EU lawmakers drop sovereignty requirements for cyber security labeling scheme


EU lawmakers have dropped sovereignty requirements for the proposed cyber security labeling scheme, marking a shift away from rules that critics said would severely inhibit non-EU providers.

The proposals would have required non-EU cloud vendors to establish a ‘joint venture’ with providers based in the union in order to satisfy data sovereignty and security rules.

However, new changes mean cloud vendors will only be obliged to provide information about their organizational data structures, according to documents seen by Reuters.

This will include information on where data is stored and customer data processing practices.

The move from lawmakers marks a major pivot, and while the changes are expected to be welcomed by non-EU firms, the decision to drop sovereignty requirements could prompt further confusion.

Several major companies had already begun making relevant moves toward ensuring compliance with the impending regulation.

EU member states will now review the edited draft, after which the European Commission will finalize the requirements.

Cyber security labeling rules raised eyebrows

The original proposals for the rules would have mandated that non-EU cloud operators establish a joint venture with an EU-based company to qualify for the EU cyber security label.

These non-EU operators would only have received a ‘minority stake’ in these joint ventures, designed specifically as points of contact for EU regulators within the region.

This would also have required non-EU cloud providers such as Microsoft or Google to store and process customer data within the region.

“Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values,” the original document read.

These original requirements drew marked criticism from various groups, including European banks, clearing houses, and insurance groups, which argued that technical provisions should prevail over political and sovereignty obligations.

The proposed regulation drew similar criticism from those with stakeholder interests in the non-EU cloud provider ecosystem, with various officials and trade bodies voicing their concerns at the demands made by the regulation.

This backlash came at a time when cloud industry stakeholders were at loggerheads with EU lawmakers over the bloc's approach to regulation.

In March 2023, the European Centre for International Political Economy (ECIPE) issued a report describing the demands of the original draft as “discriminatory” toward cloud providers operating outside of the EU.

These changes come amidst a period of heightened regulatory scrutiny for hyperscale cloud providers such as Microsoft.

The tech giant has come under frequent fire for its alleged lackluster attempts to alter data sovereignty rules to adhere to EU regulations.

Microsoft recently entered into talks with Cloud Infrastructure Service Providers in Europe (CISPE) with a view to resolving an EU antitrust complaint filed back in November 2022.

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.