In an open letter to the Member States dated 11 April, 18 European companies, including Airbus, Capgemini, Dassault Systèmes, EDF and OVHcloud, roundly criticise the latest version of the EU-wide cybersecurity certification scheme, known as EUCS (EU cloud certification scheme).
The aim of this European project is to strengthen the security of personal data within the EU and guarantee the sovereignty of Member States in the processing of user data. Three levels of security are specified for data, depending on its use and degree of sensitivity.
In its original version, EUCS was intended to impose legal certainty to combat the transfer of the most sensitive data outside Europe and, potentially, to foreign governments or web giants.
However, the latest version of the text, dated 22 March, completely reverses this position: it removes the legal criterion that obliged foreign providers to set up a joint venture or cooperate with a European company in order to obtain the highest level of the scheme if they were to store and process the sensitive data of customers located in the EU.
18 companies have signed the open letter denouncing the removal of this legal certainty criterion and calling on “Member States to reject any proposal” that does not include provisions guaranteeing the sovereignty of European States.
The signatories point out that the protection of sensitive user data is a crucial issue, in particular to counter the extraterritoriality of a number of foreign laws, citing China’s National Intelligence Law and the US Cloud Act.
They also point out that, as it stands, this European cybersecurity certification scheme contradicts the Data Act (see EUROPE 13211/19), which prohibits illegal access to non-personal data by foreign governments.
Cigref, which brings together the digital leaders of major French companies, joined in the criticism on 11 April, also sending a letter to the President of the Commission.
“The latest version of the EUCS project seems to be moving away from its essential objective of guaranteeing a high level of security and immunity against non-European extraterritorial legislation”, the letter states, denouncing this situation as “unacceptable” and running counter to “the European Union’s ambition for strategic and technological autonomy”.
National experts from the EU27 met on Monday 15 April to look at the latest version of the text. While France is in favour of stricter certification, this is not the case in all the other Member States.
The EUCS stems from the EU Cybersecurity Act, which calls on ENISA (the European Union Agency for Cybersecurity) to develop an EU-wide certification system to regulate cloud computing service providers.
See the Cigref letter: https://aeur.eu/f/bsz

(Original version in French by Isalia Stieffatre)