A number of industry groups across Europe have warned that the EUCS cybersecurity certification scheme should not discriminate against cloud giants such as Google, Microsoft and Amazon.
The warning from a total of 26 industry groups looks to ensure a wide range of cloud service providers remain available to EU-based organizations, with previous EUCS requirements being scrapped or weakened.
In March 2024, the sovereignty requirements, which would have pushed US organizations to establish a joint venture within the EU or team up with an EU-based company for customer data storage and processing, were taken out of the EUCS requirements.
Regulation vs competition
The EUCS requirements were originally drafted in 2020 by ENISA as a way to protect the data of EU citizens to the same EU standard if their data were to leave the bloc, for example to be processed in the US. The cloud market is a multi-billion euro industry, and rapid growth has been forecast within the EU.
A joint letter written by the 26 industry groups stated, “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen its resilience and security.”
“The removal of both ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements ensures that cloud security improvements align with industry best practices and non-discriminatory principles.”
A number of EU cloud providers, including Deutsche Telekom, Airbus, and Orange, have pushed back against the scrapping of the sovereignty requirements, believing that non-EU countries could use their own laws to violate EU data protection and gain access to the data.
Via Reuters