EU cloud security certification proposals could harm overseas cloud providers, industry lobbyists have warned.
A report from the European Centre for International Political Economy (ECIPE) has described the proposed EU Cloud Certification Scheme (EUCS) as “discriminatory” towards non-EU cloud providers.
Under proposals lodged by the EU Agency for Network and Information Security (ENISA), the EUCS will require cloud service providers to register their head offices and global headquarters within the EU.
The scheme will also require providers to operate their cloud services within the union, as well as carry out the storage and processing of customer data locally too.
A key point of contention, according to the ECIPE report, is that ENISA will include “immunity” requirements. This provision would mean that a cloud service provider is immune from non-EU law.
These immunity requirements risk “opening a Pandora’s box”, the report warned, and could pave the way for data localisation, foreign ownership restrictions, and create an exclusionary environment for non-EU cloud service providers.
“It would empower the European Commission and member state authorities to exclude foreign businesses from domestic cloud services markets and set a dangerous precedent for any data-intensive sector,” the report claimed.
US-headquartered companies, which currently serve more than 75% of the EU cloud market, would be most affected by such immunity requirements, ECIPE noted, and long-term this could result in “retaliatory tariffs” on EU service exports.
“It seems that the immunity provision will mean that entities which are not headquartered in the EU will not be given the highest level of security certification, since they are susceptible to the laws that apply to their headquarters operations,” said Frank Jennings, partner and head of commercial at Teacher Stern, to IT Pro.
“So, US and UK providers could implement the best levels of security but will not be given the highest level of certification because of potential access to data they hold by their governments.”
Jennings agreed that the proposals could create an abrasive environment for non-EU providers, adding that while this does not represent an outright ban on overseas cloud providers, it could “make it more difficult for them to compete inside the EU against EU-based providers”.
“In practice, it is likely to create international tensions given how much cloud is provided from outside the EU,” he said. “This might disrupt cloud provisions inside the EU, with retaliatory actions by other countries or trading entities, leading to fragmentation of cloud.”
Trend Micro security predictions for 2023
Prioritise cyber security strategies on capabilities rather than costs
Jennings said this specific requirement appears “consistent with the disquiet” surrounding the influence of foreign governments on organisations currently operating in the EU.
Companies with links to the Chinese government, such as TikTok, ZTE, or Huawei, have come under intense scrutiny from lawmakers in recent years as the EU seeks to prevent outside influence or the expatriation of member state data to foreign entities.
TikTok recently announced plans to set up data centres within the EU to assist with regulatory compliance and assuage concerns.
Similarly, the US government used its Cloud Act to seek to force Microsoft to hand over customer data it was holding in its Dublin data centre.
According to ENISA, the EUCS seeks to establish an EU-wide certification regime for cloud providers that will “further improve the union’s internal market conditions for cloud services by enhancing and streamlining the services’ cyber security guarantees”.
“The draft EUCS candidate scheme intends to harmonise the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU member states,” ENISA said in 2020.
This will see a certification scheme created with three specific levels of assurance - “basic”, “substantial”, and “high”.
