Tech-sponsored study criticises plan to exclude non-EU cloud vendors

A
proposed
European
Union
cloud
security
label
that
could
exclude
Amazon,
Google,
Microsoft
and
other
non-EU
cloud
services
providers
from
the
bloc
is
discriminatory
and
could
lead
to
retaliatory
measures,
a
study
commissioned
by
a
tech
lobbying
group
said.

The
European
Centre
for
International
Political
Economy
(ECIPE)
report,
which
was
commissioned
by
the
Computer
and
Communications
Industry
Association
(CCIA),
underscores
growing
private
concerns
about
the
draft
label
plan
among
US
tech
giants,
which
have
so
far
not
made
any
public
comment
on
it.

At
issue
is
a
provision
in
EU
cybersecurity
agency
ENISA’s
certification
scheme
(EUCS)
that
requires
cloud
services
providers
to
have
their
registered
head
office
and
global
headquarters
in
the
EU,
and
hold
and
process
customer
data
within
the
27-member
bloc.

“I
think
the
political
intention
is
to
squeeze
out
foreign
suppliers
but
it
will
of
course
have
also
ramifications
for
EU
businesses
that
are
more
or
less
relying
on
cloud
computing
services,”
ECIPE
Director
Matthias
Bauer
told
Reuters.

“Member
states
should
now
call
on
the
cybersecurity
agency
and
also
the
European
Commission
to
abandon
politically
motivated
EUCS
immunity
requirements,”
he
added.

ENISA
is
waiting
for
an
opinion
from
EU
countries,
a
spokesperson
said
and
“will
then
finalise
the
scheme
by
taking
into
utmost
account
this
opinion
and
submit
the
final
candidate
scheme
to
the
European
Commission”.

The
EU
executive
declined
to
comment
on
the
ECIPE
report.

“The
scheme
should
be
fully
in
line
with
EU
law,
as
well
as
with
the
EU’s
international
commitments,
including
on
trade,”
a
Commission
spokesperson
said.

ECIPE
said
the
proposal
could
set
a
dangerous
precedent
for
any
data-intensive
sector,
and
could
see
the
cybersecurity
label
become
mandatory
for
new
technologies
such
as
internet
connected
devices
in
energy,
healthcare
and
autonomous
driving.

A
ban
could
also
trigger
retaliatory
measures
by
EU
trading
partners,
the
think
tank
said.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts