Urgent call to European Commission regarding the European Cybersecurity Certification Scheme for Cloud Services (EUCS)
CIO Platform Nederland calls on the European Commission not to adopt the EUCS until the consequences for business users in industry and government in Europe have been thoroughly investigated, a consultation of stakeholders has taken place and the responsible political bodies have weighed up the digital autonomy, costs and benefits of a decision.
This is because of:
- The risks and costs outlined below for business users of digital technology in industry and government
- The need to prevent further restriction of already limited competition in digital technology markets
- The hasty exchange of the security offered by the expertise of large market parties for the pseudo-security of a certification that mainly looks at compliance with rules
Explanation of the EUCS
In December last year, the Dutch Financial Times (FD)[1] reported on the worrying direction that the development of the European cybersecurity certification scheme for cloud services (EUCS) seemed to be taking. Under pressure from the French government (which held the presidency of the European Union in the first half of 2022), the ad hoc working group at ENISA (the European Network and Information Security Agency) has included some requirements that threaten to sideline a large number of non-European cloud service providers. The certification scheme is almost finished and, although currently still voluntary, it is referred to in various (developing) regulations, so certification in accordance with the scheme may eventually become mandatory.
Worrying provisions
The crux of the matter lies in the provisions intended to rule out interference by foreign governments. In itself this is a good development, but it takes the form of requirements concerning the location of, and access to, data at the highest level of protection, such as medical data and state secrets. According to the latest draft, such data must remain in the EU for processing and storage, and only screened employees of the cloud service provider (CSP) located in the EU may have access to the data and to the functional infrastructure components of the service. If the CSP is based in a country whose legislation allows the government to request data from the CSP even when the data is located outside that country (extraterritorial effect), additional rules apply: contracts must be governed by the law of an EU member state, and there must be no form of control over the CSP by an entity outside the EU.
Possible consequences for the business user
After consultation with various members, it appears that the following consequences are likely if these provisions remain in the certification schemes:
- Although the provisions apply only to data at the highest level of protection, estimated at roughly 1-4% of the total amount of data, the CISOs and certification experts participating in the consultation expect that the strictest requirements will in practice be applied to all CSPs. This is partly due to the poor interoperability of cloud services.
- Many of the smaller CSPs will not be able to comply with the strict requirements (see also the aforementioned FD article). Moreover, non-European CSPs will have great difficulty meeting the criteria, in particular the rules aimed at CSPs from countries such as the US and China, because of the extraterritorial effect of their legislation on data access.
- This limits the number of providers, thus also competition, and probably increases prices and the degree of lock-in.
- By excluding many parties from the US, which generally achieve the highest levels of security, there is a significant chance that the security of the data will actually decrease.
- Moreover, multinationals will have to engage several service providers for the storage and processing of their data. This leads to additional management burdens, complexity in using data and obtaining insights across borders, and additional risks of data leakage and to continuity of operations.
- Finally, the proposed certification scheme mainly checks whether a measure has been implemented, not whether the implemented system is actually secure. It therefore provides security on paper: pseudo-security.
To make it more concrete: in the healthcare sector, for example, the market for electronic patient records (EPD) is dominated by two large players, one of which is located in the US. It is very likely that the criteria in this certification scheme would force many parties to abandon their EPD, after which only one large provider would remain. The same situation could arise for many other companies and organisations.
European politicians let themselves be sidelined by technical working group
In terms of process, it is also very strange that such far-reaching consequences seem to result from a certification assignment carried out by a closed technical working group. Such a radical change of policy, aimed at promoting digital autonomy, would at the very least require political discussion and decision-making, preferably preceded by a very thorough analysis of the possible consequences and a public consultation giving stakeholders the opportunity to provide their input.
Not to mention the fact that this certification exercise will interfere with the negotiations between the European Commission and the US on a Privacy Shield 2.0, which will (hopefully) lay down Schrems-II-proof agreements for the processing of personal data by parties in the US.
In view of the aforementioned risks, we call on the European Commission to look more carefully at the consequences of this certification and not to adopt the certification scheme without properly weighing up the pros and cons.