The European Commission continues to intervene in the digital market, this time through the European Cloud Service Provider Certification Scheme - EUCS, with which the Commission is attempting to introduce highly controversial "sovereignty" requirements and offer voluntary three-tier certification for cloud structures in the bloc.
It all sounds good in theory - the favored option is a coordinated approach across Member States to support digital transformation and the completion of the digital market. However, the devil is in the detail. According to a leaked draft of the document, only those companies headquartered within the Union would receive the highest level of security. This automatically excludes non-European providers from large parts of the EU market for cloud services (and could drive them out altogether), and it puts in a difficult position both smaller European companies that use the services of large US tech companies and government organizations whose servers also rely on their infrastructure.
The problem is that the issue has gone from being too technical to highly political, and information is scarce. In this regard, the European Parliament has taken a strong position to extend its powers to amend or completely delete the draft proposal.
The new European certification scheme for cloud services
The European Certification Scheme for Cloud Service Providers is a voluntary certification under the EU Cybersecurity Act, which is currently being negotiated between countries. It is expected that the scheme's certificates will be applicable in all European countries and can be used for all types of cloud services - IaaS, PaaS, SaaS, etc. The aim is to increase trust in cloud services by defining three security levels - "Basic", "Substantial" and "High".
A draft of the regulation leaked last year sparked a backlash because it contained "sovereignty" requirements that would effectively exclude foreign companies from much of the European cloud market. France was the first country to include this exclusion of foreign cloud providers in its national SecNumCloud system. Internal Market Commissioner Thierry Breton attempted to replicate this approach at EU level, but faced strong opposition from more market-friendly countries such as the Netherlands. As it turned out, however, France strongly supports the proposal, as it could become one of the major players in the market.
OVHcloud, a French company that is one of Europe's largest providers of cloud computing, dedicated servers and other web services, told KInsights that the European certification scheme for cloud service providers will not immediately replace national certification schemes once adopted.
Co-legislators want more EP intervention and impact assessment
The lack of clear positions in the negotiations and of an initial analysis of the impact of the legislation on the economy is worrying both politicians and companies. "Our concern is triggered by leaked information that the regulation contains requirements that should have been negotiated politically ('sovereignty requirements'). Last year, we pointed out that there is no agreed definition of 'sovereignty' at EU level that would justify the inclusion of requirements of a political nature in such technical documents. Any interference with the freedom of economic activity in the EU must be a political decision taken with democratic legitimacy and accountability," says Svetlana Stoilova, digital economy advisor at BusinessEurope (the lead lobbying organization representing business in Brussels).
She adds that the proposal requires a solid analysis of the EU market and opportunities in the EU (taking into account the needs of sectors, different sizes of companies, etc.) to be carried out for the EC. "This is the politicians' homework that needs to be done," Stoilova adds.
"I do not agree with the way and procedure of adopting the European cloud certification scheme. That is why I have proposed amendments to the Cybersecurity Act, which have been voted on in the Committee on Industry, Research and Energy on Wednesday," Dutch MEP Bart Groothuis told KInsights. The amendments refer to the possibility of authorizing the European Parliament to approve or completely reject the regulation. Other amendments include the mandatory requirement for an impact assessment, public consultations with relevant stakeholders and national representatives, etc.
The Ministry of eGovernment told KInsights that "Bulgarian interests will be protected in the best possible way during the negotiations. Certainly, the EUCS does not lead to a self-serving restriction of the EU market for third-party providers, but to an opportunity to increase security in general, unless it is mandatory." And they add that they still expect "an ex-ante analysis on the impact to be carried out before a decision is made".
What companies should look out for
According to the European Cybersecurity Agency, both public and private organizations should decide whether and what level of protection they need based on their own risk and cost assessment. "As for the 'High' level, certified cloud services at this level are expected to implement state-of-the-art measures that may have an impact on operational costs. However, we do not expect prices to increase as many cloud providers are already operating at this level, particularly those that are differentiated in terms of security. The regulation will encourage providers to diversify their cloud services so that each organization can choose the right level of protection for itself," says the agency.
The problem is how this will affect customers and whether they are willing to make their data available to organizations that use a lower level of security certification. "The role of the certification scheme, whether national or European, is to provide different levels of protection for different needs and types of data. And if the data is particularly sensitive or subject to a specific regulation, the user must choose a cloud provider whose services are compatible with that particular regulation," says OVHcloud.