Urgent call to European Commission regarding the European Cybersecurity Certification Scheme for Cloud Services (EUCS)

Wednesday 22 June 2022

CIO Platform Nederland calls on the European Commission not to adopt the EUCS until the consequences for business users in industry and government in Europe have been thoroughly investigated, a consultation of stakeholders has taken place and the responsible political bodies have weighed up the digital autonomy, costs and benefits of a decision.

This is because of:
- The risks and costs, outlined below, for business users of digital technology in industry and government
- The need to prevent further restriction of the already limited competition in digital technology markets
- The hasty exchange of the security offered by the expertise of large market parties for the pseudo-security of a certification that mainly checks compliance with rules

Explanation of the EUCS
In December last year, the Dutch financial daily Het Financieele Dagblad (FD)[1] reported on the worrying direction that the development of the European Cybersecurity Certification Scheme for Cloud Services (EUCS) seemed to be taking. Under pressure from the French government (which held the presidency of the Council of the European Union in the first half of 2022), the ad hoc working group at ENISA (the European Union Agency for Cybersecurity) has included requirements that threaten to sideline a large number of non-European cloud service providers. The scheme is almost ready and, although still voluntary for now, it is referenced in various regulations that are under development, so certification in accordance with the scheme may eventually become mandatory in practice.

Worrying provisions
The crux of the matter lies in the provisions intended to rule out interference by foreign governments. In itself this is a good development, but it has been shaped into requirements concerning the location of, and access to, data at the highest level of protection (think of medical data and state secrets). According to the latest draft, such data must remain in the EU for both processing and storage, and only screened employees of the cloud service provider (CSP) located in the EU may have access to the data and to the functional infrastructure components of the service. If the CSP is based in a country whose legislation allows its government to request data from the CSP even when the data is located outside that country (extraterritorial effect), additional rules apply: contracts must be governed by the law of an EU member state, and there must be no form of control over the CSP by an entity outside the EU.

Possible consequences for the business user
After consultation with various members, it appears that the following consequences are likely if these provisions remain in the certification schemes:

  • Although the provisions apply only to data at the highest level of protection, estimated at roughly 1-4% of the total volume of data, the CISOs and certification experts who took part in the consultation expect the strictest requirements to be applied to all CSPs in practice. This is partly due to the poor interoperability of cloud services: because workloads cannot easily be split across providers by data classification, organisations will tend to choose a provider that meets the strictest level for everything.
  • A large part of the smaller CSPs will not be able to comply with the strict requirements (see also the aforementioned FD article). Moreover, non-European CSPs, especially those from countries such as the US and China, will have great difficulty meeting the criteria because of the extraterritorial effect of their national legislation on data access.
  • This limits the number of providers, and thus competition, and will probably increase prices and the degree of lock-in.
  • By excluding many US parties, who generally achieve the highest levels of security, there is a significant chance that the security of the data will actually decrease.
  • Moreover, multinationals will have to engage various service providers for the storage and processing of their data. This leads to additional management burdens, complexity in using data and insights across borders, and additional risks of data leakage and to continuity of operations.
  • Finally, the proposed certification scheme mainly checks whether a measure has been implemented, not whether the resulting system is actually secure. It therefore provides security on paper: pseudo-security.

To make this even more concrete: in the healthcare sector, the market for electronic patient records (EPD) is dominated by two large players, one of which is based in the US. It is very likely that many parties could be forced by the criteria in this certification scheme to say goodbye to their EPD, after which only one large party would remain. The same situation could apply to many other companies and organisations.

European politicians let themselves be sidelined by technical working group
In terms of process, it is also very strange that such far-reaching consequences seem to be the result of a certification assignment carried out by a closed technical working group. Such a radical change of policy with the aim of promoting digital autonomy would, at the very least, require political discussion and decision-making. And preferably before that, a very thorough analysis of the possible consequences and a public consultation to give stakeholders the opportunity to provide their input.

Not to mention the fact that this certification exercise will interfere with the negotiations between the European Commission and the US about a Privacy Shield 2.0. This will (hopefully) lay down Schrems-II-proof agreements for the processing of personal data by parties in the US.

In view of the aforementioned risks, we call on the European Commission to look more carefully at the consequences of this certification and not to adopt the certification scheme without properly weighing up the pros and cons.
