Nearly 30 European industry groups warned EU not to discriminate against major US technology companies in the upcoming European Cybersecurity Certification Scheme on Cloud Services.
The certification scheme was created by the European Union Agency for Cybersecurity. Its goal is to improve the market conditions for cloud services in the EU and to assist European companies and governments to select a trusted service provider.
The first draft was published in 2020. It included proposals “to harmonise cloud security with EU regulations, standards, and industry best practices as well as existing certification in EU member states,” according to the document. The first draft was modified several times over the past four-year period. This week, EU countries, ENISA, and the European Commission will discuss and review the latest version.
Reuters reports that 26 industry groups in Europe signed a letter Monday, urging the need to have access to “a variety of resilient cloud technology tailored to their needs to thrive on an increasingly competitive global marketplace.” The European Payment Institutions Federation (EPIF), the German Bundesverband Deutscher Banken, and the Irish Business Lobby Group IBEC are among the signatories.
The letter to EU legislators and countries states: “We believe an inclusive and non-discriminatory EUCS will help our members prosper both at home and abroad. It will also contribute to Europe’s Digital Ambitions, and strengthen its resilience, security, and resilience.” The letter added that “the removals of both ownership controls, and Protection against Unlawful Access / Immunity to Non-EU Law requirements ensures that Cloud Security Improvements align with industry standards and non-discriminatory practices.”
Disagreements about stricter requirements for non EU companies
This warning comes at a time when one of the major amendments to the latest version, the most controversial of all, is the removal of sovereignty requirements that were proposed in the original draft. The latest version of the scheme allows US tech giants to qualify for the highest level of assurance without having to establish a joint venture with an EU company or work together.
The EU has a number of major cloud computing contracts that are being bid on by large tech companies like Google and Microsoft.
Content from our Partners
EU cloud vendors, however, have expressed concern about this amendment and said that they prefer stricter requirements to be placed on non-EU tech firms to qualify for certification.
In a letter sent to the relevant authorities in April 2024 by Airbus, Orange, and Capgemini, they argued that the latest version of this scheme, without sovereignty clauses, should be rejected. Reuters reportedly viewed this letter. It stated that: “Incorporating EU Headquarters and European Control Requirements in the Main Scheme is necessary to reduce risk of unlawful data entry under foreign laws.”