EU cybersecurity label should not discriminate against Big Tech, European groups say

87

A proposed cybersecurity certification scheme (EUCS) for cloud services should not discriminate against major U.S. tech companies like Amazon, Alphabet’s Google, and Microsoft, according to a warning from 26 industry groups across Europe issued on Monday.

On Tuesday, the European Commission, EU cybersecurity agency ENISA, and EU member states will convene to discuss the EUCS, which has undergone multiple revisions since ENISA introduced a draft in 2020.

The EUCS is designed to assist governments and companies in selecting secure and trusted vendors for their cloud computing needs. The global cloud computing industry generates billions of euros in annual revenue, with expectations of continued double-digit growth.

A version of the scheme from March removed previously proposed “sovereignty requirements.” These requirements would have compelled U.S. tech giants to either establish a joint venture or collaborate with an EU-based company to store and process customer data within the EU to qualify for the highest level of the EU cybersecurity label.

In a joint letter to EU countries, the industry groups expressed their views: “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen its resilience and security.”

“The removal of both ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements ensures that cloud security improvements align with industry best practices and non-discriminatory principles,” the letter stated.

The industry groups emphasized the importance of their members having access to a diverse range of resilient cloud technologies tailored to their specific needs to remain competitive in the global market.

Signatories of the letter include the American Chamber of Commerce to the EU in the Czech Republic, Estonia, Finland, Italy, Norway, Romania, and Spain, along with the European Payment Institutions Federation. Additional signatories include the Czech Confederation of Industry, Denmark’s Dansk Industry, Germany’s Bundesverband deutscher Banken, the Digital Poland Association, Irish business lobby group IBEC, the Netherlands’ NL Digital, and the Spanish Start-up Association.

In contrast, EU cloud vendors such as Deutsche Telekom, Orange, and Airbus have advocated for the inclusion of sovereignty requirements in the EUCS. They are concerned that non-EU governments might unlawfully access European data under their respective laws.