The European Cybersecurity Certification Scheme for Cloud Services
It is by now a familiar theme: the European Commission’s campaign for “digital sovereignty” continues with its proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS). A doubling down on protectionist industrial policy, this time cloaked in a national security rationalization, the proposed EUCS poses a threat to the future success of U.S. cloud service providers (CSPs) in Europe and will damage them in other global markets. As in the case of the Digital Services Act, the Digital Markets Act, and the Data Act, the new measure is aimed squarely at disadvantaging U.S. service suppliers, with the ultimate goal of benefiting existing or potential local European firms that seek to be more competitive in leading-edge technologies.
The European Union, pushed by France, Spain, and Italy, will move to make these regulations—which likely violate WTO rules—final if U.S. officials are not able to join with likeminded EU member states in raising strong objections. Now, in a welcome development, the Biden administration is organizing its trade officials to be more effective in defending the interests of U.S. tech champions under the internationally agreed rules.
Europe’s Concern
Reflecting its protectionist objectives, the European Union’s 2020 joint declaration on the cloud describes Europe’s aim and intention to boost the capability and reach of Europe’s CSPs: “Europe is facing a great investment gap for cloud, estimated at €11 billion annually, and needs to boost the development of a truly competitive EU cloud supply.” In December 2020, the EU Agency for Cybersecurity (ENISA) released a draft of the EUCS, saying, “The EUCS scheme aims at improving the Internal Market conditions, and at enhancing the level of security of a wide range of cloud services, of the cloud capabilities they implement, including application, infrastructure, and platform capabilities.” Comments from ENISA’s executive director, Juhan Lepassaar, are consistent with the agency’s view that putting foreign competitors at a disadvantage will grow the cloud service market in Europe for European firms: “A single European cloud certification is critical for enabling the free flow of data across Europe and is an important factor in fostering innovation and competitiveness in Europe.” The scheme uses the government tool of revamped cybersecurity certification requirements to advance digital sovereignty. With these requirements, the EUCS would boost European businesses over American businesses while, counterproductively, arguably reducing overall cybersecurity.
The Impact of Crippling U.S. CSPs on Europe’s Goals for Digital Transformation
The European Parliament’s December 2022 decision establishing the Digital Decade Policy Program 2030 calls for “the digital transformation of businesses, where: (a) at least 75% of Union enterprises have taken up one or more of the following, in line with their business operations: (i) cloud computing services; (ii) big data; (iii) artificial intelligence.” Among its general objectives, the decision emphasizes that the European Union should aim to establish a “competitive, secure and sustainable data cloud infrastructure in place, with high security and privacy standards and complying with the Union data protection rules” by 2030. It is difficult to envision Europe achieving this objective without continuing to partner with U.S. firms that currently dominate global cloud service markets, given their exceptional levels of know-how in protecting privacy and data security.
In September 2022, data from the Synergy Research Group showed that the European cloud market had grown to five times the size it had been in early 2017. Over that period, European CSPs grew their cloud revenues by 167 percent. Despite that growth, their market share declined by 14 percent. At the same time, Amazon Web Services, Microsoft Azure, and Google Cloud grew to account for upwards of 72 percent of the regional market. The European Union’s joint declaration on the cloud highlights how “the public cloud infrastructure market is converging globally around four large non-European players,” all of which are American. The other major players in the market, Alibaba and Tencent, are Chinese.
EUCS
ENISA designed the EUCS as a “voluntary” cybersecurity certification scheme that companies can leverage to demonstrate the soundness of their privacy and security measures. However, in practice, consumers may include the EUCS as a requirement of a tender, which effectively makes the certification mandatory. Moreover, the Network and Information Security Directive (NIS2) allows EU governments and the European Commission to require that cloud customers only utilize cloud services certified by the EUCS.
The EUCS certification system for CSPs ranks its security levels as “basic,” “substantial,” “high,” and, in its latest version, “high+.” The current draft of the EUCS includes a sample application for this certification. The application has a mandatory CSP identity field in which each provider would be required to register nationality by giving its office and headquarters location. The EUCS will ultimately promote Europe’s digital sovereignty goals by requiring that a CSP be headquartered and operated in an EU member state to receive the highest level of assurance. This effectively bars non-European CSPs from attaining the same high levels of assurance certification as European CSPs. Moreover, the European Commission requested that ENISA add immunity requirements to the EUCS such that CSPs would be required to demonstrate legal immunity from foreign jurisdictions, an impossibility for U.S.-based companies that must stay consistent with U.S. law.
In addition to protectionist aspirations to elevate EU CSPs and remove European dependence on U.S. firms, the Centre for European Reform points out that ENISA’s strong commitment to the EUCS also stems from perennial EU concerns about U.S. firms providing foreign governments with EU data. This argument would, however, hold more weight were it not for the current primacy of U.S. CSPs in the European Union. As Matthias Bauer, director of the European Centre for International Political Economy, argues, “the political intention is to squeeze out foreign suppliers but it will, of course, also have ramifications for EU businesses that are more or less relying on cloud computing services.” Stifling the ability of U.S. CSPs to serve the European market may ultimately decrease the cybersecurity of EU companies, since EU cloud service firms struggle to provide the same cybersecurity capacities as U.S. providers like Amazon Web Services or Google Cloud. Though the EUCS might ultimately promote the growth of European CSPs through protectionist trade and investment policies, its immediate impact would be to force European companies to contract with smaller and perhaps less secure cloud services.
