Several industry groups across Europe have warned that the EUCS cybersecurity certification scheme should not discriminate against cloud giants such as Google, Microsoft and Amazon.
The warning from a total of 26 industry groups seeks to ensure that a wide range of cloud service providers remain available to EU-based organisations, removing or weakening previous EUCS requirements.
In March 2024, sovereignty requirements, which would have pushed US organizations to establish a joint venture within the EU or partner with an EU-based company for the storage and processing of customer data, were removed from EUCS requirements.
Regulation versus competition
The EUCS requirements were originally drafted in 2020 by ENISA as a way to protect EU citizens' data to the same EU standard if their data were to leave the bloc, to be processed in the US, by example. The cloud market is a multi-billion euro industry and rapid growth has been predicted within the EU.
A joint letter written by the 26 industry groups said: “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to digital ambitions of Europe and will strengthen its resilience and security.”
“Removing both ownership controls and Protection from Unlawful Access (PUA)/Immunity to Non-EU Legislation (INL) requirements ensures that cloud security improvements align with best practices and non-discriminatory principles of the industry.
Several EU cloud providers, including Deutsche Telekom, Airbus and Orange, have opposed the removal of sovereignty requirements, believing that non-EU countries could use their own laws to violate the EU's data protection. EU and gain access to data.
Through Reuters
