Almost 30 European industry groups warned that the EU should not discriminate against major US tech companies in the upcoming European Cybersecurity Certification Scheme on Cloud Services (EUCS).
The certification scheme is an initiative by the European Union Agency for Cybersecurity (ENISA) which aims to improve the cloud services’ market conditions within the EU market and to help European companies and governments select a trusted provider.
The first draft of the scheme was published in 2020 and included propositions “to harmonise the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certification in EU Member States,” the document read. However, the first draft has been modified more than once in the past four years, and the latest version of the scheme is set to be discussed and reconsidered this week by EU countries, the ENISA and the European Commission.
Prior to this meeting, 26 industry groups from around Europe signed a letter on Monday emphasising the importance of having access to “a diverse range of resilient cloud technologies tailored to their specific needs to thrive in an increasingly competitive global market,” Reuters reported. Signatories include the European Payment Institutions Federation, the German Bundesverband deutscher Banken and the Irish business lobby group IBEC.
The letter to EU countries and legislators says: “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen its resilience and security.” The letter also added that “the removal of both ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements ensures that cloud security improvements align with industry best practices and non-discriminatory principles.”
Disagreements over stricter requirements for non-EU companies
This warning comes as one of the main amendments made to the latest version – the most controversial one – is the removal of the sovereignty requirements proposed in the initial draft. Under the newest version of the scheme, US tech giants can qualify for the highest assurance level without having to set up a joint venture or cooperate with an EU-based company.
Big tech companies such as Google, Microsoft and Amazon welcomed the scrapping of sovereignty requirements, as it allows them to bid for major EU cloud computing contracts.
However, EU cloud vendors have expressed concerns about this amendment to the scheme and said they favour stricter requirements for non-EU tech companies to qualify for the certification.
In a joint letter to relevant authorities signed in April 2024, companies including Airbus, Orange and Capgemini argued for the latest version of the scheme – without the sovereignty clauses – to be rejected. Reuters reportedly viewed the letter, which stated: “Incorporating EU headquarters and European control requirements in the main scheme is necessary to reduce the risk of unlawful data access under foreign laws.” The letter also argued that “removing sovereignty requirements from the scheme would significantly undermine the viability of sovereign cloud solutions in Europe, many of which are either in development or already available on the market.”