in the digital economy. The financial sector has supported the principle of data sovereignty by using open interfaces for Europe-wide payment services, in line with the EU’s Revised Payment Services Directive (PSD2). Of course, the use of open interfaces is currently unilateral and limited to the financial industry. Open interfaces must now be used in all sectors, including the major technology companies, because promoting the exchange of data across sectors is fundamental for European data sovereignty. This includes allowing customers to make decisions about storage, processing, access and use of their data at any time. Among other things, this would enable banks to better satisfy customer needs and to modernise and thereby significantly improve their risk management.

Decision-making sovereignty in the digital world is becoming increasingly dependent on expertise in the field of artificial intelligence. Entire business models and even government action are increasingly based on the evaluation of enormous amounts of data by complicated algorithms. It became clear during the COVID-19 pandemic that decisions taken based on the use of advance AI systems could have major advantages in combatting the spread of the virus.[4] The US and China, in particular, are leaders in the field of research and development into artificial intelligence. The lack of European expertise in this area could have devastating consequences for the sovereignty of Europe, since it would mean purchasing technologies blindly and without any real opportunity to verify them. Even today, it is no longer possible in all cases to fully trace every decision made using advance AI methods, such as neural networks. The possibility to trace the origins and reasoning of decisions taken and actions recommended by autonomous systems and to influence them, where necessary, is important for the individual as well as for businesses and industries. A sense of proportion must be applied here in order to enforce decision-making sovereignty over the major US and Chinese tech companies and, at the same time, avoid excessive regulation for European providers, such as banks.

In terms of platform sovereignty, market distortions resulting from the gatekeeper role of the major online platforms must be countered by a more modern framework of regulation for digital services and new competition legislation. This affects banks in particular because they are already in competition with the major online platforms in some business sectors. At the same time, however, they still need to cooperate with them, for example in setting up cloud solutions for bank IT. Especially in the acquisition of new customers, banks are increasingly dependent on platforms; the customer journey usually begins with providers such as Google. Banks are at a disadvantage here because they are gradually losing the customer interfaces. A European digital identity network set up as a public-private-partnership between all sectors and government to “verify identities” could form a counterweight to solutions from the major platforms. However, we are seeing an increasing loss of customer interfaces and noting how hugely dependent existing customers are on platforms, such as Apple Pay, Samsung and Google Pay.

Digital sovereignty should not be achieved by copying what already exists in other countries, instead we should create a framework that meets our future needs and allows us to tread a European path. This European path should be characterised by values and standards such as trust, openness, high levels of data protection and smart governance. However, we do not have much time. Digitisation is not subject to any linear innovation process, it is exponential and fast action should be the top priority.

In the following, we outline the specific policy requirements being called for by Germany’s private banks. They have been carefully formulated to advance Europe along the path to digital sovereignty.

4 Policy requirements to strengthen Europe’s digital sovereignty

4.1 Create a level playing field for digital competition

• The increasing concentration of economic power among online platforms, which have assumed the role of gatekeepers to the digital economy, has resulted in a distortion of the European digital single market and of global competition. Online platforms can exploit their economies of scale, network effects and data assets to continually improve their services and penetrate an increasing variety of business sectors. At the same time, this “winner-takes-all” effect means that existing or potential competitors and new market entrants have absolutely no chance of catching up with the gatekeepers thanks to their competitive advantage.
   
• In some business sectors, banks already compete with the major online platforms, in others, they have no alternative but to cooperate with them. Since the gatekeeper role of the major online platforms threatens to put banks at risk if they lose direct customer access to these platforms, some have decided to adapt platform-based business models. It is therefore important to differentiate between the gatekeeper platforms and new and innovative platform models. It must be made easier, particularly for banks, to pursue tech developments and new business models which are far removed from traditional banking areas in other group divisions, in order to maintain the long-term competitiveness of the European financial sector. 
   
