A year ago, we cautioned that the EU Cybersecurity Certification Scheme for Cloud Services (EUCS) threatened to embed ill-conceived economic protectionism into the EU’s cybersecurity rules. And, indeed, the European Commission, which has made clear its commitment to pursue “digital sovereignty” for the European Union, can claim some preliminary successes on that front.
A recent draft of EUCS shows that the European Union Agency for Cybersecurity (ENISA) heeded the Commission’s call, contrary to ENISA’s own prior recommendations. Most notably, the draft would preclude entities outside the EU and those under foreign ownership or control from receiving the highest level of cybersecurity certification.
Previous Developments
As we previously detailed in October 2022, EUCS is:
…supposed to be voluntary at first, but it is expected that it will become mandatory in the future, at least for some situations (e.g., public procurement). It was not initially billed as an industrial-policy measure and was instead meant to focus on technical security issues. Moreover, ENISA reportedly did not see the need to include such “digital sovereignty” requirements in the certification scheme, perhaps because they saw them as insufficiently grounded in genuine cybersecurity needs.
Despite ENISA’s position, the European Commission asked the agency to include the digital–sovereignty requirements. This move has been supported by a coalition of European businesses that hope to benefit from the protectionist nature of the scheme. Somewhat ironically, their official statement called on the European Commission to “not give in to the pressure of the ones who tend to promote their own economic interests,”
The governments of Denmark, Estonia, Greece, Ireland, Netherlands, Poland, and Sweden expressed “strong concerns” about the Commission’s move. In contrast, Germany called for a political discussion of the certification scheme that would take into account “the economic policy perspective.” In other words, German officials want the EU to consider using the cybersecurity-certification scheme to achieve protectionist goals.
The New EUCS Draft
Our earlier post highlighted that the European Commission directed ENISA to integrate digital-sovereignty provisions into EUCS. Based on the most recent publicly known EUCS draft from August 2023 (reported here), it looks like ENISA caved to that pressure.
The draft establishes three assurance levels for suppliers of cloud services, labeled “basic,” “substantial,” and “high,” with two further subcategories—CS-EL3 and CS-EL4—within the “high” assurance level. But notably, cloud-service providers (CSPs) headquartered outside the EU, or those with any degree of non-EU ownership or control, are barred from obtaining certification for assurance level CS-EL4.
As we noted a year ago, the EUCS requirements are expected to eventually become mandatory in many contexts. The CS-EL4 evaluation level is meant to apply to “the most sensitive cloud services”; reportedly, to those risks where a breach could reasonably be expected to result in “loss of reputation or competitive advantage.” Retaining the phrasing “loss of … competitive advantage” while excluding foreign-headquartered businesses betrays the draft’s protectionist intentions.
Precluding economic cooperation among allied democracies ultimately won’t make European cyberspace more secure. It will, instead, lead to increased economic isolation. Whatever the merits of promoting digital sovereignty through industrial policy, any such project must, at minimum, adhere to the principles of international cooperation and mutual benefit.
Why This Is a Bad Idea
There is no conclusive consensus on whether hard data localization is needed to enhance cybersecurity, with ENISA and various other experts all suggesting that strict adherence to national borders does not inherently increase security. The security concerns that some political actors have raised about data processing by EU allies—notably the United States—do not withstand scrutiny, especially given the strong U.S.-EU security partnerships seen during the Russian-Ukrainian conflict.
Furthermore, the argument for data localization as a guarantor of EU citizens’ privacy is undermined by the EU’s own struggles with privacy protection and state surveillance, revealing the dissonance between the EU’s stance toward data privacy and its stance toward trans-Atlantic data flows.
There are several strong arguments against hard localization and locking investors from allied democracies out of key parts of EU digital services.
Effect on start-ups
U.S. venture capitalists offer substantial expertise to startups, unlike their European counterparts, who have less tolerance for risk and less experience in areas like deep tech. Cooperation between U.S. and EU investors could be mutually beneficial, overcoming Europe’s bureaucratic and less dynamic funding environment.
