Sunday, November 3, 2024

Meeting on EU’s cloud services certification scheme postponed

Must read

A discussion on the European Union’s proposed cybersecurity scheme, EUCS, originally scheduled for 18 June 2024, has been postponed to mid-July, Euronews reported on June 18, 2024. The EUCS is a voluntary certification scheme for cloud services which is set to be used by companies to demonstrate that they have the right level of cybersecurity protection for the EU market.

Details of the Scheme and Industry Responses to it

Notably, the EUCS has faced apprehensions from industry groups because of issues in the cybersecurity scheme related to ownership controls and immunity to non-EU law. Recently, 26 industry groups wrote to the EU claiming that big tech companies need access to a diverse range of cloud services in order to survive in a global market. Calling for the removal of both ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements, they said that such a move would ensure that cloud security improvements align with industry best practices and non-discriminatory principles. Further, they wrote, “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen its resilience and security.”

Previous Context on EU’s Cybersecurity Scheme

The scheme, originally drafted in 2020 by the European Union Agency for Cybersecurity, (ENISA), to enhance the level of cybersecurity for ICT products and services across the EU and to harmonize cybersecurity standards within the Union, has been facing an ongoing deadlock since then. This is because of the sovereignty requirements under the EUCS, which required cloud service providers to register their head office and global headquarters in a Member State to be able to obtain certification under the EUCS. Sovereignty requirements were emphasized by EU cloud vendors such as Airbus due to a perceived need to protect EU citizens’ data.

This requirement has been removed from the current 2024 draft, following pressure from some Member States and Industry Bodies, who argued that it would create significant barriers for non-EU headquartered states to enter the EU cloud market.

Notably, ENISA has been active on the cybersecurity front, also drafting the Cyber Resilience Act in September 2022, for regulating the security of hardware and software products.

Also Read:

Latest article