More than a dozen industry associations including the US Chamber of Commerce this week issued a joint statement warning the EU against adopting rules that would effectively exclude US cloud providers like Amazon, Google, and Microsoft from doing business in much of Europe.
The statement filed by 13 industry associations, including the US Chamber of Commerce, Japan’s Association of New Economy, and the Latin American Internet Association, addresses proposed changes by the EU cybersecurity agency ENISA, that would change how and which cloud providers that governments and companies operating in member nations could use, according to documents passed to Reuters.
The issue at hand are changes to the European Cybersecurity Certification Scheme for Cloud Services (EUCS) proposed in May that Reuters reports would require cloud services to be operated and maintained from the EU and require that customer data be stored and processed in the continent according to its rules.
“These EUCS requirements are seemingly designed to ensure that non-EU suppliers cannot access the EU market on an equal footing, thereby preventing European industries and governments from fully benefiting from the offerings of these global suppliers,” the joint statement reads.
The letter also made the case that the provisions as drafted would not level the playing field and would instead considerably reduce the number of cloud offerings available in Europe, potentially resulting in higher costs for customers.
And there may be some truth to that according to John Dinsdale, chief analyst at Synergy Research Group, who previously told The Register that most European cloud providers instead target niche markets, and don’t come anywhere close to meeting the criteria require to complete with US cloud providers.
The Chamber appears to call out this fact in its statement, arguing that is the EU moves forward with these proposed changes, it could leave customers with existing cloud commitments in a lurch as they’re forced to invest significant time and resources to migrate their workloads and data off of non-EU clouds and onto those ill-equipped to support them.
“If the European Commission suggests the EU wants ’75 percent of Union enterprises’ to take up ‘cloud computing services, big data, and artificial intelligence,’ it should seek to expand — not decrease — the availability of cloud technologies in Europe,” the joint statement reads.
In response to questions, ENISA tells The Register that work on the EUCS is ongoing and no decision has been taken yet. A spokesperson for the agency said that many of the proposed changes are targeted at “use cases requiring the highest level of security,” like those involving sensitive government data or involving critical infrastructure.
The spokesperson added that the scheme in question is also voluntary, “so the fact that a cloud service cannot be certified at a given assurance level does not prevent this service from being used, if this is not defined by national legislation.”
The cloud battle for Europe
As The Register has previously reported, it’s not as though US cloud providers are struggling to find customers in Europe. A Synergy Research Group report from earlier this year found that Amazon Web Services (AWS), Google Cloud, and Microsoft Azure account for 72 percent of cloud spending in Europe and that top six providers are all based in the US.
American cloud dominance in Europe has been a point of contention for years now. Two of the more recent complaints filed with the European Commission come from French public cloud provider OVHCloud and Nextcloud, which have called Microsoft’s business practices anticompetitive. In may Microsoft offered a series of concessions over its licensing policies in a bid to appease regulators investigating the case.
Similarly, we’ve seen US cloud providers scramble to stay in compliance with EU data sovereignty and General Data Protection Regulation (GDPR) requirements. Earlier this year the European Data Protection Board (EDPB) initiated a probe into public sector use of the cloud to determine whether services complied with these requirements.
In the wake of the investigation every major cloud provider, including Google, Microsoft, Amazon, and Oracle, have rolled out sovereign cloud services. Broadly speaking, the services are aimed at public sector customers subject to GDPR restrictions on data collection and processing.
Microsoft in particular has committed to implementing a EU Data Boundary by the end of the year intended to ensure that EU customer data process all data within the EU. Meanwhile Google is being forced to pursue similar measures to continue doing business with EU institutions. ®