POSITION | DIGITALISATION | CLOUD COMPUTING
European Cybersecurity Certification Scheme for Cloud Services (EUCS) German Industry’s 7 key recommendations
17 June 2022

Certification schemes – Appropriate instruments to demonstrate a specific level of cybersecurity

Cloud services are key enablers of the digital transformation of our society. They are of utmost importance for companies of all economic sectors and are increasingly used by organisations of all sizes. According to a recent survey, 8 out of 10 companies in Germany use cloud applications.¹ Since companies utilise cloud services to store and/or process often highly sensitive data, cloud services must provide a risk-adequate level of cyber-resilience and data protection. In order to enable users of cloud services to choose trustworthy cloud solutions that implement cybersecurity and data protection measures according to the user’s requirements, a common basis for certification can augment the transparency of the market.

Therefore, German industry appreciates that the European Union Agency for Cybersecurity (ENISA) is currently preparing, as one of the first cybersecurity certification schemes based on Article 8(1) of the European Cybersecurity Act (Regulation (EU) 2019/881), a “European Cybersecurity Certification Scheme for Cloud Services” (EUCS). Such a voluntary scheme can be an appropriate instrument for cloud service providers (CSPs) to demonstrate that they implement a specific level of cybersecurity which is appropriate for a certain range of intended application scenarios (intended use). German industry welcomes that the EUCS also contributes to the development of EU-wide agreed standards on cloud security.

Despite this overall positive perception of the EUCS, German industry perceives the need for significant changes to the currently prepared draft scheme – both regarding the content of the EUCS and its drafting process. In any case, companies should have the choice whether they certify their cloud services against the EUCS or other relevant standards (for example European harmonised standards).
A mandatory application of the EUCS should only be the ultima ratio if a voluntary approach turns out to be ineffective. In this regard, German industry opposes any attempt to make certification of cloud services based on the EUCS mandatory for all entities falling within the scope of the NIS 2 directive. In particular, we oppose a further fragmentation of the European regulatory framework by granting individual Member States the competence to make a certification based on the EUCS mandatory for private entities falling within the scope of NIS 2 and national laws implementing NIS 2.
¹ https://www.bitkom-research.de/de/pressemitteilung/nutzung-von-cloud-computing-steigt-im-corona-jahr (representative survey conducted among 556 companies with 20 or more employees in Germany)

Oliver Klein | Digitalisation and Innovation | T: +49 30 2028-1502 | o.klein@bdi
BDI’s position on the EUCS

The EUCS, currently being prepared by ENISA, does not only contain technical but also genuinely political requirements, in particular immunity requirements.² The inclusion of such requirements would mean that – depending on criteria such as the ownership structure or the location of a company’s headquarters – certain CSPs would not be able to obtain a certification for the assurance level “high”. Rules regarding immunity to non-EU laws aim at increasing the protection of cloud users in Europe and strengthening trust in cloud services. These are very important political objectives, but the question of how to achieve them should be discussed and decided within an ordinary legislative procedure at EU level. A certification scheme such as the EUCS, however, is not an appropriate instrument to decide political questions. It should rather be limited to technical issues.

This differentiation is crucial, as the currently envisaged approach of integrating provisions requiring immunity from non-EU laws into the EUCS would have far-reaching consequences for industry and the European cloud market, such as excluding certain CSPs from the possibility of attaining the highest certification level, so that they cannot provide offerings for a specific market segment. Moreover, European CSPs might also be affected by this approach, as there is a risk that governments in other countries could adopt countermeasures in future (e.g., measures that restrict the openness of markets in the respective regions) that could in turn lead to discrimination against European companies in important markets. Negative effects will likely also arise for users of cloud services. Internationally oriented companies, for example, rely on globally operating CSPs in order to ensure worldwide interoperable IT and OT systems.
Should the EUCS set immunity requirements for level “high” certifications on the European market, international companies would – if the EUCS achieves de jure or de facto a far-reaching binding effect – have to use different cloud services in different regions of the world for use cases that require the certification level “high”. Ultimately, this would result in increasing operational costs with effects on the competitiveness of the companies concerned. Moreover, if the currently discussed immunity requirements were to enter into force, the number of CSPs that are able to provide services compliant with the assurance level “high” on the European market would be reduced significantly. While it is likely that over time new services that fulfil the requirements for a certification according to level “high” will emerge on the market,³ certain CSPs will no longer be able to provide services in this segment. This would mean that, at least in the short to medium term, European industry would be confronted with fewer options in this market segment.