Opposition to the EUCS
EU countries are divided in their positions on the EUCS, but France, Italy, and Spain have remained its primary supporters. France launched its own cloud security program, known as the “Trusted Cloud Doctrine,” and its cloud cybersecurity certification scheme, known as SecNumCloud. These initiatives require that cloud providers not be subject to non-EU laws. The French regulation provides explicitly that any company that is more than 39 percent foreign owned is not eligible for certification to bid. As a result, U.S. companies must partner with—and transfer technology and control to—a local company in order to compete for cloud business with French public sector agencies and commercial entities considered “operators of vital importance.”
For their part, Denmark, Estonia, Greece, Ireland, Lithuania, Poland, Sweden, and the Netherlands reportedly issued a joint non-paper opposing the EUCS. These countries also question ENISA’s jurisdiction in this area, urging that, as a political matter, the EUCS should be decided by the European Council rather than managed as a regulatory issue. Notably, the joint non-paper recommends that ENISA remove nationality requirements from the certification scheme.
The United Kingdom, too, is raising objections. During the December 2022 meeting of the Trade Partnership Committee under the UK-EU Trade and Cooperation Agreement, the United Kingdom criticized data localization policies in the European Union, highlighting that they could undermine digital trade between the United Kingdom and the European Union. The United Kingdom expressed concerns regarding the EUCS policies’ compatibility with the digital titles of the Trade and Cooperation Agreement as well as the WTO Agreement on Government Procurement.
In June 2022, the American Chamber of Commerce to the European Union (AmCham EU), the Software Alliance (BSA), Computer & Communications Industry Association (CCIA) Europe, and Information Technology Industry Council (ITI) published a joint statement expressing concerns about Europe’s objectives. According to this statement, “the potential inclusion of unhelpful ‘digital sovereignty’ requirements risks negatively impacting both international and European providers of cloud computing solutions, as well as organisations that use cloud and require high levels of cybersecurity assurance.” This broad U.S. industry group maintains that the complex legal compliance requirements contained in the scheme will effectively dilute any potential benefits for EU cybersecurity. It also criticizes ENISA for not considering the perspectives of key EU stakeholders in the formulation of the EUCS. Because there is a concern that the scheme will, effectively, help grow the market share of Chinese CSPs in the European Union, the U.S. Chamber of Commerce recommends that the EUCS adopt a risk-based approach that considers company practices, as well as whether the company is headquartered in an allied or rival country.
Incompatibility with WTO Agreement on Government Procurement
The EUCS runs contrary to the European Union’s obligations under the Government Procurement Agreement, which aims “to ensure open, fair and transparent conditions of competition in the government procurement markets.” For instance, according to EURACTIV, the current draft of the EUCS will require that, to obtain a high+ certification, firms be headquartered in the European Union, store European data within the European Union, and allow only personnel in the European Union to access that data. These blatantly discriminatory requirements will act as a significant market access barrier and could therefore constitute a violation of the European Union’s trade obligations under the WTO Government Procurement Agreement. The European Union, on the other hand, has argued that the EUCS complies with the WTO agreements by pointing to the Government Procurement Agreement’s exceptions. The agreement allows discrimination against foreign firms for national security and privacy reasons, provided that the policies are necessary, proportional, and as unrestrictive as possible.
The Office of the United States Trade Representative is objecting to this defense, as shown by U.S. ambassador María Pagán’s remarks at the World Trade Organization in June:
"Notwithstanding our close strategic partnership, it is important to acknowledge . . . that certain U.S. goods and services face persistent barriers in the EU market. These barriers limit the opportunity of U.S. workers and businesses to benefit from transatlantic trade. . . . The EU has proposed a new cybersecurity certification scheme for procurement of cloud services that would close access to foreign suppliers. U.S. stakeholders have expressed concerns about provisions of the proposed scheme, including restrictions on domestic ownership requirements. The EU covers cloud services in its GPA [General Procurement Agreement] commitments and is required to provide non-discriminatory access to covered procurement."
Conclusion
In November 2021, the European Data Protection Board wrote a letter in support of further data localization measures. It cited the Schrems II judgment of the Court of Justice of the European Union, which increased barriers to transferring data from Europe to the United States. However, in light of the recently agreed EU-U.S. Data Privacy Framework, which introduces new binding safeguards to address the concerns raised by the European Court of Justice regarding the adequate protection for personal data transfers, this will be a harder argument to make. The EUCS, by contrast, clearly violates trade rules by denying more competitive CSPs—including the top players from the United States—fair and non-discriminatory treatment. The long-term consequence of the EUCS might well be a weakening of EU security, as ENISA’s current proposal will decrease European companies’ ability to have access to high-quality cybersecurity services and further diminish Europe’s ability to compete globally in many sectors. To avoid further discrimination against U.S. providers, U.S. trade officials should insist that ENISA reevaluate EUCS adherence to international law, as well as its potential unintended consequences for EU businesses and national security.
Meredith Broadbent is a senior adviser (non-resident) with the Scholl Chair in International Business at the Center for Strategic and International Studies in Washington, D.C.