A proposed cybersecurity certification scheme (EUCS) for cloud services should not discriminate against major U.S. tech companies like Amazon, Alphabet’s Google, and Microsoft, according to a coalition of 26 industry groups across Europe.
These groups voiced their concerns on Monday before a crucial meeting between the European Commission, the EU cybersecurity agency ENISA, and EU countries.
Background of the EUCS:
The EUCS aims to assist governments and companies in selecting secure and trusted vendors for their cloud computing needs. The global cloud computing industry, which generates billions of euros annually, is expected to continue its rapid growth. The scheme has undergone several revisions since ENISA first introduced a draft in 2020.
Recent Changes and Industry Concerns:
A version of the scheme from March removed the previously proposed sovereignty requirements. These requirements would have forced U.S. tech giants to establish joint ventures or cooperate with EU-based companies to store and process data within the EU to qualify for the highest level of the EU cybersecurity label.
In a joint letter to EU countries, the industry groups stated, “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen its resilience and security.”
Key Points of the Industry Groups:
The letter emphasized the following points:
- Non-Discriminatory Principles: Removing ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements aligns the EUCS with industry best practices and non-discriminatory principles.
- Access to Diverse Technologies: Members must have access to various resilient cloud technologies tailored to their specific needs to compete effectively in the global market.
Signatories of the Letter:
The letter was signed by a range of organizations, including:
- The American Chamber of Commerce to the EU in several European countries
- The European Payment Institutions Federation
- National industry associations such as the Czech Confederation of Industry, Denmark’s Dansk Industry, Germany’s Bundesverband deutscher Banken, and others
Opposition from EU Cloud Vendors:
Conversely, EU cloud vendors such as Deutsche Telekom, Orange, and Airbus have advocated for sovereignty requirements within the EUCS.
These companies are concerned that non-EU governments may unlawfully access Europeans’ data under their respective laws.