In a letter dated 22 July sent to the EU Agency for Cybersecurity (Enisa), the European Data Protection Board calls for clarification of the links between the security levels of the EUCS (European Union Cybersecurity Certification Scheme for Cloud Services) and the European Data Protection Regulation (GDPR).
The EDPB “finds that several important issues related to the links between the cybersecurity risk assessment and personal data protection risk assessment need to be addressed” and raises the question of whether the details of the scheme are sufficient to ensure the security of personal data processing.
To ensure this, the EDPB is proposing to set up a joint working group with Enisa to help link the obligations of the GDPR with the European cybersecurity scheme.
This group could help to “draw up data protection guidelines for cloud service providers and customers” and check whether the requirements included in the EUCS take account of the risks associated with data sharing.
The EDPB also proposes to develop a common risk assessment methodology for the various players involved.
At this stage, adoption of the EUCS is still pending (see EUROPE 13451/10), while the final details of the text have been criticised by France, which is keen to safeguard its own national system.
See the EDPB letter: https://aeur.eu/f/d6k (Original version in French by Isalia Stieffatre)