Cybersecurity for cloud services, the red alert goes off


The EUCS label for European cloud cybersecurity must include sovereignty requirements: 18 “cloud providers and users” in Europe, including Aruba and Tim, have intervened against the hypothesis of a “sweetened” version of the certification scheme for cloud services in the Union with a joint statement which invites Member States “to take the time necessary to take full account of the implications of a potential removal of the sovereignty provisions from the main body of the EUCS system”.

In recent days, a draft of the new certification framework for cloud providers in the European Union (Eucs) appeared to no longer contain the obligation for foreign cloud service providers (such as AWS, Google and Microsoft) to adhere to specific cybersecurity requirements, among them independence from non-EU laws, an essential element for ensuring compliance with European privacy rules and avoiding the use of data and sensitive information by foreign governments, especially those far from European values and legal norms. This text could in fact represent a step backwards from the values of digital sovereignty in the cloud and the principles underlying the Gaia-X project.

The signatories insist on the importance of ensuring full transparency and protection for the most sensitive data of European cloud users against illegal access.

“The EU must not abandon its overall objective of promoting sovereignty, an objective that is even more relevant in a context of geopolitical uncertainty”, write the signatories A1, Airbus, Aruba, Capgemini, Dassault Systemes, Deutsche Telekom, Edf, Exoscale, Gigas, Ionos, OpenNebula Systems, Orange, Ovhcloud, Proximus, Eutelsat group, Sopra Steria, StackIT, Tim.

Eucs, sovereignty requirements are “necessary”

“Bearing in mind that EUCS is designed as a voluntary certification scheme, we believe it should be based on market practices and user preferences, while ensuring transparency and protection for users where necessary,” reads the joint statement. “We believe that the inclusion of sovereignty requirements is necessary to overcome market fragmentation, protect the most sensitive data of European organizations and encourage the development of sovereign cloud solutions in Europe. The elimination of any reference to the sovereignty provisions from the main scheme (even if transferred to the Icpa, International company profile attestation) clearly does not satisfy these objectives. This would not only contradict what was proposed in the previous EUCS schemes in two years, but would also mean giving up the collective efforts undertaken by Enisa, the European Commission and the Member States”.

A step back, therefore, also on the Data Act and the GDPR, compliance with which would not be guaranteed by a less severe EUCS scheme.

The two criteria at the center of the debate

As for Gaia-X, its policy “designed among other things to guarantee data sovereignty, explicitly includes both an EU headquarters (Eu-Hq, criterion P5.1.4) and a European control (criterion P5.1.5) for the highest level of guarantee (label 3). Gaia-X indicates the way forward for Eucs”, say the signatories.

At the center of the debate are precisely these two requirements, which the draft circulated among the member countries seems to have eliminated: the need for a headquarters in the European Union (Eu-Hq) and European control. Without these criteria, the cloud provider remains subject to non-EU laws, including the Chinese National Intelligence Law or the US CLOUD Act, which may conflict with EU rules.

“The EU would give up its most effective tools to mitigate the risk of illicit access to data”, we read in the appeal of European companies. “As a result, cloud users who do not want to run the risk of illicit access will continue to be left without real alternatives and a clear framework that meets their needs.” Furthermore, “it would severely undermine the ability of EU cloud providers to invest in sovereign cloud solutions.”

European cloud, investments at risk

“We invite Member States to reject any proposal that removes sovereignty requirements from the EUCS scheme, because only this allows us to address the risk of illegal access to data, thanks to the Eu-Hq and European control requirements in the main scheme, which protect European users from practices based on foreign legislation not compatible with the GDPR”, write the signatories.

And further: “Digital and sovereign Europe requires access to the best cloud technologies while supporting the development of sovereign cloud solutions in Europe. We believe that these two objectives can go hand in hand, supporting the inclusion of a harmonized set of sovereignty requirements in the regulatory framework of the EUCS system”. The scheme remains, however, voluntary.
