Computer & Communication Industry Association
PublishedDecember 1, 2022

Cybersecurity: EU Cloud Requirements Risk Excluding International Suppliers, Global Businesses Warn

Brussels, BELGIUM – A broad coalition of business associations from around the world is calling on the EU to refrain from adopting new requirements that discriminate against legitimate suppliers of cloud services, which would not only limit Europe’s cloud choice but also undermine effective cybersecurity.

The 13 signatories, representing both cloud users and vendors operating in the EU Digital Single Market, today published a joint industry statement to raise their strong concerns about the draft European Cybersecurity Certification Scheme for Cloud Services (EUCS).

This scheme, as currently proposed by the EU Agency for Cybersecurity (ENISA), would considerably reduce the offering of cloud computing services in Europe. Not only that, the EUCS would mandate the use of cloud services that cannot be used by companies with global operations, as well as delaying adoption of the latest technologies and paradoxically weakening cybersecurity.

The draft EUCS includes several requirements that are seemingly designed to ensure that non-EU cloud suppliers simply cannot access the market on equal footing, thereby preventing European businesses and governments from using the services of global suppliers.

In particular, the proposed “immunity requirements” would strictly limit eligibility for cybersecurity certification to cloud providers headquartered in the EU, and exclude other vendors simply because of the location of their headquarters or investors’ nationality.

The business associations from Japan, Latin America, North America, and the United Kingdom call upon the EU’s 27 national governments, the European Commission, and the European Parliament to reject the introduction of these discriminatory immunity requirements in the EUCS.

Exclusionary policies that target Europe’s most important trading partners and allies are particularly inopportune given today’s volatile geopolitical climate, the coalition stresses.

Businesses that rely on cloud solutions, underlined the following in the statement:

“The EU should seek to expand – not decrease – the availability of cloud technologies in Europe. Our members need access to the widest range of innovative cloud technologies that best suit their needs to be successful in a fast-growing global market.”

The following can be attributed to CCIA Europe’s Public Policy Director, Alexandre Roure:

“The cloud requirements proposed by ENISA would severely restrict competition and customer choice, but also undermine cybersecurity in Europe.”

“We believe that every market participant should have a fair chance to compete on merit; regardless of the location of their headquarters, the nationality of their shareholders or board members, or the business opportunities they may have pursued elsewhere.”

***

The global coalition consists of the following 13 associations:

    • ACT | The App Association (ACT)
    • American Chamber of Commerce to the European Union (AmCham EU)
    • Coalition of Services Industries (CSI)
    • Computer & Communications Industry Association (CCIA Europe)
    • Internet and Competitive Networks Association (INCOMPAS)
    • Information Technology Industry Council (ITI)
    • Japan Association of New Economy (JANE)
    • Latin American Internet Association (ALAI)
    • National Foreign Trade Council (NFTC)
    • Software & Information Industry Association (SIIA)
    • techUK
    • U.S. Chamber of Commerce
    • United States Council for International Business (USCIB)

Click here for the Joint Industry Statement on the Draft European Cybersecurity Certification Scheme for Cloud Services (EUCS).