The European Commission, The European Union Agency for Cybersecurity (ENISA) and EU countries are set to meet this week to discuss a contentious cybersecurity certification scheme for cloud service providers.
The European Cybersecurity Certification Scheme For Cloud Services (EUCS) (EUCS) is part of three certifications that have emerged out of the EU's 2019 Cyber Security Act.
The EUCC is pitched as helping governments and companies pick a secure cloud services vendor, but industry groups are warning that the certification requirements (mostly to do with data localisation) may be discriminatory towards Amazon, Alphabet, Google and Microsoft.
An alliance of 26 groups has now published an open letter about the rules, arguing that their members should have access to a wide range of cloud services that are resilient and suit their unique needs.
They wrote: “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe's digital ambitions, and strengthen its resilience and security."
The first of the three certifications, the EUCC, was adopted in January 2024. It allows ICT suppliers who wish to showcase proof of assurance to go through an EU assessment process to certify products such as hardware, software and technological components (such as chips or smartcards).
Based on the existing SOG-IS Common Criteria evaluation framework, which is used across 17 EU Member States, the scheme allows products to be evaluated by independent, licensed laboratories. The existing signatories to the similarly voluntary Common Criteria technical agreement are expected to recognise the certification.
The Stack has previously reported that the EUCC would pave the way for two more upcoming certification schemes: EUCS on cloud services and EU5G on 5G security.
See also: European cybersecurity labels are coming. Who's signed up?
While Cybersecurity Executive Director, Juhan Lepassaar has described the voluntary schemes as “a milestone towards a trusted EU digital single market", the proposed cloud certification scheme has found itself under close scrutiny.
European cloud service providers such as Airbus, OVHcloud, and Orange have said that not having sovereignty requirements will lead to market fragmentation, and disadvantage the regional players.
While the EU has stated that the labelling process is voluntary, if there is general uptake (as the EU hopes), the EUCC will likely become the standard for cybersecurity - making it hard to operate in the market without it.
It would also be difficult for vendors to supply to government organisations if they do not comply with the ECC requirements. Already, data protection laws for EU institutions are stringent and likely to get tougher with rising cyber-attacks.
See also: EDPS: European Commission breached data infringement rules over Microsoft 365 use
In its draft stage, the scheme establishes requirements that cloud service providers must comply with to be awarded one of four assurance levels (basic, substantial, high, and high+). The assurance levels are determined by the level of risk associated with the intended use of the cloud service and the level of skill and sophistication threat actors would need to compromise the system.
The biggest change in its drafts between August 2023 and April 2024 has been the ENISA's backpedalling on the issue of data sovereignty. However, EUCC's inclusion of free movement of data has not been set into law, and is likely to be the thorniest issue for both vendors and business consumers.
As reported by Politico, previous versions of the scheme text have included language seeking immunity from third countries’ laws, data localization obligations and criteria for local staff in an effort to protect EU Data from foreign jurisdictions.
However, this would have significantly impacted Big Tech's ability to provide critical services in the EU. Think tanks such as the European Center for International Political Economy (ECIPE) have also said that preventing non-European vendors from providing “high assurance level” cloud services in the EU could be damaging.
The European Centre for Political Economy (ECIPIE) has projected losses in annual EU GDP of between €29 billion and €610 billion within approximately two years of the certification being implemented, if what it terms "exclusionary" requirements are not dropped from the policy.
There is also disagreement within EU nations regarding sovereignty requirements. France has been pushing for data localisation, while Ireland, Slovakia, and Germany are reportedly leading the charge for more relaxed norms regarding international vendors.
An easy resolution is unlikely, and it would not be surprising if the ENISA has a few more draft flip-flops before the certification sees the light of day.
