2025-11-15 06:34:55
Modern mobile operating systems are designed with integrated security architectures that limit malicious access, carefully managing connections between hardware, software, and apps. The DMA’s hardware and software interoperability mandate, Article 6(7), requires designated “gatekeepers” to provide developers and businesses with free and effective interoperability with mobile hardware and software features, including those features controlled by the operating system.
The second article in my short series identifies six key risks to the mobile ecosystem posed by the DMA Article 6(7) interoperability mandate.
Interoperability mandates introduce new entry points that malicious actors can target, expanding the attack surface and increasing security risks. Importantly, these entry points were likely not considered when the operating system (OS) was developed, meaning that the security architecture does not take these new targets into account.
The newly exposed interfaces increase the risk of direct memory access attacks (in the hardware sense of the term, not the Digital Markets Act), in which a peripheral or exposed interface reads and writes the device’s memory without passing through the operating system’s access controls. Modern operating systems tightly restrict who can touch memory because such access defeats almost every other protection: it gives an attacker the keys to the kingdom. With it they can plant spyware, bypass permission checks, alter stored data, remove passcode requirements, extract encryption keys, escalate privileges, or install a persistent backdoor without interference.
The Pegasus spyware illustrates what happens when privileged interfaces become reachable. It exploits operating-system vulnerabilities, including zero-click flaws in messaging apps, to gain system-level access, and then reaches cameras, microphones, and messages through interfaces that were never designed for use by non-system apps. When the layers that protect a device are exposed, a single small vulnerability can compromise the entire phone.
There are also risks to data integrity and confidentiality without direct memory access. In submitting interoperability requests, developers can request access to broad types of data. Although not necessarily malicious, overly broad access to user data can risk user privacy and security. Additionally, access requests may be intentionally vague or broad to sidestep permissions for certain kinds of data, like notification content, Wi-Fi history, or message history. It is not yet clear whether the DMA will be interpreted as eliminating permissions for some of this sensitive content, or if there is an “equally effective” way to grant access to legitimate developers, but it is a growing concern surrounding initial requests for interoperability. Legitimate actors may ask for overbroad access, and malicious actors might abuse DMA mandates to harvest or misuse certain personal data by asking for interoperability and bypassing the permission architecture in place.
Interoperability requests that replicate the overbroad permissions of past data-sharing systems risk repeating failures like Cambridge Analytica, where a seemingly harmless quiz app collected the personal details of tens of millions of users, including friends of the quiz-takers who had never installed it, through an open Application Programming Interface (API) and shared them without consent.
Similar issues have occurred on Android, where malicious apps misused the accessibility service — intended to help people with disabilities — to read messages and capture passwords. Giving third parties wider access to data, even for good reasons, can quickly spiral into privacy abuse when oversight or limits are weak.
In July 2024, a faulty content update to CrowdStrike’s Falcon endpoint-security sensor crashed roughly 8.5 million Windows machines around the world. The sensor runs as a kernel driver, deep inside the operating system, and the malformed update triggered an out-of-bounds memory read in kernel mode that took the whole system down with it. Mobile phones were unaffected: their operating systems do not give third-party security software that kind of kernel-level access.
Mobile operating systems rely on centralized control and vertical integration. They are not engineered for arbitrary third-party integrations. Disruptions to this architecture put the stability of the system at risk and could cause system crashes, degraded user experience, and delays in innovation.
Consider, for example, Apple’s AirDrop or Google’s Nearby Share (now Quick Share), both designed as seamless and secure file-sharing tools that operate within trusted boundaries and under the platform’s security controls. If Article 6(7) compels these services to interoperate with third-party file-sharing apps or hardware without equivalent safeguards, such as malware scanning, robust encryption, and strict performance controls, the result could be a dramatic increase in system instability and security risk.
In 2019, foreign threat actors began a campaign against the US federal government and private-sector entities that became known as SolarWinds, after the vendor whose software they abused; it was discovered in December 2020. To accomplish this unprecedented breach, the attackers executed a supply chain attack: they infiltrated the vendor’s build environment and embedded malicious code into signed updates of its Orion network-management software, which were then shipped to the vendor’s customers without their knowledge.
Supply chain attacks can have widespread impact across all types of downstream organizations and are difficult to detect, because the malicious component arrives through a trusted, often signed, update channel. Mobile operating systems benefit from a multi-layered defense-in-depth strategy that fortifies them against such attacks: components are vetted, signed, and isolated before they run. Unvetted third-party components undermine that integrity, and once one of them is compromised it becomes an attack vector into the platform.
One-size-fits-all regulation undermines differentiated security models. In part one of this series, I outlined the high-level architecture that mobile OSs generally share, but further differences exist in their security models. Interoperability mandates that do not take differentiated security models into account can have even greater unintended consequences, making simplistic assumptions about how security controls are implemented and forcing new architectures into established computing systems. This is like a mandate that all doors have security guards in front of them, instead of allowing a guard, a security monitoring system, or a deadbolt to accomplish the same goal.
Mobile operating systems mitigate security risks through identity verification and access control, but third-party access at the operating-system level complicates this. While identity verification for apps is generally used to manage an account, authentication at the OS-level is the basis of a device’s trust model. Instead of logging into an app or service, hardware and operating system authentication establishes who can control the device itself. If this is bypassed or compromised, every app and all of the device’s data are vulnerable.
Modern mobile operating systems increasingly rely on hardware-backed authentication mechanisms, such as Apple’s Secure Enclave or the Trusted Execution Environment and StrongBox secure element behind the Android Keystore, because keys held only in software can be extracted by anything that compromises the operating system. These components keep cryptographic keys in tamper-resistant storage that never releases them to the OS, performing signing and attestation on the key’s behalf so the device can prove its identity without exposing the secret. Interoperability mandates that compel third-party access to operating-system or hardware features may bypass or dilute these protections if they are satisfied by handing tokens or credentials to the third party rather than by granting a narrowly scoped capability. This weakens the principle of least privilege, the idea that any user or program should have only the access necessary to accomplish a task, and creates new opportunities to impersonate the device to apps or services.
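The two paragraphs above, on overbroad access requests and on keeping credentials inside hardware-backed storage, describe an architecture rather than a specific API. The following is an added illustration written for this article; it is not Apple’s, Google’s or any DMA-mandated mechanism, and the class names, scope strings and token format are assumptions. It shows one way a platform could honour an interoperability request while respecting least privilege: the device root key stays inside a (simulated) secure element that only ever answers “compute a MAC over this payload”, each grant is a short-lived token for exactly one catalogued feature, and a request for an uncatalogued or overbroad scope is refused outright rather than mapped onto a broader permission.

```python
"""Scoped, short-lived access grants anchored to a key that never leaves the
secure element. Added illustration, not Apple's, Google's or any DMA-mandated
API; names, scopes and the token format are assumptions for this example."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Catalogue of features the platform is willing to expose to third parties
# (assumed names). Anything outside it, e.g. "notifications.read_all", is
# refused instead of being satisfied with a wider permission.
GRANTABLE_SCOPES = {"sharing.send_file", "nfc.read_tag", "wifi.connect_current"}


class SecureElement:
    """Stands in for a Secure Enclave / TEE: it holds the device root key and
    only answers 'MAC this payload'. Callers never see the key itself."""

    def __init__(self, root_key: bytes) -> None:
        self._root_key = root_key

    def mac(self, payload: bytes) -> bytes:
        return hmac.new(self._root_key, payload, hashlib.sha256).digest()


def b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> bytes:
    # Canonical serialisation so the MAC over the claims is deterministic.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_token(se: SecureElement, app_id: str, scope: str, now: int, ttl: int = 300) -> str:
    """Mint a token for exactly one scope. The app receives a MAC, never the key."""
    body = encode_claims({"app": app_id, "scope": scope, "iat": now, "exp": now + ttl})
    return b64u_encode(body) + "." + b64u_encode(se.mac(body))


def request_grant(se: SecureElement, app_id: str, scope: str, now: int) -> Optional[str]:
    """Policy gate: only catalogued scopes are grantable; everything else is denied."""
    if scope not in GRANTABLE_SCOPES:
        return None
    return issue_token(se, app_id, scope, now)


def check_token(se: SecureElement, token: str, required_scope: str, now: int) -> Tuple[bool, str]:
    """Verify before granting the feature. Returns (ok, reason_or_app_id); fails closed."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, given_mac = b64u_decode(body_b64), b64u_decode(mac_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    # Constant-time compare; any altered claim yields a different MAC.
    if not hmac.compare_digest(se.mac(body), given_mac):
        return False, "bad mac"
    claims = json.loads(body)  # authentic at this point, so safe to trust
    if now >= claims["exp"]:
        return False, "expired"
    if claims["scope"] != required_scope:
        return False, "wrong scope"  # a file-sharing grant buys no message access
    return True, claims["app"]


if __name__ == "__main__":
    se = SecureElement(root_key=b"\x42" * 32)  # constructed sample key
    t0 = 1_700_000_000
    tok = request_grant(se, "com.example.share", "sharing.send_file", t0)
    print("granted:", tok is not None)
    print("intended scope:", check_token(se, tok, "sharing.send_file", t0 + 60))
    print("reused for messages:", check_token(se, tok, "messages.read", t0 + 60))
    print("after expiry:", check_token(se, tok, "sharing.send_file", t0 + 600))
    print("overbroad request:", request_grant(se, "com.example.share", "notifications.read_all", t0))
```

The point of the design is that nothing the third party receives can be replayed for a different feature or after its window closes, and nothing it receives lets it impersonate the device elsewhere: the only long-lived secret never crosses the secure element boundary.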
Certain technical challenges arise from the tension between open access and secure design. Once a vertically integrated system becomes heterogeneous, engineering complexity grows combinatorially rather than linearly.
Each additional integration layer, whether for translation, backward compatibility, or hardware abstraction, creates new code paths that must be tested, patched, and maintained, and each must be validated against every combination of components it touches. This complicates vulnerability management and increases the likelihood of regressions in performance or stability. Moreover, because third-party components evolve independently, maintaining a coherent security baseline becomes significantly harder for OS providers. Rigid compliance deadlines imposed without regard to this complexity risk forcing unstable implementations into the market. The DMA imposes interoperability in ways that outpace security governance capacity.
DMA interoperability obligations also interact with the broader EU regulatory landscape. The Network and Information Security Directive (NIS2) imposes cybersecurity risk-management and reporting obligations on essential and important entities. The General Data Protection Regulation (GDPR) requires data minimization and strict safeguards for personal data processing. The Cyber Resilience Act (CRA) sets baseline security requirements for connected devices and software. Some requests for interoperability under the DMA already implicate multiple frameworks; access to Wi-Fi history, for example, raises both data protection and cybersecurity equities.
Under these parallel frameworks, gatekeepers may face conflicting obligations — for example, being required to allow access to sensitive data or APIs under the DMA while simultaneously being liable for breaches under NIS2 or GDPR. Coordinating the DMA with these regimes and providing clarity to gatekeepers about their obligations is essential to avoid undermining Europe’s broader cybersecurity and privacy protections.
Considering these risks, how can gatekeepers and other tech companies move forward under the DMA? In part three of the Europe’s DMA series, I share a series of recommendations on how to make interoperability work without compromising security.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
The post Part 2: Opening Up — Europe’s DMA and the Risks of Interoperability appeared first on CEPA.
2025-11-15 05:43:38
It looks, at first glance, like a bureaucratic footnote: in the recent US Critical Minerals List, Washington added phosphate. But the addition signals a deep shift: the recognition that mineral inputs for agriculture belong in the same strategic category as those for semiconductors.
The updated critical minerals list replaces the one from 2022 and reflects a change in methodology: instead of simply flagging supply vulnerabilities, the new framework gauges each mineral’s potential to inflict GDP-level economic damage in the event of a disruption. It identifies 60 minerals as strategically essential, adding copper, silver, coal, uranium, rhenium, silicon, lead, potash, and of course, phosphate. The result aligns with how the US now understands national security — through the lens of systemic economic risk and strategic supply-chain resilience.
Phosphate rock, the geological backbone of modern fertilizers, is concentrated in a few countries. Morocco’s OCP Group claims access to over 70% of reserves. In potash, Russian and Canadian players account for the bulk of global production. Canada is the world’s leading producer, accounting for more than a third of global production, followed by Russia at about 19%.
These are not just commodity statistics. They describe a world in which a handful of states sit atop the geological levers of global food production. Morocco’s phosphates and Canada’s and Russia’s potash give those countries influence far beyond their borders.
Count in China, too. It accounts for nearly half of all phosphate rock mined globally, and controls more than 40% of the export trade in chemical calcium phosphates. This position effectively makes Beijing the swing actor in the world’s supply of phosphorus inputs. When Chinese authorities tighten export controls on fertilizers, as they have periodically done, they remind the world of a powerful weapon.
China’s grip is just as firm on the nitrogen side. It is a heavyweight producer of urea, supplying about one-tenth of global exports, and its sprawling industrial base commands roughly 43% of global nitrogen fertilizer revenues. In practice, that means a single country’s policy choices can reshape the cost of growing food across entire continents.
The global fertilizer market is projected to grow from roughly $230 billion in 2025 to about $281 billion by 2030. Demand for the underlying mineral inputs — phosphate rock, potash and nitrogen precursors — is rising in tandem. The global phosphate rock market alone was valued at about $22 billion in 2021 and is projected to reach almost $30 billion by 2030.
Europe’s wake-up call came abruptly with the war in Ukraine. Suddenly, the continent discovered that its fertilizer supply — and in turn, its food security — depended on Russian natural gas, Russian nitrogen, and Russian and Belarusian potash. The EU imported phosphorus fertilizer and phosphate worth close to €1 billion in 2024, making up about 25% of its total phosphorus fertilizer imports. The European Commission acknowledged that over-reliance on Russian and Belarusian suppliers represented a structural vulnerability.
The US faces a subtle version of the same vulnerability. Russia and Belarus continue to shape global potash flows, despite sanctions and export-burden risk. For a country that prides itself on agricultural abundance, the US is discovering that abundance does not always equate to resilience. When China clamps down on exports, as it has in recent years to shield its own farmers, global prices jolt upward, and import-dependent nations feel the squeeze almost overnight.
For both Washington and Brussels, the lesson is becoming clear: food systems are shaped by supply chains as fragile as those for lithium or microchips. Viewed in that light, the US decision to classify phosphate as a critical mineral marks the beginning of a major strategic realignment.
Elly Rostoum is a Resident Senior Fellow with the Center for European Policy Analysis (CEPA).
The post The Next Critical Mineral Battle: Potash and Phosphate appeared first on CEPA.
2025-11-15 00:46:21
A palm reader examines a woman’s hand and shakes her head. Something terrible and dark lurks in her future. The client sees the palmist’s frowns and becomes frightened.
“Will I get sick?”
“No,” says the palm reader.
“Will I die then?”
The old woman again shakes her head.
“So what will happen?”
“Nothing at all,” the palm reader says. “Nothing will ever change.”
The exchange comes from a Lithuanian movie made in the days of the Soviet dictatorship, and conveys a message familiar to all those who ever lived in countries paralyzed by the Kremlin’s frigid grip.
So, why is it still topical?
Because, depressingly, the Russian state once again offers the palmist’s future to the world, to self-interested autocratic elites that might cooperate with it, and especially to its neighbors. What we see today — Russia’s war of aggression against Ukraine, malicious shadow war attacks on Europe, and disruption around the world – stems from a deep belief in Russia’s right to attack, to dominate and to interfere. It gives itself the freedom to construct a model of society and statehood, and to impose it on non-consenting others.
“We are fighting absolute evil, embodied in Western civilization, its liberal-totalitarian hegemony, in Ukrainian Nazism. We were created for this mission,” said the neo-Stalinist theorist Aleksandr Dugin in 2022, as he urged Russians to mobilize for the invasion of Ukraine.
Sounding eerily like a blut und eisen (blood and iron) 19th century aggressor, angrily complaining about the supposed injustice of his country’s borders, or indeed like his Soviet predecessors, Dugin openly stated: “We have spilled seas of blood, our own and other people’s, to make Russia great. And Russia will be great! Otherwise it will not exist at all. Russia is everything! All else is nothing!”
Of course, Russia is not the USSR. Russia is different today: communism is out; crony capitalism is in. But the idea that the Kremlin knows best? That still remains. What sort of life should you lead? Russia will decide.
Lenin, a man disdainful of brevity, wrote 54 volumes of 650 pages each to promote the idea of a New Soviet Man, free from exploitation and “tradition”. Communism would eliminate the need for families and households — the country, in the end, would become “one whole family”. Such free men and women would dedicate all their lives to the socialist state with no classes and no ownership. The world, inevitably, would fall to a socialist revolution.
Then Communism would prevail. And no one, ever, would contradict it.
There is a man. He’s a writer but he doesn’t write. He digs coal in a mine. He is a prisoner in the Siberian region of Kolyma, a place called “white death”. He gets his daily soup in a tin with no spoon. His clothes are rags. When he asks for something to wear, he’s given clothing taken from a dead British soldier.
“I can’t wear those,” he objects.
“You bloody nazi!” the warden explodes.
The man is thrown into solitary confinement.
This is a moment in the life of Varlam Shalamov, the Russian writer who spent 17 years in the Gulag for complimenting his colleague, Ivan Bunin. Bunin, unfortunately, was an émigré in France, a Nobel prize laureate, and his literary triumph in the USSR was vilified as “an imperialist intrigue”. Shalamov, having called Bunin a “great Russian writer”, ended up in a forced-labor prison, surviving punishment, torture, and typhus. With the wrong worldview, he, and millions like him, was an obstacle to the greatness of the USSR.
After his release, Shalamov wrote a masterpiece memoir, Kolyma Tales, which was only published in 1987, more than 30 years after it was written.
“Don’t be a nazi,” a Russian co-worker once barked at my Lithuanian grandma after she put down the phone. “Next time you call your mother, speak Russian so that I can understand!”
It was never difficult to be judged a nazi by the Russians, be it in the 1940s or 1980s. Be it Moscow or Vilnius, Russians demanded obedience, certain of their superiority.
After World War II, having occupied and bludgeoned all nearby nations for decades, the Soviets regarded themselves as winners, liberators, and builders of the greatest order known to man. Russia’s 20th century history can reasonably be seen as a vast experiment with human life in which tens of millions were killed and impoverished. Why not?
Human life had little value. You don’t become the largest country in the world by cherishing life. As Henry Kissinger estimated in his book, World Order, Russia added an average of 100,000 sq km (about 40,000 sq miles) a year to its territory from 1552 to 1917. There was no issue that couldn’t be solved by aggression.
My country, Lithuania, became free again in 1918. It had been ruled by tsarist Russia for centuries, but having preserved its own language and hope for freedom, Lithuanians took the opportunity offered by the end of the war. Engulfed in the socialist revolution, the Russians lost the Baltic states. The Germans were pushed out. Lithuania signed a treaty of mutual respect and peace with the USSR. Statehood was restored.
But in 1940 the treaty was proved meaningless. Having decided to expand, the Soviets swallowed their neighbors.
And then the terror began. Private property was confiscated, farmers and the intelligentsia exiled, dissidents shot. One third of the nation was killed. The system of surveillance, control, and subordination was set.
Heavy, mostly military-oriented, industry expanded. Without private businesses, there was no competition and almost no retail market. Poverty dragged everyone down. Prices were set by the state. A winter coat cost two months’ salary, a set of furniture, seven. It took years to save. You could afford potatoes, cabbage and bread, but forget new shoes. We used newspapers as insulation.
My grandma aspired to be a seamstress. She couldn’t afford a knife, so she cut the bread with the seamstress’ scissors. She spent long hours in lines for flour, sugar, and other basics.
Fast forward 50 years. Communism is “mature” and victorious. We, a family of three, live in a single room. It’s our 10th year of waiting for a bigger home. (The government determines who lives where, for how long, and with whom.)
Sometimes we are thrown out of bed by burst pipes and scorching hot water showering all over us. The school, however, is dead cold. Every kid must help insulate the windows by sticking wet paper gunk to the window frames. There are cockroaches everywhere, and the pervasive smell of lung and kidney meatballs, though a raw egg is tossed into your porridge to fight anemia. It is illegal to use the term “poor”.
Worse than that is the air of doom. Nothing is possible and never will be. The more the state resembles a prison, the better. The air is heavy with humiliation.
You’ve dreamed about Jamaica? You’ll never go there. The band you illegally catch on radio will never play in your country. You’ll never dream big. In all likelihood, you’ll work for a military industry, as does every fourth citizen, and drink four times more alcohol than the rest of the world. This is the new society — one part scared, hypocritical and unable to achieve self-realization, and the other insolent and aggressive.
Your greatest ambitions are not to fall out of grace with your superiors and get a decent set of curtains.
Once my grandma took me to a “posh” cafe. We ordered a meatloaf with potatoes and peas. It should have come with a sauce, but it didn’t. The waitress shrugged. My grandma started to cry: I am an orphan of World War II, a socialist labor champion, bring us a plate with the sauce! I was drowning in shame, suspecting that’s not how dignity works. (The sauce came, though).
There was no client-manager relationship, but a superior-inferior dynamic. A Party member versus a teacher. A Russian versus a Lithuanian. A clerk, a doctor, a woman at the cashier or a shoe-repair man — all against you. They could scold, dismiss or lecture you, as they had the upper hand. Every day you engaged in a petty struggle of pleasing, begging, bribing or, if nothing worked, of wailing. There was no justice, just the occasional and accidental mercy.
Try to criticize it and you’ll end up jailed or medicated. Discontent equaled schizophrenia.
In the end? The USSR collapsed. So much for humanity’s Grand Project. So much for a new society.
Independence for Lithuanians not only meant the return to freedom and a market economy. It also meant that we, as humans, were valued again. Lithuania did everything to rid itself of the communist legacy: oppression, surveillance, and the centrality of power. The vetting and decommunization process ensured that former Soviet army officers and secret service agents came clean about their past.
But that never happened in Russia.
There was no vetting and decommunization process. Soviet security archives were never declassified. They still serve as the textbooks for the FSB, SVR and GRU. It is believed that a cache of KGB files abandoned in Ukraine by mistake would stretch 7km if arranged in a single row.
Russian propagandists claim that Russians are a special race with “an additional gene” and a mission to bring civilization to the world. Russia’s imperial mission must transcend the Russian Federation’s borders — only Russia can decide where it stops. You think the Kremlin’s mouthpieces were joking as they mused that Alaska was really Russian? They really weren’t. There is no equal partnership or parity. No peaceful co-habitation side by side with other nations. Russia must dominate. It is Russia or the West. If Russia loses, the West wins.
The USSR is gone, but the empire remains. The country that offered a masterclass in failure keeps returning with solutions. They talk about “security guarantees for Europe”. They demand we address the “root causes” of the disaster they made. They seem to struggle over what to believe: either that Ukrainians are nazis, or that both nations are the same, and are “one whole family”.
With disdain for Western “human rights”, freedoms and liberties stifled, with domestic violence legalized, with a murder rate 17 times higher than that of the EU, and a market run by state-mafia, Russians today are doing what they always did – choosing violence as a solution. Monuments to Stalin are rising again.
It is estimated that Russian sabotage and subversion attacks against Europe tripled from 2023 to 2024, following a quadrupling between 2022 and 2023. Sabotage, explosions, arson, cyber-attacks, murder plots, airspace violations, aviation disruption, and weaponized flows of migrants go hand-in-hand with the relentless attacks on Ukraine.
Russians simply fail to understand that violating the other does not make you a winner. It makes you a criminal. The list is long enough. Enough of these ghastly experiments with human life. Russia must be resisted, and made to pay for its crimes.
Gabrielė Klimaitė-Želvienė is a Lithuanian diplomat, working on security policy, arms control and non-proliferation issues. Previously, she headed the Middle East and North Africa Division at the Global Affairs Group, Ministry of Foreign Affairs of Lithuania. During her diplomatic career, Mrs Želvienė worked in Washington DC, Moscow, Stockholm, Dublin, and Brussels. She graduated from Vilnius University’s Institute of International Relations and Political Science, and joined the Ministry of Foreign Affairs in 2003.
Europe’s Edge is CEPA’s online journal covering critical topics on the foreign policy docket across Europe and North America. All opinions expressed on Europe’s Edge are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
The post The Fortune Teller’s Vision — A Russia Without End appeared first on CEPA.
2025-11-14 04:50:41
The alliance has been in dire need of an updated naval plan to tackle a fast-evolving range of threats. Now, 14 years after the last iteration, it has finally delivered.
The updated strategy identifies Russia, China, and terrorism as the main dangers, alongside climate change and the challenges brought about by AI and other emerging and disruptive technologies.
Moscow “is reinforcing its conventional and nuclear capabilities, while carrying out increasingly aggressive destabilizing cyber and hybrid actions against the Alliance and its partners,” the document says. At the same time, Beijing’s “confrontational rhetoric, coercive policies and growing assertiveness” are an increasing concern for NATO’s defense.
It recognizes that “terrorism, in all its forms and manifestations, is the most direct asymmetric threat to the security of our citizens,” and authoritarian regimes “are investing in sophisticated conventional, nuclear and missile capabilities, with little transparency or regard for international norms and commitments.”
The strategy outlines three main elements to maritime power’s contribution to allied security: deterrence and defense, crisis prevention and management, and cooperative security. Each comes with its own set of objectives and activities.
It says allied sea power must be used to provide credible nuclear deterrence, sea control and power projection, freedom of navigation, maneuver and action, and protection for sea-lanes and maritime critical infrastructure — with a particular focus on undersea cables and pipelines.
The alliance should leverage the “inherent agility” of its navies for crisis prevention and management, the document says. It also highlights the importance of maritime activities for building more robust cooperative security relationships between allies.
Implementing the strategy will need adaptation and innovation to improve interoperability and warfighting readiness. The document treats the Standing NATO Maritime Groups (SNMGs), currently inadequate for the task, as vital tools for the alliance’s posture.
There is a clear change in language and intent compared to the 2011 strategy, with concise and to-the-point descriptions, including a broader definition of allied sea power and what it enables.
The new tone is underlined by the phrases “maritime power” and “projection of power,” which are mentioned 17 times, compared to just twice in 2011. There is also a clear emphasis on “hard power required to prevail in conflict,” and the role of naval capabilities.
There is, however, less attention paid to other aspects of allied maritime activity that might have added greater depth.
The current state of alliance members’ merchant fleets, and the need to address problems such as the growing use of flags of convenience, are not mentioned, for example. Neither are the challenges facing the shipbuilding sector.
The security of critical undersea infrastructure, while addressed, also receives less attention than might be expected, especially given January’s launch of Operation Baltic Sentry to protect pipelines and cables.
Building and sustaining capable fleets is an expensive and demanding business, as the $13bn Norwegian order for British Type 26 frigates illustrates. Senior policymakers will need to ensure taxpayers understand the importance of their navies if they are to support the necessary investment.
The strategy could form the basis of a campaign to build awareness and momentum behind the need for future spending. It is “a solid, compact briefing document that we should be handing out like pamphlets at the church door on Sunday,” wrote the naval blogger Commander Salamander.
The updated Alliance Maritime Strategy is a positive and necessary step for NATO, but much work remains to be done. Not least, winning the support of allies and their populations.
Gonzalo Vázquez is a research associate with the Center for Naval Thought at the Spanish Naval War College.
The post Work Needed After NATO Floats Maritime Plan appeared first on CEPA.
2025-11-14 00:54:19
Mobile devices serve as wallets, medical portals, and workplace IDs. A single vulnerability in the operating system can expose financial information, health data, or corporate credentials. When rules that aim to promote competition inadvertently weaken these defenses, the effects are felt not only by platform providers but by every user.
This series focuses on the implications of DMA provisions around interoperability of hardware and software on mobile operating systems, identifies the key risks, and makes recommendations to avoid weakening the mobile ecosystem. Article 6(7) of the DMA requires designated “gatekeepers” to provide developers and businesses with free and effective interoperability with mobile hardware and software, including those features controlled by the operating system (OS). While intended to promote competition, the mandate requires operating systems to open internal functions in ways that disrupt security protections. They open a wide attack surface, threaten data integrity and confidentiality, increase system instability, create vulnerabilities in authentication and authorization, and erode user privacy.
User trust has been a cornerstone of mobile adoption. The security and privacy assurances provided by integrated mobile operating systems have enabled widespread adoption of sensitive services such as mobile payments, health applications, and enterprise productivity tools. If interoperability mandates erode that trust, consumers may become reluctant to adopt new services or may disable interoperability features altogether. Instead of promoting competition and innovation, poorly implemented interoperability could stifle uptake of alternative services. Preserving user trust should be seen as an integral part of achieving the DMA’s pro-competition objectives.
Secure mobile operating systems already have sophisticated interoperability capabilities – openness and security are not necessarily in tension. But measures to achieve a level playing field and competition in the digital market must not trample security by compromising existing system design. And if users distrust their mobile devices, the mobile market as a whole will suffer.
DMA interoperability is difficult to implement because modern mobile operating systems are designed to control and limit access to their own core functions.
A central objective of the DMA is to enhance competition and contestability — the ability of rivals to challenge dominant firms by lowering switching costs and reducing lock-in.
The Commission designates gatekeepers as platforms that function as important gateways to end users and hold entrenched or durable positions. To date, the European Commission has named 23 core platform services from seven companies: Alphabet, Amazon, Apple, Booking, ByteDance, Meta, and Microsoft.
The DMA does include a security clause allowing gatekeepers to adopt “strictly necessary and proportionate” measures to preserve the integrity of their services. But this qualifier offers limited practical protection. Policymakers can deem security safeguards to be excessive or unjustified. Device manufacturers or operating system developers can claim security risks that are unlikely to manifest. Firms requesting interoperability can dismiss real security risks. Admittedly, gatekeepers also can use the security opt-out to resist safe changes.
The result is a potential erosion of the trust that users place in mobile platforms.
Competition concerns are valid and should be addressed — but surely competition and contestability can be improved while maintaining the advances that mobile devices have brought to our collective cybersecurity.
The mobile integrated model stands in deliberate contrast to traditional desktop systems such as Microsoft Windows or Linux, where early architectural decisions toward open interoperability with third-party hardware and software fostered innovation. This same openness created persistent vulnerabilities, resulting in malware proliferation, driver conflicts, and fragmented updates.
Mobile operating systems were designed and refined to avoid those weaknesses by emphasizing integration and restricting access to core functions. Modern mobile operating systems rely on layered or ‘tiered’ security, similar to airport checkpoints. Both Apple’s iOS and Google’s Android use tiered access permissions. Apps and services must pass through multiple verification gates — such as sandboxing, permission prompts, and OS-level authentication — before they can interact with sensitive hardware or data. Each layer catches what another might miss, creating predictable and controlled pathways. Mobile operating systems retain privileged control over core functions such as software updates and hardware interactions, while third-party apps run with limited privileges and must obtain permission before touching protected resources.
This permission system limits opportunities for attackers, but it also limits, by design, what untrusted applications or developers can reach. The Apple App Store and Google Play Store add a further gate by vetting apps for malware and risky functionality before distribution.
Similar limitations and controls are in place throughout the device and operating system, though less visible to the user. This provides defense-in-depth — multiple layers of protection, such as hardware-based security, encryption, permission controls, and secure boot processes. Even if one control fails, others remain in place to prevent compromise.
Unavoidably, interoperability mandates that disrupt this integration — including Article 6(7) — are in significant tension with the design of mobile operating systems. The history of computing is full of examples where efforts to make systems more open or compatible also made them more vulnerable. The key risks and technical challenges, discussed in part two of this series, illustrate these tensions.
Heather West is a non-resident senior fellow at CEPA and a Senior Director of Cybersecurity and Privacy Services at Venable law firm in Washington. Equipped with degrees in both computer and cognitive science, she focuses on data governance, data security, artificial intelligence, and privacy in the digital age.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
The post Part 1: Europe’s DMA — A Cybercriminal’s Paradise? appeared first on CEPA.
2025-11-13 02:31:05
The National Anti-Corruption Bureau of Ukraine (NABU) has detailed a sweeping investigation into a $100 million kickback and money-laundering scheme in the energy sector involving some individuals with ties to the government.
NABU, along with the Specialized Anti-Corruption Prosecutor’s Office (SAPO), said detectives had detained five individuals and notified seven members of their alleged involvement in a criminal conspiracy it has codenamed Midas.
Although the suspects were not officially named, local media reported that Timur Mindich, a former business associate of President Volodymyr Zelenskyy and the alleged mastermind of the scheme, had been charged. So was Ihor Myronyuk, who advised German Galushchenko when he was Energy Minister. Galushchenko subsequently became Justice Minister and resigned along with the Energy Minister on November 12. Energoatom’s supervisory board was suspended.
The allegations center on Energoatom, the state-owned operator of Ukraine’s nuclear facilities, and suggest a fairly simple kickback scheme in which contractors were forced to rebate 10%-15% of a deal’s value to company insiders. One particularly damaging element of the inquiry suggests some of the embezzled funds had been earmarked to build protective structures for Ukraine’s energy infrastructure. Power stations have been extensively attacked and damaged by Russia in recent weeks, causing widespread power cuts.
NABU and SAPO said the scheme was “legalized” by entrusting the embezzled funds to a separate office located in central Kyiv, which belonged to the family of former Ukrainian MP and current Russian senator, Andriy Derkach.
The 15-month investigation is something of a triumph for Ukraine’s anti-corruption agencies after an attempt in July to bring them under government control. That failed amid uproar both inside Ukraine and among the country’s Western backers. But while it is a testament to Ukraine’s continuing efforts to combat graft, that is unlikely to dampen public outrage.
Details showing that members of the group used their official connections in the energy ministry and Energoatom to ensure control over personnel decisions, procurement processes, and financial flows suggest a degree of impunity.
There has long been Western unease over governance in Ukraine’s energy sector. In 2023, CEPA detailed concerns about government interference in the activity of state-owned enterprises such as Energoatom, Ukrenergo, Naftogaz, and GTSOU, fearing that a lack of accountability and corporate governance safeguards in state-owned energy firms could foster widespread corruption.
A number of senior managers have been removed in recent years, causing confusion and some dismay among Western energy companies and European think tanks that have spoken to this author.
Take Volodymyr Kudrytskyi, the man credited with defying all odds to connect the Ukrainian grid to Europe’s and ensure security of supply for the country, just as Russian tanks were rolling into Ukraine in spring 2022.
He was forced out as head of Ukrenergo more than a year ago, with many observers expressing fears in private that the government was exerting influence over strategically important energy state-owned enterprises for murky reasons.
On October 28, he was arrested on claims he had tried to defraud a bank in 2018. Kudrytskyi says the accusations are false, and is currently free on bail.
But his case is not singular. Other high-profile CEOs of energy state-owned enterprises, such as Naftogaz’s Andriy Kobolyev, were also forced out of their jobs and are facing official action.
Sources outside Ukraine have told this author that all these cases follow a similar pattern — the sidelining of high-profile individuals who fought to protect the independence of energy companies from government interference and the type of corrupt practices that are now being revealed by NABU and SAPO.
The latest scandal with its high-level ramifications is likely to raise many questions among international donors and the local population. They are sure to provide fuel for Russian propaganda campaigns in an effort to undermine Western support and stoke division within the country.
Some will ask whether supporting Ukraine’s war effort against Russia is a waste of time, money, and effort.
But that would miss the point. Graft is deeply embedded in many countries, and it takes time to eradicate. Ukraine’s efforts to face the issue are showing results – it has risen to 105th from 122nd place in Transparency International’s corruption index between 2021 and 2024, even as Russia moved in the opposite direction to 154th. From greater effort, expect greater results.
Meanwhile, the Russian kleptocracy will try to exploit hard evidence of Ukrainian crime-fighting to claim the country’s rulers are fleecing the population. It is clear now, and has been for some years, that those words describe the ruling elite in Moscow far better than its counterpart in Kyiv.
Aura Sabadus is a senior energy journalist writing for Independent Commodity Intelligence Services (ICIS), a London-based global energy and petrochemicals news and market data provider. She is also a Non-resident Senior Fellow with the Democratic Resilience Program at the Center for European Policy Analysis (CEPA).
The post Ukraine’s Corruption Probe — Bad But Not Terminal appeared first on CEPA.