We call on policymakers in EU Member State governments, EU institutions and the European Union Agency for Cybersecurity (ENISA) to firmly reject the proposed sovereignty requirements in the EU Cloud Services Certification (EUCS) with a view to a swift adoption of a workable and non-discriminatory EUCS.

We understand that a new draft of the EUCS was recently shared with Member States. According to accessible reports and information, the new EUCS draft from May 2023 maintains non-technical requirements – including absence of effective control from non-EU entities, independence from non-EU law and strict data localisation requirements – while the scope of application remains overly broad and unclear. In this context, we would like to reiterate the following concerns:

  1. Limited transparency and lack of stakeholder engagement
  2. Inclusion of ‘digital sovereignty’ requirements
  3. Conflicting Member States’ views
  4. Legal confusion and uncertainty caused by the interplay with other EU legislation
  5. Compliance with a World Trade Organisation (WTO) rules

The European Commission must swiftly adopt the EUCS by resolving the political deadlock and decide not to conflate legal and cybersecurity considerations in a technical instrument as we, and so many other stakeholders, have been publicly urging for since 20218. Any EU cybersecurity certification scheme should focus on technical measures to strengthen security and resiliency and, it should rely on and be aligned with consensus-based international standards that have proven to be efficient by way of broad industry adoption. There are options that enable a workable solution which does not include challenging requirements. These should be explored in a separate political process detached from the speedy implementation of the cybersecurity scheme. Members of the ECCG, ENISA and the Commission should proactively inform stakeholders on the status of the draft scheme in order to allow them to meaningfully contribute to the discussion before its submission.