• We believe some of the business practices undertaken by the major online platforms are particularly problematic, and especially the “take-it-or-leave-it” approach which often amounts to gatekeepers refusing to negotiate or compromise in any way on their business relationships. It is, therefore, important in this regard that the major gatekeeper platforms are not afforded the possibility of restricting access to the technical infrastructures on their platforms, for example, by limiting access to Near Field Communication (NFC) interfaces for third-party applications in the financial services sector. In addition, major gatekeeper platforms should be obliged to provide more data transparency and to share data with their customers (i.e. businesses/banks).
   
• We support the goal of maintaining fair and competitive markets. Competition promotes innovation which benefits users. Competition increases the innovative spirit of businesses. Functioning competition simultaneously prevents the emergence or consolidation of social or political powers that are too dominant. Consumers, especially, benefit from a competitively organised market because they are able to choose from a wide variety of offers of those goods and services that correspond most to their ideas of quality and price.
  • The recent proposals put forward by the European Commission in its Digital Markets Act are a step in the right direction because they address the negative consequences resulting from the behaviour of the major online platforms (gatekeepers), i.e. search engines, social networks and online marketplaces. The proposals are aimed at closing gaps in the regulation of gatekeepers and allowing measures to be implemented that maintain the competitiveness of markets. Germany’s private banks welcome that these rules will only apply to the major online platforms with fixed quantitative threshold values and that the proposals include clear “dos and don’ts”. The regulations in the Digital Market Act must now be implemented in European competition as soon as possible.
  • At the beginning of the year, German lawmakers responded appropriately to the growing significance of digital and platform companies by initiating significant changes to national competition law with the 10th Amendment to the German Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen, GWB). These are, in particular, the inclusion of intermediation power as a criterion for determining a dominant market position, new regulations on the right of access to essential infrastructures, behavioural obligations for undertakings with an overriding importance for competition across markets as well as the German Monopolies Commission assessing the legality of certain partnerships when requested to do so. We welcome these changes.
     
• An EU digital single market is the foundation for digital services to be developed competitively and dynamically within the EU. It is important to reduce the fragmentation of the legislative framework for the EU’s digital single market in order to improve opportunities for innovation and to deepen the single market for digital services. 
  • Banks are faced with fragmented regulation, supervision and jurisdictions across various authorities in the EU single market. Alongside calls from banks for capital markets union in the EU, a digital single market is highly relevant for banking services that are increasingly shifting to the digital sphere.
  • EU authorities must significantly expand their expertise in the area of digital services and, in particular, acquire the technical know-how.

4.2 Promote cloud banking in Europe

• A technological paradigm shift has been taking place in the IT of many banks in recent years. Given the ever faster pace of change in industries and customer needs, a flexible and efficient IT infrastructure has become vitally important. Driven by digital competition and new customer behaviour, it has been necessary to steadily increase agility, customer centricity and cost effectiveness while reducing the time to market.
  • The foundation for this is the cloud as the technological basis for modern analytics solutions, artificial intelligence applications, big data, microservices and application programming interface (API) connections. Most banks aim at a hybrid combination of traditional IT systems and cloud applications in their IT architecture.
  • The targeted migration of bank infrastructure from local systems to the cloud is an important element of ensuring the competitiveness of the bank of the future.
     
• However, regulatory challenges often make it difficult to implement cloud projects swiftly, efficiently and in compliance with the rules. The interpretation of existing rules and their supervision do not yet take sufficient account of the rapidly increasing use of the cloud by banks. At the same time, new regulatory projects such as DORA contain proposals that could hamper the cloud journey of banks and have adverse effects on the range of cloud services and their prices. To rectify this, we believe some adjustments are needed. We call on regulators and supervisors to support an innovative financial sector and become actively involved in eliminating practical obstacles to greater use of cloud technologies in banks.
   
