But platforms’ dominance raise challenges in itself. Trust, transparency and fair trading practices, to start with. There were obvious problems for us to tackle, including a need to set down some basic rules to guarantee a sustainable and predictable business environment.
In a public consultation, we found that 46% of businesses in the EU experienced serious problems in their relation with platforms.
They listed detrimental practices such as sudden changes in terms and conditions, account suspensions, product delisting and search engine ranking issues, as well as a lack of effective redress mechanisms.
For ‘heavy users’, meaning those businesses generating more than 50% of turnover via platforms, this amount went as high as 75%.
Something needed to be done. But without over-regulating platforms or stifling innovation.
Today, all European small and medium-sized businesses selling via intermediary platforms enjoy transparency and clarity in their contractual conditions.
The EU’s new platform-to-business rules create a benchmark for transparency, outlawing the worst practices with the aim of reducing their impact by 30%.
Protecting consumers online
Here, EU rules are far more consistent than before. Instead of dealing with 28 sets of rules, people have a better idea of their rights when they buy or sell online, anywhere in Europe. It makes e-commerce a more accessible and attractive prospect.
Now, EU consumer laws ensure that the same contract law rules apply across the EU for online purchases of goods and supply of digital content.
This includes more transparency in online marketplaces and for search results on online platforms.
All EU consumers are better protected against unfair commercial practices such as aggressive or misleading marketing. They now have the right to claim - such as for financial compensation or termination of contract - if they are affected. Wherever they are in the EU.
They get even more protection from being able to use secure digital identities and authentication, thanks to the eIDAS regulation.
This makes sure that companies and individuals can use their own national e-identities when they do business or reside in another EU country to access public services.
It cuts red tape, it saves money and just makes everyone's lives easier.
The eIDAS scheme affects innumerable sectors and daily activities: banking, financial and corporate services, domestic utilities, registering a company, filing tax returns online, accessing electronic medical records and enrolling at university.
But trust and transparency extend further as concepts in the DSM.
As always, data is key.
Europe’s transformed data landscape
Data protection and online privacy underpin public trust in the internet and the entire digital economy. This is vital for people to feel confident in using digital services.
In the space of four years, Europe's data landscape has changed dramatically - for the better.
Perhaps the biggest headline came with the General Data Protection Regulation (GDPR), which came into force in May 2018. Perhaps because its effect extends outside Europe too.
The GDPR gives people more control and protection of their personal data - no matter where it is sent, processed or stored - even outside the EU, as may often be the case on the internet.
It is the basis used by the EU for international cooperation on data flows, such as the Privacy Shield agreement with the United States, and also ‘adequacy decisions’, where a non-EU country is deemed to offer a similar, and acceptable, level of data protection.
The effect of these decisions is that personal data can flow from the EU to the non-EU country with no other safeguards required. The most recent EU decision related to Japan in January 2019, which has created the world's largest area of safe data flows.
GDPR requirements warranted an update of EU rules on e-privacy, last changed in 2009.
Today, EU privacy rules only cover traditional communications providers and services, which must keep our communications confidential. They may not listen, store or tap into any communications; they can only process our communications metadata for billing purposes, or for value-added services, if we have given our consent.
To complement the GDPR, the Commission has proposed extending the rules to cover electronic communications services to make sure that all providers respect people’s communications, whether it is personal data being processed or not.
Guarding against online attack
While it is one thing to create an environment that protects data in a more or less predictable situation, it is quite another to protect against the unpredictable: cyber-attacks.
Cybersecurity now ranks as a major policy issue, for companies as much as for governments.
Not just in Europe, but globally.
The frequency and sophistication of cyber-attacks is not diminishing. In fact, the opposite is true: cyber-attacks are booming as our societies and economies turn more digital.
This is something that the European Union takes very seriously, especially since our countries differ markedly in their readiness to deal with online attacks and threats.
Those who carry out the attacks do not recognise country borders - and as we have seen with wide-scale assaults like NotPetya and Wannacry, they do not discriminate.
All countries, and their critical infrastructure, are at risk. The Wannacry virus in 2017, for example, infected 100,000 groups in at least 150 countries at a total cost of around $4 billion.
As part of building the DSM, we have worked hard on the legislative front to bolster EU cybersecurity and improve our collective resilience by ironing out the national differences.
At the start of my mandate, there were no EU cybersecurity laws. Now, we have agreed on Europe-wide rules to complement an area closely linked to EU countries’ national security.
This is the main objective of the law to protect the security of network and information systems, known as the NIS Directive: the first EU-wide legislation on cybersecurity.
It creates the structures for strategic and operational cooperation between EU countries, including information exchange between relevant authorities: the first response, or remedy, against cyber-attacks.
It includes requirements for incident response and implementation of technical security measures based on risk, designed to improve cross-border cooperation in information and network security and promote a culture of risk management.
While the NIS Directive is hugely important, we needed to go further still - to make sure that collectively, the EU stays resilient as much as possible against cyber-risks in general.
That means EU industry staying at the cutting edge in developing next-generation cybersecurity and digital technologies, which is why we are pooling more EU and national funding for cybersecurity research, innovation and industrial activities.
For the EU’s next long-term budget, the Commission has proposed more than €2 billion to set up a network of cybersecurity competence centres with a European centre.
Then, the Cybersecurity Act.
It creates a structure for certifying ICT products and services, where the EU landscape is still quite patchy, and make sure they are technically compatible between EU countries. This is especially important for the Internet of Things, where the billions of devices that underpin critical infrastructure and connected devices must be reliable and trustworthy.
Europe has come a long way on cybersecurity since 2014.
Back then, our protection was patchy at best. Some countries did not take it too seriously.
Now, we have created ‘integrated shields’ to strengthen our collective resilience against attack. Europe is only as strong as its weakest link - cyber-crime does not recognise borders.
The biggest challenge for the future is protecting security of the supply chain. We started our work on 5G security to raise awareness in all EU countries about the security threats that come with this new encompassing technology but still need to continue this work.
The risks have not gone away. They probably never will.
But now, we are far better equipped and ready to deal with them.