A proposed cybersecurity certification scheme (EUCS) for cloud services must avoid discriminating against major U.S. tech firms such as Amazon (AMZN.O), Alphabet’s Google (GOOGL.O), and Microsoft (MSFT.O), 26 industry groups across Europe cautioned on Monday.
This warning precedes a meeting on Tuesday involving the European Commission, the EU cybersecurity agency ENISA, and EU countries to discuss the scheme, which has seen multiple revisions since its initial draft in 2020.
The EUCS aims to guide governments and businesses in selecting secure and trustworthy vendors for their cloud computing needs, in an industry that generates billions of euros annually with expectations of continued double-digit growth.
In March, a significant change to the proposal removed the sovereignty requirements from an earlier version. These requirements would have forced U.S. tech giants to either establish joint ventures or collaborate with EU-based companies to store and process customer data within the bloc to qualify for the highest level of the EU cybersecurity certification.
In a joint letter to EU member states, the industry groups emphasized the importance of a fair and inclusive EUCS. “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen its resilience and security,” the letter stated.
The groups also highlighted the importance of removing ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements. This, they argued, would ensure that cloud security advancements align with industry best practices and uphold non-discriminatory principles.
The signatories stressed that access to a wide variety of resilient cloud technologies is essential for their members to thrive in a competitive global market. The letter was signed by entities such as the American Chamber of Commerce to the EU in multiple countries, the European Payment Institutions Federation, and various national industry associations from across Europe.
Conversely, EU cloud vendors like Deutsche Telekom (DTEGn.DE), Orange (ORAN.PA), and Airbus (AIR.PA) have supported sovereignty requirements in the EUCS. They express concerns that non-EU governments could gain unlawful access to Europeans’ data under their respective legal frameworks.
As the EUCS discussions continue, the balance between fostering a competitive, secure, and non-discriminatory cloud service environment and addressing data sovereignty concerns remains a critical issue for policymakers.