BRUSSELS: The European Union is considering expanding the scope of proposed cybersecurity labeling rules that would impact not only Amazon, Alphabet’s Google, and Microsoft, but also banks and airlines, as per the latest draft of the rules.
The EU’s move to establish such a system coincides with Big Tech’s focus on the government cloud market for future growth, as well as the potential surge in demand for cloud services due to the popularity of artificial intelligence after the viral success of OpenAI’s ChatGPT.
The latest proposal from EU cybersecurity agency ENISA pertains to an EU certification scheme (EUCS) which certifies the cybersecurity of cloud services and determines how governments and companies in the bloc choose a vendor for their business.
The document maintains key provisions from earlier drafts, including a requirement for U.S. tech giants to form a joint venture with an EU-based company to qualify for the EU cybersecurity label.
Another provision mandates that cloud services must be operated and maintained within the EU, and all customer data must be stored and processed within the EU, with EU laws taking precedence over non-EU laws concerning the cloud service provider.
These obligations apply to the highest of the four security levels. The latest draft outlines the possibility of extending these strict requirements to the third-highest security level.
EU countries are currently reviewing the latest draft, after which the European Commission will finalize the scheme.
Tech lobbying group CCIA stated that broadening the scope would impact a wider range of industries.
“Perhaps the most noteworthy aspect of this new draft is that ENISA now suggests that the requirements discriminating against foreign cloud providers could also be extended to lower levels of assurance,” said Alexandre Roure, CCIA Europe’s public policy director. “This would encompass banks, as well as airlines, utility companies, and heavily regulated sectors.”
The European Banking Federation (EBF), along with the European Savings Banks Group (ESBG), the Association for Financial Markets in Europe (AFME), the European Payment Institutions Federation (EPIF), and Insurance Europe, criticized the sovereignty requirements on Tuesday.