New EU Cloud security label deals a big blow to the ‘Big Three’ cloud providers

The EU has proposed new cloud security labelling that could force foreign cloud providers including Google, Amazon, and Microsoft to change how they operate in the region. Draft documents, which are yet to become publicly available, dictate that foreign providers engage in a joint venture with an EU-based firm. The documents further state that the foreign operators will only receive a minority share in these ventures.

“Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values,” the document reads. “Undertakings whose registered head office or headquarters are not established in a member state of the EU shall not, directly or indirectly, solely or jointly, hold positive or negative effective control of the CSP applying for the certification of a cloud service,”

These new proposals have been drafted by the EU cyber security agency, ENISA with the aim to increase the data security of EU citizens. According to the proposals, employees with access to EU data are required to undergo screening processes and be located within one of the EU’s 27 member states.

The new proposals form part of the EU certification scheme (EUCS), which aims to establish a union-wide certification regime for cloud providers. Foreign companies like Google Cloud, Microsoft, and AWS will need to prove compliance to handle sensitive data in the EU.

“The draft EUCS candidate scheme intends to harmonise the security of cloud services with EU regulations, international standards, industry best practices, as well as with existing certifications in EU member states,” ENISA said.

The cybersecurity agency is very keen to ensure that cloud services must be operated and maintained within the EU. Also, according to the documents, customer data stored and processed in the EU will be subject exclusively to EU regulations and take precedence over non-EU laws.

If the proposals are implemented, foreign countries especially the three cloud giants will have a huge task ahead of them.

“Compliance with the requirements would involve significant restructuring and potential delays in obtaining the EU cybersecurity kite mark. These companies, with their extensive customer bases and data management responsibilities, could face a competitive disadvantage compared to EU counterparts,” said Philip Brining, co-founder and director of Data Protection People.

Gavin Millard, Deputy CTO at Tenable has also echoed Brining’s sentiments noting that a more favourable solution should be explored.

“Whilst the protection of sensitive data from external entities should be paramount, the requirement to have an EU-based third party with a majority stake in the venture could be a ridiculously high barrier for the cloud services providers to do business in Europe,” Millard said. Instead, the CTO proposes that the data storage centres of these companies be audited to prove compliance.