EU Cybersecurity Certification Program Controversy: Sovereignty vs. Openness

Source: [Finance Intelligence] 

The debate within the EU over the cybersecurity certification program has escalated once again, with 15 EU companies including Deutsche Telekom, France Telecom, and Airbus jointly boycotting a proposal that would allow unrestricted access to EU cloud data by US tech giants like Microsoft, Amazon, and Google. This event has once again brought to the forefront the internal divisions within the EU on cybersecurity issues and added new variables to the market access of global tech giants.

EU Cloud Service Certification Program (EUCS): Fortifying Security or Erecting Trade Barriers?

The EU Cloud Service Certification Program (EUCS) aims to enhance the overall cybersecurity level of the EU by establishing unified certification standards to help EU governments and businesses select secure and trustworthy cloud service providers. However, the program has been embroiled in a fierce struggle between sovereignty demands and market openness from the outset.

Sovereignty Demands: Safeguarding Data Security or Erecting Trade Barriers?

Some EU member states advocate for stringent sovereignty demands in the EUCS, requiring US tech giants to store EU customer data within the EU borders and comply with EU data protection regulations to obtain the highest level of security certification. They believe this can effectively reduce the risk of EU data being illegally accessed by the US government or other third parties.

However, this demand has faced strong opposition from the US government and tech giants. They argue that sovereignty demands are overly burdensome, increase operating costs for businesses, and hinder innovation and development in the EU cloud services market. Additionally, the US contends that the EU’s approach violates relevant rules of the World Trade Organization.

Belgium’s Compromise Solution: Can it Resolve Differences?

In an attempt to break the deadlock, Belgium proposed to separate sovereignty demands from functional requirements, namely:

• Functional security requirements to be unifiedly certified by the EU
• Sovereignty declarations to be self-declared by companies in the International Company Profile Declaration (ICPA) and applicable only to the highest level of certification

This proposal seeks to strike a balance between EU data security and market openness, but it has yet to gain the approval of all EU member states.

Joint Boycott by EU Companies Including Deutsche Telekom: Upholding Sovereignty or Protecting Competition?

Deutsche Telekom, France Telecom, Airbus, and 15 other EU companies have jointly called on EU countries to reject the latest proposal lacking sovereignty demands. They believe sovereignty demands are necessary because they can:

• Mitigate the risk of illegal data access based on foreign laws
• Emulate Europe’s Gaia-X cloud computing platform, reducing dependence on Silicon Valley giants
• Assist EU startup cloud providers in competing with American counterparts

The European Commission will make a final decision in the autumn of the Northern Hemisphere. The outcome will have a significant impact on the EU’s digital economy.

Key Takeaways:

The controversy surrounding the EU cybersecurity certification program highlights the internal divisions within the EU on cybersecurity issues:

• Some countries aim to protect their own data security and advocate for strict sovereignty demands
• Others prioritize market openness and competition

The ultimate balance between sovereignty and openness remains to be seen. This game not only affects the EU’s own cybersecurity landscape but may also have far-reaching implications for the global market positioning of tech giants.