EU drops sovereignty requirements in cybersecurity certification scheme, document shows

By Foo Yun Chee

BRUSSELS (Reuters) – Amazon, Alphabet’s Google and Microsoft may find it easier to bid for EU cloud computing contracts after draft cybersecurity labelling rules scrapped a requirement that vendors should be independent from non-EU laws, according to the document seen by Reuters.

The European Union has struggled to agree to a cybersecurity certification scheme (EUCS) to vouch for the cybersecurity of cloud services and help governments and companies in the bloc to select a secure and trusted vendor for their business.

The move comes as Big Tech looks to the lucrative government cloud market to spur growth. The EU on the other hand fears illegal state surveillance while some governments worry that the dominance of U.S. cloud providers may inhibit nascent EU rivals.

One draft circulated to EU governments last year required U.S. tech giants to set up a joint venture with an EU-based company and store and process customer data in the bloc to qualify for the EU cybersecurity label.

Such so-called sovereignty requirements sparked criticism from European banks, clearing houses, insurance groups and some startups which said technical provisions rather than political and sovereignty obligations should prevail.

The latest draft dated March 22 removed such requirements, with cloud vendors only obliged to provide information about the location of the storage and processing of their customers’ data and about applicable laws.

EU countries are now reviewing the tweaked draft after which the European Commission will adopt a final scheme. The EU executive did not respond to a request for comment.

(Reporting by Foo Yun Chee; Editing by Alison Williams)