Monday, May 6, 2024

Vogon Today

Selected News from the Galaxy

StartMag

Cloud, is the government espousing pro-France theses in Europe?

11 months ago babelfish

Cloud, is the government espousing pro-France theses in Europe?

The strange case of the pro-French vote of the Italian ambassador Verrecchia, the indications of the Cybersecurity Agency and a necessary and clear position taken by the Meloni government on the "European IT security certification scheme" with reference to cloud computing.

In the institutions there is a battle between sides of which, as often happens, practically nothing is known at a national level. It is a pity that Brussels' choices impact precisely on the Member States. If then the representatives of the same go against the very line of their own government, then the negative impact is certain. And this is what happened two days ago in Luxembourg on the occasion of the EU Council on telecommunications, where the deputy head of the permanent representation, Ambassador Stefano Verrecchia, spoke on behalf of Italy and expressed full Italian support for France's position on a industrial and safety issue of great importance, as critically underlined by the newspaper La Verità in an article by Claudio Antonelli. All in the absence of the Minister of Enterprise and Made in Italy, Adolfo Urso, on a mission to the USA, with the rest of the government engaged in the celebrations for the Republic Day and – more importantly – in contrast with the positions of the Government itself.

THE CLASH ON THE EUROPEAN COMMISSION DRAFT

The issue in question is called EUCS, an acronym for "European IT security certification scheme" with reference to cloud computing. The European Commission has released, through the European cybersecurity agency ENISA, the latest draft of the new EUCS. This was sent to members of the European Cyber ​​Security Certification Group (ECCG) on May 8 and later leaked in full to Politico on May 10 .

This document is at the center of the clash between two factions: France against the so-called Dutch Coalition, composed mainly of Nordic and Central-Eastern countries more oriented towards innovation than French protectionism. It is a clash that has been going on for months, which saw the last – for now – episode air on the occasion of the ECCG meeting on May 26th. The strange thing, at least for the standardized EU regulatory process – the insiders who follow the dossier point out – is that the Commission has not yet asked for an opinion from the ECCG nor has it started the process of adopting the EUCS through an implementing act which is unlikely to happen before the Commission gets more clarity on the positions of the Member States. In this phase therefore, the positions held by the States in this phase are fundamental

The general objective of the EUCS to unify and harmonize security best practices while reducing market barriers for companies is excellent, but there is a complete lack of transparency in the negotiation process and the failure to assess the market impact of the proposed sovereignty requirements . The draft scheme, according to the leaks, imposes non-technical requirements, including strict foreign (non-EU) ownership for cloud providers operating in Europe and strict localization obligations (for example, global headquarters, data and operations in the EU). , leaving full discretion to Member States to decide to what extent and what workloads and types of data such discriminatory restrictions apply. Only that the description of what is considered "particularly sensitive data" in the case of the French proposal is very broad (for example, data protected by intellectual property) and will lead to the fragmentation of the internal market, as each Member State will be able to choose any category of what are considered such data at the national level. A model that would also go against the classification built by ACN , the Italian cybersecurity agency, which has also informally proposed a compromise solution currently rejected by France and the Commission. In fact, it is now clearly emerging that it is a well-constructed lobbying action by the French government to impose standards that photograph the services of the main French cloud companies.

Furthermore, while the competitive conditions for IT services are largely homogeneous around the world, a standard cloud service provider, such as the various Microsoft, AWS and Google, which are not based in the EU, would have to invest multibillionaires to build new infrastructures, change their operating model, build joint ventures with third parties and transfer their technologies – exactly as happens in China – and significantly increase (we are talking about more than 50%) the prices for companies and public administrations European countries to recover costs.

THE CONCERN OF THE FINANCIAL WORLD

There is much concern in the European financial sector about sovereignty requirements. EU financial institutions and associations believe that the sovereignty requirements in EUCS, by limiting the technological choice, will harm the resilience and cyber security of digital and cloud solutions and the sovereignty requirements in EUCS are in contradiction with the recent adopted the Digital Operational Resilience Act (DORA). Choices that seriously risk impacting foreign investments in Europe and reducing access to the best technologies – from artificial intelligence to big data – by European users, with an even greater impact on small and medium-sized countries.

Practically all EUCS negotiations are taking place behind closed doors, although a recent study conducted by the European Center for Political Economy (ECIPE) has already well illustrated the harmful effects on the economy of European states of the requirements that France would like to impose, putting at risk the integrity of the single market and also its cyber resilience. This would endanger the European digital targets for 2030. For this reason, many European and global organizations have already raised their concerns on the latest draft of EUCS: from the European clearing houses to the financial sector , not to mention the German confederations and the ' Central and Eastern Europe , plus Japanese, British, North and South American associations.

DOES FRANCE WANT TO IMPOSE ITS OWN MODEL ON THE EUROPEAN CLOUD?

That EUCS is an attempt by the French government and the Commission to impose an existing French scheme (which would almost exclusively benefit French cloud service providers) on other EU Member States is now a fact, confirmed by the French minister himself of digital Jean-Noël Barrot, who spoke about the EUCS at the French National Assembly [ VIDEO ] and what he said is extremely revealing. According to Barrot, European countries must conform to the French model. Barrot explicitly says: the latest EUCS draft is a copy-and-paste of SecNumCloud (the equivalent of EUCS in France), nothing has changed and nothing should change. Minister Barrot's rhetoric and tone are bellicose ("battle", "it is essential to win our cause", etc.) and the minister goes so far as to say that France is ready to blame Europe if the final EUCS does not reflect the existing French scheme. Last but not least, Barrot says the French government supports extending immunity requirements well beyond procurement, to critical infrastructure and other broad sectors of the economy. However, and this is the revealing part, he admits that they are not doing it yet for image reasons, as it would provide arguments to European governments that oppose it.

Words that represent documented proof of the true aspirations of France, which does not see the EUCS as a technical standard to improve European cybersecurity, but rather as a political tool to impose French industrial protectionism on other EU member states through the back door. Furthermore, also two days ago, the French government issued a circular , specifying when the cloud immunity requirements for public procurement and so-called “sensitive data” should be applied under the French SecNumCloud programme. Reading it, one discovers that the language used is identical to that of the latest EUCS draft, so this is further confirmation that France has always kept Brussels' pen in drafting the EUCS.

WHAT AMBASSADOR VERRECCHIA THINKS

Ambassador Verrecchia's public position in Luxembourg was surprising. In particular, it is thought that the PSN , the Italian national cloud managed by the consortium led by Tim together with Cdp, Leonardo and Sogei, is based precisely on the US technologies that France would like to expel from the continent. To understand how it is possible for an Italian representative to vote going against the indications of the Government and the interests of his own country. With the government – the Undersecretary to the Presidency of the Council with responsibility for Security, Alfredo Mantovano, and Minister Urso – who, at this point, cannot avoid intervening publicly – as many insiders hope -, inevitably supporting the positions of the 'ACN, which otherwise would risk being discredited at European level.

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/cloud-eucs-governo-meloni-francia/ on Mon, 05 Jun 2023 05:44:50 +0000.