• We recommend EU-wide rules and the establishment of standards. The regulation and supervision of cloud outsourcing should always take a risk-based approach. Existing regulation[5] already provides a basis for this. The European banks, together with the European Banking Federation (EBF), have commented on these requirements in several technical position papers,[6] which take an educative approach and are intended to stimulate discourse.
  • It is essential to develop a common understanding of the risks of, and control mechanisms available for, cloud services. Risks should be assessed on the basis of uniform criteria, such as the degree of responsibility transfer and the importance of the outsourced data and functions.
  • Regulatory reporting requirements and exit strategies (e.g. business continuity in the event of terminating an outsourcing agreement or of significant service failure, etc.) need to be clear and consistent across Europe.
     
• The provision of cloud services is currently concentrated in the hands of a few very big global cloud infrastructure firms. To minimise the resulting dependency, cross-industry standards should be supported which guarantee that data can be transferred between cloud providers. This is the aim of SWIPO[7] (Switching Cloud Providers and Porting Data), a cross-industry, multi-stakeholder group established in 2020 with the support of the European Commission. The initiative has developed a code of conduct to prevent vendor lock-in. It will also be important to ensure that the supervision of cloud providers under discussion does not have adverse effects on the use of cloud services by banks.
   
• The GAIA-X initiative launched by the German government could also help to make the cloud market more transparent, thereby increasing the number of cloud providers. We welcome this initiative and are actively involved in the Finance Domain Working Group and in the Financial Big Data Cluster project. GAIA-X is not intended to replace established cloud providers, however, but to serve as an additional alternative in the market.
  • The European financial and insurance community in GAIA-X has agreed on “compliance by design” as a core requirement. This means that all services bearing the GAIA-X label must already be compliant with financial market regulation at the time of release, i.e. ex-ante.
  • The broad support and involvement of relevant departments and supervisory authorities is needed from the outset of the GAIA-X development phase. This will enable GAIA-X to help cloud regulation take better account of the financial sector’s requirements.

4.3 Promote the data economy by creating a cross-sector data framework

• Data are at the core of all value creation processes in the digital economy and thus a strategic production and competitive factor; they make a significant contribution to the economic success of companies and economies.
• In a world of international competition between business locations, a European data economy will open up the opportunity to substantially boost the attractiveness of the continent through data-driven innovation.
   
• Access to data and the possibility of their reuse will be key to success and contribute to Europe’s digital sovereignty.
   
• The framework conditions of a data economy must allow all market participants equal opportunities, promote the sharing of data on fair conditions and at the same time preserve the protection of personal data and trade secrets.
   
• The current legal framework creates asymmetries with some companies – especially established tech firms – acting as data gatekeepers, while banks have to provide one-way access to their customer data. There is a lack of reciprocity, which has a negative impact on Europe’s digital sovereignty.
   
• Given the increasing market penetration and diversification of non-European big techs and platform firms, sector-specific approaches could exacerbate existing imbalances. A framework for cross-sectoral data exchange could counteract this.
   
• The Association of German Banks sees a need for a European legal framework enabling data exchange across different companies and industries.
  • When it comes to personal data, companies in all industries should be obliged to share data provided by an individual in real time via standard mechanisms if the data subject so wishes. This could operationalise existing data portability rights under the General Data Protection Regulation (GDPR) and lead to new services and added value for customers.
  • In addition, cooperation in exchanging non-personal data must be facilitated, among other things by creating greater legal certainty (e.g. with regard to anonymisation). Such cooperation, for example in the form of data pooling, is vital to success in gaining new insight from the analysis of a wide range of data and in unlocking the potential of artificial intelligence and machine learning for research and business in Europe.
  • Furthermore, access to public-sector data should be rigorously promoted. In addition to establishing standardised electronic access channels, it is desirable to consolidate access points in the public sector in order to reduce transaction costs and make the data available for the broadest possible use.
     
• In its proposal for a Data Governance Act, the European Commission suggests instruments for promoting data availability and use, especially by increasing trust in data intermediaries through a statutory registration and supervisory framework. Though these have the potential to provide fresh impetus, they are unlikely to be sufficient in themselves to make a European data economy a reality.

