Tech lobbyists in Brussels are calling for the European Union to reconsider its plans to force major cloud providers like Microsoft, Amazon and Google to abide by a new cybersecurity label aimed at blocking U.S. snooping in Europe.
Officials at the EU’s Cybersecurity Agency (ENISA) are finalizing a certification scheme for cloud companies to prove they abide by high cybersecurity standards. But the draft requirements to obtain the label, first reported by POLITICO in April, could also force U.S. cloud giants to disavow Washington’s data-access laws, restructure their operations and even cut off foreign investors from decision-making.
Four major lobby groups — ITI, CCIA Europe, BSA and Amcham EU, all of which have American cloud giants as key members — on Tuesday released a statement saying requirements aimed at boosting Europe’s sovereignty over the cloud sector “are politically motivated, will create complex legal compliance procedures and will not add to increased levels of cybersecurity.”
“The potential inclusion of ‘digital sovereignty’ provisions that would require the maintenance, operations of the cloud service and data to be solely located within the EU, would limit cloud service providers’ eligibility for the highest level” of the cybersecurity certification scheme, the statement said.
The European tech association DigitalEurope is also drafting a letter expressing concerns about the scheme, which it plans to send to national governments later this week.
“The consequences of having the wrong scheme on our future economic growth, and for our very security, would be disastrous,” DigitalEurope’s Director General Cecilia Bonefeld-Dahl said, adding the label was being developed through “a very opaque process … with specific players and individual member states pushing their own agenda under the guise of ‘sovereignty.'”
The cloud-security label is one of Europe’s first cybersecurity schemes designed by officials at ENISA. It aims to nudge cloud providers to strengthen their cybersecurity policies to obtain an official stamp of approval by European authorities.
The EU initiative follows work in France on a label called the SecNumCloud and is being developed by an “ad hoc working group” at ENISA that includes officials from companies like SAP, Deutsche Telekom’s T-Systems, Cisco, Amazon and others.
In addition to technical measures required to get the stamp of approval, the working group is also considering measures to give European courts jurisdiction over disputes, list “residual risks related to non-EU laws with extraterritorial application” and indicate in contracts that data will fall under EU law. It could even propose that non-EU investors in cloud service providers shouldn’t be allowed “control” over the services.
The cloud label has pitted two groups of European countries against each other.
On one side, major powers France, Germany, Italy and Spain sent around a joint nonpaper earlier in favor of including immunity requirements in the scheme to stop U.S. snooping on cloud data. The group is being led by Paris, where officials have railed against American extraterritorial data laws like the U.S. CLOUD Act for years.
On the other side, Ireland, Sweden and the Netherlands pushed back on the sovereignty requirements in an earlier letter obtained by POLITICO, arguing they don’t belong in a cybersecurity certification scheme.
ENISA did not immediately respond to a request for comment. The agency previously said the requirements were still under discussion and added the sovereignty requirements would apply only to cloud services that want proof of the highest level of cybersecurity in cloud services, and that a final scheme would need formal approval from EU institutions before entering into force.