Europe Россия Внешние малые острова США Китай Объединённые Арабские Эмираты Корея Индия

EU’s digital quest: Cybersecurity governance and sovereignty at a stake?

11 months ago 38

In its digital quest, the EU stands at a crossroads, employing the European Cybersecurity Certification Scheme (EUCS) to balance cybersecurity, autonomy, and global aspirations while probing the efficiency of governance and sovereignty, writes Francesco Cappelletti.

Francesco Cappelletti works as a Policy and Research Officer at the European Liberal Forum (ELF) and is currently a PhD candidate in Cybersecurity Law at Vrije Universiteit Brussel.

Securing EU data globally

Connecting the unconnected’ offers both opportunities and risks. The EU has significantly advanced in cybersecurity, with initiatives like the revised NIS Directive, the Cybersecurity Act and the upcoming Cyber Resilience Act. These aim to enhance cybersecurity, harmonise standards, and establish an EU-wide certification framework.

Moreover, ENISA is drafting a new EUCS. This scheme aims to ensure secure data flow across the EU, while safeguarding the security of cloud systems for the Digital Single Market. The proposed Cloud Service Scheme includes sovereignty requirements to protect EU data from non-EU laws, such as data localisation and corporate control, restrictions on foreign ownership, the location of headquarters, and local staffing.

EU’s ‘digital sovereignty’ aims to boost competitiveness and innovation in the digital single market, offering European digital industries equal opportunities to compete with major tech firms. This requires balancing independent decision-making, strategic global collaborations, and aligning data control with European standards.

However, the approach has been criticised for misinterpreting the reality of global European businesses. These rules could limit European cloud market choices and fail to address non-EU access issues. The Cloud Service Scheme impacts how European companies do business worldwide, especially with important partners like the US, hampering their growth and ability to compete. Such limitations could adversely affect the EU’s GDP and impede its involvement in global technological progress over the long term.

The plan could hurt cybersecurity by limiting the transfer of top-notch EU-approved data to other countries. Fragmented EU cybersecurity standards and practices hinder effective combat against growing cyber risks.

Digital sovereignty and clouds

As anticipated, sovereignty is one of the most critical and divisive issues surrounding the EUCS. Semantics matters, and one wonders if this word does not act as a scarecrow for many. Varying viewpoints among industry players and member states raise concerns about whether the current proposals are more politically motivated than genuinely aligned with the EU’s digital aspirations.

For instance, some EU countries might prioritise stricter data protection and local control, emphasising national security concerns and fearing data vulnerability. In contrast, others may favour policies that encourage cross-border data flow to promote innovation and economic growth.

A different perspective suggests that establishing a robust, self-reliant European digital infrastructure could be a strategic move. In this view, EU-based companies may support rigid EUCS standards they can readily meet. Nonetheless, Europe must develop cloud computing and data management alternatives, balancing sovereignty and interoperability – while remaining open to global technological advancements.

Digital sovereignty, then, does not necessarily lead to technological isolation. Instead, it can be a catalyst for a competitive and innovative European digital market that adheres to European values and standards.

This raises questions about the European cloud providers’ readiness to meet global standards. In the absence of American and other non-European tech, can Europe ensure the highest level of data safety and effectively guard against the escalating wave of cyberattacks?

Within the proposed scheme, a viable solution would be to eliminate the sovereignty requirements from the EUCS. Regulations such as DORA, GDPR, and NIS2, already offer robust tools for ensuring operational resilience and supervising ICT critical third-party providers. And so, the focus should be on an implementing Act centred exclusively on technical requirements.

Finding a balance

An open discussion is crucial to align diverse national interests and policy priorities among EU member states stemming from varying levels of technological advancement and differing economic dependencies. Balancing open trade, cybersecurity, and sovereignty is a complex challenge for EU policymakers. Fast-paced innovation demands ‘smart’ policies that balance economic impact, stakeholder input, global trade, innovation, and digital sovereignty.

The ongoing debate on the EUCS underscores the importance of striking such a balance, with growing urgency for Europe to foster transparent and inspectable digital services and move beyond certification-based trust only. Given the fluid geopolitical landscape and the EU’s dependence on foreign technologies, a unified European cloud infrastructure is essential for ensuring digital autonomy and competitive strength in the global tech landscape.

The latest EUCS revisions suggest a more flexible, tiered approach to sovereignty, considering EU states’ and non-EU providers’ concerns. This approach could represent a middle ground between EU-based companies and non-EU firms advocating for flexibility, showing the need for dynamic policymaking in the digital sector.

Amid these challenges, a crucial need emerges for a unified EU strategy, crafted by policymakers and in collaboration with stakeholders. This strategy must bolster the tech industry, stabilise the market, and safeguard data sovereignty. It is essential to prioritise the integration of data and infrastructure management, ensuring that the direction of the EUCS aligns with these goals and provides clear guidance to the industry.

Read Entire Article