‘Big three’ cloud providers face business overhaul to continue EU operations

European Union flags at Berlaymont building of the European Commission in Brussels, Belgium
(Image credit: Santiago Urquijo/Getty Images)

New EU cloud security labeling proposals could force the three major cloud providers to overhaul their business practices in order to continue operating in the region, according to reports.

Draft documents, not yet officially presented to the public, in their current wording suggest providers will be required to engage in a joint venture with an EU-based firm. 

The documents add that non-EU operators, including US firms, will only receive a ‘minority stake’ in such ventures, which aim to improve security by providing an EU-based point-of-contact for regulatory purposes. 

Employees with access to EU data would also be required to undergo screening processes and be located within one of the EU’s 27 member states.

The documents, seen by Reuters, relate to the EU’s plans to introduce a cyber security label that will be required if a company, like Microsoft, Google Cloud, or AWS wishes to handle sensitive data in the EU.

The latest proposals put forward by the EU cyber security agency, ENISA, form part of the EU certification scheme (EUCS), which aims to establish a union-wide certification regime for cloud providers. 

This, ENISA has said, will “further improve the union’s internal market conditions for cloud services by enhancing and streamlining the services’ cyber security guarantees”. 

“The draft EUCS candidate scheme intends to harmonize the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU member states,” ENISA said.

EU data sovereignty 

A key component within the draft documents centers around the requirement that cloud services must be operated and maintained within the EU. 

In addition, the document outlines requirements that customer data stored and processed in the EU will be subject exclusively to EU regulations and take precedence over non-EU laws. 

“Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values,” the document reads.

“Undertakings whose registered head office or headquarters are not established in a member state of the EU shall not, directly or indirectly, solely or jointly, hold positive or negative effective control of the CSP applying for the certification of a cloud service,” it added.

RELATED RESOURCE

Red whitepaper cover with title and logo

(Image credit: TrendMicro)

Solving the cloud-native app puzzle with CNAPP

The value of integrating cloud-native application protection into security and development

DOWNLOAD FOR FREE

The move could spark concern for non-EU cloud service providers - particularly the three major hyperscalers, all of which have a major stake in the union, according to Philip Brining, co-founder and director of Data Protection People. 

"The proposed cyber security labeling rules, which require non-EU cloud providers to establish joint ventures with EU-based firms, may present challenges for providers like Google, Microsoft, and Amazon amongst others,” he told ITPro

“Compliance with the requirements would involve significant restructuring and potential delays in obtaining the EU cybersecurity kite mark. These companies, with their extensive customer bases and data management responsibilities, could face a competitive disadvantage compared to EU counterparts.”

In March, industry stakeholders criticized the EU’s current approach to cloud regulation, noting that its proposals could prove highly inhibitive for non-EU operators. 

A report from the European Centre for International Political Economy (ECIPE) described the proposed certification scheme as “discriminatory” toward non-EU providers. 

A key point of contention highlighted by ECIPE was the requirement that non-EU cloud providers must register their head offices and global headquarters within the region. 

Gavin Millard, Deputy CTO at Tenable echoed Brining’s comments, noting that the current proposals could be highly inhibitive to non-EU-based providers due to the requirement to operate alongside a third party. 

“Whilst the protection of sensitive data from external entities should be paramount, the requirement to have an EU-based third party with a majority stake in the venture could be a ridiculously high barrier for the cloud services providers to do business in Europe,” he said. 

“It could be far more achievable and palatable to mandate and audit the siloing of sensitive data from non-EU employees of the cloud giants, than trying to force a potentially damaging commercial relationship with a third party.”

Millard added that while larger cloud providers could be impacted by the move, smaller organizations and software vendors may also be seriously affected. 

"The draft proposal could also greatly impact other software vendors and businesses, as they've built platforms to be cloud-specific, leveraging services only available on a particular provider,” he said.

“If providers based outside the EU can't provide a cloud platform deemed suitable, it's going to take a significant effort for companies doing business in the EU to reengineer their products to support the ‘EU Cloud’. Implementing could be a huge headache for both US and EU-based organizations, creating unnecessary friction by replacing one risk with another."

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.