By Luca Bertuzzi | Euractiv.com
Est. 5 min, 22-11-2023 (updated: 27-11-2023)

A new draft of the European Cloud Services scheme, seen by Euractiv, was circulated ahead of a meeting of the European Cybersecurity Certification Group on Monday (20 November), with some tweaks to the controversial sovereignty requirements.

The cloud scheme has proved extremely controversial, as the European Commission, driven by French Commissioner Thierry Breton, strove to introduce sovereignty requirements modelled on France’s SecNumCloud that would exclude non-European cloud companies from qualifying for the highest security levels.

Although the certification is voluntary under the EU Cybersecurity Act, it might be made mandatory for thousands of entities considered essential or important for the European economy under the revised Network and Information Security Directive (NIS2).

The proposal prompted strong pushback from several EU countries and a considerable part of the industry, which saw it as a protectionist move to exclude American hyperscalers from large chunks of the European market.

In May, Euractiv revealed that a compromise between the two camps, the French-led one pushing for cloud sovereignty and the liberal one led by the Netherlands with the increasing support of Germany, was being sought through a tiered approach. While the Cybersecurity Act only envisaged three levels of assurance (basic, substantial and high), a new level, ‘high+’, was introduced to carry the bulk of the sovereignty requirements. A revised version of the scheme was circulated in August but still failed to convince the most reluctant EU countries.
This new draft is another attempt at such a compromise, as the sovereignty requirements were further toned down. It remains to be seen whether this compromise will succeed or whether the Commission will move ahead with adopting the scheme, as the clock is ticking to adopt it before the end of the mandate. National representatives will have the opportunity to adopt or reject the entire text.

Notion of control

A crucial aspect of the sovereignty requirements has been to what extent the European subsidiary of a cloud provider can be considered under the control of its parent company or group.

The requirement that cloud service providers be operated only by EU-based companies, with no non-European entity exerting effective control, has been slightly softened for the assurance level high+. In particular, the new text adds the possibility for providers to demonstrate that they have put in place effective technical, organisational and legal measures that prevent non-EU companies linked with the cloud provider from exerting a decisive influence on decisions related to investigation requests.

On this point, a placeholder indicates that this option is meant to ensure that “trusted foreign cloud providers fulfilling other requirements can get certified”. The same placeholder is present under the assurance level high, suggesting this requirement might be extended to that level.
Data localisation

Localisation requirements have also been introduced for the assurance level high, requiring cloud service providers to have at least one dedicated location in the Union. For the assurance level high+, the obligation to have all referenced locations in the EU remained untouched.

EU law primacy

The requirements concerning the primacy of EU law have been modified for both assurance levels, high and high+, removing the idea that they would apply to all the account data related to the contractual relationship, including pre-sales, maintenance, operation and exit.

The provision on what cloud service providers should include in their risk assessment of the extra-territorial application of non-EU laws was made less prescriptive, whilst the principle that contractual relations should fall under the jurisdiction of an EU country was maintained.

Additional guidance is to be provided to cloud users about the risks of using the cloud service, notably the risk of unlawful access to data and derived data, including commercially sensitive, confidential and proprietary business data.

Staff requirements

The requirements for cloud service employees with direct or indirect access to the data have been toned down for the high assurance level. Staff members and their supervisors will still have to undergo “an appropriate review” and be located in the EU. However, the idea that the maintenance of a functional component should also be logged and monitored was dropped.
International agreements

A specification was introduced stating that the scheme should not be understood as preventing the application of any obligation under EU law to comply with an investigation or other request for data access recognised under international agreements, such as a mutual legal assistance treaty with a third country.

Sensitive data

A definition of data was added in line with that of the Digital Markets Act, together with categories of sensitive data, meaning personal or non-personal data whose disclosure could negatively affect public order, safety, health or the performance of essential governmental functions.

Sector-specific requirements

The new text specifies that the assurance level high should “be also suitable for cloud services that are designed to meet sector-specific requirements for global operations”, giving the example of the banking and financial sector.

[Edited by Nathalie Weatherald]