14/11/2023

In April 2022, the European Commission (EC) requested the European Union Agency for Cybersecurity (ENISA) to add sovereignty requirements for cloud service providers into the draft Cybersecurity Certification Scheme for Cloud Services (EUCS). The proposal generated significant backlash, with eight EU member states calling for the issue to be escalated to the political level.

More than a year later, the controversy remains. The proposal has been criticised for effectively excluding so-called “hyperscalers”, including major US-headquartered cloud service providers, from the EU cloud service market.

However, the call for “technological sovereignty” continues as cyber threats undertaken or nudged by state actors escalate.

Does the EUCS strike the right balance?

What are the proposals?

The EU’s Cybersecurity Act directs ENISA to develop and administer a certification system for cloud service providers which would define a minimum acceptable baseline for cloud cybersecurity. There would be three assurance levels: basic, substantial and high.

As originally proposed, the sovereignty requirements were to apply to the “high” assurance level and would have required that cloud service providers have their headquarters in Europe, “not be controlled by any non-EU entity”, and be “completely independent from non-EU laws”. The objective, according to the EC, was “…to adequately prevent and limit possible interference from states outside of the EU with the operation of certified cloud services”.

However, in May 2023, a draft EUCS was released that moved the strictest sovereignty requirements into a new subcategory, “high +”, with two significant requirements in addition to being HQ’ed and controlled within the EU:

  • have all its data processing activities take place in the EU unless customers agree to limited exceptions; and
  • have technical and organisational measures in place to ensure that investigation requests from other jurisdictions are not considered.

Scaled-back sovereignty requirements for the “high” assurance level would still require at least one option in customer contracts to locate all data processing activities in the EU. Contracts at all assurance levels would also have to be governed by the law of an EU country and provide that only EU courts, tribunals and arbitration bodies have jurisdiction over disputes related to the contract.

How did we get here?

In 2020, the European data strategy was developed, aiming to ensure EU competitiveness and technological sovereignty.

The strategy led to the creation of the Data Governance Act (DGA) and the proposed Data Act, which both provide additional frameworks on top of the GDPR for the reuse, transfer and protection of non-personal data. Under the DGA, international access and transfer of EU data is limited to situations where a third-country decision that compels the disclosure of such data is based on an international agreement between that third country and the EU or a member state. Similar provisions are contained in the proposed Data Act.

The EUCS is the next step in implementing this policy direction. In theory, EUCS is a voluntary scheme. In practice, however, obtaining EUCS certification at the highest level is likely to be important for cloud service providers in being seen as legitimate and secure. The highest assurance levels are also expected to become mandatory for essential and important services...

The impact would be dramatic:

  • from a consumer perspective, there are concerns that, by significantly raising entry barriers for numerous major cloud providers, these sovereignty proposals are likely to reduce choice, quality and innovation, and increase costs for users.
  • from a trade perspective, the proposals could “increase trade tensions by introducing data localisation, foreign ownership restrictions and local establishment requirements” according to the European Centre for International Political Economy. Some have estimated that the EU could be subject to retaliatory tariffs of up to USD 12 billion worth of goods exports or equivalent restrictions for EU services exports to the US...

It has also been argued that the proposed EU sovereignty requirements will be self-defeating: best practices such as encryption ensure the security of data, not its location, and data localisation and the sovereignty requirements could create obstacles to information sharing, hamper incident response efforts, and delay adoption of the most up-to-date technologies.

Is something going on below the surface?

While every nation has concerns over cybersecurity, European politics and policy also appear to be driven by two other concerns in the background.

First, Europeans understandably have a heightened concern over privacy, arising from a history of ubiquitous state surveillance in some countries, such as by the Stasi in East Germany. European concerns over challenges to privacy look not only “to the East” but also to the US, heightened by the revelations from Edward Snowden in 2013 about the US National Security Agency’s surveillance programs. These concerns are reflected in the decision of the EU Court of Justice to invalidate the “Privacy Shield” negotiated between the US and the EC (the “Schrems II” decision), under the GDPR’s requirement for equivalent data protection in countries to which data is transferred from the EU.

Second, there also seems to be a degree of technology protectionism, mainly focused on the US. In particular, France has been one of the most vocal advocates of digital sovereignty in Europe, raising significant concerns about the exposure of EU data to the US Government and the dominance of US cloud providers. In fact, the EUCS is modelled after France’s national cybersecurity scheme, SecNumCloud. SecNumCloud, launched in 2016, was updated in March 2022 to preclude majority foreign-owned providers from being SecNumCloud certified. This sparked a number of partnerships between French and US companies to build joint cloud services with majority French ownership, such as between Google and Thales.

While not directly linked to the cybersecurity requirements, French policymakers also have competition concerns over the dominance of US-based cloud services providers. In May 2023, the French parliament considered a proposal aimed at removing obstacles for customers changing cloud service providers. The French competition authority also recently released a market study which found the cloud industry was dominated by Amazon, Google and Microsoft, noting their ability to self-preference, hike migration costs and engage in below-threshold acquisitions.

The most recent developments

DigitalEurope’s Director General has said that the EUCS scheme is “a very opaque process…with specific players and individual member states pushing their own agenda under the guise of ‘sovereignty’”.

There is a stalemate between smaller member states like Denmark, Estonia, the Netherlands, Lithuania, Poland and Sweden, who have strongly opposed the proposal, and the likes of Italy, Spain and France, who have championed it.

Responding to the continuing controversy over the EUCS proposals, the EC is taking a different procedural pathway to engage a wider consultation process. On 21 September 2023, draft amendments to the Cybersecurity Act were published proposing to adopt the EUCS via a delegated act instead of an implementing act.

This would mean that both EU governments and parliament (instead of just EU governments) would have the ability to object to the EUCS, and that it would have to undergo an economic impact assessment requiring proper consultation with stakeholders.

Conclusion

It is undoubtedly important for any government (or private firm storing information on a government’s behalf) to maintain information security, and establishing standardised cybersecurity frameworks for the procurement of cloud services is a legitimate and important policy objective for governments. The EU also isn’t alone: the US already operates such a framework through the Federal Risk and Authorisation Management Program, although without US-control requirements (but of course, in practice, it does not need such formal requirements because the main cloud service providers are US HQ’ed).

However, the EU debate raises the question of whether a protectionist approach, as currently contemplated by the EUCS, is the best way to achieve cybersecurity for economies which are dependent, whether happily or not, on global technology providers.