In a few months, things in Brussels will go quiet. From February onwards, Europe’s institutional hub will go into election mode for a brand new European Parliament. As time is running out, Thierry Breton, the European commissioner focused on digital issues, is working hard to push forward outstanding policy proposals.
One of these proposals is the EU Cybersecurity Certification Scheme for Cloud Services (EUCS), a shameless attempt by the European Commission to impose strict sovereignty requirements on the internet. It is a voluntary scheme, designed by Europe’s cybersecurity agency, ENISA, that European companies would use to demonstrate the robustness of their privacy and security measures.
The certification scheme’s main objective is to increase trust and security in products and services. According to ENISA, the scheme “aims at improving the Internal Market conditions, and at enhancing the level of security of a wide range of cloud services.” As in the rest of the world, Europe has struggled in recent years with widespread cyberattacks and a growing number of security vulnerabilities. With this scheme, the European Commission aims to create an EU-wide framework for cybersecurity certificates, with the intention of countering fragmentation among member states, facilitating trade and improving understanding of security features. Currently, the scheme is voluntary, but some observers fear it will become mandatory at some point in the future.
Notwithstanding the need for a more comprehensive cybersecurity regime in Europe, the Commission is looking at this the wrong way, with potentially unpredictable consequences. The inclusion of strict sovereignty and data localization requirements in the legislation means that non-European companies would be disqualified from participating in the scheme. According to a May 2023 leaked draft, sovereignty requirements are necessary to “provide guarantees about the independence from non-EU law” and, to this end, the highest level of security assurance will be issued for cloud services “operated only by companies in the EU, with no entity outside of the EU having effective control over CSP [cloud service provider], to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values”.
Simply put, such a requirement would make it impossible for non-EU headquartered companies or EU companies with international investments and operations to function at the highest levels of EU cybersecurity and cloud environments, limiting competition in the cloud market significantly in favor of a European cloud industry that is yet to be fully formed. Of course, there is nothing wrong with Europe wanting to boost its own cloud market, but shutting itself off from competition and the global cybersecurity industry is, at best, misguided.
The wide-ranging effects of this policy will be felt across the entire cybersecurity ecosystem, including on European companies, such as subcontractors, involved in cloud service deliveries. The policy would effectively limit their ability to develop their services, not allowing them to compete globally. Additionally, the EU will be breaking its World Trade Organization commitments, further undermining global trade. Under the WTO’s General Agreement on Trade in Services, Europe has committed to market access obligations as well as not discriminating between foreign and domestic suppliers of computer and related services, which would include cloud services.
This move from the European Commission is not out of character. Outside China, Europe is the strongest proponent of the idea of “digital sovereignty” and much of its recent legislation is driven by this concept. EU member states are keen on referring to digital sovereignty, but the fact that they have not bothered to come to a common understanding over its scope, gives the European Commission room for wide interpretation of this idea.
In much of its regulation, the European Commission has adopted a French approach based on heavy regulatory interventions, data protection, governing the flow of data outside of Europe and the securitization of digital and telecommunication infrastructures. This is consistent with the thinking behind EUCS, which is largely based on how France views cloud security. Two years ago, the French government outlined its strategy for the use of cloud technology to protect personal data, following increased concerns over the access non-EU technology companies had to data belonging to EU citizens. According to the strategy, only European companies would be able to operate as cloud service providers in France, with limited ability to transfer data to third countries. The similarity in the vision of EUCS is striking.
EU member states are split on the EUCS scheme’s sovereignty requirements. Countries like the Netherlands and Greece see them as limitations that could, potentially, create more vulnerabilities and cybersecurity gaps. France and Spain, meanwhile, support the European Commission’s vision. Breton has been a proponent of the French view of digital regulations, and as with other dossiers he oversees, such as the network fees policy proposal, he has sought to boost Europe’s digital future by shutting it away from the rest of the world. He has shown a concerning lack of understanding about fundamental aspects of the internet and how it works. He does it again with the EUCS.
Those who have built, sustained and advanced the internet understand that collaboration sits at the heart of its evolution. It is not an accident that most of the internet’s problems get resolved by communities that foster and encourage global collaboration, bodies like the Internet Engineering Task Force (IETF) or the World Wide Web Consortium (W3C). Security provides a good example. Security was not part of the internet’s original design. We may now see this as a flaw, but back then the idea that users could destroy the system was not conceivable. This flaw, however, has also created the conditions under which experts have been coming together to address successfully and consistently security and other vulnerabilities.
The fact that the internet is decentralized and uses building blocks works to the advantage of being able to address issues locally and as they happen without compromising the entire network. When a security issue emerges, engineers from around the world coalesce to address it, which is exactly what they did after the Snowden revelations on mass surveillance. The IETF community responded swiftly through a series of formal and informal meetings, workshops, mailing lists and best practice documents, all of which led to the adoption of enhanced security standards, including an updated version of the Transport Layer Security (TLS) protocol, which is the primary means of protecting network communications over the Internet. This was achieved by the collective effort of engineers, businesses and governments around the world. It could not happen otherwise.
“Throughout the history of the Internet, collaboration among participants and shared responsibility for its smooth operation, have been two of the pillars supporting the Internet’s tremendous growth and success, as well as its security and resilience,” the network operators behind Mutually Agreed Norms for Routing Security, another collaborative effort to address online security issues, wrote in a 2014 manifesto. “Technology solutions are an essential element here, but technology alone is not sufficient. In order to stimulate visible improvements in this area a greater change towards the culture of collective responsibility is needed.”
Against this backdrop, European policymakers are trying to take unilateral actions to shape security policy. ENISA has pushed for the EUCS to be an implementing act, a process that allows the Commission to pass binding rules while limiting the scrutiny from the European Parliament and the Council. This would leave the Commission and ENISA alone to make decisions about the cybersecurity landscape in Europe, which has already raised concerns in the European Parliament. Rightly so. If the scheme proceeds as is, then forget global cooperation: The EU will need to provide solutions to its own security problems and set its own standards. By that time, things are likely to get very complicated, as those standards will not necessarily interoperate with global security standards. Europe will become isolated and more vulnerable.
Europe is at a point where it must seriously rethink how it wants to participate in the internet ecosystem overall and to address more narrow cybersecurity concerns. There are ways for Europe to be digitally independent, but this will not come about from imposing unnecessary and protectionist rules.
Konstantinos Komaitis is a non-resident fellow at the DFRLab at The Atlantic Council and a non-resident fellow and senior researcher at The Lisbon Council.