EU cybersecurity label should not discriminate against big tech firms, says European group

BRUSSELS: A proposed cybersecurity certification scheme for cloud services (EUCS) should not discriminate against Amazon, Alphabet’s Google and Microsoft, 26 industry groups in Europe warned on Monday.

The European Commission, the EU’s cybersecurity agency ENISA and EU countries will meet on Tuesday to discuss the plan, which has undergone several changes since ENISA published a draft in 2020.

EUCS aims to help governments and businesses choose secure and reliable suppliers for their cloud computing businesses. The global cloud computing industry generates billions of euros in revenue each year and is expected to grow at a double-digit rate.

The March version removed the so-called sovereignty requirement in the previous proposal, which required U.S. tech giants to form joint ventures or partnerships with EU companies and store and process customer data within the EU in order to receive the EU’s highest level of cybersecurity label.

“We believe that an inclusive, non-discriminatory EU cloud computing hub that supports the free flow of cloud services across Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen Europe’s resilience and security,” the groups said in a joint letter to EU countries.

“Removing ownership controls and the Prevention of Unlawful Access (PUA)/INL exemption (INL) requirements ensures that cloud security improvements are in line with industry best practices and non-discrimination principles,” they said.

The organizations say it is vital that their members have access to a wide range of elastic cloud technologies tailored to their specific needs in order to thrive in an increasingly competitive global marketplace.

Signatories to the letter include the U.S. Chamber of Commerce in the European Union and the European Federation of Payment Institutions in the Czech Republic, Estonia, Finland, Italy, Norway, Romania and Spain.

Other organizations signing the letter include the Confederation of Czech Industry, Denmark’s Danish Industry Association, Germany’s Bundesbank, Poland’s Digital Association, Irish business lobby group IBEC, the Netherlands’ NL Digital and the Spanish Startups Association.

EU cloud computing providers such as Deutsche Telekom, Orange and Airbus have pushed for sovereignty requirements for EU cloud computing systems because they are concerned that non-EU governments could illegally access Europeans’ data under their laws.