EU is considering removing sovereignty clauses in cloud certification scheme

The EU might remove sovereignty clauses in the cloud certification scheme, documents show, potentially lowering barriers for non-EU companies to compete more effectively for EU cloud computing contracts.

Earlier drafts circulated among the EU member states had proposed stringent requirements for US tech giants, including establishing joint ventures with EU-based companies and processing and storing customer data within the EU. However, such sovereignty clauses faced criticism from various quarters, including European financial institutions, insurance firms, and startups, which argued in favour of technical criteria over political and sovereignty obligations.

In the most recent draft, dated 22 March, these sovereignty requirements have been eliminated. Instead, cloud vendors are now only mandated to disclose information regarding the location where customer data is stored and processed and the relevant laws applicable to them.

This shift comes amidst the growing interest of major tech corporations in the government cloud market, which is seen as a significant avenue for expansion. However, concerns persist within the EU regarding potential unauthorised state surveillance, while some member states fear that the dominance of US-based cloud providers could stifle emerging competitors from the EU.

Currently, the EU countries are scrutinising the revised draft, after which the European Commission will finalise the scheme.