EU plan discriminates against US cloud vendors, say lobbyists
Requirement to have global HQ in the EU could limit US activities
A new report commissioned by a tech lobbying group has warned that the proposed immunity requirements of a new Cloud Certification Scheme discriminate against non-EU vendors.
The ECIPE report, commissioned by the Computer and Communications Industry Association (CCIA), argues that the proposed immunity requirements could not only result in retaliatory action, but pose a potential cybersecurity threat to the EU.
CCIA members include tech firms like Amazon, Meta, Google, Samsung, Twitter and Intel. The group has in the past lobbied in favour of net neutrality and patent litigation reform, but against antitrust issues that could lead to the breakup of large companies.
The group's new report refers to the EU Agency for Network and Information Security (ENISA)'s proposed Cybersecurity Certification Regime for Cloud Services (EUCS).
The proposal follows a request from the European Commission, which is evaluating the need for mandatory cybersecurity certification across various EU policies directed towards IT product and service providers in the region.
The preliminary EUCS plan aims to align cloud services' security standards with EU regulations, international norms, industry-leading practices and existing certifications in EU member states.
ENISA says having a single European cloud certification is "crucial" for facilitating unrestricted data movement across Europe, and plays a role in encouraging innovation and competition in the European market.
Based on the most recent draft, the EUCS would restrict non-European vendors from offering high assurance-level services within the EU.
The EUCS would require that a cloud service provider (CSP) has its headquarters or a global office in an EU member state. CSPs without one cannot hold direct or indirect control over a CSP applying for cloud service certification.
With that requirement, the EUCS could potentially exclude non-EU cloud service providers like Amazon, Google and Microsoft from operating in the bloc.
The ECIPE report cautions that the EUCS proposal could establish a precedent for all data-intensive sectors, potentially making the cybersecurity label mandatory for new technologies.
"I think the political intention is to squeeze out foreign suppliers but it will of course have also ramifications for EU businesses that are more or less relying on cloud computing services," ECIPE Director Matthias Bauer told Reuters.
An ENISA spokesperson said the agency is waiting for feedback from EU countries and will use this to finalise the EUCS scheme. Following this, the agency will present the final candidate scheme to the European Commission.
"The scheme should be fully in line with EU law, as well as with the EU's international commitments, including on trade," a Commission spokesperson said.
Despite the continued expansion of the cloud industry in Europe, a significant portion of that growth is attributed to major players like Microsoft Azure, AWS and Google Cloud, all of which are US-based.
Last year, French cloud computing company OVHcloud, along with other European tech firms, filed an antitrust case in Europe against Microsoft, alleging that the US tech giant was stifling cloud competition and making it harder for its consumers to choose services from rival firms.
OVHcloud said that Microsoft was undermining fair competition and limiting consumer choice.
Deutsche Telekom is currently the top local cloud provider in Europe, with a 2% market share, followed by OVHcloud, which has a 1% market share.