
EU cloud scheme needs more privacy safeguards, French watchdog says

The French National Council of Computer Sciences and Liberties (CNIL) has expressed concerns about the current draft EUCS.
Copyright Michel Spingler/Michel Spingler
By Cynthia Kroet

With no more meetings planned, certification is likely to be delayed still further.


Data protection safeguards in the planned EU certification scheme for cloud services, EUCS, need to be improved, French privacy watchdog CNIL has said in a statement published late on Friday (19 July). 

The concerns add to the French government's doubts about the long overdue scheme, which aims to ensure ICT packages sold in the EU market are protected from cyberattacks, but which has been bedevilled by delays.

“In its current state, the European certification scheme for cloud services no longer allows providers to demonstrate that they protect stored data against access by a foreign power,” the French data protection authority said, drawing a contrast with France's own domestic system.

“The CNIL is calling for the level of personal data protection in this certification to be enhanced by reintroducing such guarantees,” it added.

CNIL says that for the most sensitive information – about healthcare, crime or children – data hosted in the EU should not be at risk of unauthorised access by authorities from outside the bloc.

Deadlock

Over recent years, the sovereignty requirements of EUCS turned into a political battle.

The European Commission asked Enisa – Europe’s cybersecurity agency – to prepare the certification back in December 2019, as secondary legislation under the Cybersecurity Act. 

When the draft rules were being negotiated, France attempted to exclude non-EU cloud companies from running the most secure systems.

That would have made the EU plans more closely resemble its own national cloud certificate SecNumCloud, but would also have a significant impact given that major providers — including AWS and Microsoft — are all American. 

France's proposal was strongly resisted by several EU countries and industry, who perceived it as a protectionist move, and no deal has been reached since.

The European Cybersecurity Certification Group — an expert group composed of representatives of national cybersecurity certification authorities — is still waiting for the Commission to provide it with guidance on whether member states can add extra sovereignty rules on top of the EU's, and it looks like they may have to wait a bit longer. 

The meeting to prepare the draft text, originally planned for mid-July, did not take place, a spokesperson for the Commission told Euronews, and no new meeting is currently scheduled. 

If experts give the green light, the Commission will start a public consultation before it publishes its implementing act, which will then take effect after 18 more months. The ongoing delay makes an agreement under the mandate of the current Commission, which expires at the end of October, unlikely.

Of the two other certificates proposed since 2019, only one has been approved, on baseline ICT products; another on 5G is still in progress.
