The standard of the future European certification scheme for cloud computing services (EUCS for European Cybersecurity Certification Scheme for Cloud Services) is causing tension, particularly regarding the notion of sovereignty.
Adopted on March 12, 2019, the Cyber Security Act (CSA) has created a cybersecurity certification framework to harmonize assessment procedures and the different levels of certification assurance on a European scale. It is a question of guaranteeing the stability of a product according to a reference system previously adopted by the European Agency governing network and information security (ENISA).
The regulation defines three levels: the primary level for non-critical products intended for the general public, the large level targeting the median risk and the high level for solutions where there is a risk of attacks involving skills or resources “significant“.
The draft certification procedure – consulted by media Euractiv – includes requirements for sovereignty over data localization and impermeability to foreign laws. The European Commission has asked ENISA to include such requirements. “The purpose of these specific requirements is to adequately prevent and limit any interference by states outside the European Union in the operation of certified cloud services.“, Is it written in the document.
A very strict definition of the notion of “control”
Immunity from foreign laws means that only cloud service providers located in Europe and not controlled by external entities can claim a certification scheme. The notion of “control“is defined very little, according to the document. Companies should be”completely independent of non -European laws“.
In addition, exchanges between European suppliers and those based outside the EU need to meet specific requirements in terms of authorization and security supervision. Even companies headquartered in the EU but investors are foreign may have limited access.
Differences between Member States
This future system is not pleasing to everyone. Mainly between Member States. While France, Germany, Italy and Spain fully support these requests, the Netherlands, Sweden and Ireland (which are home to most of the European headquarters of major tech companies in the US) are more concerned. In fact, they fear that they will exclude many companies from the certification scheme.
The development process has also been criticized by the industry. The American Chamber of Commerce in the European Union (AmCham EU), the Computer & Communications Industry Association (CCIA Europe), and the Information Technology Industry Council (ITI) wrote an open letter criticizing the lack of transparency and ‘commitment “stakeholders“in discussions.”The use of internationally agreed standards is essential to ensure the effectiveness of cybersecurity requirements“, they wrote. They added that the requirements for digital sovereignty are”purely political considerations“who will do”complex legal compliance” and no “will not contribute to increased levels of cybersecurity“.
The eternal debate of digital sovereignty
This debate is not new. It appears in similar terms at the French level with the approach “Clouds in the middle“presented by the Minister of the Economy, Bruno Le Maire, in May 2021. It should also be noted that European certification is intended to remove the French label. This means that only certified providers will be able to offer their manufacturing services. hosts in some particularly critical sectors.Problem: today, Amazon (Amazon Web Service), Microsoft (Azure) and Google (Google Cloud Platform) have captured 69% of the European market alone.Dutsche Telecom is in the latter with a 2% market share, followed by companies such as OVHcloud and Orange.
France has made a third path that leaves the door open to American companies. They can offer their services under licenses granted to French companies. This is how Google Cloud signed an agreement with OVHcloud (for which we are still waiting for news), then joined Thales in October 2021. Microsoft approached Orange and Capgemini through a dedicated entity, called “Blue”, whose launch date is still unknown today.
The European project is “under review by the AHWG (Ad-Hoc Working Group), and must be submitted to the ECCG (European Cybersecurity Certification Group) for advice ”, an ENISA spokesperson told EURACTIV. It also needs to be approved by the European Commission. The next ECCG meeting is scheduled for June 28th.