EU Policy. Cyber certification fix sought by mid-April over sovereignty issue

Non-EU cloud services providers such as Amazon Web Services will not face more restrictions
Non-EU cloud services providers such as Amazon Web Services will not face more restrictions Copyright Flickr/Web Summit Rio/Amanda Melo/Amanda Melo @amnndamelo
By Cynthia Kroet
Share this articleComments
Share this articleClose Button

The new draft text builds on suggestions put forward by Belgium.


Companies could see cybersecurity certification for cloud services (EUCS) approved by April 15, after EU cybersecurity agency ENISA published a new draft text aiming to overcome a current deadlock in negotiations.

Discussion has been ongoing for the past three years on a voluntary certification scheme for cloud services after the European Commission asked ENISA in 2019 to prepare such a scheme. This would allow companies to demonstrate that certified ICT solutions offer the right level of cybersecurity protection for the EU market.

According to the draft text seen by Euronews, dated March 22, the current proposal leaves out so-called sovereignty requirements.

“The EUCS is a technical tool designed to provide information to customers and allow them to make informed decisions,” the new text says.

“As such, the EUCS does not enforce restrictions on geographical location of data or processing, or on applicable laws; however, it requires the Cloud Service Provider to be transparent about this information at all evaluation levels [...],” the text says.

Non-EU companies

This comes after Belgium, which is chairing EU ministers meetings in the first half of this year, proposed to do exactly that in a draft text circulated in February, as reported by Euronews.

The Belgian paper suggested allowing non-EU cloud providers, such as Amazon Web Services and Microsoft, to be certified at the highest level and have full access to the EU market, without prejudice to potential additional national sovereignty requirements for some entities.

For some countries, including France, the previous texts clashed with existing national laws. The country attempted to introduce sovereignty requirements within the text designed to exclude non-EU cloud companies from qualifying for the highest security options.

This proposal was strongly resisted by several EU countries and industry, seeing it as a protectionist move.

The next expert group meeting on the EUCS is set for 15 April and the aim is for member states to agree on the text then. The process of the implementing act can be started thereafter.

Of the two other certificates proposed by the commission since 2019, only one has been approved, on baseline ICT products; another on 5G is still in progress.

Share this articleComments

You might also like