The Dutch Online Trust Coalition on the EUCS

The ambitions and goals of the EU commission are undisputed. There is a strong need for a standardized and harmonized set of cyber security rules for Cloud services and Cloud service providers who deliver their services in the EU. A strong standard will create clarity and a level playing field for the thousands of Cloud service providers in the EU, and establish confidence that data of EU citizens is protected. Projects such as Gaia-X will greatly benefit from such a standard.

But now that the EUCS is nearing its completion, concerns have surfaced. The direction that ENISA has taken for the EUCS turns out to have significant detrimental effects on the European Cloud market. The OTC has identified three significant risks.
First, ENISA adopted a rules-based approach for the EUCS. Although this may sound as a technical detail, it is far from that. Rules-based schemes are only suitable for static services and products, but create significant challenges for Cloud services, that by their very nature, continuously change. Consequently, compliance costs of a rules-based approach will be enormous. Besides this there are many reasons to believe that the scheme will not bring the required Assurance for Cloud customers, end users and authorities. Furthermore, a compulsory rule-based approach turns out to be incompatible with other regulations that govern Cloud such as DORA, the GDPR, the NIS directive and the future AI regulation; that all require a principle-based governance approach.
A second concern addresses the inclusion of several rules in the scheme that ensure immunity to non-EU law, as proposed by France, Germany, Italy and Spain. The OTC points out that this is not a cybersecurity, but a legal matter that needs to be resolved by the commission and the EP first. Besides this, given the enormous consequences, such detailed rules cannot be established before the EU and EP have validated that this is indeed the strategy for digital sovereignty and GDPR enforcement issues. Third, the OTC has asked the commission and EP to take a closer look at National cyber security schemes, since there is a significant risk that such requirements, if they stay in place, may create substantial barriers for EU Cloud providers to expand in an open EU market. That would hamper the necessary growth and scale-out of EU Cloud SME companies.

The OTC proposes to strengthen digital trust by adopting the assurance approach, which is already a common best practice in the global Cloud market. This can be reached by using a principle-based approach for all Cloud regulations, including the EUCS, and by EU harmonization of auditing standards such as the ISAE3402. In addition ENISA needs to develop assurance reporting standards for various stakeholders.