The EU cybersecurity certification impact on European businesses

From a business perspective, the European Union’s recent decision to incorporate sovereignty into cybersecurity certification requirements has introduced the concept of “foreign law immunity.” This move effectively excludes non-EU corporations that provide cloud services from operating in the EU. This protectionist approach raises concerns for companies that rely heavily on non-EU cloud services, particularly those offered by American hyperscale providers. Although the European Union Agency for Cybersecurity (ENISA) has modified the scheme to make it voluntary rather than mandatory, there is a growing push within the EU to achieve digital sovereignty as a baseline for ICT products, services, and processes.

The draft EU cybersecurity certification scheme for cloud services (EUCS) specifies that cloud services must be operated and maintained within the EU, with all customer data stored and processed exclusively in the EU. It also gives EU law precedence over non-EU law with respect to cloud service providers. On the surface, this level of sovereignty may seem beneficial for EU-based cloud service providers while posing challenges for foreign ones. In reality, however, it could lead to significant disruptions in cloud operations for many companies, causing what can be termed “Cloud Chaos.”

Why is the EU taking this approach? There is a heightened focus on the security of the services that countries rely upon, and even President Biden has acknowledged the security issues associated with cloud computing. The industry’s lack of common standards raises concerns for national security and businesses alike. Given their substantial influence and data holdings, large cloud providers present attractive targets for malicious actors, posing risks to both national infrastructure and small businesses. The United States aims to address these challenges by improving regulation of public hyperscale cloud providers and enhancing security measures to promote inclusivity in cloud offerings.

A logical approach to resolving the current stalemate between EU policymakers and the ICT industry would be to remove the political aspect of sovereignty from the EUCS; by doing so, the EU could maintain an open market conducive to business. However, as the EU grapples with this issue and the United States progresses at a different pace, a legal impasse with the EUCS in its current draft form will likely persist. Time is running out, with the final stages of the EUCS draft underway, and businesses must make intelligent decisions about cloud strategies that align with the current draft ENISA EUCS and the legislation anticipated to come into effect in 2024.

Businesses must recognize that they will not be exempt from these developments, and assuming otherwise could be costly. 

The EUCS may become mandatory for highly critical sectors under the EU Networks and Information Systems Directive (NIS2), starting in 2024. “NIS 2 will apply to any organization with more than 50 employees whose annual turnover exceeds €10 million and any organization previously included in the original NIS Directive.” The updated directive also widens its scope to include the following new industries: electronic communications and digital services. The latest draft of the EUCS proposal has the potential to fragment the EU cloud market, because each EU country has the authority to impose specific requirements from the EUCS to protect its citizens and national data. This fragmentation means businesses must elevate their cloud strategies and ensure that their data is matched to the appropriate cloud classification and to the processes applied to that data.

Adopting a Cloud Smart approach should not be overwhelming; it is something VMware has been delivering for many years. Every business should have the right to choose the appropriate cloud for its data and data-processing needs. Being locked into a cloud service that may not align with EUCS certification requirements could be acceptable for certain data types. However, gaining control over your data is now essential and should be a primary goal for your company. Aligning with national and forthcoming international legislation should be high on your company’s agenda, ensuring a Cloud Smart strategy that complies with EU and national regulations and avoids potential fines and breaches of regulatory requirements.