US and other non-EU cloud providers will have to forfeit some of their control to EU-based partners if they are to maintain their position in the European market, reports have claimed.
According to a new draft document seen by Reuters, the proposed change will see non-EU-based cloud service providers having to enter a joint venture with EU-based bodies in order to obtain an EU cybersecurity label, which allows them to handle sensitive data.
Should it be approved, it will affect the three most prominent cloud providers that occupy between two-thirds and three-quarters of the entire market for both the personal and business sectors: Amazon, Microsoft, and Google.
US cloud in the EU
As well as having to enter a partnership with an EU company, staff chosen to handle sensitive data will have to be located within one of the Union’s member states and have undergone specific screening.
A ‘high+’ level appears to have been added to the ‘basic,’ ‘substantial,’ and ‘high’ tiers that form categories of The Cybersecurity Act, whereby ‘high+’ would require an EU company to have total control over the cloud service “to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values.”
‘High’ and ‘high+’ would also be subject to data localization measures within the EU.
Despite the apparent effort to protect the EU as a whole, one industry source suggested that each country would have the discretion to impose requirements as it sees fit (via Reuters).
It is believed that the European Commission may implement a final version of the rules once they have been agreed by the countries that make up the European Union, following discussions at the upcoming ENISA Cybersecurity Certification Conference.