Strengthening Cloud Security and Safeguarding Digital Autonomy: Eurosmart’s View on the EUCS


Eurosmart, the leading association representing the digital security sector in Europe, warmly welcomes the ongoing efforts to define the European Union Cybersecurity Scheme for Cloud Services (EUCS).

The EUCS scheme marks a significant milestone in strengthening Europe’s resilience against evolving cyber threats and enhancing trust and security in digital technologies.

Beyond the technical requirements designed to protect cloud services, Eurosmart underscores the importance of safeguarding the most sensitive services from the extraterritorial laws of non-EU countries. A European cybersecurity certification ought to shield and assure the integrity of sensitive and strategic data for European businesses, while also ensuring that personal data processing aligns with European values and fundamental rights. This is paramount for maintaining digital strategic autonomy.

In this context, the digital security industry regrets that the latest version of the EUCS, which is under consideration for adoption, no longer offers the possibility of simultaneously guaranteeing a high level of security and protection against non-European extraterritorial legislation.

Eurosmart calls on the European Commission and the Member States to take decisive action to ensure the concrete protection of cloud services by reinstating the original proposal for transparent and harmonised criteria at the highest assurance level of the EUCS scheme, previously introduced and labelled as “High+” requirements. Establishing “immunity requirements” at the EU level is fundamental to safeguarding the most sensitive European data from risks associated with cloud storage and computing that go beyond the EU’s territory and its legislative control.

For cloud service providers and users in Europe, the “High+” level would drastically limit critical risks such as disruptions (caused, for instance, by interruptions of international data links) or unlawful access, potentially through extraterritorial regulations or ambiguous rules on cryptography for data in transit and at rest.