Position paper - Cybersecurity Certification Scheme for Cloud Services (EUCS)

Since 2021, industry has called for the European Commission to adopt the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and resolve the political deadlock by not conflating legal and cybersecurity considerations in a technical instrument. Before the European Cybersecurity Certification Group (ECCG) approves the EUCS as a candidate scheme for the European Commission, the European Union Agency for Cybersecurity (ENISA) should clarify certain concerns about the proposal. 

For instance, the latest draft of the EUCS still contains sovereignty requirements, a form of discriminatory global headquarters and ownership requirements that provoke concern among industry and among the EU’s security and trade partners. Thus, policymakers should explain how the different levels of assurance will impact workloads and critical entities that use cloud services, as well as the reasoning behind applying different levels of assurance.