A joint paper obtained by EURACTIV details six scenarios to address controversial sovereignty requirements in the upcoming certification scheme for cloud providers.
The European Commission has promoted the inclusion of sovereignty requirements in the Cybersecurity Certification Scheme (EUCS) for cloud services. This is the first certification under EU cybersecurity law.
These sovereignty requirements are intended to keep EU data out of reach of foreign jurisdictions, in particular by mandating European data centre localisation, immunity from non-EU legislation, and conditions on the people or organisations that manage the cloud provider.
Although the scheme itself is not mandatory, its assurance level ‘high’ may be required in sectors such as energy utilities and banking, which are considered highly important under the recently revised Network and Information Systems Directive (NIS2).
France, Italy and Spain rallied in support of Commissioner Thierry Breton’s push for “technological sovereignty”. The two sides have been discussing possible compromises in recent weeks.
The joint document, dated 23 January, was drawn up in this context: it sets out six scenarios to prompt feedback from other member states. The non-paper states that future discussions should involve market players and consider the impact of sovereignty requirements on future schemes.
It further asks the European Commission to assess the potential economic impact of these requirements and the extent to which they are compatible with trade law.
Sub/Sub+ and High
The first option consists of introducing an additional assurance level into the scheme by splitting the ‘substantial’ level in two. In practice, the second sub-level would essentially be the ‘high’ level without the sovereignty requirements.
Among the strengths, the paper says, critical service providers would have to comply with the immunity requirements, which provide broad protection against foreign government access; the original technical requirements would be preserved; and EUCS would remain on par with similar schemes.
On the downside, the level might be made mandatory under NIS2 and is considered too broad in scope, the market impact remains unknown, the number of cloud service providers able to reach the ‘high’ level remains limited, and it may conflict with EU cybersecurity law.
High+ (critical use)
Another option is to split the highest assurance level to create a ‘high’ level without immunity criteria and a ‘high+’ level with them. This ‘high+’ would apply to specific critical uses that users self-assess on the basis of general guidelines.
On the plus side, this approach would be more targeted and would bring clarity to the market: the immunity criteria would be limited to the types of data that require this protection, while other users could still identify cloud services with advanced cybersecurity.
The drawbacks are similar to those of the first scenario, especially regarding ambiguity and legal consistency. Furthermore, “the assurance level ‘high’ may not mean much, as not all assurance levels are covered,” the paper states.
Extended profile
A third possibility is to create an extended profile that introduces sovereignty requirements for cloud usage in certain areas, such as healthcare and the military, regardless of assurance level.
Since most EU providers still lack the resources to reach assurance level ‘high’, this option would give them a competitive advantage over non-EU competitors because it applies to all assurance levels. In addition, this alternative allows for flexibility and a customer-driven, case-by-case approach.
However, the paper also notes that the immunity requirements are meant to protect sensitive data, for which the assurance levels ‘basic’ and ‘substantial’ do not provide sufficient protection.
Five assurance levels
A fourth option combines the first two, creating sub-levels of both ‘high’ and ‘substantial’. The plus side is that this approach offers all the benefits of the extended profile while making communication and operations easier.
Nevertheless, the joint document reiterates concerns about ambiguity, the mandatory nature of the requirements, lack of flexibility, legal challenges, and lack of consistency with other certification schemes.
Reliability assessment
The fifth alternative falls outside the scope of the Cybersecurity Act: it consists of introducing a European rating mechanism, based on the reliability of non-EU cloud operators and suppliers, as a prerequisite for entering the single market.
Ratings could be based on security and legislative criteria such as extraterritoriality, data transfers and compliance with European data protection rules. The German IT Security Law 2.0 and the risk profiles of the 5G Toolbox are mentioned as potential building blocks.
This approach does not affect the technical certification and leaves maximum flexibility to customise requirements of a political nature. Still, the process would be delayed further, as a new initiative would be required.
Additional drawbacks are that the scope can hardly be future-proofed, compatibility with trade agreements would have to be assessed, user choice might be limited, and the mechanism creates uncertainty for non-EU providers.
Integration with compliance
A final idea is to introduce the immunity requirements in EU legislation, such as the Data Act, which already includes provisions on international data transfers.
Thus, while the scheme itself would contain no such criteria, cloud providers would have to demonstrate compliance with the relevant legislation in order to qualify for it.
The strengths listed are that these requirements would be debated politically, that EUCS could move forward, and that the approach would be targeted and potentially applicable to all assurance levels and future schemes.
Nonetheless, this scenario means that current or future legislation would need to be amended to add the immunity aspect, which would take considerable time.
[Edited by Alice Taylor]