News

Concerns escalate at highest political leval on EU Cybersecurity Certification Scheme for Cloud Services

Written by Amy Ralls | Dec 9, 2022 5:00:00 AM

Concerns about sovereignty requirements in the EUCS have escalated to the Telecoms Council (the Council is where EU Member StatesĀ“ governments meet and is the highest political level of the EU).

At the Telecommunications Council of 6 December 2022, the Czech presidency of the Council of the EU presented a progress report on the draft EU Data Act. In this context, delegates from Estonia, Finland, Ireland, the Netherlands, and Poland raised concerns about the possible inclusion of data sovereignty requirements in the candidate EU cybersecurity certification scheme (EUCS).

The reaction from the EU Commission after the Council was not very clear. Commissioner Bretton (European commissioner for the Internal Market)  said that there will be a separate process to discuss the political elements which could be part of the candidate scheme (without defining when exactly this process could take place).

The EU security agency, ENISA, is preparing and will approve the final certification scheme, Then, the Commission can adopt the scheme as an implementing act, without the need for approval from the European Parliament (EP) and the Council of the EU.

Although the EUCS is not publicly available, the scheme could include requirements related to data sovereignty. The requirements could ask that EU data processed by cloud service providers (CSPs) to be located in the EU and be operated by EU companies in order for a CSP to obtain the highest level of certification.