Top

Tech-sponsored study criticises plan to exclude non-EU cloud vendors

Tech-sponsored study criticises plan to exclude non-EU cloud vendors
3D printed clouds and figurines are seen in front of the Google Cloud service logo in this illustration taken February 8, 2022. REUTERS/Dado Ruvic/Illustration

By Foo Yun Chee

BRUSSELS (Reuters) – A proposed European Union cloud security label that could exclude Amazon, Alphabet’s Google, Microsoft and other non-EU cloud services providers from the bloc is discriminatory and could lead to retaliatory measures, a study commissioned by a tech lobbying group said.

The European Centre for International Political Economy (ECIPE) report, which was commissioned by the Computer and Communications Industry Association (CCIA), underscores growing private concerns about the draft label plan among U.S. tech giants, which have so far not made any public comment on it.

At issue is a provision in EU cybersecurity agency ENISA’s certification scheme (EUCS) that requires cloud services providers to have their registered head office and global headquarters in the EU and to operate cloud services and store and process customer data in the 27-member bloc.

“I think the political intention is to squeeze out foreign suppliers but it will of course have also ramifications for EU businesses that are more or less relying on cloud computing services,” ECIPE Director Matthias Bauer told Reuters.

“Member states should now call on the cybersecurity agency and also the European Commission to abandon politically motivated EUCS immunity requirements,” he added.

ENISA is waiting for an opinion from EU countries, a spokesperson said and “will then finalise the scheme by taking into utmost account this opinion and submit the final candidate scheme to the European Commission”.

The EU executive declined to comment on the ECIPE report.

“The scheme should be fully in line with EU law, as well as with the EU’s international commitments, including on trade,” a Commission spokesperson said.

ECIPE said the proposal could set a dangerous precedent for any data-intensive sector, that could see the cybersecurity label become mandatory for new technologies such as internet connected devices in energy, healthcare and autonomous driving.

A ban could also trigger retaliatory measures by EU trading partners, the think tank said.