EU Cloud Certification at an Impasse
cepInput

Digital Economy


Dr. Anja Hoffmann, LL.M. Eur.
Philipp Eckhardt

The introduction of an EU scheme for certifying the cybersecurity of cloud services (EUCS) has been the subject of intense debate for years - so far in vain. The aim: harmonised standards for the attestation of the level of cybersecurity of cloud services in the EU. As time is pressing due to enormous political and economic turmoil, the Centre for European Policy (cep) is proposing ways out of the impasse.


At the centre of the dispute is the question of whether so-called sovereignty requirements, such as the obligation to store data exclusively in the EU, should be part of such a certification scheme. This is intended to protect European data from unauthorised access from third countries and at the same time strengthen the sovereignty of the EU.

According to the cep experts, an EUCS can fundamentally strengthen the trust of companies and public institutions in the EU in cyber-secure cloud services. "Including sovereignty requirements in the EUCS is understandable from a geopolitical and security policy perspective," says cep digital expert Philipp Eckhardt. "However, including them in the scheme in the way envisaged is legally tricky," warns cep lawyer Anja Hoffmann. "This is not just an apolitical concretisation of the rules of the EU Cybersecurity Act (CSA). Rather, it is an issue to be decided by the EU lawmakers." If the EU considers sovereignty requirements to be sensible, it should regulate them by law and not exclusively by way of an implementing regulation. "Even from an economic perspective, the inclusion of sovereignty requirements is not only associated with advantages," seconds Eckhardt. Restricting the usability of providers from third countries could distort competition and limit the choice of innovative cloud services for EU users.

In order not to delay the necessary strengthening of the cybersecurity of cloud services any longer, the cep experts argue that the EU Commission should adopt the EUCS without sovereignty requirements soon. In addition, the cep experts demand concrete adjustments to European cybersecurity laws (including the CSA that the Commission wants to revise in 2025) and the EU directives on public procurement and call on the Commission to develop guidelines on cloud sovereignty as a transitional solution. "Cloud infrastructures are a central cornerstone of the digital transformation and at the same time a sensitive area in terms of security policy. The EU should quickly find a comprehensive approach that strengthens cybersecurity in the EU and considers the concerns regarding a further weakening of digital cloud sovereignty," emphasises Eckhardt. "However, any future approach must be legally sound and compatible with both European and international law," demands Hoffmann.

This cepInput in English is an updated and expanded version of a cepInput that the cep already published in German in December 2024.


EU Cloud Certification at an Impasse (publ. 04.25.2025)