The European cloud certification project, known as “EUCS”, could strengthen the protection of citizens’ data against Tech giants. But it arouses the fear of large French and European companies.
The issue is sensitive, but Europe is moving towards a new cloud security standard, with the EUCS certification project, supposed to guarantee the sovereignty of States in the processing of users’ personal data. If initially, the proposal was to impose legal certainty to combat the transfer of the most sensitive data outside Europe, the latest version of the text would take a step backwards in this area. Enough to worry – rightly – the major European players.
The previous version of the text, which imposed a legal requirement of sovereignty on Tech giants, was rejected
Let’s explain things very simply. The cloud cybersecurity certification, EUCS, classifies data into three distinct levels: a basic level, a substantial level, and a high level. What differentiates them are the uses and the level of sensitivity of the data that must be hosted.
In the penultimate version of the text discussed within the European Union, the legal requirement of sovereignty required companies like Amazon, Microsoft, Google and others to directly create a joint venture, or to cooperate with a European company. All this, since these companies would have to store and process the sensitive data of customers located within the European Union. This requirement would allow digital giants to obtain the maximum level cybersecurity label within the European Union, equivalent to our French SecNumCloud.
“ The real challenge is to admit and assume that certain data and certain processes are very sensitive, that their processing must be carried out under particularly strict technical, operational and legal security conditions and that one of the consequences is then to ensure that only European law applies, to the exclusion of any other », Explains Guillaume Poupard, former director of ANSSI, the French IT security agency, now deputy general director of Docaposte. What changes in the new version?
Some European Union member countries would like to preserve their interests, to the detriment of data security
This legal certainty requirement for the highest security level of certification has simply disappeared in the latest version. And it’s not just a detail, no, it changes everything! Because without this provision, the American and Chinese governments and all those located outside the European Union could freely access the data of consumers in the area, by simply brandishing their local laws, quote the Cloud Act for the United States or Chinese National Intelligence Law for the Middle Kingdom.
In other words, our most sensitive personal data would be available to everyone. With consequences that could be severe, and primarily economic. All French cloud initiatives (Bleu d’Orange and Capgemini; S3NS from Thales; and OVHcloud) would see their models fall, and France would depend more than ever on foreign players. But why is Europe not uniting on this issue?
Guillaume Poupard has his own idea. “ Some especially do not want to take the risk of reducing their tax revenues, others are ready to do anything to continue selling luxury cars or importing LNG, many have as a legitimate priority their military protection by NATO in a particularly tense geopolitical context », Explains the engineer. Indeed, not all EU Member States have the same priorities.
No less than 18 companies, including Airbus, Capgemini, Dassault Systèmes, EDF, Deutsche Telekom, Orange, OVHcloud, Eutelsat Group, Sopra Steria and others, have published an open letter in which they bluntly criticize the latest version of ‘EUCS, pointing to the proposal which would allow Amazon, Microsoft and Google to host sensitive European data in the Cloud.
Sources: Clubic, Linkedin @ChristianGacon, LinkedIn @GuillaumePoupard
4