Tuesday, May 21, 2024

Vogon Today

Selected News from the Galaxy

StartMag

EU cloud certification project, what happens and the interests at stake

1 month ago babelfish

EU cloud certification project, what happens and the interests at stake

The vote on EUCS, the framework of rules relating to the IT security certification system for cloud services, has been postponed to May. Who likes and who doesn't like the final version of the EU proposal

The vote on the European cybersecurity label for cloud services has been postponed until May.

National experts, who met on April 15 and 16 to negotiate the EUCS, the future European framework for cloud service providers, did not give the green light to the latest proposed version, Reuters reports.

Eucs is the acronym for “European information security certification scheme” with reference to cloud computing. The European Commission released, through the European cybersecurity agency Enisa, the latest draft of the new EUCS in 2020, modified by Belgium which currently holds the rotating presidency of the EU.

As an industry analyst who requests anonymity points out to Startmag , “the group focused mainly on Monday on the EUCC (European Cybersecurity Certification Scheme on Common Criteria, a scheme that concerns ICT hardware and software products) and on Tuesday on Eucs. The formal opinion and vote will probably take place in May."

The proposal being considered by experts removes so-called sovereignty requirements from an earlier draft that forced US tech giants (such as Google, Amazon and Microsoft) to create a joint venture or cooperate with an EU-based company to store and process data. customer data in the EU in order to qualify for the highest level of EU Cybersecurity Label. This would pave the way for them to reach the highest level of cybersecurity label within the EU, similar to the French “SecNumCloud”.

But for now there is no decision, with the vote postponed until next month.

“Europe has not (yet?) said goodbye to its digital “sovereignty”” comments 01net . At stake is the security of European users' data stored in the "clouds".

After the experts' vote, the next step is the opinion of the EU countries and the final decision of the European Commission probably expected in the autumn.

All the details.

WAITING FOR THE FINAL VOTE ON THE EU CLOUD CERTIFICATION SCHEME

Brussels wants to introduce a cybersecurity certification scheme (EUCS) to ensure the cybersecurity of cloud services and help governments and companies choose a secure and reliable provider for their cloud computing activities.

However, disagreements over whether to impose stringent requirements on Big Tech to qualify for the top tier of the EU cybersecurity label have hampered efforts.

THE KNOX OF SOVEREIGNTY REQUIREMENTS IN EU CLOUD CERTIFICATION

The latest version eliminated so-called sovereignty requirements from an earlier proposal, which forced US tech giants to create a joint venture or cooperate with an EU-based company to store and process customer data in the bloc in order to to qualify for the highest level of the European cybersecurity label.

AMERICAN BIG TECH REJOICE

US Big Techs breathed a sigh of relief. This will allow Amazon, Alphabet's Google and Microsoft – which together hold more than three-quarters of the European market – to bid for highly sensitive cloud computing contracts in the EU, the sources cited by Reuters said.

LESS THERE ARE EUROPEAN COMPANIES SUCH AS THE ITALIAN TIM AND ARUBA

The latest version for the cybersecurity certification for cloud services (Eucs) has instead raised choruses of protest from European companies.

Eighteen companies, including Airbus, OVHCloud, Orange, Capgemini and Italy's Tim and Aruba published a letter on April 10 "calling on member states to reject any proposal lacking sovereignty criteria."

Without such requirements, European data could be accessible to foreign governments based on their laws such as the US Cloud Act or the Chinese National intelligence law, the signatories warned. In light of this, European companies have said that the EU cybersecurity label should follow the example of the European cloud computing platform Gaia-X created to reduce the EU's dependence on Silicon Valley giants and which has sovereignty requirements.

Although the certification scheme will be voluntary, it is still intended to guide Member State authorities in making decisions about suppliers. “The lack of sovereignty clauses could also hinder nascent EU cloud service providers compared to their larger US rivals,” the letter further reads.

THE POSITION OF THE UNDERSECRETARY FOR THE PRESIDENCY OF THE COUNCIL BUTTI

Alessio Butti, undersecretary of the Prime Minister with responsibility for Innovation, spoke this morning about the failure to vote expected at the beginning of the week in an interview with the newspaper La Verità .

“It was an operational meeting between representatives of European governments competent in the field of cyber security. The National Cybersecurity Agency (ACN) represented Italy in this important meeting, during which no formal decisions were taken. The focus of the discussion was the proposal for a new European certification for the security of cloud services. The Belgian Presidency has put forward a proposal which, if accepted, would lead to a reduction in the security requirements currently required" explained Butti.

“This change would allow cloud service providers, even those operating under the jurisdiction of governments outside the EU, to be certified as secure. This initiative has found favor with some Nordic countries, which see this move as a potential competitive advantage for companies within their economic fabric. Other countries, however, including Italy, have urged the adoption of higher and more rigorous standards, emphasizing the need to guarantee a higher level of protection for the data of European users" added the undersecretary to La Verità .

ANALYST'S COMMENT

Finally, according to the analyst interviewed by Startmag , “the Belgian compromise proposal is now consolidated; the goal is to conclude everything during the mandate of this European Commission. France is pushing to add some additional transparency requirements and is seeking clarification from the Commission on the conditions under which they can maintain national schemes (the French one, SecNum Cloud, is in fact the basis of their EUCS proposal)”.

We therefore just have to wait until next month to find out which proposal will prevail over the future EUCS certification scheme for cloud services.

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/progetto-ue-di-certificazione-cloud-cosa-succede-e-gli-interessi-in-ballo/ on Wed, 17 Apr 2024 14:08:17 +0000.