The current proposal of the European Cybersecurity Certification Scheme for Cloud Services might decelerate digital transformation or force EU companies to choose less secure solutions, writes Vladimir Vano.
Vladimir Vano is the chief economist of GLOBSEC, a global think-tank committed to enhancing security, prosperity, and sustainability in Europe and throughout the world.
In an ever-changing world marked by continuously emerging and unique security threats, it is crucial for European authorities to establish a robust framework that not only employs state-of-the-art safeguards to ensure the security of European data but also remains flexible in response to evolving dangers.
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is intended to be one such framework.
However, the measures outlined in the current proposal carry a heightened potential for trade retaliation and legal disputes, without offering any tangible improvements to European cybersecurity.
On the contrary, in its current state, it may compel European companies to either slow down their digital transformation efforts or opt for less secure cloud solutions.
While there are some encouraging developments in the latest draft, such as the decrease in data localization requirements for data categorized up to the level ‘High’, the most recent version of the EUCS still falls short in adequately mitigating the economic and security risks for the member states.
Several concerning clauses persist in the document, particularly those relating to data categorized at the level ‘High Plus’. The scope of the ‘High Plus’ level is inadequately defined: rather than exclusively encompassing data critical to national security, it also includes extensive data related to the ‘fundamental interests of society’.
Yet despite this expansive classification, Level ‘High Plus’ is subjected to stringent sovereignty and data localization requirements.
For example, the EUCS would block market access for firms without a European HQ.
This limitation would apply to providers of the most advanced and secure cloud systems, including companies like Amazon, Google, and Microsoft, which numerous European governments are currently utilizing to safeguard their critical data.
And recent suggestions to circumvent these sovereignty provisions via adequacy agreements would not address the underlying and more fundamental issue.
In certain instances, adequacy agreements may be susceptible to legal challenges or could fall away, potentially leading to reliance on EU-based companies, with significant consequences for European security.
Furthermore, the existing wording of the EUCS compromises the EU’s position in terms of trade. It not only conflicts with important EU obligations like the General Agreement on Trade in Services (GATS) and the WTO Agreement on Government Procurement (GPA), potentially exposing the EU to legal disputes, but it also carries a tangible risk of provoking trade retaliation.
Such trade retaliation would likely have a disproportionate impact on smaller EU economies. ECIPE has estimated a potential impact on Gross National Income (GNI) in the range of USD 12-20 billion, with the loss of trade with external partners more than outweighing any domestic increase in demand.
To provide perspective, the GNI of Estonia in 2021 was a mere USD 55 billion, while its neighbour, Latvia, had an equivalent figure of USD 64 billion.
Moreover, uncertainties persist regarding the data localization criteria for Level ‘High Plus’ data. While the most recent draft has eliminated any mention of metadata, it remains unclear whether metadata at the ‘High Plus’ level should also be subject to localization.
The war in Ukraine serves as a compelling illustration of the urgency surrounding data localization. Without the capacity to store data across multiple global locations using techniques like ‘sharding’ and extensive use of encryption, governments become dependent on local, physical infrastructure that can be vulnerable to targeting.
For certain member states, this situation could lead to an escalation in security risks rather than a reduction.
Using adequacy agreements as a substitute for sovereignty controls raises legal ambiguity and concerns about legislative sustainability, since such agreements can lapse, be legally contested, or be abolished altogether.
If multiple EU-US adequacy agreements govern industry operations, conflicts may also arise: for instance, one agreement pertaining to cloud services could be terminated while another covering data remains in place.
Hence, it’s imperative to consider a dependable and proportional framework for the foreseeable future.
Most importantly, should the EUCS be implemented as presently structured, European organizations will confront challenging decisions and may find themselves unable to adopt cutting-edge technologies.
According to a recent CSIS survey, 30 percent of firms would opt for lower-quality technology, and one-fifth would slow down their digital transformation efforts.
This contradicts the stated intentions of European policymakers and goes against the essential objectives of the Digital Decade.
Member states have a limited timeframe remaining to ensure that the ultimate version of the EUCS prioritizes the safety of Europeans and bolsters their digital security. It is imperative that they take decisive action.