
Sovereignty requirements for cloud providers unlikely to make it to Commission’s proposal for implementing act


Sovereignty requirements will almost certainly not be included in an EU cloud certification scheme (EUCS), expected to be wrapped up by the end of 2024, a source close to the matter told Euractiv.

The highly technical yet controversial EUCS scheme is at the heart of a debate about what steps Europe should take to protect its infrastructure from third-country actors.

The EUCS aims to set EU-wide criteria for certifying cloud providers over their security attributes. These certifications would then help governments and companies in the bloc to determine the cybersecurity attributes of any given cloud provider when shopping for such services.

The matter was scrapped from the agenda of the 18 June meeting of the European Cybersecurity Certification Group (ECCG), comprised of member states’ cybersecurity authorities under the wing of the Commission. This was a decision based on priorities, said the source.

Another source familiar with the matter explained that member states expected guidance from the European Commission on how such requirements could be put in place outside the EU-wide scheme, which is why the agenda item was discarded.

Once the draft scheme is finalised, the ECCG will issue an opinion.

The ECCG is likely to approve whatever ENISA submits to it without major changes since many of the people sitting in the ENISA ad-hoc group drafting the scheme are national experts who also sit in the ECCG, said the source.

Based on that, the draft could be tweaked once again and then go through the comitology process, where it will be reviewed by representatives of member states and Parliament’s committees before the Commission eventually adopts an implementing act.

The comitology process could derail the scheme and reignite the sovereignty debate, but having agreement from member states at the ad hoc group and ECCG makes this less likely.

The sticking point

The usually dry technical process of setting criteria for certifying cloud providers took an unexpected turn when in 2022, four EU countries, France, Germany, Spain, and Italy, asked the European Commission to get involved, the first source explained.

These countries already had or were considering their own sovereignty requirements, which take into account territorial considerations, to decide what is a secure cloud.

At that point, ENISA started looking into how these sovereignty requirements could be included in the scheme, which the source described as akin to due diligence before buying a company.

Just last week, Amazon Web Services announced two multi-billion dollar investments in “sovereign cloud” in Spain and Germany.

France has been particularly vocal about its support of sovereignty requirements and was working on its own laws.

The idea is to avoid a situation where Chinese or US companies could snoop on sensitive EU data if they have jurisdiction over the cloud providers. Critics, however, have called the measures protectionist.

In the EUCS, these provisions would have required that cloud providers serving critical infrastructure or government be majority-owned by investors based in the EU.

Such criteria were later added to the scheme and then again removed from the latest draft from March 2024, Euractiv has reported.

The scheme is mostly technical, with roughly 600 criteria used, said the person. The sovereignty requirements would have stopped companies from getting the highest level of certification based on non-technical criteria. These could include being headquartered in the EU or a specific member state, as well as being majority-owned by European investors.

The highest level of certification would then be needed to sell services to key entities such as governments or critical infrastructure providers.

[Edited by Zoran Radosavljevic]
