Key Points:
- National cybersecurity experts postpone a vote on the draft EU cybersecurity label for cloud services until May.
- Debates arise over whether major tech companies should be allowed to bid for sensitive EU cloud computing contracts.
- The EUCS aims to establish a cybersecurity certification framework to ensure the security and trustworthiness of cloud services.
- Disagreements emerge regarding the stringency of requirements for Big Tech companies to qualify for the highest level of the EU cybersecurity label.
Implementing a proposed European Union cybersecurity certification scheme (EUCS) for cloud services has been postponed as national cybersecurity experts defer a vote on the draft to May. This delay comes amid ongoing debates regarding including major tech players such as Amazon, Google, and Microsoft in bidding for sensitive EU cloud computing contracts.
The primary objective of the EUCS is to establish a cybersecurity certification framework that ensures the security and trustworthiness of cloud services, assisting governments and businesses in selecting secure vendors for their cloud computing needs. However, disagreements have arisen regarding the stringency of requirements for Big Tech companies to qualify for the highest level of the EU cybersecurity label.
During meetings held in Brussels on Monday and Tuesday, experts did not vote on the latest draft of the scheme, initially proposed by the EU cybersecurity agency ENISA in 2020 and subsequently modified by Belgium, the current holder of the rotating EU presidency. Following the experts’ deliberations, the next steps involve gathering opinions from EU member states and a final decision by the European Commission.
The latest draft eliminated sovereignty requirements from previous proposals, which mandated U.S. tech giants to establish joint ventures or collaborate with EU-based companies to store and process customer data within the bloc and attain the highest level of the EU cybersecurity label.
While Big Tech companies welcomed the removal of these requirements, EU-based cloud vendors and businesses such as Deutsche Telekom, Orange, and Airbus criticized the decision. They warned of the potential risks of unlawful data access by non-EU governments under the pretext of their respective laws.
The ongoing debate underscores the challenges in balancing promoting cybersecurity and fostering competition and innovation in cloud computing. As the EU navigates these complexities, adopting the cybersecurity label for cloud services remains contingent upon addressing the concerns raised by stakeholders and reaching a consensus on the appropriate criteria for certification.