Two years ago, ENISA (the European Union Agency for Cybersecurity) launched a public consultation on a new draft for the Cybersecurity Certification Scheme for Cloud Services (EUCS), to enhance trust in cloud services across Europe. The scheme aims to further improve the EU’s internal market conditions for cloud services by enhancing and streamlining the services’ cybersecurity guarantees. The draft EUCS candidate scheme intends to harmonise the security of cloud services with EU regulations and international regulations. However, strong opposition from some Member States and the private sector arose, pertaining specifically to the sovereignty requirements on European data localisation and foreign law. Sovereignty requirements will be difficult to implement and audit, which will lead to high costs and will affect competition.
“These requirements have nothing to do with cybersecurity concerns, some may even argue this is a protectionist approach pushed by certain national governments,” said Alexandre Roure, Europe’s Director of Public Policy for the trade association CCIA. The Member States and the private sector also argue that sovereignty requirements are difficult to implement and audit, leading to high costs and affecting competition. The result might be restricting competition to a smaller pool of vendors.
Read more about the draft and the ongoing discussion here.