EU Policy. Belgium tries to break cybersecurity certificate deadlock

ENISA has been working on three certificate schemes since 2019, and has finished one. Copyright J.M. EDDINS, JR./J.M. EDDINS JR.
By Cynthia Kroet

Of three certificates proposed since 2019, only one has been approved; two others are still in progress.


Belgium is trying to break the political deadlock over an EU cybersecurity certification scheme for cloud services by proposing to separate sovereignty from functional requirements, according to a document drafted by the national Center of Cybersecurity, seen by Euronews. National EU governments and the European Commission have been holding talks on the matter for the past three years.

In December 2019 the commission asked the bloc’s cybersecurity agency ENISA to prepare a voluntary cybersecurity certification scheme on cloud services (EUCS) which companies can use to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market.

EUCS became the subject of a political debate as France attempted to introduce sovereignty requirements within the text designed to exclude non-EU cloud companies from qualifying for the highest security options. This proposal was strongly resisted by several EU countries and industry, which perceived it as a protectionist move, and no deal has been reached since. The next EUCS expert group meeting is foreseen in March.

Belgium, which chairs the meetings of EU ministers in the first half of 2024, now proposes to split functional requirements from sovereignty statements. Both would still be included in the scheme, but with a different approach and status.

The country suggests that only the functional security requirements would actually be certified, while sovereignty statements would be declared in the International Company Profile Attestation (ICPA), and this only for the highest level of certification. This would allow a level of harmonisation at EU level while maintaining the options for the 27 member states to implement their national sovereignty requirements only for the most sensitive use cases.

The paper claims that this proposed EUCS certificate scheme would "fully allow non-EU cloud providers to be certified on the highest level and have full access to the EU market, allowing competition in all tenders for which certification 'High' could be made obligatory, without prejudice of potential additional national sovereignty requirements for some entities."

This approach would also "allow for a free market and tailored approach to a varying level of risk, depending on the potential geopolitical threat."

ENISA

Of the two other certificates proposed since 2019, only one has been approved, on baseline ICT products; another on 5G is still in progress.

Euronews reported earlier this month (20 February) that the commission is seeking feedback from industry and national governments on the functioning, efficiency and scope of work of ENISA.

The aim of the questionnaire is to evaluate ENISA’s working practices, as well as the potential need to modify the agency’s mandate and any financial implications.

The move comes as the EU’s Cybersecurity Act (CSA), which entered into force in 2019 and gave ENISA a mandate to oversee the implementation of EU-wide cybersecurity rules, is up for review this summer.
