The Hague-led coalition against the European Commission’s push to include sovereignty requirements in the European Cloud Services (EUCS) scheme has grown to 12 EU countries, including Germany, that jointly presented negative commentary to the latest draft.
The ministers of the Netherlands, Poland, Germany, Ireland, Romania, Czechia, Finland, and Estonia took the floor at the Telecom Council on Tuesday (5 December) to criticise the Commission’s attempt to include sovereignty requirements in the scheme.
“We feel there’s a need to draw the Council’s attention to this scheme today,” said Dutch state secretary Alexandra van Huffelen, opening the dances.
“We see the risk that the sovereignty requirements included in the scheme will create unfair competition between the EU member states and might also result in a market access barrier, which could negatively impact our strategic partnerships with countries like the US and Japan,” she said.
The chance came with the discussion on a targeted revision of the Cybersecurity Act, the legal basis for the cloud scheme, which the Commission proposed as part of the Cyber Solidarity Act, offering the flank to those unhappy with how the EU executive has been managing EUCS.
In the European Parliament, MEPs voted in favour of turning the adoption of certification schemes from an implementing to a delegate act, which would give them the power to veto the final draft.
“Commission is still in denial of its own role in this process: they made a technical scheme political, on purpose, and this has created backlash both in Council and in Parliament. Now the question is; is the Commission willing to come closer to the other institutions, to actually play the role of the honest broker?” Bart Groothuis, the Dutch MEP behind this amendment, told Euractiv.
The sovereignty requirements are strongly pushed by France and its Commissioner, Thierry Breton, who were essentially alone in defending them during the ministerial discussion. Although the scheme is voluntary, the scheme might be made mandatory for certain entities, excluding non-European cloud companies from large chunks of the European market.
Two weeks ago, Euractiv revealed a new version of the scheme with somewhat watered-down requirements presented at the European Cybersecurity Certification Group on 20 November.
During the meeting, the European Commission stated its intention to present the last version of the scheme in December. However, the proposed compromise does not yet satisfy the sceptical countries.
Therefore, the already mentioned countries, together with Greece, Sweden, Latvia, and Slovakia, got behind comments on the latest draft dated 1 December and seen by Euractiv.
The countries complained that the deadline to provide comments was too short to analyse the compromise thoroughly. Hence, the commentary is deemed incomplete, and the idea of wrapping things up by the end of the year is considered unrealistic.
EU cloud scheme slightly tones down sovereignty requirements
A new draft of the European Cloud Services scheme, seen by Euractiv, was circulated ahead of a meeting of the European Cybersecurity Certification Group on Monday (20 November), with some tweaks on the controversial sovereignty requirements.
The 12 governments are asking for a public consultation to be conducted on the current draft, considering that the consultation in 2020 was based on a version that did not include the sovereignty requirements.
“Please be aware that the market is not prepared for the EUCS, as versions are not publicly shared with stakeholders,” the text reads.
The member states also criticise the cost-benefit analysis informing the draft scheme for merely focusing on the quantitative aspects without addressing the specific impact of the sovereignty requirements, now turned into protection against unlawful access to EU data.
The comments include a request for a legal analysis on the sovereignty criteria for the level of assurance high+, in particular concerning the concept of control from a non-European entity like a parent company.
The document criticises the idea of using the sovereignty requirements to address compliance with other regulations, the introduction of evaluation levels to integrate the sovereignty requirements, and the mention of categories of entities like defence and public procurement that are excluded from the scope of the Cybersecurity Act.
The signatories also point to the possible economic impact of the criteria, which would also make the scheme less flexible to future changes and introduce new tasks for National Cybersecurity Certification Authorities that require specific legal competencies.
Additionally, the concerned countries would like the scheme to reference two technical standards currently being developed within CEN/CENELEC on cybersecurity criteria and assessment methodology.
The paper further objects to the lack of specification of secondary cloud services, the use of the notion of automated monitoring since it was removed from CEN/CENELEC and other concepts developed in the standardisation bodies.
“From the analysis of the response from ENISA regarding the comments of the earlier version draft and the comparison with the text of the current draft, we identified that a number of comments have not been addressed yet but were confirmed,” the document reads.
[Edited by Nathalie Weatherald]