France Seeks Clarification on European Cloud Services Scheme

In the context of the ongoing discussions surrounding the European Cloud Services scheme, France has requested the Council’s legal service to provide its opinion on the latest version. This version notably removed the immunity criteria but retained the possibility for them to be included in national certification schemes. France has been advocating for aligning the scheme with its SecNumCloud initiative at the EU level, which has encountered opposition from both industry stakeholders and more liberal member states.

The scheme has been a subject of controversy for over three years, marked by differing opinions and negotiations. Originally designed with stringent sovereignty requirements, the most recent draft omitted such provisions, reflecting a shift in approach within the EU regarding cybersecurity and data governance.

Despite the revisions, France continues to express reservations. The scheme, which was set to be adopted at a meeting of the European Cybersecurity Certification Group, was delayed due to France’s objections. With the deadline approaching, stakeholders face increasing pressure to reach a consensus.

France’s concerns revolve around its perception that the European Commission’s approach diverges from the scheme’s intended purpose. The primary goal of adopting cybersecurity certification at the EU level was to standardize and harmonize regulations, thereby preventing the proliferation of disparate national schemes across the 27 member states. France believes the current direction risks perpetuating fragmented regulatory landscapes.

The ongoing debate highlights tensions surrounding data governance, sovereignty, and regulatory harmonization within the EU.