
Sovereignty requirements for cloud providers unlikely to make it to Commission’s proposal for implementing act


Sovereignty requirements will almost certainly not be included in an EU cloud certification scheme (EUCS), expected to be wrapped up by the end of 2024, a source close to the matter told Euractiv.

The highly technical yet controversial EUCS scheme is at the heart of a debate about what steps Europe should take to protect its infrastructure from third-country actors.

The EUCS aims to set EU-wide criteria for certifying cloud providers over their security attributes. These certifications would then help governments and companies in the bloc to determine the cybersecurity attributes of any given cloud provider when shopping for such services.

The matter was scrapped from the agenda of an ad hoc working group of ENISA, the EU’s cybersecurity agency, on 18 June. This was a decision based on priorities, said the source.

Another source familiar with the matter explained that member states expected guidance from the European Commission on how such requirements could be put in place outside the EU-wide scheme, which is why the agenda item was discarded.

Once the draft scheme is finalised, the European Cybersecurity Certification Group (ECCG), comprising member states’ cybersecurity authorities under the wing of the Commission, will issue an opinion.

The ECCG is likely to approve whatever ENISA submits to it without major changes since many of the people sitting in the ENISA ad-hoc group drafting the scheme are national experts who also sit in the ECCG, said the source.

Based on that, the draft could be tweaked once again and then go through the comitology process, where it will be reviewed by representatives of member states and Parliament’s committees before the Commission eventually adopts an implementing act.

The comitology process could derail the scheme and reignite the sovereignty debate, but having agreement from member states at the ad hoc group and ECCG makes this less likely.

The sticking point

The usually dry technical process of setting criteria for certifying cloud providers took an unexpected turn in 2022, when four EU countries (France, Germany, Spain, and Italy) asked the European Commission to get involved, the first source explained.

These countries already had or were considering their own sovereignty requirements, which take into account territorial considerations, to decide what is a secure cloud.

At that point, ENISA started looking into how these sovereignty requirements could be included in the scheme, which the source described as akin to due diligence before buying a company.

Just last week, Amazon Web Services announced two multi-billion dollar investments in “sovereign cloud” in Spain and Germany.

France has been particularly vocal about its support of sovereignty requirements and was working on its own laws.

The idea is to avoid a situation where Chinese or US companies could snoop on sensitive EU data if they have jurisdiction over the cloud providers. Critics, however, have called the measures protectionist.

In the EUCS, these provisions would have required that cloud providers serving critical infrastructure or government be majority-owned by investors based in the EU.

Such criteria were later added to the scheme and then again removed from the latest draft from March 2024, Euractiv has reported.

The scheme is mostly technical, with roughly 600 criteria used, said the ENISA person. The sovereignty requirements would have stopped companies from getting the highest level of certification based on non-technical criteria. These could include being headquartered in the EU or a specific member state, as well as being majority-owned by European investors.

The highest level of certification would then be needed to sell services to key entities such as governments or critical infrastructure providers.

[Edited by Zoran Radosavljevic]
