Cloud services certification: a hard road to harmonisation

In November 2019, the European Commission gave ENISA the task of preparing a common candidate certification scheme for cloud services: the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Its legal framework was set out in the Cybersecurity Act.

The scheme will guarantee a high level of expertise and quality of service in cybersecurity, while providing strong protection of sensitive data. It will also have to standardise and harmonise the cloud services market in line with EU regulations, international standards, industry best practice and existing certifications in EU Member States.

The certification scheme will apply to all types of cloud services, including IaaS, PaaS, SaaS and XaaS. It will be voluntary and its approach will take existing national schemes and international standards as a starting point. Certificates issued will be valid throughout the EU. The certification will be valid for three years and will be renewable.

An oligopolistic market

Many Member States already have their own certification schemes: C5 in Germany, SecNumCloud in France and ENS in Spain. “The diverse set of market players, complex systems and constantly changing landscape of cloud services, along with different schemes in Member States, pose challenges to the certification of cloud services,” says ENISA.

According to the Synergy Research Group, the European cloud market has grown fivefold since early 2017, with revenues reaching €10.4 billion in 2022. “Providers have grown their cloud revenues by 167%, but their market share has declined from 27% to 13% as their growth rate lagged well behind overall cloud market growth,” says the research group.

The three hyperscalers (Amazon, Microsoft and Google) are still the main beneficiaries of this market growth and now have a 72% share of the EU market. By contrast, European leaders SAP and Deutsche Telekom each have only a 2% share of the European pie.

“The cloud market is a game of scale where aspiring leaders have to place huge financial bets, must have a long-term view of investments and profitability, must maintain a focused determination to succeed, and must consistently achieve operational excellence,” says John Dinsdale, Chief Analyst at Synergy Research Group. “No European companies have come close to that set of criteria and the result is a market where the six leaders are all US companies.”

ENISA was tasked with drafting a preliminary version of the scheme and assembled an ad hoc working group of 20 industry stakeholders and a dozen representatives from accreditation bodies and EU Member States.

In December 2020, the agency published a draft version of the scheme, whose recommended security requirements are largely modelled on the German C5 and French SecNumCloud schemes. They also incorporate the principles of other European standards and the proposals of the ad hoc working group.

The document sets out sovereignty requirements whereby cloud service providers would be required to locate their operations and infrastructure within the EU and demonstrate “immunity” from foreign law. “The objective of these specific requirements is to prevent and adequately limit potential interference by non-EU states in the operation of certified cloud services,” the document says.

Unacceptable requirements

ENISA’s proposals were then submitted to a public consultation, which ended on 7 February 2021. Drawing on the opinions received, the agency unveiled version 1.1.1 of its candidate scheme in May 2021, which was then sent to the European Commission, which will take the lead on an implementing regulation. ENISA is currently working on a second implementation scheme. According to the planned schedule, the final scheme will be adopted in mid-2023 and the first certificates issued in mid-2024.

For some countries and representatives of the technology industry, the sovereignty requirements, drawn in particular from “the French doctrine on the use of cloud computing by the State”, are unacceptable. The draft document is based primarily on “technical measures”, but they would also like to see discussions at political level.

In a non-paper submitted to the European Commission in April 2022, the Netherlands, Sweden and Ireland explain that these proposed requirements “could have wide-ranging effects for companies (sub-contractors) involved in cloud service deliveries and their ability to develop their services and compete on the global market.”

They add that these requirements “are difficult to implement and audit, leading to high costs and affecting competition. The result might be restricting competition to a smaller pool of vendors.” They argue that the European economy risks restricting the choice and quality of cloud offerings.

For the US Chamber of Commerce, the “sovereignty” requirements undermine cybersecurity and damage transatlantic ties: “Under the guise of promoting Europe’s so-called ‘digital sovereignty’, several proposed requirements (for example, only certifying companies with a global headquarters in the EU) are politically motivated rather than based on sound technical standards, core cybersecurity principles, and best practices,” it laments. “They are designed to siphon away business opportunities from US and other international companies to benefit European champions.”

In its view, excluding US cloud providers from key sectors of the European economy would have a cascading negative impact on the businesses and consumers that depend on their cutting-edge technologies: “Ironically, European competitiveness and cybersecurity would be considerably compromised if these proposals are adopted,” it says. “This would impose significant limitations on both the quantity and quality of vendors available to meet the operational needs of governments, businesses and customers.”