EU Cloud Cybersecurity Regulations Contain Many Pitfalls that Could Hinder Technology Development


Collaboration between nations and businesses to protect cloud solutions from cyberattacks is crucial and demands prudent regulation. However, the cloud cybersecurity certification program (EUCS) proposed by the European Commission and ENISA contains many potential pitfalls that could hinder the growth of this technology within the European Union, warns the Digital Poland Association in a message addressed to the European Parliament and member states.

The draft of the cloud cybersecurity certification program for the European Union was prepared by the European Commission and the European Union Agency for Cybersecurity (ENISA). Member states of the EU also participated in its formation. This is a voluntary certification program under which security requirements for cloud applications and infrastructure are defined. The European Commission is currently finalizing its text.

“This is a key piece of legislation that will standardize cybersecurity practices and standards for cloud solutions across the European Union. The current fragmentation and varied approaches within the Community make it hard to build resilience and effectively combat the growing threats posed by cyberattacks. So, closer cooperation is needed in this regard,” says Michał Kanownik, president of the Digital Poland Association. The organization representing the Polish digital industry agrees with the idea underlying the act. However, it also notes that the proposed provisions contain many potential pitfalls that could hinder the development of cloud technologies within the European Union. The Association has relayed its reservations to the European Parliament and member state representatives.

EU countries may be deprived of advanced technologies

Digital Poland experts are particularly concerned about the proposal in the draft that requires cloud service providers to be based in the European Union. In the Association’s view, this might mean that many world-class and trusted providers of such technologies could be excluded from operating in the European market. “By intensifying the impact of these discriminating measures, the latest EUCS draft seems to predict a much broader scope of these sovereignty-related regulations than the declared intent of limiting them only to datasets related to national security. This broad high-level scope now risks including economic and health data, as well as other open categories. This could result in a large portion of the European industry and public services being deprived of access to advanced cloud processing technologies,” reads the letter from the Digital Poland Association experts.

The Association believes that this approach will affect the quality of security and resilience of cloud systems and will also cause disproportionate cost increases for both the public and private sectors. The Association also highlights that some member states currently lack the necessary infrastructure to store significant amounts of data and may find it challenging to meet EU requirements.

Key transatlantic cooperation and open debate

Digital Poland suggests that the European Union should collaborate with like-minded non-EU countries to develop a unified approach to cloud protection. As an example, it points to the existing data protection frameworks between the EU and the US. “Data flows between Europe and the United States are the largest in the world, and mutual frameworks have helped establish clear rules for them. Similarly, to ensure protection of EU citizens’ data, even when located outside the EEA, a common set of regulations should be established. In this way, the EU would ensure the safety of citizens’ data and compliance with EU law, while developing a system that is effective and allows data transfers to other liberal democracies,” emphasizes Digital Poland.

Experts are also concerned that many member state comments have been overlooked in the discussion about cloud certification regulations. In the view of representatives of the Polish digital industry, the process lacks broader oversight and a wider debate, which risks introducing radical changes to European cybersecurity standards without adequate supervision. “Decision-makers need to speak up and ensure that the EUCS includes sensible solutions to enhance European cybersecurity, rather than opting for outdated regulations that could hinder the use of the most reliable technologies and expose European citizens to risk,” the Digital Poland experts conclude.