Twenty-six industry groups across Europe have warned that a proposed cybersecurity certification scheme (EUCS) for cloud services should not discriminate against Amazon, Alphabet’s Google, and Microsoft.
The European Commission, EU cybersecurity agency ENISA, and EU countries will meet on Tuesday to discuss the scheme, which has undergone several changes since ENISA released a draft in 2020.
The EUCS aims to help governments and companies choose a secure and trusted vendor for their cloud computing needs. A March version removed the so-called sovereignty requirement from a previous proposal, which required U.S. tech giants to form a joint venture or cooperate with an EU-based company to store and process customer data within the bloc to qualify for the highest level of the EU cybersecurity label.
The groups said in a joint letter to EU countries, “We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe’s digital ambitions, and strengthen its resilience and security.”
“The removal of both ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements ensures that cloud security improvements align with industry best practices and non-discriminatory principles,” they added.
The groups emphasised the importance of access to a diverse range of resilient cloud technologies tailored to their specific needs for thriving in an increasingly competitive global market.
Signatories to the letter include the American Chamber of Commerce to the EU in the Czech Republic, Estonia, Finland, Italy, Norway, Romania, and Spain, and the European Payment Institutions Federation.
Other signatories include the Czech Confederation of Industry, Denmark’s Dansk Industry, Germany’s Bundesverband deutscher Banken, the Digital Poland Association, the Irish business lobby group IBEC, the Netherlands’ NL Digital, and the Spanish Start-up Association.
EU cloud vendors such as Deutsche Telekom, Orange, and Airbus have pushed for sovereignty requirements in the EUCS, fearing that non-EU governments may gain unlawful access to Europeans’ data based on their laws.