The European Union is contemplating an expansion of proposed cybersecurity labeling rules that would extend beyond major tech companies like Amazon, Google, and Microsoft, potentially impacting sectors such as banking and airlines. The latest draft of the rules, put forth by the EU cybersecurity agency ENISA, focuses on an EU certification scheme (EUCS) designed to validate the cybersecurity of cloud services. This certification plays a crucial role in how governments and companies within the EU choose vendors for their operations.
Key provisions from previous drafts remain, including the stipulation that major U.S. tech companies must form joint ventures with EU-based entities to qualify for the EU cybersecurity label. The latest draft reinforces requirements such as the operation and maintenance of cloud services within the EU and the storage and processing of customer data exclusively in the EU, with EU laws taking precedence.
These requirements are primarily applicable to the highest security level, but the latest draft introduces the possibility of extending these stringent criteria to the third-highest security level. The proposed rules are under review by EU countries, with the European Commission set to adopt a final scheme.
Tech lobbying group CCIA expressed concerns, stating that the broadening scope could impact a more extensive range of industries, potentially including banks, airlines, utility companies, and heavily regulated sectors. Alexandre Roure, CCIA Europe’s public policy director, emphasized that the draft suggests discriminatory requirements against foreign cloud providers could be extended to lower levels of assurance, raising concerns within various sectors.
On Tuesday, the European Banking Federation (EBF) and other financial entities criticized the proposed sovereignty requirements. The development of these cybersecurity labeling rules reflects the EU’s commitment to enhancing the security of cloud services and ensuring compliance with stringent standards across various industries.