Major European industry players including Airbus, OVHcloud, and Orange condemned a recent decision by the European cybersecurity agency (ENISA) that would no longer differentiate between cloud providers based on their origin, in a letter seen by Euractiv.
The bloc’s cybersecurity agency, ENISA, which coordinates the work on the EU cybersecurity certification scheme (EUCS), decided to delete references to sovereignty requirements in its latest draft, dated 22 March and reported by Euractiv.
The EUCS aims to create an EU-level certification scheme that would help governments and companies in the bloc to determine the cybersecurity attributes of any given cloud provider when shopping for such services.
The scheme lays out different levels of protection based on the sensitivity of the data handled.
“We believe the inclusion of sovereignty requirements is necessary to overcome market fragmentation” and “protect European organisations’ most sensitive data,” wrote the 18 signatories in the open letter.
The letter calls on “Member States to reject any [EUCS] proposal” that does not include sovereignty provisions.
The letter reiterates that sovereignty requirements are important to address the risk of unlawful data access by foreign governments. As such, these provisions also protect user privacy, the letter stated.
The provisions are seen by their supporters as a crucial tool to protect EU companies and governments against the powers of foreign governments.
The letter cites the Chinese National Intelligence Law and the US Cloud Act as laws that European cloud providers and users should be protected against.
These laws could give national security agencies the possibility to access third-party data handled by their homegrown companies.
Signatories added that the current draft of the rules will lead to market fragmentation, as the responsibility of defining sovereign elements will fall upon national regulators.
The companies pointed out that the EUCS scheme will contradict the EU’s data-sharing law, the Data Act.
The act prohibits the unlawful access of foreign governments to non-personal data, stressed the signatories.
ENISA’s dedicated working group is scheduled to meet on 15 April to discuss the cloud certification scheme.
Signatories included energy provider EDF; Dassault Systèmes, which owns cloud service provider Outscale; tech companies Sopra Steria and Capgemini; as well as telecom companies Deutsche Telekom, Telecom Italia, and Proximus.
[Edited by Rajnish Singh]