Decision on cloud certification scheme delayed to mid-July

A heavily debated decision on whether to go ahead with a voluntary certification scheme for cloud services (EUCS) has been pushed back to mid-July, two EU sources told Euronews.

The scheme is set to be used by companies to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market, but it has turned into a political battle over sovereignty requirements. The delay makes an agreement under the mandate of this von der Leyen Commission less likely.

EUCS was removed from today’s (18 June) meeting of the working group of ENISA – Europe’s cybersecurity agency – as the European Commission had yet to provide the experts with guidance on how the member states may add their own requirements, in particular related to sovereignty.

This further prolongs the ongoing deadlock: the Commission asked ENISA to prepare the certification back in December 2019.

The issue became the subject of a political debate as France attempted to introduce sovereignty requirements into the text, designed to exclude non-EU cloud companies from qualifying for the highest security options and to make the scheme resemble its own cloud certificate, SecNumCloud.

This proposal was strongly resisted by several EU countries and by industry, which perceived it as a protectionist move, and no deal has been reached since.

Legal clarification

Belgium – which is chairing ministerial meetings in the first half of 2024 – tried to solve the political issues by proposing to separate sovereignty from functional requirements.

Its proposal, backed by most member states, would "fully allow non-EU cloud providers to be certified on the highest level and have full access to the EU market, allowing competition in all tenders for which certification 'High' could be made obligatory, without prejudice of potential additional national sovereignty requirements for some entities."

In April, France asked the Council for legal clarification on the pending scheme. The country wanted to know how its adoption might impact the future of national schemes. The Council said it cannot comment on the work of the technical expert group, set up by the Commission.

After formal adoption by ENISA’s working group, more hurdles need to be cleared.

The Commission will then need to publish an implementing act, which will be subject to a four-week public consultation before it's formally approved. Even after the scheme enters into force after the summer, provisions won't apply until 18 months after the deal.

Of the two other certificates proposed since 2019, only one has been approved, on baseline ICT products; another on 5G is still in progress.