The U.S. Chamber of Commerce and a dozen other groups on Thursday cautioned the European Union against implementing rules that could shut out Alphabet (GOOGL.O) unit Google, Amazon (AMZN.O), Microsoft (MSFT.O), and other non-EU cloud services providers from the European market.
The Chamber, the National Foreign Trade Council, techUK, the Computer & Communications Industry Association, the Japan Association of New Economy, the Latin American Internet Association, and others laid out their concerns in a joint industry statement seen by Reuters.
The statement was addressed to relevant Commissioners at the European Commission, EU lawmakers, national governments, and EU cybersecurity agency ENISA early Thursday.
At issue is a draft proposal from ENISA for an EU certification scheme attesting to the cybersecurity of cloud services that would decide how companies and governments in the bloc choose a vendor for their business.
ENISA’s draft, created in May and seen by Reuters, lays out requirements for a certified cloud service provider (CSP) intended to hinder and limit interference from non-EU nations with the operation of certified cloud services.
“The CSP’s registered head office and global headquarters shall be established in a member state of the EU,” the document said.
Cloud services would have to be conducted and managed from the EU, and all cloud service customer information stored and processed in the EU, with the bloc’s laws prevailing over non-EU laws, including those of countries with extra-territorial measures.
The EU should avoid imposing requirements of a political rather than technical nature, which would shut out legitimate cloud suppliers and would not complement effective cybersecurity controls, the Chamber and the other groups said.
“These EUCS (EU draft) requirements are seemingly designed to ensure that non-EU suppliers cannot access the EU market on an equal footing, thereby preventing European industries and governments from fully benefiting from the offerings of these global suppliers,” they said.
“If other countries were to pursue similar policies, European cloud providers could see their own opportunities in non-EU markets dwindle,” they said.
The groups also asked whether the scheme conforms to the World Trade Organization’s General Agreement on Trade in Services and the EU’s Government Procurement Agreement commitments.
ENISA, which refused to comment on the draft document, said the voluntary scheme details three levels.
“The highest level is intended to only be applicable to a small set of use cases requiring the highest level of security (e.g. highly sensitive government and highly critical infrastructure applications), for which some level of independence from non-EU laws will have to be ensured. Not all cloud services,” a spokesperson said.
“After consulting with the European Commission, ENISA is proposing two certification levels for assurance level ‘high’, in order to cater for the different needs identified in the European industry and member states,” she said.
ENISA sent a revised proposal to the Commission for discussion in September, which could bring about changes before a final text is implemented.
“The discussions are ongoing to have a balanced approach and no decision has been taken yet. The scheme should be fully in line with EU law, as well as with the EU’s international commitments, including on trade,” a spokesperson for the EU executive said.
The global government cloud market is expected to grow to $71.2 billion by 2027 from $27.6 billion last year, according to market research firm Imarc Group. Cloud computing has become a key driver of growth for Big Tech in recent years.