According to the latest draft of the EU cybersecurity certification scheme for cloud services (EUCS), dated August 2023 (leaked by POLITICO), the data localisation requirement, which was heavily criticised by the industry, will now apply only to the highly critical “high+” level. Data localisation would, should the EUCS be approved as such, not apply to the category 3 (“high”) level. This might not be the end of a debate that has run wild between industry (with major cloud providers unkeen with the idea) on one side and some member states defending some level of sovereignty, such as France, Italy and Spain, and EU institutions (such as the European Data Protection Board and ENISA) on the other one.

Background

Due to its characteristics, within assurance level “high”, two distinct evaluation levels are delineated: CS-EL3 (“category 3” or “high”) and CS-EL4 (“category 4” or “high+”). They differ in their approach to the protection of EU data from unlawful access. Category 3 prioritises technical and transparency measures, while category 4 adopts an even more stringent approach, imposing strict regulation on non-interference with data.

The EUCS is an EU cybersecurity certification scheme for cloud services. It is part of the European Commission’s broader strategy to enable access to secure, sustainable and interoperable cloud infrastructure and services for European businesses. It aims to enhance the conditions within the EU Internal Market and elevate cybersecurity standards.

The EUCS supports three assurance levels as defined in the Cybersecurity Act: “basic”, “substantial” and “high”. The security requirements on cloud services and on their assessment increase with levels in several dimensions: scope, rigor and depth.  

The standards set for assurance level “high” are notably rigorous, aligning closely with or at the state-of-the-art benchmarks.[1] This level is primarily aimed at safeguarding the most sensitive instances of cloud utilisation. It is relevant when relating to fundamental interests of society or extremely delicate business concerns. It should apply where any compromise to cybersecurity is deemed unacceptable or likely to result in significant harm.

One of the most controversial requirements for these categories included in previous drafts of the EUCS was the obligation for category 3 to offer “at least one contractual option in which all data storage and processing locations were within the EU”, as well as “to only use in the provision of trust services that are being provided by a Trusted Service Provider based in an EU Member State”. Category 4 requirements were even stricter: all processing and storage locations had to be within the EU, with limited exceptions. Both would have effectively excluded non-EU CSPs.

Why Is This Relevant?

Article 52(7) of the Cybersecurity Act explicitly designates the “high” assurance level as the only level intended to “minimize the risk of state-of-the-art cyberattacks […]”; opting for the “high” level makes sense for cloud solutions within Europe, if this does not lead to protectionism.

Data localisation requirements would have restricted the ability of non-EU CSPs to cater to the European market, which could have potentially led to a reduction in cybersecurity capabilities for EU businesses. ENISA, the European cybersecurity agency that was tasked with designing the scheme under the Cybersecurity Act, was criticised for not considering stakeholders’ positions at the time. One of the EUCS’ long-term objectives with data localisation might also have been to support/promote European CSPs; in the short term, it represented the risk of forcing European companies to work with European CSPs and exclude mature non-EU providers.  

How? The EUCS was initially conceived as a voluntary certification programme that companies could use to demonstrate the robustness of their cybersecurity practices. However, in practice, consumers – whether governmental or commercial – might incorporate this certification as a prerequisite in procurement processes, essentially transforming it into a prerequisite. Going even further, one could imagine EU governments or the European Commission requiring certain assurance levels by law.

What Next?

The sky looks brighter, but that does not mean that no rain will be falling. The EUCS is not yet endorsed or adopted. This development is, however, a step in the right direction, as, if adopted in the current format, it will not require non-EU CSPs to reverse-engineer requirements or restructure their offerings to meet the category 3 assurance level.

In a world where cyberthreats are growing (and not solely from sovereign states), the data localisation requirement seemed almost counterproductive. Let’s allow organisations to use infrastructure capable of obtaining the “high” cybersecurity certification level. This means that EU consumers, if they want to, will still be offered the choice to select providers based upon their technical requirements and not their locations.

[1] ENISA, EUCS – Cloud Services Scheme, August 2023, p. 6