European startups face challenges with governmental-funding inefficiencies and scarce exit opportunities, making the investment landscape conservative and risk-averse. In contrast, American investment has been notably positive in the Central and Eastern Europe (CEE) region, significantly surpassing European contributions.
Direct investment
U.S. investments in the EU—such as Google’s in Poland—are symbiotic, bolstering local tech ecosystems by building infrastructure and providing jobs. This investment cycle promotes education and professional experience, crucial for tech-sector expansion, especially in smaller nations.
Many EU startups are founded by individuals with experience in American companies, suggesting that such experience is instrumental in entrepreneurial growth. This impact is expected to be felt most notably in regions with significant U.S. investment, enriching the local talent base and enhancing the startup environment.
Negative economic impact
Matthias Bauer and Philipp Lamprecht have calculated that, under the maximalist approach to hard data localization promoted by the French government, the EU’s annual GDP “is projected to decrease by 3.9% when accounting for lost cloud capacities and forgone cloud capacity and productivity growth, within 2 years of implementation.”
Even under narrower approaches, Bauer and Lamprecht still find a drop in aggregate annual GDP of as much as 29 billion euros. Smaller countries would be hit particularly hard, with, e.g., Cyprus experiencing short-term losses in aggregate GDP as high as 10.2%.
FedRAMP’s alternative model
It is worth noting how the EUCS draft’s discriminatory nature contrasts with the U.S. Federal Risk and Authorization Management Program (FedRAMP), a voluntary program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The EUCS and FedRAMP certification schemes differ markedly in their focus, scope, and openness to foreign providers. FedRAMP employs a pragmatic, risk-based approach to determine security requirements based on the impact level of a potential breach. The only localization mandates it imposes are limited to the small minority of systems deemed highest risk. And even then, service providers may be wholly foreign-owned.
EUCS, by contrast, would require data localization and local ownership across a much wider range of public- and private-sector systems, all in the name of digital sovereignty. The immunity from foreign laws the draft promises would, however, be difficult for any global provider to guarantee.
FedRAMP enables secure collaboration with international partners—including EU firms—while guarding against threats from adversaries. As an alternative, the EU could assess the trustworthiness of foreign providers based on factors like NATO membership, rather than imposing blanket restrictions. This more targeted approach could advance Europe’s cybersecurity and digital growth, while protecting its core interests.
Overall, the pursuit of digital sovereignty through hard data localization and exclusionary certification schemes not only fails to enhance cybersecurity and privacy protection, but also risks stifling innovation and economic growth. The exclusion of foreign entities—particularly those from allied democracies—from EUCS’ highest certification level is a protectionist measure that could lead to economic isolation. It undermines the potential for international cooperation and mutual benefit in the digital sphere. Furthermore, it could have detrimental effects on start-ups and direct investment, which are crucial for the development and competitiveness of Europe’s digital economy.
Conclusion
In light of the recent developments, we maintain that the pursuit of cybersecurity protections should not be conflated with protectionism. The proposed EUCS risks erecting digital barriers between the EU and its democratic allies in the name of “digital sovereignty.” The purported security rationale for its restrictive data localization and foreign ownership provisions, however, does not withstand scrutiny.
EUCS imposes blanket restrictions beyond the more targeted, risk-based approach of programs like FedRAMP. Its expected broad application to the public and private sectors would hamper EU access to world-leading cloud solutions. Meanwhile, the costs of digital protectionism, both economic and in terms of lost innovation, could be severe for both European businesses and consumers.
For EU cybersecurity policy to be effective, it should be guided by evidence over politics, and should balance security with openness. As democratic allies confronting shared threats, the EU and United States have more to gain from bridging any divides in their cybersecurity approaches. With care, common certification standards could even become a means for Europe to positively shape global digital rules. But the current EUCS draft risks weakening, not strengthening, Europe’s cyber defenses.
