The European Union is considering expanding cybersecurity regulations to encompass Big Tech companies, banks, and airlines, as a growing number of organizations transition to cloud-based services to foster innovation.
The EU Agency for Cybersecurity (ENISA) has introduced a proposed EU certification scheme (EUCS) aimed at enhancing the cybersecurity of cloud services and providing guidance for businesses and governments in selecting cloud vendors. This initiative would require major US tech firms such as Amazon, Alphabet’s Google, and Microsoft to collaborate with EU-based companies to obtain an EU cybersecurity label.
The proposal outlines obligations for cloud operations categorized into four security levels, with the fourth level being the most stringent. For services classified under the third and fourth levels, there will likely be strict mandates for operations to occur within the EU, including the stipulation that data must be stored and processed within EU borders, along with compliance with EU regulations.
The Computer and Communications Industry Association (CCIA), a technology lobbying group, has indicated that broadening the scope of this certification scheme could attract more industries to the EU and facilitate economic growth.
Alexandre Roure, CCIA Europe’s public policy director, emphasized, “Perhaps the most striking part of this new draft is that ENISA now suggests the requirements that discriminate against foreign cloud providers could also be extended to lower levels of assurance.” This expansion could impact not only banks but also airlines, utility companies, and other heavily regulated sectors.
The European Commission is currently reviewing the draft to move forward with the adoption of the scheme.