The EU’s latest cybersecurity certification draft may pave the way for Amazon, Google, and Microsoft to more easily secure cloud computing contracts within the bloc. According to a recent Routers report, this development comes from the removal of a contentious requirement in the draft rules, which previously mandated that vendors must be independent of non-EU legal jurisdictions. The change could have profound implications for how cloud services are procured and secured across the EU, balancing the drive for cybersecurity with the realities of global tech dominance.
The EU has long grappled with establishing a comprehensive cybersecurity certification scheme (EUCS) aimed at ensuring the cybersecurity integrity of cloud services. Such a scheme is crucial for both governments and private entities in the EU, aiding them in selecting secure and trustworthy vendors for their cloud computing needs. The stakes are high, as the dominance of U.S.-based tech giants in the cloud sector has sparked concerns over potential illegal state surveillance and the stifling of emerging EU cloud providers.
The EU’s shift in requirements for cybersecurity certification
Initially, draft requirements circulated among EU governments proposed stringent “sovereignty requirements.” These included compelling U.S. tech companies to form joint ventures with EU counterparts and to localize the storage and processing of customer data within the EU to be eligible for the coveted EU cybersecurity label. This approach, however, faced backlash from various sectors within Europe, including banks, insurance groups, and startups. Critics argued that the focus should be on technical cybersecurity measures rather than on political or sovereignty considerations.
The latest draft, dated March 22, reflects a pivot from these earlier sovereignty requirements. Instead of demanding independence from non-EU laws or mandating data localization within the EU, the revised rules only require cloud service vendors to disclose the locations where customer data is stored and processed, along with any applicable laws. This adjustment could significantly lower the barriers for Amazon, Google, and Microsoft, allowing them to participate more freely in the EU’s cloud computing market without the need for complex legal restructuring or data localization measures.
EU countries are currently reviewing the updated draft, which will eventually be formalized into a final scheme by the European Commission. This move signals a pragmatic approach to cybersecurity, acknowledging the global nature of cloud computing services while still striving to protect the data and interests of EU citizens and businesses.