The European Union is contemplating the expansion of its proposed cybersecurity labeling rules, impacting not only major tech players like Amazon, Google, and Microsoft but also extending to sectors such as banks and airlines, according to the latest draft of the regulations.
The EU's move comes as Big Tech eyes the government cloud market for future growth. The surge in demand for cloud services, driven by the success of OpenAI’s ChatGPT and the anticipated boom in artificial intelligence, further emphasizes the need for robust cybersecurity measures.
The recent proposal from the EU’s cybersecurity agency, ENISA, revolves around the EU Certification Scheme (EUCS), aiming to validate the cybersecurity of cloud services. It outlines the criteria for governments and companies within the EU to select vendors for their business operations.

The draft retains key provisions from earlier versions, including the stipulation that U.S. tech giants must establish a joint venture with an EU-based company to qualify for the EU cybersecurity label. It also emphasizes that cloud services must be operated and maintained within the EU, and customer data must be stored and processed within the EU, with EU laws taking precedence over non-EU laws regarding the cloud service provider.
These obligations primarily apply to the highest of the four security levels. The latest draft introduces the possibility of extending these stringent requirements to the third-highest security level.
EU member states are currently reviewing the latest draft, and the European Commission is expected to adopt a final scheme based on their feedback.
Tech lobbying group CCIA expressed concerns about the broadening scope, noting that it could affect a wider range of industries. Alexandre Roure, CCIA Europe’s public policy director, highlighted the potential impact on various sectors, including banks, airlines, utility companies, and heavily regulated industries.
Criticism has also been voiced by the European Banking Federation (EBF), along with the European Savings Banks Group (ESBG), the Association for Financial Markets in Europe (AFME), the European Payment Institutions Federation (EPIF), and Insurance Europe. They raised concerns about the sovereignty requirements embedded in the proposed cybersecurity rules.