A coalition of 26 industry groups from across Europe has issued a stark warning against potential discrimination in the EU cybersecurity certification scheme, cautioning that it could unjustly impact major cloud service providers like Google, Microsoft and Amazon.
The warning aims to preserve a diverse array of cloud service options for EU-based organizations, following the recent rollback of stringent requirements in the EUCS framework. Initially drafted by ENISA in 2020, the EUCS requirements sought to ensure the protection of EU citizens’ data according to EU standards, even if the data were processed outside the bloc, such as in the United States.
A significant change occurred in March 2024 when the sovereignty requirements, which would have compelled US organizations to either form a joint venture within the EU or collaborate with an EU-based company for data storage and processing, were removed from the EUCS requirements. This adjustment was made in response to growing concerns about maintaining a competitive and open market for cloud services in Europe.
Related: New US Cybersecurity Strategy Advocates Tech Regulation
In a joint letter, the industry groups stated, “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions and strengthen its resilience and security.”
They further emphasized that “The removal of both ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements ensures that cloud security improvements align with industry best practices and non-discriminatory principles.”
The cloud market is a multi-billion-euro industry with rapid growth anticipated within the EU. Therefore, the industry groups argue that maintaining a broad selection of cloud service providers is crucial for fostering innovation, economic growth and digital resilience.
However, not all stakeholders agree with these changes. Several prominent EU cloud providers, including Deutsche Telekom, Airbus and Orange, have expressed concerns about the potential risks posed by eliminating the sovereignty requirements. They argue that allowing non-EU entities unfettered access to EU data could lead to violations of EU data protection laws and unauthorized access to sensitive information under foreign jurisdictions.
Source: Tech Radar