2 min

The study was commissioned by a US non-profit industry group dedicated to “open markets”.

This week Reuters reports that a study commissioned by a tech lobbying group concludes that a proposed EU cloud security certification regime that could exclude US tech giants like Amazon, Google, Microsoft and other non-EU cloud services providers “is discriminatory and could lead to retaliatory measures”.

The European Centre for International Political Economy (ECIPE) report “underscores growing private concerns about the draft label plan among US tech giants”, Reuters says, noting that those companies have so far not made any public comment on it.

The study was commissioned by the Computer and Communications Industry Association (CCIA), a non-profit organisation that “promotes open markets, open systems, open networks, and full, fair, and open competition”, according to its website.

CCIA, which has offices in Washington and Brussels, has a Board of Directors that includes senior executives from US companies that include Amazon and Google. It is no wonder, then, that the CCIA would commission a study that would find against a new rule that so openly discriminates against its members.

At issue: new cyber security certification label

The dust-up started with EU cybersecurity agency ENISA’s new European Cybersecurity Certification Scheme for Cloud Services (EUCS) that requires cloud services providers to have their registered head office and global headquarters in the EU in order to get the security label. The companies also need to operate cloud services and store and process customer data in the European Union in order to qualify.

The certification would appear to fly in the face of the new EU-US Data Privacy Framework (DPF) recently ratified by the US and the European Commission.

ECIPE Director Matthias Bauer told Reuters: “I think the political intention is to squeeze out foreign suppliers but it will of course have also ramifications for EU businesses that are more or less relying on cloud computing services”.

“Member states should now call on the cybersecurity agency and also the European Commission to abandon politically motivated EUCS immunity requirements,” he added.

In accordance with EU regulations, ENISA is now waiting for an opinion from the 27 EU countries. A spokesperson told Reuters the agency “will then finalise the scheme by taking into utmost account this opinion and submit the final candidate scheme to the European Commission”.

Reuters further noted that the European Commission has so far declined to comment on the ECIPE report.