A coalition of 26 European industry groups has issued a strong warning against possible discrimination in the EU cybersecurity certificate scheme. They warn that it could unfairly impact major cloud providers like Google, Microsoft, and Amazon.
The warning is intended to preserve a variety of cloud services options for organizations based in the EU, following the recent rollbacks of stringent requirements within the EUCS framework. The EUCS requirements were first drafted by ENISA 2020. They sought to ensure that EU citizens’ data was protected according to EU standards even if it was processed outside of the bloc, like in the United States.
In March 2024, the EUCS requirements changed significantly. The sovereignty requirements that would have forced US organizations to form a joint-venture within the EU, or work with a company based in the EU for data storage and process, were removed. This adjustment was made to address growing concerns about maintaining an open and competitive market for cloud services across Europe.
Related to New US Cybersecurity Strategy Advocates Tech Regulation
In a letter sent together, the industry groups stated: “We believe an inclusive and nondiscriminatory EUCS, which supports the free flow of cloud services across Europe, will help our members prosper both at home and abroad. It will also contribute to Europe’s digital goals and strengthen its resilience.”
They also stated that “the removal of both ownership control and Protection against Unlawful Access / Immunity from Non-EU Law requirements (INL) ensures that cloud security improves align with industry best practice and non-discrimination principles.”
Cloud computing is a multibillion-euro market with rapid growth predicted in the EU. The industry groups believe that a wide selection of cloud service providers will help to foster innovation, economic growth, and digital resilience.
Not all stakeholders are in agreement with these changes. Several prominent EU cloud service providers, including Airbus, Orange, and Deutsche Telekom, have expressed concern about the potential risks of eliminating the sovereignty requirements. They claim that allowing non EU entities to access EU data without restrictions could lead to violations in EU data protection laws as well as unauthorized access to sensitive data under foreign jurisdictions.
Source: Tech radar