EU Cybersecurity Certification Scheme

Protectionism Doesn’t Protect Internet Users

Region: Europe
Threat type: Digital Sovereignty
Last updated: 1 December 2023

A proposed EU certification scheme mistakes more control for more security.

In May 2023, a draft of a proposed European Union (EU) scheme for cybersecurity certification at the EU level was leaked. The proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) would, at its highest assurance level, require non-EU cloud services that handle sensitive data to partner with an EU-based company. Companies like Amazon Web Services, Google, and Microsoft would have to partner with EU companies in order to keep providing the same services they already offer.

These partner companies would need to be located in the 27-member EU bloc and meet a specific set of criteria. All customer data would need to be stored and processed in the EU (that is, data localization), and EU law would always take precedence over non-EU law.

The stated intention of the scheme is to establish a cybersecurity standard for the EU, but there are concerns about the unintended impact it could have. The core concern is that the highest level of certification would be available only to cloud providers that meet strict criteria which favor European cloud providers.

The Network and Information Security Directive (NIS2), the EU-wide legislation on cybersecurity, allows Member States to require that entities in its scope use only cloud services certified under a European scheme such as the EUCS, and empowers the European Commission to specify categories of entities that must do so.

None of the sovereignty requirements attached to the highest assurance level (an EU-based partner, data stored and processed only in the EU, and EU law taking precedence over non-EU law) concern how securely a service is operated; they concern where a provider is based and which laws govern it. The scheme is better understood as an attempt by the EU to advance political goals around digital sovereignty.

Certification under the scheme is voluntary, but it could become a de facto requirement in practice. This could happen if it were used in public tenders, where only providers meeting the highest digital-sovereignty requirements would be eligible.

It could also become a de facto barrier for non-EU companies, making it difficult for some of the world's largest cloud providers to operate within the 27 EU Member States. What this would mean for business and trade can only be guesswork at this point.

The data localization rules would prevent data from flowing across borders and would discriminate between European and non-European providers. This is an attempt to regulate business relationships rather than security practice: the requirements for the highest certification levels do not represent best practices in digital security, but reflect the political objectives of digital sovereignty.

Status

The draft was leaked in May 2023 from ENISA, the European Union Agency for Cybersecurity. ENISA has also published online its own account of the scheme and the benefits it expects from it. Any action on the scheme is expected in Q1 2024.

Our Position

Requiring cloud companies to work with EU cloud providers in order to provide the same services they already do, without any enhanced cybersecurity standards, raises the barriers to operating in EU markets. The scheme does not represent best practices in digital security, but seems to reflect the political objectives of digital sovereignty.


Talking Points

  • Data localization rules would prevent data from flowing across borders and would discriminate between European and non-European providers.
  • The scheme is currently voluntary, but if it becomes a de facto barrier for non-EU cloud providers it would make business and trade in EU markets considerably harder.
  • In the implementation phase, each Member State could use its discretion to apply the scheme differently, fragmenting the EU single market.