A joint paper obtained by EURACTIV details six possible scenarios to deal with the controversial sovereignty requirements in the upcoming certification scheme for cloud providers.
The European Commission has been pushing to include sovereignty requirements in the Cybersecurity Certification Scheme for Cloud Services (EUCS), the first certificate under the EU’s Cybersecurity Act.
These sovereignty requirements are intended to put EU data out of the reach of foreign jurisdictions, notably by requiring that data be stored and processed in data centres located in the EU, immunity from non-EU laws, and conditions on the people or organisations that control the cloud provider.
Although the scheme per se is not mandatory, its assurance level ‘high’ might become mandatory for sectors such as energy operators and banks, which are deemed highly critical under the recently revised Network and Information Security Directive (NIS2).
The Netherlands and smaller member states have opposed the sovereignty requirements, while France, Italy and Spain rallied behind Commissioner Thierry Breton’s push toward ‘technological sovereignty’. The two camps have discussed a potential compromise in recent weeks.
The joint document, dated 23 January, has been developed in this context, as it sets out six scenarios to prompt feedback from other member states. The non-paper states that future discussions should involve market actors and consider the effect of the sovereignty criteria on future schemes.
Moreover, it requests that the Commission assess the potential economic impact of these requirements and the extent to which they would be compatible with trade law.
Sub/Sub+ and High
The first option entails adding an extra assurance level to the scheme by splitting ‘substantial’, the level below ‘high’, into two sub-levels, while ‘high’ keeps the immunity requirements. The upper sub-level (‘substantial+’) would essentially be a level ‘high’ without the sovereignty requirements.
Among the pros, the paper notes that critical service providers would still have to meet immunity requirements giving extensive protection from foreign government access, the original technical requirements would be preserved, and the EUCS would remain comparable with similar schemes.
Among the cons, the scope is deemed too broad, as level ‘high’ might become mandatory under NIS2; the market impact remains unclear; the number of cloud service providers certified at level ‘high’ would remain limited; and there might be inconsistencies with the Cybersecurity Act.
High+ (critical uses)
An alternative option would be to split the top assurance level instead, creating a ‘high’ without the immunity criteria and a ‘high+’ with them. This ‘high+’ would apply to specific critical uses, which users would self-assess on the basis of general guidelines.
On the plus side, this approach would be more targeted, as the immunity criteria would be limited to the types of data that need this protection, whilst other users would still be able to identify cloud services with a high level of cybersecurity, bringing clarity to the market.
The downsides are similar to those of the first scenario, especially regarding vagueness and legal consistency. Moreover, the option is criticised for “not covering all assurance levels and might make assurance level “high” somewhat irrelevant,” the paper reads.
Extension Profiles
The third possibility is to create extension profiles that introduce the sovereignty criteria, independently of the assurance level, for cloud usage in specific sectors such as health or the military.
As most EU providers still lack the resources to reach assurance level ‘high’, this option would still give them a competitive advantage over foreign competitors, since it would apply to all assurance levels. Moreover, this alternative allows flexibility and a case-by-case approach driven by the customer.
However, the paper also notes that the immunity criteria would be needed to protect sensitive data, which would not be sufficiently protected at assurance levels ‘basic’ and ‘substantial’.
Five evaluation levels
The fourth option combines the first two, creating sub-levels for both ‘high’ and ‘substantial’, which yields five evaluation levels in total. The positive side is that this approach would provide all the benefits of the extension profiles whilst also being easier to communicate and operationalise.
Nevertheless, the joint paper reiterates concerns about the vagueness, mandatory nature, lack of flexibility, legal challenges and lack of consistency with other certification schemes.
Trustworthiness evaluation
Another proposal falls outside the Cybersecurity Act’s scope: a European evaluation mechanism based on trustworthiness for non-EU cloud operators and suppliers, applied as a prerequisite for entering the single market.
The assessment could be based on security and legislative criteria, such as exposure to extra-territorial legislation, data transfers and compliance with European data protection rules. Germany’s IT Security Law 2.0 and the risk profiles of the EU 5G toolbox are mentioned as potential building blocks.
This approach would not affect the technical certification, leaving maximum flexibility to tailor the requirements of a political nature. Still, it would further delay the process, since a new initiative would be needed.
Additional disadvantages are that the scope can hardly be made future-proof, compatibility with trade agreements would have to be assessed, users’ choices might be limited, and it would create uncertainty for non-EU providers.
Integration through compliance
The final idea is to introduce the immunity requirements through EU legislation such as the Data Act, which already includes provisions on international data transfers.
The criteria would therefore not sit in the scheme itself; instead, to qualify for the scheme, cloud providers would have to demonstrate compliance with the relevant legislation.
The pros listed are that the criteria would be settled through political debate, the EUCS could move forward in the meantime, and the approach could be targeted and applied to all assurance levels and to future schemes.
Nevertheless, this scenario would require amending current or upcoming legislation to add the immunity aspect, meaning it would take significantly longer.
[Edited by Alice Taylor]