EU draft proposes tougher cybersecurity labelling for cloud service operators

The draft document was prepared by the EU cybersecurity agency ENISA and concerns an EU certification scheme (EUCS) that would guarantee the cybersecurity of cloud services.

The draft document proposes that the cloud service must be operated and maintained from the EU, that all cloud service customer data must be stored and processed in the EU, and that EU laws must take precedence over non-EU laws in relation to the cloud service provider. Under this draft proposal, non-EU cloud service providers, including Amazon, Google and Microsoft, will only be able to obtain an EU cybersecurity label for the handling of sensitive data through a joint venture with an EU company. In addition, US tech giants and others can only have a minority stake in the joint venture. Employees with access to EU data would have to undergo special vetting and be based in the 27-nation bloc.

The latest draft could lead to fragmentation of the EU’s single market, as each country would have full discretion to impose the requirements whenever it sees fit, an industry source said. The US Chamber of Commerce has already said the plan puts US companies on an uneven playing field, while the EU stated that the measures are necessary for the protection of data rights and privacy in the bloc. EU countries will review the draft later this month before the European Commission adopts a final regulation.