The European cybersecurity certification system for cloud services


EUCS

ENISA designed the EUCS as a “voluntary” cybersecurity certification scheme that companies can use to demonstrate the robustness of their confidentiality and security measures. In practice, however, customers may include EUCS as a requirement in a call for tenders, which effectively makes certification compulsory. In addition, the Network and Information Security Directive (NIS2) allows EU governments and the European Commission to require that cloud customers use only cloud services certified under the EUCS.

The EUCS certification scheme for CSPs classifies its security levels as “basic”, “substantial”, “high” and, in its latest version, “high+”. The current EUCS draft includes a sample certification application. The application has a mandatory CSP identity section in which each provider would be required to register its nationality by giving its office and head office. The EUCS would ultimately promote Europe's “digital sovereignty” objectives by requiring that a CSP be based and operated in an EU member state to receive the highest assurance level. This effectively prevents non-European CSPs from reaching the same high assurance levels of certification as European CSPs. In addition, the European Commission has asked ENISA to add immunity requirements to the EUCS so that CSPs would be required to demonstrate legal immunity from foreign jurisdictions, an impossibility for American companies, which must remain in compliance with American law.

In addition to the protectionist aspirations to elevate EU CSPs and to remove European dependence on American companies, the Centre for European Reform emphasizes that ENISA's strong commitment to EUCS also stems from lasting EU concerns about American companies providing EU data to foreign governments. However, this argument would have more weight without the current primacy of American CSPs in the European Union. As Matthias Bauer, director of the European Center for International Political Economy, argues, “Political intention is to withdraw foreign suppliers, but it will of course also have ramifications for EU companies which are more or less based on cloud computing services.” Cutting the ability of American CSPs to serve the European market can ultimately decrease the cybersecurity of EU companies, because EU cloud service companies are struggling to provide the same cybersecurity capabilities as American providers like Amazon Web Services or Google Cloud. Although EUCS can ultimately promote the growth of European CSPs through protectionist trade and investment policies, its immediate impact would be to force European companies to contract with smaller and perhaps less secure cloud services.

Opposition to EUCS

EU countries are divided in their positions on EUCS, but France, Italy and Spain have remained its main supporters. France has launched its own cloud security program, known as the “Confidence cloud doctrine”, and its own cloud cybersecurity certification scheme, known as SecNumCloud. These initiatives require that cloud providers not be subject to non-EU laws. French regulations explicitly provide that any company that is more than 39% foreign-owned is not eligible for the certification. Consequently, American companies must partner with, and transfer technology and control to, a local company in order to compete for cloud business with French public sector agencies and commercial entities designated as “operators of vital importance”.

For their part, Denmark, Estonia, Greece, Ireland, Lithuania, Poland, Sweden and the Netherlands have reportedly issued a joint non-paper opposing the EUCS. These countries also question ENISA's jurisdiction in this area, urging that, as a political matter, the EUCS should be decided by the European Council rather than handled as a regulatory question. In particular, the joint non-paper recommends that ENISA delete the nationality requirements from the certification scheme.

The United Kingdom, too, has raised objections. At a December 2022 meeting of the Trade Partnership Committee under the Trade and Cooperation Agreement, the United Kingdom criticized data localization policies in the European Union, stressing that they could undermine digital trade between the United Kingdom and the European Union. The United Kingdom expressed its concerns about the compatibility of EUCS policies with the digital trade titles of the Trade and Cooperation Agreement as well as with the WTO Agreement on Government Procurement.

In June 2022, the US Chamber of Commerce to the European Union (AmCham EU), the Software Alliance (BSA), the Computer and Communications Industry Association (CCIA) and the Information Technology Industry Council (ITI) issued a joint declaration expressing concerns about Europe's objectives. According to this declaration, “the potential inclusion of the unnecessary requirements of ‘digital sovereignty’ risks the risk negatively on international and European service providers of cloud computing solutions, as well as organizations that use the cloud and require high levels of cybersecurity.” This broad group of American industry associations maintains that the complex legal compliance requirements contained in the scheme will effectively dilute its potential EU cybersecurity benefits. It also criticizes ENISA for not having considered the perspectives of the main stakeholders in the EU in formulating the EUCS. Because there is a concern that the scheme will in fact help to increase the market share of Chinese CSPs in the European Union, the US Chamber of Commerce recommends that the EUCS adopt a risk-based approach that considers the company's practices, as well as whether the company has its head office in an allied or rival country.

Incompatibility with the WTO Agreement on Government Procurement

The EUCS is contrary to the obligations of the European Union under the Government Procurement Agreement, which aims to “ensure open, fair and transparent competition conditions on public procurement markets.” For example, according to Euractiv, the current EUCS draft requires that companies have their registered office in the European Union, store European data within the European Union and restrict access to this data to the European Union in order to obtain “high+” certification. These manifestly discriminatory requirements will act as a significant barrier to market access and could therefore constitute a violation of the European Union's trade obligations under the WTO Government Procurement Agreement. The European Union, on the other hand, has maintained that the EUCS complies with the WTO agreements by pointing to the exceptions in the Government Procurement Agreement. The agreement permits discrimination against foreign companies on grounds of national security and confidentiality, provided that the policies are necessary, proportionate and as minimally restrictive as possible.

The Office of the US Trade Representative rejects this defense, as shown by American ambassador María Pagán's remarks to the World Trade Organization in June:

“Notwithstanding our close strategic partnership, it is important to recognize … that certain American goods and services face persistent obstacles on the EU market. These obstacles limit the advisability of American workers and businesses to benefit from the transatlantic transaction … The EU has proposed a new cybersecurity certification regime for the supply of cloud services that would close foreign access.

Conclusion

In November 2021, the European Data Protection Office wrote a letter in support of new data localization measures. It cited the Schrems II judgment of the Court of Justice of the European Union, which raised obstacles to transfers of data from Europe to the United States. However, in light of the recently agreed EU data privacy framework, which introduces new binding safeguards to respond to the concerns raised by the European Court of Justice about the adequate protection of personal data transfers, this will be a more difficult argument to make. The EUCS framework clearly violates trade rules by denying more competitive CSPs, including the top players in the United States, fair and non-discriminatory treatment. The long-term consequence of EUCS may well be a weakening of EU security, because the current ENISA proposal will reduce the capacity of European companies to access high-quality cybersecurity services and further decrease Europe's ability to compete globally in many sectors. To avoid new discrimination against American providers, US trade officials should insist that ENISA reassess the EUCS's adherence to international law, as well as its potential unintended consequences for EU companies and national security.

Meredith Broadbent is a principal (non-resident) at the Scholl Chair in international affairs at the Center for Strategic and International Studies in Washington, DC.
