What the proposed EU cybersecurity certification scheme means for cloud providers and big tech

More than two dozen groups across Europe penned a joint letter to EU countries, stating the labeling scheme shouldn’t discriminate against big tech.

Twenty-six European industry groups penned a joint letter to EU countries last month, stating that a cybersecurity certification scheme for cloud services shouldn’t discriminate against big tech companies like Amazon, Google, and Microsoft, Reuters reported.

Catch me up. The European Union Agency for Cybersecurity (ENISA) is the organization behind the scheme, which seeks to “harmonise the security of cloud services with EU regulations, international standards, and industry best practices,” a news release from the European Commission stated in 2021. The organization published the first draft of its European Union Cybersecurity Certification Scheme on Cloud Services (EUCS) in 2020 for external review and public consultation.

The latest version, from March of this year, nixed rules that would have “required US tech giants to set up a joint venture or cooperate with an EU-based company to store and process customer data in the bloc in order to qualify for the highest level of the EU cybersecurity label,” according to Reuters.

“I would not say to scrap it altogether. I still think it’s the right foundation,” Azeem Aleem, managing director for Northern Europe at Sygnia—a cybersecurity consulting and incident response company—told IT Brew. “Because you also have to look at the flip side of it as well. There is a lot of concern about how the US companies have been looking at the data from the surveillance point.”

“I think the idea was right, and…[it] still is the right initiative to control…how the data will be stored and accessed and which legislation will it impact, too, but the implementation has gone wrong,” he said. “I think right now we’re in this situation that I call the analysis paralysis stage.”

Though the EUCS is technically a “voluntary” cybersecurity framework, Meredith Broadbent, a senior adviser and Scholl chair in international business at the Center for Strategic and International Studies in Washington, DC, wrote last September that “in practice, consumers may include the EUCS as a requirement of a tender, which effectively makes the certification mandatory.”

“A doubling down on protectionist industrial policy, this time cloaked in a national security rationalization, the proposed EUCS poses a threat to the future success of US cloud service providers (CSPs) in Europe and will damage them in other global markets,” she wrote.

A working group for ENISA had been scheduled to make a decision on EUCS last month, but postponed it to mid-July because, as Euro News reported, “the European Commission had yet to provide the experts with guidance on how the member states may add their own requirements, in particular related to sovereignty.”

IT Brew reached out to ENISA, Amazon, Microsoft, and Google for comment. Amazon declined to comment.
