
EU cloud proposals branded "discriminatory", could spark retaliatory tariffs

EU cloud security certification proposals could harm overseas cloud providers, industry lobbyists have warned.  

A report from the European Centre for International Political Economy (ECIPE) has described the proposed EU Cloud Certification Scheme (EUCS) as “discriminatory” towards non-EU cloud providers.  

Under proposals lodged by the EU Agency for Network and Information Security (ENISA), the EUCS will require cloud service providers to register their head offices and global headquarters within the EU. 

The scheme will also require providers to operate their cloud services within the union, and to store and process customer data locally.

A key point of contention, according to the ECIPE report, is that ENISA will include “immunity” requirements. This provision would mean that a cloud service provider is immune from non-EU law.

These immunity requirements risk “opening a Pandora’s box”, the report warned, and could pave the way for data localisation and foreign ownership restrictions, and create an exclusionary environment for non-EU cloud service providers.

“It would empower the European Commission and member state authorities to exclude foreign businesses from domestic cloud services markets and set a dangerous precedent for any data-intensive sector,” the report claimed.

US-headquartered companies, which currently serve more than 75% of the EU cloud market, would be most affected by such immunity requirements, ECIPE noted, and long-term this could result in “retaliatory tariffs” on EU service exports. 

“It seems that the immunity provision will mean that entities which are not headquartered in the EU will not be given the highest level of security certification, since they are susceptible to the laws that apply to their headquarters operations,” said Frank Jennings, partner and head of commercial at Teacher Stern, to IT Pro.  

“So, US and UK providers could implement the best levels of security but will not be given the highest level of certification because of potential access to data they hold by their governments.” 

Jennings agreed that the proposals could create an abrasive environment for non-EU providers, adding that while this does not represent an outright ban on overseas cloud providers, it could “make it more difficult for them to compete inside the EU against EU-based providers”.  

“In practice, it is likely to create international tensions given how much cloud is provided from outside the EU,” he said. “This might disrupt cloud provisions inside the EU, with retaliatory actions by other countries or trading entities, leading to fragmentation of cloud.” 


Jennings said this specific requirement appears “consistent with the disquiet” surrounding the influence of foreign governments on organisations currently operating in the EU.

Companies with links to the Chinese government, such as TikTok, ZTE, or Huawei, have come under intense scrutiny from lawmakers in recent years as the EU seeks to prevent outside influence or the expatriation of member state data to foreign entities.  

TikTok recently announced plans to set up data centres within the EU to assist with regulatory compliance and assuage concerns.

Similarly, the US government used its Cloud Act to seek to force Microsoft to hand over customer data it was holding in its Dublin data centre.  

According to ENISA, the EUCS seeks to establish an EU-wide certification regime for cloud providers that will “further improve the union’s internal market conditions for cloud services by enhancing and streamlining the services’ cyber security guarantees”. 

“The draft EUCS candidate scheme intends to harmonise the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU member states,” ENISA said in 2020.  

This will see a certification scheme created with three specific levels of assurance – “basic”, “substantial”, and “high”. 


See the original article here: ITPro