ASD Note on EU Cybersecurity Certification Scheme for Cloud Services

Deliberations on the proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) have been ongoing since December 2019. Much of the discussion have been centred around the inclusion of transparent and harmonised criteria at the highest assurance level of the EUCS scheme, previously introduced and labelled as “High+” requirements.

As European cloud users in a strategic ecosystem and being committed to EU’s digital competitiveness, the European aerospace, defence and security industries strongly advocate for the (re)integration of the High+ requirements. This would guarantee the protection and availability of the most sensitive European data against risks that could derive from an unregulated and unmonitored cloud storage and computing beyond the EU’s territory and legislative control, including service disruption (e.g. interruption of international data links) or unlawful access (e.g. through extraterritorial regulations or due to unclear or diverging rules on cryptography of data in transit and at rest).

Rationale

Cloud users, especially in strategic and highly sensitive sectors, require transparency and certainty about the level of protection of their data. There is a high likelihood that users will rely on the EUCS certification scheme to ensure that their data is correctly managed and adequately secured. However, if a future EUCS scheme leaves open the possibility of unexpected and unsanctioned data access, this would mean that the highest level available to users would not provide the latter with adequate protection or information.

EUCS is a voluntary certification scheme, therefore including the High+ requirements would not at all distort the market. Other assurance levels will still exist, and cloud providers not meeting the High+ criteria would remain able to offer their solutions in the EU market. At the same time, the existence of a High+ level would provide a unified EU reference to users, such as our industry, wishing to ensure for their most sensitive needs that suppliers can guarantee the required level of assurance.
The inclusion of such criteria is essential to the implementation of cloud strategies for European organisations operating in our sectors across the Union. Moreover, it would also remove the burden of having to comply with different national laws and contribute to industrial competitiveness, which is in line with the Commission’s strategic priorities. Furthermore, robust and harmonized criteria would foster increased cooperation within the EU and increase the efficiency of companies, allowing them to opt for single solutions across EU countries. By contrast shifting the responsibility for defining requirements to the national level would inevitably result in diverging national requirements and, consequently, legal, technical, and economic uncertainties for both EU cloud providers and users in the implementation of their cloud strategies. This would lead to regulatory and market fragmentation, which would be contrary the EUCS objective of fostering harmonisation.

The (re)introduction of the High+ requirements would also be fully consistent with the existing Gaia-X
labelling framework, and in particular, Label Level 31, which sets conditions relating to providing
continuous operating autonomy, supported by EU-located headquarters, control structure and
compliance with EU/EEA/Member States’ law (criteria P5.1.2 to P5.1.7). Label level 3 was developed by
Gaia-X based upon a clear market demand and it has proven its added value in providing information to
users without distorting market dynamics. Gaia-X has thereby set a blueprint for an open and robust EUCS, one that was jointly developed and adopted by both cloud providers and users in Europe.
Finally, as debate around AI regulation and protection is growing, it is also important to keep in mind that
AI relies heavily on cloud infrastructures and access. It is thus inconsistent to seek sufficiently protective
and robust AI solutions without considering the role of the underlying cloud infrastructure and without
incorporating the necessary High+ level.

Therefore, ASD calls on Member States and the Commission to re-introduce criteria for the High+ level
of assurance in the main body of the EUCS scheme. It is absolutely vital to avoid sacrificing European
long-term strategic interests for the sake of temporary expedience.