The EU’s proposed cloud sovereignty bears risks for Europe and the world

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of Euractiv Media network.

It is critical that the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) remains technology-neutral, risk-based, and focused on concrete cybersecurity outcomes, writes Pascal Kerneis.

Several elements of the current proposal, first mooted several years ago, provide cause for concern. They could have repercussions far beyond cyberspace, such as damaging European trade relationships at a time when we ought to be building stable, trusted partnerships with our closest allies.

The most pressing issue is the attempt to introduce sovereignty requirements to the EUCS, particularly the stipulation that cloud service providers with the highest level of accreditation must be headquartered within the EU and must not be owned or controlled by a non-EU entity.

Since the General Agreement on Trade in Services (GATS) was first agreed in the 1990s, digital services have become integral to business operations, creating an ever more interconnected world with free-flowing trade in services across borders.

For those of us at the European Services Forum, this is a positive. Our organisation was founded to advance the mission of free and open trade in services both within the EU and with third countries.

Europeans benefit from this trade, enjoying the use of cutting-edge digital tools from both inside and outside Europe, attracting investment and innovation, generating economic growth, and creating numerous well-paid jobs.

Integral to this is creating a robust European cybersecurity framework that keeps Europeans safe while allowing them to enjoy the benefits of innovation. The EUCS aims to address the challenge of fragmented cybersecurity standards by creating harmony at a European level.

The sovereignty debate

This is a welcome goal. But the EUCS goes further than that, particularly with the introduction of sovereignty demands.

In the face of increasing geopolitical threats, sovereignty requirements might seem a sensible precaution aimed at protecting critical sectors from nefarious actors. But rules-based trade and non-discriminatory treatment are cornerstones of EU policy, exports, and prosperity.

In practice, these sovereignty requirements have been interpreted as nakedly protectionist, which would certainly damage transatlantic relations by locking out leading cloud services providers from countries such as Australia, Japan, Canada and the US.

The requirements could also damage European prosperity and security because we lack homegrown alternatives with the capacity and sophistication to service certain critical sectors.

Up to this point, an open trading approach has allowed European businesses to innovate using the best available technologies.

The number of U.S. providers of cloud solutions far outweighs the number of European competitors in the market able to provide the cloud services needed by European companies, with internet policy expert Konstantinos Komaitis writing in Cyberscoop in November that the European cloud market is “yet to be fully formed”.

Though this may change in the future – a truly exciting prospect for Europe’s tech innovators – this does not help European businesses in need of cloud solutions now.

Should the EUCS proceed in its current form, non-EU-headquartered service providers would no longer be able to serve their European customers.

A very large number of European businesses could find their operations disrupted in the short to medium term, with potentially disastrous consequences for Europe’s digital transformation, and this could ultimately threaten the EU’s cybersecurity.

Far from aiding European innovation, the sovereignty requirements in the EUCS could force European businesses to use cloud solutions with potentially lower standards, increasing rather than mitigating cybersecurity risks.

Global consequences

That is to say nothing of the consequences for international trade. Not only does the EUCS risk imperilling relations with one of the EU’s most important allies, but it directly contravenes WTO GATS agreements on the free flow of data and technical barriers to trade in a manner that is clearly discriminatory.

Such protectionist policies are short-sighted and risk backfiring: if third countries adopt similar rules, this would restrict the ability of European companies to export their own products and services or invest abroad, ultimately inhibiting Europe’s economic growth.

Belgium currently holds the Presidency of the European Council, and has proposed to separate the question of sovereignty from that of functionality, but this may not solve the issue either: allowing member states to introduce their own sovereignty requirements could instead result in even greater fragmentation across what is supposed to be the “EU Single Market.”

Another area of concern is the need for the EUCS to remain voluntary. Nominally, that is precisely the case now.

However, given the breadth and diversity of sectors which will require a ‘high’ classification – from professional services to construction – the EUCS may instead become effectively mandatory, with its stringent requirements imposed on businesses large and small.

To be clear, the sectors potentially affected by the EUCS are broad in both scope and impact and include energy, financial services, healthcare and the public sector.

All of these are critical to Europe’s economy and security, and forcing them to endure either disruption, lesser solutions or both will have a range of knock-on effects.

The debate on cybersecurity has morphed into a political one, rather than the technical standard originally envisaged for the EUCS.

Rather than introducing stringent sovereignty requirements that could serve to make European commerce less competitive and less safe, what is critically needed is for policymakers to look again at the cloud solutions used every day by European businesses and ensure that they will continue to be able to be used in the future.
