On 23 January 2023, the EU institutions produced an informal “joint document” on the sovereignty requirements of the European Cybersecurity Certification Scheme for Cloud Services (EUCS). This European certification scheme for cloud computing providers is being developed as part of the Cybersecurity Act.
The document presents six scenarios on how to incorporate the requirement to keep certain data out of the reach of foreign jurisdictions into the EUCS nomenclature.
Currently, the EUCS has three security levels: “basic”, “substantial”, and “high”. The “high” level could become mandatory for critical sectors. Does it imply a guarantee of sovereignty, like the French SecNumCloud?
France, Spain and Italy support the position of Internal Market Commissioner Thierry Breton in favour of such “technological sovereignty”. A group of smaller countries, led by the Netherlands, is opposed. These six proposals should fuel the debates to finalise the nomenclature.
The first proposal is said to apply sovereignty requirements at the “high” level and to split the “substantial” level in two. One of the two halves could then be the equivalent of the “high” level, but without the immunity requirements. Second option: add a fourth, “high+” level that includes the sovereignty constraints.
Third proposal: create extension profiles with sovereignty criteria that are independent of the levels of guarantee. The fourth option would include two such extension profiles specific to the “high” and “substantial” levels.
The fifth option would not touch the current certification. But it would add a mechanism to evaluate non-European cloud computing providers outside the EUCS. Finally, the sixth proposal would offload sovereignty requirements to future European legislation, again outside the current certification scheme.