The cloud scheme has proved extremely controversial as the European Commission, driven by French Commissioner Thierry Breton, strived to introduce sovereignty requirements following France’s SecNumCloud that would exclude non-European cloud companies from qualifying for the highest security levels.

Although the certification is voluntary under the EU Cybersecurity Act, it might be made mandatory for thousands of entities considered essential or important for the European economy under the revised Networks and Information Security Directive (NIS2).

The proposal prompted strong pushback from several EU countries and a considerable part of the industry, which saw it as a protectionist move to exclude American hyperscalers from large chunks of the European market.

In May, Euractiv revealed that a compromise between the two camps, the French-led one pushing for cloud sovereignty on the one hand and the liberal one led by the Netherlands and with the increasing support of Germany, was being sought through a tiered approach.

While the Cybersecurity Act only envisaged three levels of assurance – basic, substantial and high – a new level, ‘high+’, was introduced with the bulk of the sovereignty requirements.

A revised version of the scheme was circulated in August but still failed to convince the most reluctant EU countries. This new draft is to be seen as another attempt in this sense, as the sovereignty requirements were further toned down.

It remains to be seen if this compromise will be successful or if the Commission will move ahead with adopting the scheme, as the clock is ticking to adopt the scheme before the end of the mandate.

National representatives will have the opportunity to adopt or reject the entire text.

Notion of control

A crucial aspect of the sovereignty requirements has been to what extent the European subsidiary of a cloud provider can be considered under the parent company’s or group’s control.

The requirement that the cloud service providers would have to be operated only by EU-based companies with no non-European entity exerting effective control has been slightly softened for the level of assurance high+.

In particular, the new text adds the possibility to demonstrate that they have put in place effective technical, organisational and legal measures that prevent non-EU companies linked with the cloud provider from exerting a decisive influence in decisions related to investigation requests.

On this point, a placeholder indicates that this option is meant to ensure that “trusted foreign cloud providers fulfilling other requirements can get certified”. The same placeholder is present under the level of assurance high, suggesting this requirement might be extended to this level.

Data localisation

Localisation requirements have also been introduced for the level of assurance high, requiring the cloud service providers to have at least one dedicated location in the Union. Concerning the level of assurance high+, the obligation to have all referenced locations in the EU remained untouched.

EU law primacy

The requirements concerning the primacy of EU law have been modified for both levels of assurance, high and high+, removing the idea that they would apply to all the account data related to the contractual relationship, including pre-sales, maintenance, operation and exit.

The provision on what the cloud service providers should include in the risk assessment for extra-territorial application of non-EU laws was made less prescriptive, whilst the principle that contractual relations should be under the jurisdiction of an EU country was maintained.

Additional guidance is to be provided to cloud users about the risks related to using the cloud service, notably regarding the risk of unlawful access from data and derived data, including commercially sensitive, confidential and proprietary business data.

Staff requirements

The requirements for the cloud services’ employees with direct or indirect access to the data have been toned down for the high assurance level. The staff members and their supervisors will still have to undergo “an appropriate review” and be located in the EU. Still, the idea that the maintenance of a functional component should also be logged and monitored was dropped.

International agreements

A specification was introduced stating that the scheme should not be understood as preventing the application of any obligation under EU law to comply with an investigation or other requests for data access recognised under international agreements such as a mutual legal assistance treaty with a third country.

Sensitive data

A definition of data was added in line with that of the Digital Markets Act, together with categories of sensitive data, meaning personal or non-personal data for which the disclosure could negatively affect public order, safety, health or the performance of essential governmental functions.

Sector-specific requirements

The new text specifies that the level of assurance high should “be also suitable for cloud services that are designed to meet sector-specific requirements for global operations,” giving the example of the banking and financial sector.

Source