By Foo Yun Chee
BRUSSELS (Reuters) – The U.S. Chamber of Commerce and 12 other groups on Thursday warned the European Union against adopting rules that could exclude Amazon, Alphabet unit Google, Microsoft and other non-EU cloud services providers from the European market.
The Chamber, the National Foreign Trade Council, the Japan Association of New Economy, techUK, the Latin American Internet Association, the Computer & Communications Industry Association and others set out their concerns in a joint industry statement seen by Reuters.
At issue is a draft proposal from EU cybersecurity agency ENISA for an EU certification scheme vouching for the cybersecurity of cloud services that would determine how governments and companies in the bloc select a vendor for their business.
ENISA’s draft dated May seen by Reuters sets out requirements for a certified cloud service provider (CSP) aimed at preventing and limiting interference from non-EU states with the operation of certified cloud services.
“The CSP’s registered head office and global headquarters shall be established in a member state of the EU,” the document said.
Cloud services would have to be operated and maintained from the EU, and all cloud service customer data stored and processed in the EU, with the bloc’s laws taking precedence over non-EU laws including countries with extra-territorial measures.
The EU should refrain from adopting requirements of a political, rather than technical, nature, which would exclude legitimate cloud suppliers and would not enhance effective cybersecurity controls, the Chamber and the other groups said.
“These EUCS (EU draft) requirements are seemingly designed to ensure that non-EU suppliers cannot access the EU market on an equal footing, thereby preventing European industries and governments from fully benefiting from the offerings of these global suppliers,” they said.
“If other countries were to pursue similar policies, European cloud providers could see their own opportunities in non-EU markets dwindle,” they said.
ENISA said the draft scheme sets out three levels.
“The highest level is intended to be only be applicable to a small set of use cases requiring the highest level of security (e.g. highly sensitive government and highly critical infrastructure applications), for which some level of independence from non-EU laws will have to be ensured. Not all cloud services,” a spokesperson said.
ENISA sent an updated proposal to the European Commission for consultation in September, which could lead to changes before a final text is adopted.
The size of the global government cloud market is expected to reach $71.2 billion by 2027 from $27.6 billion in 2021, according to market research firm Imarc Group. Cloud computing has become a major driver of growth for Big Tech in recent years.
(Reporting by Foo Yun Chee; Editing by Lincoln Feast.)