New EU cloud security rules could discriminate against big companies, tech giants warn
A number of industry groups across Europe have warned that the EUCS cybersecurity certification program should not discriminate against cloud giants such as Google, Microsoft and Amazon.
The warning, from a total of 26 industry groups, appears intended to ensure that a wide range of cloud service providers remain available to EU-based organisations by removing or weakening previous EUCS requirements.
In March 2024, sovereignty requirements, which would have prompted US organizations to establish a joint venture within the EU or partner with an EU-based company to store and process customer data, were removed from the EUCS requirements.
Regulation versus competition
The EUCS requirements were originally established by ENISA in 2020 as a way to ensure that EU citizens’ data is protected to the same EU standard if it leaves the bloc, for example to be processed in the US. The cloud market is a multi-billion dollar industry and rapid growth is predicted within the EU.
A joint letter written by the 26 industry groups said: “We believe that an inclusive and non-discriminatory EUCS that supports the free flow of cloud services in Europe will help our members thrive at home and abroad, contribute to the digital ambitions of Europe and its resilience and security.”
“The removal of both ownership controls and Unlawful Access Protection (PUA) / Non-EU Law Immunity (INL) requirements ensures that cloud security improvements align with industry best practices and non-discriminatory principles.”
A number of EU cloud providers, including Deutsche Telekom, Airbus and Orange, have opposed the removal of sovereignty requirements, believing that non-EU countries could use their own laws to breach EU data protection and gain access to the data.
Via Reuters