
EU cloud certification headed for tiered approach on sovereignty criteria


A draft Cybersecurity Certification Scheme for Cloud Services, seen by EURACTIV, moved the requirement excluding non-European companies into a new subcategory.

The European Cloud Services scheme is a voluntary certification under the EU Cybersecurity Act that might become mandatory for the numerous entities deemed essential or important under the revised Networks and Information Security Directive (NIS2).

Last year, a leaked draft of the scheme generated significant backlash due to its inclusion of sovereignty requirements that would have effectively excluded foreign companies from a large chunk of the European cloud market.

Since then, the scheme has fallen under the radar as two camps of European member states quietly confronted each other.

In January, EURACTIV revealed an option paper signalling a mediation attempt between the Netherlands, leader of the open market faction, and France, which pushed for the sovereignty criteria via its Commissioner, Thierry Breton.

At last, the European Commission pulled the draft provided by ENISA, the EU cybersecurity agency, out of the drawer and shared it with the members of the European Cybersecurity Certification Group on Monday (8 May).

The technical group will discuss the draft on 26 May in Athens at the margins of ENISA’s Cybersecurity Certification Conference.

The draft, dated May 2023, maintains the sovereignty requirements “to provide some guarantees about the independence from non-EU law” but puts the strictest requirements on a new subcategory.

The Cybersecurity Act provides three levels of assurance: ‘basic’, ‘substantial’ and ‘high’. The initial idea was to put the sovereignty requirements at the high level. However, the option paper floated the idea of creating a ‘high+’ category, which seems to have stuck.


Control

The most significant difference between the levels ‘high’ and ‘high+’ refers to legal control on the cloud company.

‘High+’ requires the cloud service to be “operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP [cloud service provider], to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values.”

The cloud company’s head office and global headquarters would have to be established in an EU country. The cloud providers should also not be subject, directly or indirectly, to the effective control of foreign companies.

Effective control is defined per the EU regulation on controlling concentrations between undertakings. It refers to a relationship constituted by rights, contracts or any other means that might confer the possibility of directly or indirectly exercising a decisive influence.

Primacy of EU law

Additional safeguards have been introduced to put EU data outside the reach of third countries’ jurisdictions with extra-territorial application laws that might conflict with the EU or national law of a member state.

For all the levels of assurance, the draft certification requires that the contracts would have to be governed by the law of an EU country, and only EU courts, tribunals and arbitration bodies would have jurisdiction for disputes related to the contract.

The level of assurance ‘high’ requires the cloud services to include the risks related to non-EU legislation with extra-territorial application in their global risk assessment, covering at least the potential access to commercially sensitive information and trade secrets in the customers’ data or derived data.

Furthermore, the cloud providers would have to inform their customers about any residual risk and provide all the relevant information upon request from the customers to allow them to perform their own risk assessment.

The scheme also binds the service provider to state in the contract with the customer that it will only consider investigation requests issued under EU law or the national law of a member state.

The extra requirement for the level ‘high+’ mandates providers to put technical and organisational measures in place to ensure that investigation requests from other jurisdictions are not considered.


Data localisation

Data localisation measures are required for the level of assurance ‘high’ and above, covering the whole life cycle of the relationship with the cloud providers, from pre-sales and operations to maintenance and exit.

For the level of assurance ‘high’, the cloud providers would have to include at least one option in their contracts to locate all data processing activities in the EU.

‘High+’ goes one step further, requiring all the data processing activities to take place in the EU unless the customers agree to some limited exceptions. The cloud providers would have to list all support activities performed outside Europe.

In both cases, to build and maintain their digital infrastructure, the cloud companies would have to only rely on a trusted service provider based in an EU country.

Internal controls

For both ‘high’ and ‘high+’, specific safeguards have been introduced for exchanges between the cloud service and its employees or its suppliers.

The draft requires that employees with direct or indirect access to customer data, including via support operations, be located in the EU and undergo a special screening, or be supervised by an EU-based employee who has passed an appropriate review.

In cases of supervised access, the access would have to occur using a secure solution whereby the supervisor can authorise or forbid individual actions and ask for explanations in real-time.
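To make the two access paths concrete (screened EU-located staff acting alone, or other staff acting only under an EU-based screened supervisor who approves or refuses each action in real time), here is an added illustration in Python. It is not code from the draft scheme, from ENISA or from any cloud provider; it assumes a simplified model in which a supervisor's decision is a callback invoked once per action, and the persons, the action names and the country codes below are constructed sample values.

```python
"""Added illustration of the supervised-access control for 'high'/'high+'.

Not part of the draft EUCS scheme. Assumptions (constructed for this example):
- an operator is a Person with a location (ISO country code) and a screening flag;
- an unsupervised session is allowed only for an EU-located, screened operator;
- otherwise every single action must be approved in real time by an
  EU-located, screened supervisor, who also receives the operator's explanation;
- every decision is written to an in-memory audit trail.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# The 27 EU member states as ISO 3166-1 alpha-2 codes.
EU_MEMBER_STATES: Set[str] = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}


@dataclass(frozen=True)
class Person:
    name: str
    location: str   # ISO country code of the place the person works from
    screened: bool  # has passed the scheme's screening / appropriate review


def in_eu(person: Person) -> bool:
    return person.location in EU_MEMBER_STATES


# Type of the real-time decision hook: (action, explanation) -> approved?
Decider = Callable[[str, str], bool]


def scripted_supervisor(allowed_actions: Set[str]) -> Decider:
    """Constructed stand-in for a live supervisor console: approves only
    the listed actions, refuses everything else."""
    def decide(action: str, explanation: str) -> bool:
        return action in allowed_actions
    return decide


@dataclass
class SupervisedSession:
    operator: Person
    supervisor: Optional[Person]
    decide: Decider
    audit: List[str] = field(default_factory=list)

    def requires_supervision(self) -> bool:
        """Only an EU-located, screened operator may act without a supervisor."""
        return not (in_eu(self.operator) and self.operator.screened)

    def can_open(self) -> bool:
        """A supervised session needs an EU-located, screened supervisor."""
        if not self.requires_supervision():
            return True
        s = self.supervisor
        return s is not None and in_eu(s) and s.screened

    def perform(self, action: str, explanation: str) -> bool:
        """Run one action; returns True if it was allowed, False if blocked."""
        who = self.operator.name
        if not self.can_open():
            self.audit.append(f"DENY {action} by {who}: no valid EU supervisor")
            return False
        if self.requires_supervision():
            # Per-action gate: the supervisor sees the action and the
            # operator's explanation, and can refuse it before it runs.
            if not self.decide(action, explanation):
                self.audit.append(
                    f"DENY {action} by {who}: refused by {self.supervisor.name}")
                return False
            self.audit.append(
                f"ALLOW {action} by {who}: approved by {self.supervisor.name} "
                f"({explanation})")
        else:
            self.audit.append(f"ALLOW {action} by {who}: unsupervised EU access")
        return True


if __name__ == "__main__":
    # Constructed sample: a non-EU engineer working under a German supervisor
    # who approves log reads but refuses bulk exports.
    bob = Person("bob", "US", screened=True)
    claire = Person("claire", "DE", screened=True)
    session = SupervisedSession(bob, claire, scripted_supervisor({"read_logs"}))
    session.perform("read_logs", "incident triage")
    session.perform("export_dataset", "debugging")
    print("\n".join(session.audit))
```

The point of the structure is that the supervision requirement is decided from the operator's own attributes, the supervisor is validated once per session, and the approval hook is called for every action rather than once at login, which is what "authorise or forbid individual actions" implies.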
