The draft Cybersecurity Certification Scheme for Cloud Services (EUCS), seen by EURACTIV, includes sovereignty requirements on European data localisation and foreign law immunity in spite of strong opposition from some member states and the private sector.
The European Commission had asked the European Union Agency for Cybersecurity (ENISA), responsible for developing and maintaining the EUCS, to add sovereignty requirements to the scheme.
“The objective of these specific requirements is to adequately prevent and limit possible interference from states outside of the EU with the operation of certified cloud services,” the draft document reads.
This approach would mirror requirements recently introduced in France’s national cybersecurity certification scheme, known as SecNumCloud, and would affect cloud service providers operating in the EU market, ensuring that EU law is primary and that maintenance, operations and data must be located within the EU.
Immunity from non-European access would also be guaranteed by demanding that providers of cloud services be headquartered in Europe and not be controlled by any non-EU entities.
The concept of “control” is defined very narrowly. Companies are to be completely independent of non-EU laws, since any relationship constituted by ownership, rights or contracts is regarded as giving a decisive influence over an undertaking, according to the draft.
Exchanges between cloud service providers and providers based outside of the EU would have to fulfil specific requirements in terms of security clearance and supervision. Even companies with EU headquarters but foreign investors or operations could have restricted access.
“This will hurt [cloud service providers] directly and will mean, more broadly, that the European economy will lose choice and quality in cloud offerings,” a Digital Europe spokesperson told EURACTIV.
While the draft text states that these are “technical measures”, some member states and several tech industry representatives disagree on keeping the talks purely at the technical level and are pushing for a political discussion.
What is the EUCS?
The EUCS is secondary legislation under the EU Cybersecurity Act aiming to increase trust and security in important products and services. The scheme is a voluntary, EU-wide framework for cybersecurity certificates intended to counter fragmentation between member states, facilitate trade and help users understand the security features of what they buy.
ICT products and services shall be certified according to a comprehensive set of rules, technical requirements, standards and procedures.
Users shall be informed about the cybersecurity risk through three assurance levels: basic, substantial and high, the last meaning that a certified product passed the most demanding security tests. The proposed sovereignty requirements would only apply to the “high” assurance level.
Arguments against sovereignty requirements
In April the Netherlands, Sweden and Ireland shared a non-paper, seen by EURACTIV, arguing that all cloud service providers will likely strive for certification on the third level “because cloud providers are often part of the supply chain for sectors like government and vital infrastructures and services.”
Moreover, experts expect the certification to become mandatory in the future.
“Therefore, the proposed requirements on sovereignty in the cloud scheme could have wide-ranging effects for companies (sub-contractors) involved in cloud service deliveries and their ability to develop their services and compete on the global market,” the non-paper states.
They also argue that sovereignty requirements are difficult to implement and audit, leading to high costs and affecting competition. The result might be that competition is restricted to a smaller pool of vendors.
“These requirements have nothing to do with cybersecurity concerns; some may even argue this is a protectionist approach pushed by certain national governments,” said Alexandre Roure, Europe’s Director of Public Policy for the trade association CCIA.
These requirements were pushed forward by France, Germany, Italy and Spain, several EU officials confirmed.
In addition, these requirements could create a new point of friction between the EU and the United States as well as other trading partners, stressed Nigel Cory, associate director at the Information Technology and Innovation Foundation.
Lack of transparency
The drafting process has also been criticised due to “limited transparency and lack of stakeholder engagement”, according to a statement signed by the tech industry representatives of CCIA, ITI, BSA and AmCham EU.
“We have been particularly puzzled by how proposals for these requirements have been introduced. The process has been driven by individual players and member states, with industry stakeholders and other member states left in the dark and now being asked to accept a new version of the scheme as fait accompli,” a spokesperson for Digital Europe told EURACTIV.
Tech industry representatives have urged ENISA and the European Commission to inform stakeholders of the state of the discussion and to engage with them throughout the finalisation process.
They are also calling on member states to reject sovereignty requirements and to request a more thorough impact assessment.
“There is currently a complete final draft, including all requirements, that is under review by the AHWG (Ad-Hoc Working Group), and that should be submitted to the ECCG (European Cybersecurity Certification Group) for their opinion,” an ENISA spokesperson informed EURACTIV.
This review and opinion may then lead to further work to finalise the scheme before submitting it to the Commission who in turn may then adopt such a scheme through the implementing act. The next ECCG meeting is set for 28 June.
[Edited by Luca Bertuzzi/Nathalie Weatherald]