The EUCS Saga: Europe Cannot Afford to Further Delay Its Cybersecurity Framework


Main takeaways

Recent wave of cybersecurity threats requires urgent action across Europe 

Yet, political deadlock and ‘immunity’ debate keep stalling critical cloud certification 

More delays in EUCS adoption threaten EU competitiveness and innovation 

Five years. It’s been five years since the EU started debating how to unify and provide robust security standards for cloud services across all Member States, under the so-called European Cybersecurity Certification Scheme for Cloud Services (EUCS). The reality is that it would have taken a lot less time, had the conversation only focused on designing effective security controls – skipping protracted debates over duplicating a French certification scheme only designed to favour local cloud vendors. 

Meanwhile, we do not need to look far for a stark reminder on the economic and political importance of ensuring that EU businesses and critical infrastructure operators can access the most robust cloud service capabilities available on the market.

1. Cybersecurity threats demand urgent action

In the past few months, European elections have been targeted by cyber attacks, as have several French government departments, prompting local authorities to activate a crisis unit. Meanwhile a ransomware attack on a blood test provider forced hospitals in London to cancel thousands of life-saving operations.

The reality is that European governments and businesses of all sizes are continuously targeted by groups, ranging from intelligence services of strategic adversaries and industrial espionage actors to ransomware gangs and amateur hackers.

According to a report released a few weeks ago by the EU cybersecurity agency, late 2023 and the first half of 2024 saw a “notable escalation in cybersecurity attacks, setting new benchmarks in both the variety and number of incidents, as well as their consequences,” with public administration (19%), transport (11%) and finance (9%) being the most targeted sectors across Europe.

Meanwhile, the 2022 Eurobarometer poll found that 28% of European SMEs were victims of at least one type of cybercrime in the previous year. Against this complex landscape, strengthened cybersecurity provisions are more vital than ever. 

And the March 2024 draft of the EUCS proposal set forth by the European Union Agency for Cybersecurity (ENISA) aims to establish just that: a harmonised and robust framework for assessing and certifying cloud services’ security, also simplifying regulatory compliance to minimise fragmentation for enterprises operating across the EU.

2. Deadlock and ‘immunity’ debate keep stalling EUCS 

The draft, which garnered support from a broad range of stakeholders, took many years to finalise. The Commission had initially requested ENISA to prepare an EUCS proposal back in December 2019. An intense political debate ensued, particularly after France suggested introducing discriminatory requirements vis-à-vis non-EU cloud vendors. These requirements would have mandated cloud service providers to headquarter themselves in the EU, or invest in expensive China-style joint ventures, while offering questionable security benefits but the certainty of higher costs for cloud customers and end users.

The sovereignty requirements proposed never reflected modern industry best practices in cybersecurity. Indeed, in order to prevent unauthorised third-party access, customer-managed encryption technologies are far more effective than any requirements to store and process data within given geographical boundaries. Moreover, there are also obvious drawbacks to data localisation in terms of it limiting the cross-border sharing of security telemetry and threat intelligence. Ultimately, this protectionist approach would have simply undermined European security, rather than enhancing it. 

While the ambition to promote EU-based cloud technologies is understandable given the increasingly hostile geopolitical climate, the European cloud market is still in its infancy. If these ‘immunity’ requirements had remained in place, EU businesses using cloud solutions would have suddenly found themselves unable to access the essential cloud services they now rely on daily.

Over the years, many stakeholders have raised concerns about this flawed approach, including the Federation of German Industries (BDI), European banks, clearing houses, insurance groups, and start-ups to name but a few. Recognising this reality, a group of 12 EU Member States, led by the Netherlands, staunchly opposed any attempts to introduce discriminatory requirements into the EUCS proposal. This (welcome) opposition, however, led to several years of political deadlock. 

Five years after the scheme’s initial proposal, a delicate compromise was finally reached earlier this year, when the Belgian EU Presidency separated the ‘immunity’ elements from EUCS’s functional cybersecurity requirements. This March 2024 draft, supported by most EU Member States, finally allows non-EU cloud providers to achieve the highest level of certification, based on merit and not a company’s passport, ensuring European businesses and the public sector can continue using their current cloud solutions.

However, France remains the main opponent of this solution, and thus continues to block the EUCS’s adoption. In April, France requested the Council to clarify the scheme’s potential impact on future national schemes, adding more delays to the process. So now, as things stand today, and despite the urgency and the rare hard-fought consensus, the EUCS scheme risks falling victim to delays as the EU institutions prepare for their next political mandate.

At the 18 June meeting of the European Cybersecurity Certification Group, time ran out before the EUCS could even be addressed. Rather than prioritising a vote on the EUCS proposal or presenting legal considerations to justify the delay, the European Commission is now considering first developing guidance around the EUCS and national certification schemes, potentially delaying the vote even further.

While the Commission guidelines might prove to be helpful for companies, their non-binding nature would likely delay progress on the scheme itself. At the end of the day, more delays will only benefit malicious actors in the ongoing cyber arms race.

Conclusion

Delaying the EUCS’s adoption has much broader ramifications. It harms online safety and cloud innovation in the EU, and Europe’s competitiveness at large, directly opposing the priorities the next Commission and Parliament are likely to pursue. Furthermore, it hampers the growth of several key strategic sectors, including artificial intelligence (AI) – all of which depend on a clear cloud certification scheme for their secure development.

Instead of Europe being reactive to cyber attacks, let us be proactive. By adopting the latest EUCS proposal, the EU has a massive opportunity to set businesses, governments, and citizens on a proactive footing in the fight against cyber threats.
