Three years in the making
With this need in mind, in 2020 the European Commission tasked the European Union Agency for Cybersecurity (ENISA) with developing the Cybersecurity Certification Scheme for Cloud Services (EUCS). Unfortunately, through this request, the Commission bypassed the process outlined in the Cybersecurity Act, which requires stakeholder involvement – including consultation with the Stakeholder Cybersecurity Certification Group (SCCG). Moreover, in this process the Commission neither had any strategic guidance nor held discussions in the European Cybersecurity Certification Group (ECCG).
This legal vacuum has tainted the EUCS and led to a lack of transparency and openness that severely worries stakeholders. Since 2020, several draft versions of the EUCS have been informally circulated, all of which include discriminatory sovereignty requirements. Only one public consultation on the draft scheme took place, at the end of 2020, and it did not evaluate these sovereignty requirements.
Since then, all subsequent documents have included discriminatory sovereignty requirements and have never been subject to a proper public consultation, broad stakeholder discussion or impact assessment. In this context, associations, industry, Member States and the EU’s security and trade partners have suggested amendments to reach a workable solution. AmCham EU has also released detailed recommendations. But none of this input has been taken into account by the European Commission and ENISA.
The latest inadequate ‘solutions’
Despite surface-level changes, the recently released EUCS draft scheme retains stringent and arbitrary sovereignty requirements. The EU still justifies these measures by citing national security concerns, which primarily sit within the purview of Member States. However, it is well known that the EU’s competence in this area is restricted.
These discriminatory sovereignty requirements – alongside any non-technical factors – should be removed from the scheme in their entirety to avoid limiting the choice and supply of cloud services, which would increase costs and reduce the quality of the offer. If they are not removed, the objective of reaching 75% cloud adoption among EU enterprises by 2030 will become unachievable. Additionally, and perhaps most importantly, prohibiting non-EU-headquartered cloud operators from obtaining certain evaluation levels would present considerable capacity risks and pose a significant threat of trade retaliation.
The absence of a clear scope, conformity and framing of Evaluation Levels 3 and 4 (EL3 and EL4) also remains problematic. The mention of ‘loss of reputation and competitive advantage’ does not clarify the scope of EL4. Additionally, there is no clarity on what kind of data would fall under the category of ‘data of particular sensitivity’. No distinct use cases for EL3 and EL4 are defined, while the Primacy of EU law section includes contractual requirements that apply across all evaluation levels. This can severely affect non-EU cloud customers, whose contracts are governed by the legal system of their home jurisdiction.
The EUCS is a much-needed scheme that will harmonise the free movement of secure cloud services in the internal market. However, it is crucial to account for the significant impact that the EUCS will have on European security and the European economy.
In order to mitigate any unintended consequences, the European Commission should conduct and publish an impact assessment, and the latest draft should be evaluated through a formal consultation open to public, private and civil society entities. Similarly, the ECCG should be given enough time to review the draft before it is asked to provide its final recommendation – most certainly prior to the start of the formal adoption process (comitology). Finally, national and EU policymakers should clarify what will happen to the existing national schemes (e.g., SecNumCloud or C5) once the EUCS is finalised.
Why does this matter?
With the exponential adoption of cloud services in the EU, there is a growing need for trustworthy cybersecurity systems. These can protect sensitive data, ensure compliance with regulations, maintain service availability, mitigate risks and safeguard trust and reputation. To ensure the continued growth of safe and reliable cloud computing technology, any EU cybersecurity certification scheme must focus on technical measures that strengthen security and resilience, aligned with consensus-based international standards that have proven to work. Without this, the EU will remain vulnerable to ever-rising cybersecurity threats, and we will risk undermining our collective efforts to drive cloud adoption and meet Europe’s Digital Decade targets.