CrowdStrike is the Latest Example of the “Brussels Effect”
In July 2024, millions of individuals and businesses found their lives disrupted by a global IT outage caused by a faulty update to software issued by cybersecurity company CrowdStrike. The faulty update caused a calamity impacting everything from Starbucks and McDonald’s to the London Stock Exchange to airlines.
At least part of the blame for CrowdStrike’s catastrophic impact belongs to European regulations that require Microsoft to structure certain features for compliance purposes, opening up potential security liabilities.
While the CrowdStrike incident may be the most timely and significant example, it is just one of the many ways European regulation is increasingly impacting American consumers and providing them with less innovative and less secure products.
Why is that? Let’s start with the CrowdStrike situation. A 2009 agreement with European regulators required that Microsoft give other security services the same level of access to its Windows system that it has itself. The result is that when a flaw in a security system—like CrowdStrike’s faulty update—occurs, it can have far more devastating effects on the entire operating system and therefore a broader global impact.
The European Commission has pushed back on the claims that such an agreement has forced Microsoft into this position, stating that “Microsoft is free to decide on its business model.” However, European regulations are removing American tech companies’ ability to control their own business models.
The Digital Markets Act (DMA), an EU regulation beginning in 2022, designates five American companies among its “gatekeepers” and places significant restrictions on the types of services these companies can offer, how they present their products, and, in some cases, requires additional access through interoperability obligations. As AEI’s Shane Tews points out, under the DMA, Apple, which was unaffected by the CrowdStrike issues due to its closed ecosystem, could be required to create the same kind of security vulnerabilities by giving additional access to third-party vendors.
The DMA has already caused companies to remove several services and features from the European market—services and features that Americans can still use—due to its compliance requirements. These range from losing the “Ask to buy” parental control feature in the Apple App Store to significant interface changes to services like Google Maps. Not only do such changes hurt European consumers by limiting their access to products, but these regulations impose hardships on the small businesses that they claim to protect by either eliminating their visibility on search engines or taking away features that may help build consumer trust.
But as the issue with CrowdStrike shows, the impact of European regulation is no longer isolated to just Europe. As with many regulatory compliance requirements, it may not be technologically or economically feasible to simply offer a different product in Europe. As a result, we often see a “Brussels Effect,” where EU policy becomes the global standard for technology policy. The average consumer might not realize this in their day-to-day life, but they have been experiencing it for years in both large and small ways.
In Europe, the frustrating cookie pop-ups are one example of an inconvenience necessitated by data privacy regulation compliance requirements, as is the absence of certain services or information avenues like the Los Angeles Times. Other examples include the recent changes to Apple products charging cords with the iPhone 15, brought about not by improvements in technology but by a need to comply with EU regulation.
What features around the world and what vulnerabilities must consumers put up with to appease bureaucrats in Brussels? Thousands of disrupted vacations and business losses from CrowdStrike are likely to be just one example of how regulation gave us worse technology and consumer experiences, not better.
Notably, European regulation is its main contribution to global tech policy. As Ben Thompson puts it in his popular blog Stratechery, “[T]he problem with leading the world in regulation: you can only regulate what is built, and the E.U. doesn’t build anything pertinent to technology.”
Concerningly, some American regulators like the Federal Trade Commission are actively working with EU bureaucrats to regulate US companies through such policies rather than recognizing that this approach hampers American innovation, the economy, and consumers. There are a growing number of examples—including the CrowdStrike outage—that show this approach will lead to significant tradeoffs for consumers around the world that can’t be ignored.