Applying green energy tax policies to improve cybersecurity
For years, governments have focused only on the stick of compliance when they could also leverage the carrot of tax incentives. Theoretically, compliance fines and penalties should act as a deterrent that improves accountability and reduces data breaches. In practice, however, many vendors simply accept the compliance risk rather than securing data effectively.
For example, Meta has been the most penalized company, accounting for €2.5 billion in fines across its parent company and subsidiaries. These large, ubiquitous, irreplaceable technology companies are willing to accept the risk of paying fines and penalties because the amount is insignificant in comparison to their overarching financial portfolio. Meanwhile, average technology companies and startups often have limited cybersecurity budgets, which creates both data breach and compliance risks.
Tax policies similar to the ones that promote green energy investments can incentivize large technology companies to build security by design and default while bridging the financial gap for other vendors. When combined with digital trust labels across consumer and commercial technology products, these tax policies would motivate buyers, technology producers, and service providers to make choices focused on data protection.
Understanding the producer and buyer landscape
Regulatory compliance covers various technology companies, yet it only targets corporate purchasing. However, remote work has entangled a company’s security practices with its employees’ cybersecurity hygiene. To improve overarching security, regulations must address the different types of technology producers and buyers.
The technology producers
Across this layer, technology companies fall into three general categories:
- Gatekeepers: A set of ubiquitous technology companies that buyers cannot easily swap for more secure solutions, like those defined in the European Union’s Digital Markets Act.
- Replaceable technologies: Technologies, like enterprise SaaS applications or consumer devices, that buyers can easily swap for more secure options.
- Innovators: New-to-market technologies that should be built with security-by-design and security-by-default.
The technology buyers
To support cyber resilience, any policy must consider all end users:
- Commercial buyers: Businesses required to review supplier compliance as part of their third-party risk management requirements.
- Consumer buyers: Individuals purchasing technology without insight into or education about cybersecurity risks.
Digital trust label: The ENERGY STAR program for data protection
Cybersustainability applies environmental sustainability concepts to digital infrastructures. At a high level, cybersustainability means addressing current and future data protection concerns by thinking about IT ecosystems in ways that map to environmentalism’s concept of sustainable development, focusing on:
- Economic value: Adopting and maturing digital strategies.
- Healthy ecosystems: Promoting operational resilience and continuous monitoring.
- Building community: Communicating across all stakeholders.
While many corporate cybersecurity programs work to achieve these outcomes, few options are available to private consumers.
A digital trust label provides the necessary visibility for all technology buyers in a way that parallels how ENERGY STAR labels indicate energy efficiency for appliances. Research notes that being able to identify an appliance’s energy efficiency can make consumers more willing to pay a premium for that appliance. Further, research into purchase intention finds that consumers who give priority to environmentally protective products place more value on energy efficiency labels. In short, when people care about purchasing energy-efficient appliances, they are more willing to use a label to make a purchase that aligns with their beliefs, and to pay more for it.
Digital trust labels provide that same visibility for data protection. The Swiss Digital Initiative and the German IT Security Act 2.0 close the information gap that exists for all buyers so that they can make cyber-secure decisions. The BSI IT Security Label Directory gives both buyer personas easy insight into a product’s or service’s high-level security capabilities, empowering all buyers through transparency.
By using digital trust labels, governments can provide the transparency into data protection that energy efficiency labels provide when purchasing appliances. Ultimately, digital trust labels improve consumer decision-making and offer an easy way to promote the social responsibility necessary to improve security across consumer and commercial buyers.
Taxation and subsidies: Incentivizing cybersustainability
By taking an approach rooted in environmentalism, governments can build similar incentives around cybersecurity. Taxation and subsidies have improved green energy and technology production and purchasing. Building a tax framework modeled on the ones supporting green energy production and investment offers a way to move toward improving security across all technology products.
The buyer: Incentivizing data protection
Corporate buyers have vendor risk management compliance requirements that incentivize purchasing secure products and services. However, consumers lack visibility into a product’s or service’s security and have no incentive to prioritize data protection when making purchases.
A tax framework that provides rebates or tax credits for products and services with a digital trust label would offer an incentive to both buyer types, which would further hold manufacturers and providers accountable. According to research, vehicle rebate incentives that reduced up-front purchase costs correlated with more purchases of battery electric vehicles, improving green technology adoption. While rebates appear to offer the most benefit, other research found that tax credits could, at the right level, improve adoption of energy-efficient and renewable products.
A digital trust label supports incentivizing consumer and commercial purchases, whether through rebates or tax credits, since most buyers will choose the cheaper option. Under this proposal, legislation creates a “demand-pull” policy that targets consumers by providing a financial model that makes technologies and services with a digital trust label less expensive.
Additionally, these incentives would limit operational disruption while rewarding secure technologies:
- Gatekeepers: Highly regulated firms using current compliance to achieve digital trust label certification, creating little friction for the businesses and consumers who rely on them.
- Replaceable technologies: Buyers choosing less expensive and more secure technology, creating an incentive to switch providers.
- Innovators: Buyers supporting new technologies that achieve digital trust labels, creating a market incentive for security and privacy by design and default.
Reduced tax rates: Offering the carrot
From a cybersecurity perspective, research findings support the concept that offering a tax credit for achieving a digital trust label could extend best practices across products and services. Researchers analyzed the relative effectiveness of R&D tax credits and subsidies, noting that tax credits are more effective for large firms.
For these firms, tax credits might fall into one of two categories:
- “Deadweight”: Research would have been conducted without the incentive.
- Additive: Organization reinvests the savings into research.
Offering a tax credit for achieving a digital trust label provides a reward for organizations, especially the gatekeepers and replaceable technologies, that:
- Encourages firms to maintain their security posture so they can reap a reward.
- Enables firms to expand their budgets so they can improve their security posture.
- Induces ongoing research and information sharing which maps to NIS2.
Subsidies: Supporting the innovators
Innovation is critical to consumer technology, enterprise purchases, and cybersecurity solutions. However, new-to-market firms often have fewer financial resources for implementing, monitoring, and maintaining cybersecurity. Even more challenging, many of these technologies rely on open-source code that threat actors target in software supply chain attacks. For these firms, subsidies mapped to digital trust labels offer a different kind of value.
Offering a technology-push policy reduces production costs. Research notes that as a product’s social benefit increases, governments often implement push subsidies that increase adoption while reducing R&D costs. For new-to-market technology firms, this push subsidy offers additional support around developing with security and privacy by design and default.
The optimal approach to government subsidy for innovators is a combined push and pull model that provides new-to-market technologies with benefits enabling them to build products and services securely by:
- Reducing buyer costs related to the digital trust label.
- Offering tax credits or benefits that improve profit margins without passing costs to buyers.
- Promoting secure software development by rewarding companies so they can reinvest in the technology’s security.
Using incentives to drive better data protection
Penalties under legislation, like the GDPR, remain critical. Organizations must be held accountable for violations, especially as data is now a universal currency. However, governments must implement additional levers that provide incentives across the entire ecosystem.
By creating a taxation framework modeled around the current green energy and energy efficiency models, consumers and corporate buyers can make informed decisions by using a digital trust label. Meanwhile, technology companies can receive a financial benefit for appropriately protecting data. Ultimately, these varied levers work together to incentivize security while still holding organizations accountable for poor security and privacy practices.