AmCham EU issued a joint statement alongside key EU digital business organisations to express concerns over several procedural and substantial elements in the Cybersecurity Certification Scheme for Cloud Services (EUCS) currently undertaken within the European Union Agency for Cybersecurity (ENISA). While the EU's ambition to tackle global cyber threats and protect citizens, institutions and businesses through cybersecurity certifications is appreciated, the inclusion of 'digital sovereignty' requirements risks negatively impacting international and European providers of cloud computing solutions as well as organisations that use cloud and require high levels of cybersecurity assurances.

The potential inclusion of 'digital sovereignty' requirements will create complex legal compliance procedures, create obstacles to information sharing, give rise to significant entry barriers for companies and will not necessarily increase levels of cybersecurity. The EUCS discussions have been characterised by limited transparency and lack of stakeholder engagement. Moreover, the different Member States' positions on this issue might result in Single Market fragmentation, should these provisions be adopted. Thus, the signatories urge ENISA and the European Commission to inform and engage with stakeholders throughout the EUCS finalisation process to prevent it from carrying unnecessary and discriminatory requirements.

We set out a number of suggestions that address points which we believe remain highly uncertain. We respectfully encourage co-legislators to consider these concrete recommendations to ensure the workability of the EUCS.