1 min

Cloud: European Union slightly loosens sovereignty criteria

Latest version of EUCS, future European certification scheme for cloud services, specifically reduces requirements for “impermeability” to extraterritoriality of foreign legislation.

Digital Sovereignty - December 05, 2023

On November 20, 2023, the European Union updated its European certification scheme for cloud services, the EUCS. Since no consensus was reached on the August 2023 version, Brussels softened its sovereignty criteria for the third and fourth levels (“high” and “high +”) of the frame of reference, which has four.

The new version thus lightly reduces European location requirements for “high +” certified cloud providers. It gives them the choice of drawing up “effective technical, organizational and legal measures”, which “prevent non-European companies with ties to the cloud provider from holding decisive influence over decisions relating to investigation requests.”

This measure explicitly aims to guarantee that “trustworthy foreign cloud providers meeting other requirements [than simply being located in Europe, editor’s note] may be certified.” Several other EUCS changes tend to mitigate, at “high” and “high +” levels, the required “impermeability” to foreign legislation extraterritoriality, particularly the US Cloud Act.

In regard to data location, “high” level certified cloud providers will be required to have at least one datacenter in the European Union. In order to qualify for the  “high +” level, all datacenters will have to be in the EU.

It remains to be seen whether these concessions will be enough to unite the countries, led by the Netherlands and Germany, who are opposed to drastic sovereignty criteria. Time is of the essence, as the 27 must pass the EUCS before the end of the current term, in 2024.

Send this to a friend