4.4 Enhance cybersecurity expertise

• The danger of cyber incidents has intensified in recent years. This is due above all to technological developments and the greater interconnectedness of companies, but also to the increasing professionalism of cybercriminals and attackers. It is no coincidence that cyberattacks are now considered the biggest operational risk in the financial sector. It is therefore imperative to vigorously pursue the strategy of steadily improving Europe’s cyber resilience.
   
• The European Commission’s DORA proposal aims at harmonising the regulation of IT security in the financial sector. This coordination and harmonisation of regulatory requirements is essential if synergy effects and efficiency gains are to be created in the security architectures of banks and if cyber resilience in Europe is to be strengthened. The disproportionate time and effort, double burdens and uncertainties caused by currently diverging requirements must be eliminated. The resources thus freed up will in turn help banks to boost their own cyber defence measures and response capabilities.
   
• Given the scale of the tasks ahead, European IT experts are in greater demand than ever before. Ensuring their education, training and availability on the market is a major challenge at present. Studies[8] show a current shortfall of almost 170,000 experts in Europe alone – estimates put the figure at 350,000 for 2022. This has adverse effects on the security level of businesses. Yet IT and information security must not be neglected in a world which is becoming digitised at a significantly increasing rate. It is therefore vital to invest in the training of IT specialists.
   
• Networking between those responsible for cybersecurity is also essential. The interconnectedness of public and private-sector security incident and response teams is an absolute prerequisite for managing potential large-scale incidents. Event detection, assessment and, if necessary, crisis response are a joint task in cybersecurity and must be addressed as such.
   
• Attention should, moreover, already focus on the future implications of quantum computers on the security of the cryptographic security protocols currently in use. To protect against future cyberattacks using quantum computers, businesses, the security industry and the relevant national and supranational authorities must pull together in designing and implementing suitable defence strategies in a timely manner. This is the only way to make sensible use of the advantages and potential of the new technology, recognise the associated security risks and counter them efficiently.
   
• The European direction of travel will undoubtedly also have an influence on how cybersecurity issues are addressed at global level. Ultimately, coordinated action and joint efforts by policymakers, regulators, central banks and the financial industry will be needed. This should include exploring collective action by governments to deter malicious cyberactivity against financial institutions, such as international standards and diplomatic processes to increase cyber resilience.

4.5 Introduce a programmable euro

• Distributed ledger technology (DLT) and smart contracts will fundamentally change economic processes in many areas of all industries. They will only be able to develop their full potential, however, if payment processes are part of smart contracts. Programmable money on a DLT network will be a prerequisite for processing these payments efficiently and in a frictionless manner.
   
• The availability of a programmable form of the euro will help determine the international competitiveness of businesses in Germany and Europe and thus Europe’s ability to compete with Asia and North America. The discussion surrounding Libra/Diem has therefore given important impetus to the discussion on the design of a global monetary order for the digital age.
   
• But programmable digital money must be integrated into the monetary order in such a way that the stability and resilience of the system are not undermined.
   
• The characteristics of the two-tier banking system should also be reflected in the new forms of money. This means that the ECB should use the digital euro to maintain the basic function of central bank money, ensure the stability of other forms of money, such as commercial bank money, and thereby enable the development and diversity of monetary forms.
   
• The private banks see it as their task to develop commercial bank money into a programmable form of money, the commercial bank money token.
   
• The private banks propose a three-step approach:
  • Adapt the existing payment system in Europe to meet the challenges of digitisation; in particular improve and optimise TARGET Instant Payment Settlement (TIPS) and the European Payments Initiative (EPI).
  • Consolidate the forces of the German and European banking industry to design and issue a token based on bank money (commercial bank money token). A joint solution based on private-law agreements is necessary because this is the only way to ensure the interoperability and convertibility of tokens created by different banks. The process of creating standards should be supported and promoted by European regulation along the lines of SEPA/PSD2.
  • Press ahead with efforts to make central bank digital currency (CBDC) available to the general public. The utmost care should be taken to avoid damaging the functionality of the existing financial system, including banks. It will be particularly important to ensure that CBDC can only be accessed through the banking system. This is one of the preconditions for minimising the risks associated with CBDC, namely disintermediation and bank runs.
  • In any event, all efforts should be stepped up with an eye on time to market. It is important that reactive behaviour does not cause Europe to lose ground in the discussion and thus be unable to play a part in shaping the future objective.
     