From our perspective, these implications for the cloud market in Europe also need to be considered, since a certification according to the assurance level “high” will be no exceptional case limited, for example, to the processing of highly sensitive data by public authorities. Even though it is not possible at this stage to predict exactly for what percentage of cloud services this certification level will be relevant, it is not unlikely that the assurance level “high” will emerge as the de facto standard for cloud security, as legal and regulatory requirements in different sectors as well as customers’ expectations might make certifications according to the assurance level “high” indispensable in practice. For example, companies might pass on respective requirements to suppliers along value chains. If existing business partners do not meet the requirements of this level, users of cloud services would have to migrate their data and services to other providers that fulfil these requirements, causing significant efforts for providers and customers.

Instead of integrating political immunity requirements into the EUCS, the scheme should rather encompass comprehensive transparency requirements for cloud service providers (e.g., regarding the jurisdictions a CSP is subject to), which facilitate an informed decision by users of cloud services. Therefore, German industry urges the European Commission, Member States, ENISA and the working group responsible for drafting the EUCS to refrain from including political requirements in the EUCS and to limit it to technical specifications. The definition of effective technical measures is crucial to enhance cybersecurity and hence should be the exclusive focus of the EUCS process. Political topics, on the other hand, such as the implications of ownership structures of companies, should be discussed and decided within an ordinary legislative procedure. This would reflect the impact of the envisaged measures, guarantee a high level of transparency and the participation of all stakeholders affected by these topics, as well as the execution of a comprehensive impact assessment. Such a political process also contributes to the ongoing discussion on Europe’s digital sovereignty. Furthermore, cloud computing-related security concerns as well as questions concerning cross-border data flows should also be addressed in multilateral formats.

Comparable process standards should also apply to the drafting of technical certification schemes: as the process of preparing the EUCS has not been very transparent and participatory so far, it is also key to involve all relevant stakeholders more closely in the further process and to publish status updates on the EUCS regularly and transparently.

² In some documents also referred to as ‘sovereignty requirements’.

³ The conception and roll-out of “sovereign cloud” offerings illustrates that there are already developments in the market aiming at the provision of cloud services that meet a particularly high level of cloud security.
This is also urgently needed in order to better assess the EUCS’ most likely impact, for example with regard to “sovereign cloud” business models (currently being jointly developed and rolled out by European and non-European CSPs), the often dynamically changing ownership structure of listed companies, different roles companies can take on within transnational data ecosystems and value chains, or the use of cloud services by small and medium-sized enterprises (SMEs). In addition, greater transparency allows for a better evaluation of the exact scope of the EUCS (i.e., which market actors and cloud services may be affected). Moreover, the preparation of the EUCS must be aligned with other ongoing cloud initiatives at European level (for instance the preparation of the EU Cloud Rulebook or the cloud-related provisions of the Data Act) in order to avoid a fragmented landscape of technical rules and standards for cloud computing in Europe.
German industry’s 7 key recommendations

▪ Limiting the EUCS to technical specifications: Political topics such as the implications of ownership structures of companies should be discussed and decided within an ordinary legislative procedure at EU level.

▪ The EUCS should rather encompass comprehensive transparency requirements for cloud service providers (e.g., regarding the jurisdictions a CSP is subject to), on the basis of which users of cloud services can make an informed decision.

▪ Given the high importance of accelerating digital transformation and economic recovery, underpinned by resilience, the policy focus must be on bolstering a secure European digital ecosystem by applying state-of-the-art, risk-adequate cybersecurity technologies, coupled with best-practice methodologies.

▪ Specifying the intended scope for level “high”: To enhance clarity for companies, the European Commission and Member States should swiftly specify for which companies / sectors level “high” is intended.

▪ Enhancing the participation of stakeholders: All relevant stakeholders from all affected sectors should be involved more closely in the further process of preparing the EUCS.

▪ Companies should have the choice whether they certify their cloud services against the EUCS or other relevant standards (e.g., European harmonised standards, ISO standards or national standards). A mandatory application of the EUCS – e.g. as an implementation of Article 21 of the NIS 2 Directive – should only be the ultima ratio if a voluntary approach turns out to be ineffective. In particular, EU policymakers should refrain from any further fragmentation of the European regulatory framework by granting individual Member States the competence to make a certification based on the EUCS mandatory for private entities falling within the scope of NIS 2 / national laws implementing NIS 2.

▪ Ensuring coherence with other cloud initiatives at European level: In order to avoid a fragmented landscape of technical rules and standards for cloud computing, coherence with other processes (e.g., the preparation of the EU Cloud Rulebook or the cloud-related provisions of the Data Act) must be ensured.
Imprint

Bundesverband der Deutschen Industrie e.V. (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0
EU Transparency Register: 1771817758-48
German Lobby Register number: R000534

Editors

Oliver Klein
Senior Manager Digitalisation and Innovation
T: +49 30 2028-1502
o.klein@bdi.eu

Steven Heckler
Deputy Head of Department Digitalisation and Innovation
T: +49 30 2028-1523
s.heckler@bdi.eu

BDI document number: D 1581