The new proposal of the cybersecurity agency of the European Union, ENISA, for the creation of a certification scheme that serves to guarantee the protection of cloud services It hasn’t started off on the right foot. At least, according to the criticism received by up to 13 groups and associations.
Among these, some as important as the United States Chamber of Commerce, the Latin American Internet Association, the National Council of Foreign Trade and the Japanese Association of New Economy. This scheme it also seeks to determine how governments and community businesses have to select suppliers for your business.
A “lack of freedom” that, according to the criticism received, would exclude technological giants such as Amazon, Google, Microsoft as well as numerous other cloud service providers that do not belong to the EU from the equation. ENISA intends that cloud services be operated and maintained from the territoryand that all customer data is stored and processed in the old continent where the laws of the EU prevail over those of other geopolitical groups.
The consequences that the new certification scheme could trigger
The joint statement, as reported by Reuters, was sent both to relevant commissioners of the European Commission, to national governments, to ENISA itself and even to Union legislators. “The EU should refrain from adopting requirements of a political nature, rather than a technical one, that would exclude legitimate companies and would not enhance effective security controls (…) these requirements are ostensibly designed to ensure that providers from outside the territory cannot access their market on equal terms, which prevents industries and governments from fully benefiting from the offerings of these global providers.
From the European Union’s own cybersecurity agency they have decided to send an updated proposal to the Commission for consultation in September, which could lead to changes before a final text is adopted. “Discussions are ongoing to have a balanced approach and no decision has been made yet. The scheme must be fully in line with EU law, as well as the EU’s international commitments, including trade,” an EU executive spokesman said, seeking to dampen tempers.
ENISA proposes various levels of certification. The highest is intended to be applicable only to a small set of use cases that require the highest level of security. These can be sensitive government applications and critical infrastructure, “which would have to have some sense of independence from outside laws. Which does not apply to all cloud services,” a spokesperson told Reuters.
The 13 groups and associations critical of the new proposal from the European Union’s cybersecurity agency have also warned that if other countries followed similar policies, European cloud providers could also see their own opportunities diminished in non-EU markets. In addition, they question whether the scheme complies with the General Agreement on Trade in Services of the World Trade Organization and the commitments of the EU Government Procurement Agreement.
And last but not least: the size of the global government cloud market is expected to reach $71.2 billion by 2027 from $27.6 billion in 2021, according to market research firm Imarc Group.