EU considers expanding cyber security certification program to include more areas – Security

The proposed cyber security labelling rules in the European Union may have a wider scope than originally anticipated. In addition to Amazon, Google, and Microsoft, these rules could also impact banks and airlines, according to the latest draft of the rules.

EU mulls wider scope for cyber security certification scheme

The EU is taking this step as Big Tech companies seek to enter the government cloud market for future growth. Additionally, the recent popularity of OpenAI’s ChatGPT and the potential for artificial intelligence could increase demand for cloud services.

The latest proposal from the EU cybersecurity agency, ENISA, focuses on an EU certification scheme (EUCS) that guarantees the cybersecurity of cloud services. It determines how governments and companies in the European Union choose their vendors.

The document maintains key provisions from previous drafts, including a requirement for US tech giants to form a joint venture with a company based in the EU in order to obtain the EU cybersecurity label.

Other provisions state that cloud services must be operated and maintained within the EU. Additionally, all customer data processed and stored must be within the EU, with EU laws taking precedence over non-EU laws concerning the cloud service provider.

These obligations apply to the highest security level, with four levels in total. The latest draft allows for the possibility of extending these strict requirements to the third highest security level as well.

The latest draft is currently under review by EU countries. After this, the European Commission will finalize the scheme.

The potential broadening of the scope has raised concerns from the tech lobbying group CCIA, as it would have a larger impact on various industries. Alexandre Roure, CCIA Europe’s public policy director, highlighted the possibility that requirements discriminating against foreign cloud providers could also be extended to lower levels of assurance, affecting sectors such as banks, airlines, utility companies, and heavily regulated industries.

Last week, the European Banking Federation (EBF) along with other financial groups criticized the sovereignty requirements.

Unlock your business potential with our expert guidance. Get in touch now!