A would-be technical development could have potentially significant consequences for cloud service providers established outside the EU. The proposed EU Cybersecurity Certification Scheme for Cloud Services (EUCS)—which has been developed by the EU cybersecurity agency ENISA over the past two years and is expected to be adopted by the European Commission as an implementing act in Q1 2024—would, if adopted in its current form, establish certain requirements that could:
- exclude non-EU cloud providers from providing certain (“high” level) services to European companies, and
- preclude EU cloud customers from accessing the services of these non-EU providers.
Data Localization and EU Headquarters
The EUCS arises from the EU’s Cybersecurity Act, which called for the creation of an EU-wide security certification scheme for cloud providers, to be developed by ENISA and adopted by the Commission through secondary law (as noted in an earlier blog). After public consultations in 2021, ENISA set up an ad hoc working group tasked with preparing a draft.
France, Italy, and Spain submitted a proposal to the working group advocating to add new criteria to the scheme in order for companies to qualify as eligible to offer services providing the highest level of security. The proposed criteria included localization of cloud services and data within the EU – meaning in essence that providers would need to be headquartered in, and have their cloud services provided from, the EU. Ireland, Sweden and the Netherlands argued that such requirements do not belong in a cybersecurity certification scheme, as requiring cloud providers to be based in Europe reflected political rather than cybersecurity concerns, and therefore proposed that the issue should be discussed by the Council of the EU.
The latest EUCS draft lays out a voluntary scheme which specifies three levels of assurance (basic, substantial, or high), based on the amount of risk associated with the envisioned use of the cloud services. The candidate scheme, which is meant to be applicable across all Member States for all cloud services, includes requirements such as data localisation and EU presence of global headquarters for services in the highest level of assurance.
These new requirements could mean that European users subject to a recommendation or requirement to use high-assurance level cloud services might no longer have access to the cloud services of certain foreign providers. Instead, EU cloud customers might need to use providers that store and process data within EU borders by eligible EU-based companies. As with other Cybersecurity Act standards, the EUCS is currently voluntary, but could be made mandatory for certain categories of EU cloud customers under the NIS2 Directive (as noted in our earlier blog) or the Cyber Resilience Act. While the underlying purpose of the EUCS is to boost trust in cloud services by defining a reference set of cybersecurity requirements, the data localisation requirements could exclude many non-EU companies from qualifying for the highest level of assurance.
One fundamental question raised by the EUCS is who should determine the new requirements: ENISA and the Commission, or a wider set of stakeholders in the Parliament and Council. For instance, if the Commission adopts the EUCS through an implementing act, the Parliament and Council would have no ability to vote on or amend the text. The co-legislators would only be able to object if they deem that the Commission exceeds its mandate. This constrained role was highlighted by several MEPs, who recently filed amendments to the proposed Regulation on Managed Security Services amending the CSA: in particular, they suggested changing the procedure for the adoption of ENISA schemes through delegated acts (where the Parliament and Council would have a say) instead of implementing acts.
Digital Control, Capability, and Solidarity
The dilemmas posed by the EUCS reflect a wider debate within the EU whether it should pursue “digital sovereignty” as a policy objective and how to best conceive of this goal. Digital sovereignty is often viewed in the EU as control: e.g., requiring company headquarters or servers to be located in the EU. But sovereignty can also be conceived as requiring EU capability, as argued by French President Emmanuel Macron among others. From this perspective, some argue that rules that restrict access to the leading global technologies can be viewed as contrary to the EU’s sovereignty ambitions, by inhibiting capability. Alongside digital sovereignty, some have proposed the concept of “digital solidarity,” which emphasizes fostering cybersecurity partnerships with trusted private entities, inside and outside of the EU, based on their compliance with existing regulations and good behavior in the digital realm. Depending on the underlying intellectual framework, the EUCS may be viewed in different ways.
* * *
Our regulatory and public policy teams are closely following the EUCS developments, as well as broader EU tech policy, and can help advise clients on potential consequences and opportunities for engagement.
(Matthieu Coget of Covington & Burling LLP contributed to the preparation of this article.)