France, EU to take landmark decisions on cloud sovereignty requirements
French MPs and EU cybersecurity agency ENISA are due to make landmark decisions on cloud cybersecurity on 10 and 15 April, amid concerns of espionage and fragmentation of the European cloud market.
French MPs will vote on an all-encompassing digital bill (SREN), including specific cloud sovereignty provisions, finishing a year-long legislative process.
Shortly afterwards, ENISA’s dedicated working group (ECCG) will meet to approve the EU cybersecurity certification scheme (EUCS), which aims to harmonise national cloud certifications.
In both documents, cloud sovereignty requirements have been contentious.
These provisions, also called immunity requirements to extraterritorial laws, would have given EU cloud providers an advantage.
Free-market defenders have interpreted them as a protectionist move detrimental to the EU’s economy, while some EU cloud service providers and multinationals see the requirements as crucial in protecting the EU’s nascent industry against espionage.
While the French legislature and ENISA, decided not to include the capital ownership requirements in their respective documents, France is expected to implement them later by decree.
ENISA’s latest compromise draft, dated 22 March and seen by Euractiv, replaced the sovereignty requirements with mandatory transparency provisions, including information on storage location and data processing methods.
“These transparency rules could become a disguised way to admitting sovereignty requirements,” Pascal Kerneis, managing director of the European Services Forum, a business organisation that advocates for free trade, told Euractiv.
In an open letter dated November 2023 and addressed to ENISA, 19 companies supported “explicit and transparent criteria” at the EU level, which could include the immunity criteria.
They further underlined the importance of “a European-level scheme” to prevent “fragmentation across member states”.
Signatories included cloud providers OVHcloud, Oodrive, NumSpot, 3DS Outscale, Cloud Temple and cloud users Airbus, Deutsche Telekom, Orange, and EDF.
The sovereignty debate
French senators wanted to set the most controversial sovereignty requirements in law: those on capital ownership.
They suggested copying and pasting the capital ownership requirements set in France’s most secure cloud certification, developed by the cybersecurity agency ANSSI, SecNumCloud 3.2.
Cloud service providers “individually held at more than 24% and collectively held at more than 39%” outside the EU would not be authorised to handle data from public institutions.
Similar requirements were discussed between the 27 cybersecurity agencies and ENISA when negotiating the EUCS cloud certification scheme, a process that started in 2020.
While neither document is set to include sovereignty provisions, capital ownership requirements are expected to be set by decree by France’s State Council within six months of the SREN law entering into force.
Supporters of the immunity provisions consider it an important way to protect EU companies and governments against the US Foreign Intelligence Surveillance Act and Cloud Act. These two US legislations give US national security agencies leeway to access third-party data handled by US entities.
“There are particularly sensitive data that, as such, should not […] be entrusted to just any company,” said centrist French Senator Catherine Morin-Desailly on Tuesday.
But opponents disagree. These requirements are “requesting that the companies’ headquarters be located in Europe, which is unprecedented and completely contrary to what the EU does,” Kerneis said.
Next steps
Once ENISA validates the EUCS, the European Commission will issue an implementing act under the Cybersecurity Act, making the scheme a common EU framework that all member states can use voluntarily.
Member states can pass national laws making the scheme mandatory for a specific data set — just like the SREN law does for health or national security data.
Read more with Euractiv
