US-based cloud service providers like Amazon, Google, and Microsoft can only obtain an EU cybersecurity label for handling sensitive data by partnering with an EU-based company, according to a draft document from the EU, a Reuters news report said.
US tech giants involved in the joint venture can only have a minority stake and must ensure that employees with access to EU data undergo specific screening and are located in the EU.
The cloud service must be operated and maintained from the EU, and all customer data must be stored and processed in the EU, with EU laws taking precedence over non-EU laws regarding the cloud service provider.
The draft proposal from EU cybersecurity agency ENISA introduces an EU certification scheme (EUCS) that will guarantee the cybersecurity of cloud services and determine how governments and companies in the bloc select a vendor for their business. These provisions reflect the EU’s concerns about interference from non-EU states, but they are likely to face criticism from US tech giants concerned about being excluded from the European market.
The document specifies that certified cloud services must be operated only by companies based in the EU and that, to prevent non-EU interference, entities from outside the EU cannot have effective control over the cloud service provider. Tougher rules apply to personal and non-personal data of particular sensitivity, where a breach could negatively impact public order, public safety, human life or health, or the protection of intellectual property.
The draft could fragment the EU single market, as each country has full discretion to impose the requirements whenever it sees fit. The plan has already been criticized by the US Chamber of Commerce, which claims it puts US companies at a disadvantage. However, the EU says the measures are necessary to protect the bloc’s data rights and privacy. EU countries will review the draft later this month, after which the European Commission will adopt a final scheme.