The aerospace, security and defence industry is set to voice concerns about an EU-wide cloud cybersecurity certification scheme (EUCS) in a position paper to be published, its representatives told Euractiv.
EUCS has been the subject of much heated debate over so-called sovereignty requirements. Provisions could have set requirements around a company’s domicile, setting up joint ventures with local firms, or being majority-owned by EU investors, to achieve the highest level of the cybersecurity certification.
The certification scheme is seen as key to securing European critical data from third countries at a time of geopolitical tensions.
The Association of Space and Defence (ASD), which represents 4,000 companies according to its website, will call for provisions on data localisation and contractual guarantees to ensure industrial data does not fall into foreign hands, Giorgio Mosca, chair of the ASD cybersecurity task force, told Euractiv. The position paper has already been sent to the Commission and is to be published soon.
“To us, it is not an issue of sovereignty. In fact, it is an issue of location. Knowing where your data is and adding a higher guarantee that you can access it,” without disruptions, said Mosca.
Contractual guarantees would protect EU companies from the extraterritorial reach of non-EU laws, ensuring cloud providers don’t hand over data to foreign authorities, he said.
Major industrial and tech companies have previously expressed concerns similar to those of ASD. However, at a time when Europe is considering boosting its defence capacity, this particular industry could hold more influence.
A group of companies including Airbus published a letter similar to ASD’s in early June, which is currently making the rounds for signatures.
“We know that we are going to be asked to provide a certain guarantee in the new European defence industrial strategy,” including a security supply regime that is still under discussion, said Mosca.
For the defence industry to be able to provide assurances on the security of its supply chain, it needs “a certain level of control” over how it manages its relations with its contractors, which these days inevitably means data and the cloud, he said.
The defence industry is specifically concerned with potential intellectual property theft or security issues in their industrial and supply chain data, said Mosca.
Choose your own sovereignty
It may, however, be too late as the sovereignty requirements are expected to be discussed at a meeting of the European Cybersecurity Certification Group (ECCG), comprising experts from cybersecurity authorities of member states, all under the wing of the Commission, in early July.
The sovereignty requirements are almost certainly not on the table for the EUCS and won’t make it to the Commission’s implementing act, a person with knowledge of the matter, who declined to be identified discussing internal negotiations, told Euractiv.
Even after the draft is finalised, the scheme still has several hurdles to pass within the Commission and the Parliament before it is adopted.
Still, member states can draw up their own rules to ensure data sovereignty outside the scheme.
Large players like Amazon Web Services and Oracle have announced “sovereign cloud” plans for EU countries, which they plan to operate independently from the rest of their infrastructure, with the data staying within a country’s borders.
Many companies in the defence sector work across member states, and having increasingly harmonised rules could help ease the regulatory burden, said Mosca. This was partly the point of creating an EU-wide scheme.
“Shifting the responsibility for defining requirements to the national level would inevitably lead to” divergence, says the ASD’s position paper, as seen by Euractiv.