In its digital quest, the EU stands at a crossroads, employing the European Cybersecurity Certification Scheme (EUCS) to balance cybersecurity, autonomy and global aspirations while examining the efficiency of governance and sovereignty, writes Francesco Cappelletti.

Francesco Cappelletti works as a policy and research officer at the European Liberal Forum (ELF) and is currently a PhD candidate in Cybersecurity Law at the Vrije Universiteit Brussels.

Securing EU data globally

‘Connecting the unconnected’ offers both opportunities and risks. With initiatives such as the revised NIS Directive, the Cybersecurity Act and the upcoming Cyber Resilience Act, the EU has made great strides in cybersecurity. These initiatives aim to enhance cybersecurity, harmonize standards and establish an EU-wide certification framework.

Furthermore, ENISA is drafting a new EUCS. The scheme aims to ensure secure data flows across the EU while protecting the security of cloud systems for the Digital Single Market. To protect EU data from non-EU laws, the proposed cloud service plan includes sovereignty requirements such as data localization and corporate control, restrictions on foreign ownership, location of headquarters, and local staffing.

The EU’s ‘digital sovereignty’ aims to promote competitiveness and innovation in the digital single market, providing European digital industries with a level playing field to compete with major technology firms. This requires independent decision-making, strategic global collaboration, and aligning data controls with European standards.

However, this approach has been criticized for misinterpreting the reality of global European businesses. These rules may limit European cloud market options and fail to address non-EU access issues. The cloud services plan impacts how European companies do business around the world, especially with important partners like the US, hindering their growth and ability to compete. Such limitations could adversely affect the EU’s GDP and hinder its participation in global technological progress in the long term.

The plan could harm cybersecurity by limiting the transfer of top EU-approved data to other countries. Fragmented EU cybersecurity standards and practices hinder the effective fight against growing cyber risks.

Digital sovereignty and the cloud

As expected, sovereignty is one of the most important and divisive issues related to the EUCS. Semantics matter, and one has to wonder if the word doesn’t serve as a scarecrow to many people. Differing viewpoints among industry players and member states raise concerns about whether the current proposals are actually more politically motivated than in line with the EU’s digital aspirations.

For example, some EU countries may prefer stricter data protection and local control, emphasizing national security concerns and fear of data vulnerabilities. Conversely, others may support policies that encourage cross-border data flows to promote innovation and economic growth.

A different perspective suggests that establishing a strong, self-reliant European digital infrastructure could be a strategic move. In this sense, EU-based companies can support stricter EUCS standards that they can easily meet. Nonetheless, Europe must develop cloud computing and data management options that balance sovereignty and interoperability while remaining open to global technological advances.

Then again, digital sovereignty does not necessarily lead to technological isolation. Instead, it can be a catalyst for a competitive and innovative European digital market that adheres to European values and standards.

This raises questions about the preparedness of European cloud providers to meet global standards. In the absence of American and other non-European technology, can Europe ensure the highest level of data security and effectively defend against the growing wave of cyber attacks?

Within the proposed scheme, a viable solution would be to remove sovereignty requirements from the EUCS. Regulations such as DORA, GDPR and NIS2 already provide robust tools to ensure operational resilience and monitor critical ICT third-party providers. The focus should therefore be on an implementing act that deals exclusively with technical requirements.

Finding a balance

An open discussion is important to align diverse national interests and policy priorities arising from different levels of technological progress and different economic dependencies between EU member states. Balancing open trade, cybersecurity and sovereignty is a complex challenge for EU policymakers. Fast-paced innovation requires ‘smart’ policies that balance economic impact, stakeholder input, global trade, innovation and digital sovereignty.

The ongoing debate on the EUCS underlines the importance of striking such a balance, given the growing need for Europe to promote transparent and auditable digital services and move beyond mere certification-based trust. Given the fluid geopolitical landscape and the EU’s dependence on foreign technologies, an integrated European cloud infrastructure is essential to ensure digital autonomy and competitive strength in the global technological landscape.

The latest EUCS amendments suggest a more flexible, tiered approach to sovereignty, taking into account the concerns of EU states and non-EU providers. This approach could represent a middle path between EU-based companies and non-EU firms advocating flexibility, reflecting the need for dynamic policymaking in the digital sphere.

Amid these challenges, there emerges a critical need for an integrated EU strategy, drawn up by policy makers and in collaboration with stakeholders. This strategy should boost the tech industry, stabilize markets and protect data sovereignty. It is essential to prioritize the integration of data and infrastructure management, ensuring that the direction of the EUCS aligns with these goals and provides clear guidance to the industry.

