This Tuesday, June 17th, a new meeting was to be held on the European cloud certification scheme (Cybersecurity Certification Scheme for Cloud Services, EUCS), bringing together the European Commission, ENISA (European Cybersecurity Agency) and the member states of the European Union. It was an opportunity for lobbyists to reiterate their position, which, unsurprisingly, aims to remove barriers to guarantees of protection against extraterritorial laws.
A non-discriminatory and inclusive standard
In a common position, 28 industry groups call for the adoption of a European cloud certification scheme that is “inclusive and non-discriminatory, which supports the free movement of cloud services in Europe”. The signatories, including the American Chambers of Commerce in the Czech Republic, Estonia, Finland and Italy, say they support the “removal of control and protection against illegal access/immunity claims from non-EU laws”, which ensures that “Cloud security enhancements are in line with industry best practices”.
As a reminder, the latest version of EUCS, which leaked to the press but was never published, removed the sovereignty requirements for the label’s highest level (high). These have been replaced by much more flexible obligations that would open up the possibility for foreign companies to obtain the highest level and thereby host data in sensitive sectors. This is the version that the lobbyists want the institutions to perceive.
Less and less demanding versions
In its previous version, the text required that, to obtain the highest level of the label, foreign companies set up a joint venture with a company based in the European Union and store and process customer data within the European Union, in the manner of S3NS, the joint venture between Thales and Google. The requirements drew criticism from European banks, clearing houses, insurance groups and some start-ups, who said technical requirements should take precedence over considerations that are “political and sovereign”.