A seemingly technical development could have significant consequences for cloud service providers established outside the EU. The proposed EU Cybersecurity Certification Scheme for Cloud Services (EUCS), which the EU cybersecurity agency ENISA has developed over the past two years and which the European Commission is expected to adopt as an implementing act in Q1 2024, would, if adopted in its current form, establish requirements that could:

  1. exclude non-EU cloud providers from providing certain (“high” level) services to European companies, and
  2. preclude EU cloud customers from accessing the services of these non-EU providers.

Data Localization and EU Headquarters

The EUCS arises from the EU’s Cybersecurity Act, which called for the creation of an EU-wide security certification scheme for cloud providers, to be developed by ENISA and adopted by the Commission through secondary law (as noted in an earlier blog). After public consultations in 2021, ENISA set up an ad hoc working group tasked with preparing a draft.

France, Italy, and Spain submitted a proposal to the working group advocating the addition of new criteria that companies would have to meet to be eligible to offer services at the highest level of security. The proposed criteria included localization of cloud services and data within the EU, meaning in essence that providers would need to be headquartered in the EU and provide their cloud services from within it. Ireland, Sweden, and the Netherlands argued that such requirements do not belong in a cybersecurity certification scheme, as requiring cloud providers to be based in Europe reflects political rather than cybersecurity concerns, and therefore proposed that the issue be discussed by the Council of the EU.

The latest EUCS draft lays out a voluntary scheme with three levels of assurance (basic, substantial, or high), based on the level of risk associated with the envisioned use of the cloud services. The candidate scheme, which is meant to apply across all Member States and to all cloud services, includes requirements such as data localization and the EU presence of global headquarters for services at the highest level of assurance.

These new requirements could mean that European users subject to a recommendation or requirement to use high-assurance cloud services might no longer have access to the cloud services of certain foreign providers. Instead, EU cloud customers might need to use eligible EU-based providers that store and process data within EU borders. As with other Cybersecurity Act schemes, the EUCS is currently voluntary, but it could be made mandatory for certain categories of EU cloud customers under the NIS2 Directive (as noted in our earlier blog) or the Cyber Resilience Act. While the underlying purpose of the EUCS is to boost trust in cloud services by defining a reference set of cybersecurity requirements, the data localization requirements could exclude many non-EU companies from qualifying for the highest level of assurance.

Who Decides?

One fundamental question raised by the EUCS is who should determine the new requirements: ENISA and the Commission, or a wider set of stakeholders in the Parliament and Council. If the Commission adopts the EUCS through an implementing act, the Parliament and Council would have no ability to vote on or amend the text; the co-legislators could only object if they consider that the Commission has exceeded its mandate. This constrained role was highlighted by several MEPs, who recently filed amendments to the proposed Regulation on Managed Security Services amending the CSA: in particular, they suggested that ENISA schemes be adopted through delegated acts (on which the Parliament and Council would have a say) rather than implementing acts.

Digital Control, Capability, and Solidarity

The dilemmas posed by the EUCS reflect a wider debate within the EU over whether it should pursue “digital sovereignty” as a policy objective and how best to conceive of that goal. Digital sovereignty is often viewed in the EU as control: for example, requiring company headquarters or servers to be located in the EU. But sovereignty can also be conceived as requiring EU capability, as argued by French President Emmanuel Macron among others. From this perspective, some argue that rules restricting access to the leading global technologies run contrary to the EU’s sovereignty ambitions by inhibiting capability. Alongside digital sovereignty, some have proposed the concept of “digital solidarity,” which emphasizes fostering cybersecurity partnerships with trusted private entities inside and outside the EU, based on their compliance with existing regulations and good behavior in the digital realm. Depending on the underlying intellectual framework, the EUCS may therefore be viewed in different ways.

*          *          *

Our regulatory and public policy teams are closely following the EUCS developments, as well as broader EU tech policy, and can help advise clients on potential consequences and opportunities for engagement.

(Matthieu Coget of Covington & Burling LLP contributed to the preparation of this article.)

Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Marty Hansen

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade Organization agreements, treaties administered by the World Intellectual Property Organization, bilateral and regional free trade agreements, and other trade agreements.

Drawing on ten years of experience in Covington’s London and DC offices his practice focuses on helping innovative companies solve challenges on intellectual property and trade matters before U.S. courts, the U.S. government, and foreign governments and tribunals. Martin also represents software companies and a leading IT trade association on electronic commerce, Internet security, and online liability issues.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Aleksander Aleksiev

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and charitable organizations on a range of technology law issues including data breach response, compliance with privacy and cybersecurity laws, and IT contract negotiations. In addition to his experience advising on European law, Aleksander is Australian-qualified and has significant experience advising clients in the Asia-Pacific – particularly on Australian and Hong Kong law.

Bart Szewczyk

Having served in senior advisory positions in the U.S. government, Bart Szewczyk advises on European and global public policy, particularly on technology, trade and foreign investment, business and human rights, and environmental, social, and governance issues, as well as conducts international arbitration. He also teaches grand strategy as an Adjunct Professor at Sciences Po in Paris and is a Nonresident Senior Fellow at the German Marshall Fund.

Bart recently worked as Advisor on Global Affairs at the European Commission’s think-tank, where he covered a wide range of foreign policy issues, including international order, defense, geoeconomics, transatlantic relations, Russia and Eastern Europe, Middle East and North Africa, and China and Asia. Previously, between 2014 and 2017, he served as Member of Secretary John Kerry’s Policy Planning Staff at the U.S. Department of State, where he covered Europe, Eurasia, and global economic affairs. From 2016 to 2017, he also concurrently served as Senior Policy Advisor to the U.S. Ambassador to the United Nations, Samantha Power, where he worked on refugee policy. He joined the U.S. government from teaching at Columbia Law School, as one of two academics selected nationwide for the Council on Foreign Relations International Affairs Fellowship. He has also consulted for the World Bank and Rasmussen Global.

Prior to government, Bart was an Associate Research Scholar and Lecturer-in-Law at Columbia Law School, where he worked on international law and U.S. foreign relations law. Before academia, he taught international law and international organizations at George Washington University Law School, and served as a visiting fellow at the EU Institute for Security Studies. He also clerked at the International Court of Justice for Judges Peter Tomka and Christopher Greenwood and at the U.S. Court of Appeals for the Third Circuit for the late Judge Leonard Garth.

Bart holds a Ph.D. from Cambridge University where he studied as a Gates Scholar, a J.D. from Yale Law School, an M.P.A. from Princeton University, and a B.S. in economics (summa cum laude) from The Wharton School at the University of Pennsylvania. He has published in Foreign Affairs, Foreign Policy, Harvard International Law Journal, Columbia Journal of European Law, American Journal of International Law, George Washington Law Review, Survival, and elsewhere. He is the author of three books: Europe’s Grand Strategy: Navigating a New World Order (Palgrave Macmillan 2021); with David McKean, Partners of First Resort: America, Europe, and the Future of the West (Brookings Institution Press 2021); and European Sovereignty, Legitimacy, and Power (Routledge 2021).