Staff Report
France has thrown a wrench into the gears of a pending cybersecurity certification for cloud services (EUCS), as revealed by sources close to Euronews. The nation has sought the expertise of the Council’s legal service to delve deeper into the potential ramifications of adopting the EUCS, putting a halt to negotiations among member states.
At the heart of France’s inquiry lies its concern over the compatibility of the EUCS with existing national schemes, notably its own SecNumCloud, crafted by the French National Cybersecurity Agency (ANSSI) to fortify cloud solutions against the backdrop of escalating cyber threats.
Originally slated for approval by April 15, the EU cybersecurity certification faced a setback following France’s move. Now, with expert group meetings scheduled for May or June, the fate of the EUCS hangs in the balance.
Discussions surrounding a voluntary certification scheme for cloud services have spanned three years, initiated by a directive from the European Commission to ENISA in 2019. This scheme aims to enable companies to showcase the cybersecurity robustness of their ICT solutions within the EU market.
ENISA’s latest draft, however, omitted sovereignty requirements, a contentious issue that had sparked discord among EU countries and industry stakeholders. France had previously pushed for such provisions to exclude non-EU cloud entities from accessing top-tier security options, a stance met with resistance from various quarters.
In a recent development, EU corporations, including industry giants Airbus, Orange, and Deutsche Telekom, underscored the importance of sovereignty requirements in an open letter to the 27 EU member states. This signals ongoing debate and highlights the complexity of reaching a consensus on cybersecurity standards within the EU framework.
