The “European SecNumCloud” tightens its sovereignty criteria


The European Union is currently working on a cybersecurity certification for cloud services that could ultimately replace national qualifications like SecNumCloud in France, C5 in Germany or ENS in Spain. The drafting of this future EUCS (European cloud services certification scheme) is entering the home stretch and is taking a more controversial turn.

The latest version of this draft certification scheme, which Contexte publishes in full, proposes to apply sovereignty criteria from the third security level (“high”) onward, and no longer only at the fourth and final level (“high +”) as envisaged in the May version.

Head office and data localization

To qualify, a cloud service provider must meet a set of criteria. The provider must first of all have its headquarters in Europe and demonstrate its “impermeability” to the principle of extraterritoriality of certain non-European legislation, starting with the American Cloud Act. “The question is to what extent the European subsidiary of a cloud provider can be considered to be under the control of its parent company,” asks the Euractiv website.

The November version of the draft certification scheme mentions that the provider may demonstrate that it has implemented “effective technical, organizational and legal measures” which prevent non-European companies from exercising decisive influence over it in decisions relating to requests for extraterritorial investigations.

Another key point: data localization. Cloud service providers certified at the “high” level must have at least one data center located in the European Union. Those falling under the “high +” level are required to have all their sites referenced in the EU.

Furthermore, employees of the provider who have direct or indirect access to the data will have to reside in the EU and will be subject to a “proper examination”. Finally, the text provides a definition of data qualified as sensitive: namely, Euractiv indicates, “personal or non-personal data the disclosure of which could harm public order, security, health or the exercise of essential government functions.”

American tech is on the rise

While EUCS certification is, of course, voluntary, it could be made mandatory for organizations considered essential or important to the European economy under the NIS2 directive. It would also constitute a competitive advantage. In France, providers are fighting to obtain the coveted SecNumCloud qualification and the “trusted cloud” label.

In this context, the lobbies are firing on all cylinders. The CCIA (Computer & Communications Industry Association), an American tech pressure group, argues in a document that the EU intends with this future certification to protect its cloud market from foreign competition, mainly American. Invoking free competition, it points out that the American market does not have equivalent restrictions based on the nationality of a supplier.

For the CCIA, the text would force non-European suppliers to join forces with EU players to obtain the valuable label. This approach would be similar to the Chinese model, which requires foreign companies to create joint ventures with local companies to access its market. In France, joint ventures of this type already exist, such as S3NS, an alliance between Google Cloud and Thales.

Support from French companies

United within Allied for Startups (AFS), national startup associations, most of them European, fear no longer having access to the “most innovative products on the global market”, which they depend on to grow and to be at the forefront of digital transformation and the AI revolution. “A choice based on the quality of the product and not the nationality of the supplier.”

In a letter made public by Bloomberg, however, around twenty European companies, mainly French (Orange, Deutsche Telekom, Airbus, EDF, OVHcloud, Docaposte…), support this draft text, which would make it more difficult for American providers, and in particular the hyperscalers (AWS, Google Cloud, Microsoft Azure), to obtain the highest level of certification.