• It must naturally be ensured that the DLT-based forms of money that are emerging worldwide are internationally convertible. This will require internationally coordinated regulatory measures. As experience in the financial crisis demonstrated, however, this is very time-consuming and the international consensus can very quickly fracture.

4.6 Create a digital ID ecosystem

• For digital commerce, we need digital identities that are easy to use, secure, legally recognised and reusable. We do not have them as things stand.
   
• To help digital identities achieve a breakthrough and overcome existing barriers (e.g. lack of widespread availability), we recommend creating first a national and, in a second step, a European ID ecosystem.
   
• A digital ID ecosystem would enable a frictionless exchange of identity data and credentials of natural and legal persons, and possibly of objects, too (Internet of Things). What is more, data could be exchanged across different industries and use cases in the private and public sectors.
   
• A prerequisite is the elimination of the jungle of differing legal requirements and supervisory practices surrounding identification – both within the EU and across different sectors (banks and other entities subject to money laundering rules, trust service providers, telecommunications companies, public authorities). Otherwise, there is a risk in some business locations that certain European providers will be placed at a disadvantage compared to their counterparts in other parts of the EU. This is a problem currently facing German trust service providers, for instance.
   
• Banks are legally obliged to verify the identity of their customers and therefore have a keen interest in using reliable digital identities for their customer processes. At the same time, they could provide an ecosystem with high-quality and reliable customer identity data in a broader sense (e.g. national ID data, proof of income, account data).
   
• The lack of availability of widely usable, qualified digital identities in Germany today could be compensated – at least on an interim basis – by making it easier to reuse verified customer identity data such as those collected by banks as part of the know-your-customer process.
   
• In the interests of the digital sovereignty of the individual, it is important to give all citizens the opportunity to decide for themselves how their data are used. This applies first and foremost to data that directly affect their own identity. Consumers should have transparency at all times and be in control of who has access to their identity data and for what purpose.
   
• One possible solution is offered by what is known as a self-sovereign identity (SSI for short), meaning that citizens manage their own identity data themselves and release them for use by a third party as and when needed, e.g. to set up a contractual relationship or use a service. Only users themselves know all their identity data and it is the user who decides with whom these data should be shared.
   
• We therefore welcome the recent initiative of the German government to establish a European digital identity ecosystem based on an SSI approach and share the view that an ecosystem of this kind can only be achieved through close cooperation between the private and the public sector (institutions and authorities).
   
• Together with its members (banks and fintechs), the Association of German Banks has developed proposals for making such an ecosystem a reality. These have been published in a separate position paper entitled “Digital identities – steps on the path to an ID ecosystem”.

[1] https://ec.europa.eu/info/sites/info/files/guillaume_klossa_report_final.pdf, accessed on 10 March 2021.

[2] https://www.bertelsmann-stiftung.de/fileadmin/files/BSt/Publikationen/GrauePublikationen/Digital_Sovereignty_in_the_EU_Policy_Brief_BSt_EZ_European_Public_Goods_EN.pdf, accessed on 8 December 2020.

[4] https://thediplomat.com/2020/12/covid-19-underscores-the-benefits-of-south-koreas-artificial-intelligence-push/, accessed on 10 March 2021.

[5] EBA BS 2019 xxx (EBA Draft Guidelines on outsourcing arrangements).docx (europa.eu), accessed on 10 March 2021.

[6] https://www.ebf.eu/priorities/cybersecurity-innovation/cloudbanking/, accessed on 21 December 2020.

[7] https://swipo.eu/, accessed on 21 December 2020.

[8] Cybersecurity Workforce Study of 2020 and 2018; Cybersecurity study by Trend Micro, 2019.