Europe Daily Bulletin No. 13880
'Tech sovereignty' package / Digital

European Commission proposes sovereignty risk assessments for public cloud services

The European Commission is proposing to require Member States to carry out sovereignty risk assessments to guide the procurement of ‘cloud computing’ services for critical public services according to four levels of sensitivity. 

“We want to ensure that our most critical and most sensitive data are stored in Europe. With CADA [the draft Regulation on the development of cloud and artificial intelligence (‘Cloud and AI Development Act’)], we are introducing a four-tier framework for the public sector. It will enable providers of cloud and artificial intelligence services to demonstrate their level of sovereignty on the basis of clear criteria, including infrastructure location, control of the software supply chain, and cybersecurity”, explained European Commission Executive Vice-President for Tech Sovereignty, Henna Virkkunen, when presenting the tech sovereignty package. She also recommended that companies active in the sectors covered by the NIS II Directive do the same.

Henna Virkkunen also announced the appointment of Jim Hagemann Snabe as special envoy for AI.

A four-tier European framework for cloud sovereignty. At present, three non-European hyperscalers control more than 70% of the European cloud market, a dependency that exposes the Union to “unilateral decisions by third-country actors” liable to disrupt services.

In order to reduce these risks, the Regulation establishes a European sovereignty framework for public ‘cloud computing’ services. Member States will be required to carry out “sovereignty risk assessments to determine which sub-sectors should be served by services corresponding to different levels of sovereignty”, in order to ensure adequate data protection, operational autonomy and preservation of public order.

The Regulation introduces harmonised criteria at Union level, but the assessment itself will remain within the competence of the Member States. The Commission will provide guidance to help them in this exercise. It will also set up a central register listing ‘cloud computing’ services benefiting from a European assurance level.

Strict access conditions for third-country providers. For level 3 services, the Commission may identify eligible third countries by means of an implementing act. Providers established in third countries may be recognised subject to certain conditions. In particular, their country will have to benefit from an adequacy decision in data protection matters. Authorities of the third country must not be in a position to exercise control over the provider in order to obtain unlawful access to non-personal data or impose a service interruption. The country concerned must also not prevent the provision of cutting-edge technologies or services by the cloud provider and will have to guarantee equivalent access to public procurement markets for ‘cloud computing’ services for Union companies.

Henna Virkkunen specified that the requirements applicable to levels 3 and 4, particularly in the field of defence, were “very strict”, including with respect to “European control” and data location in Europe. “We also want to ensure that no one has the possibility of activating a ‘kill switch’. With the US Cloud Act, it is difficult for American companies to reach level 3”, she explained, stressing that certain provisions of US law would not be compatible with the proposed criteria.

However, she recalled that it will be the national authorities that will be responsible for the audits and insisted that “in most cases, when it comes to public services and cloud services, we are mainly talking about levels 1 and 2”, whereas levels 3 and 4 concern “extremely critical areas”. 

More broadly, the Cloud and AI Development Act seeks to support the objective of tripling sustainable data-centre capacity in Europe over the next five to seven years, through a number of concrete measures intended to foster the development of cloud and artificial intelligence capacities, notably by stimulating domestic demand.

A criterion of “European added value” in public procurement. The Commission is proposing to introduce a “European added value” criterion in the evaluation of bids relating to innovative cloud services and artificial intelligence systems. However, this criterion would not in itself be decisive and would account for 15 points out of a total of 120, in order to preserve the primacy of the technical and financial criteria. It will make it possible to favour solutions that contribute to strengthening the European digital value chain, notably through the use of software or hardware designed or manufactured in the Union and through the integration of technologies developed in Europe.

Joint procurement and sharing of digital public services. The proposal paves the way for joint procurement of data-centre services, cloud services, software and artificial intelligence systems by the European Commission on behalf of the Member States.

The text also provides for the creation of a European public cloud Federation (‘EuroCloud Federation’), open on a voluntary basis to Union institutions and national public administrations. It will facilitate the sharing of data-centre and cloud computing services between European public administrations. The entity providing the service may charge limited fees to the user entity.

Leadership initiatives in cloud and AI, priority AI projects and strategic data-centre projects will be selected. The Regulation provides for leadership initiatives in the field of cloud and artificial intelligence in order to promote research and innovation activities and develop large-scale capacities across the European cloud and AI ecosystem.

Acceleration areas for data centres. Within six months of the Regulation’s entry into force, Member States will have to designate at least one acceleration area for data centres. These areas will have to incorporate sustainability requirements and will be subject to an assessment of energy needs as well as of their impact on greenhouse gas emissions. Authorisation procedures for the construction of data centres in these areas will be simplified and must not exceed 12 months, Member States being able to provide for shorter deadlines.

Promotion of open source. The Regulation provides that Union institutions and Member States’ public administrations use and promote the reuse of open standards and components distributed under an ‘open source’ licence when building their cloud and AI infrastructures, while taking account of security requirements, functionalities and overall cost.

National strategies for cloud and AI. Lastly, in order to implement the Regulation, Member States will have to adopt, no later than one year after its entry into force, national strategies relating to cloud and artificial intelligence aimed at accelerating their development and uptake at national, regional, and local level.

See proposal: https://aeur.eu/f/m64 (Original version in French by Ana Pisonero Hernández)
