Joint industry statement on the need for a swift adoption of the EU Cybersecurity Certification Scheme for Cloud Services without sovereignty requirements

The American Chamber of Commerce to the EU and twelve other industry associations representing both cloud customers and cloud vendors operating across the European Digital Single Market call on Member States, EU institutions and the European Union Agency for Cybersecurity (ENISA) to firmly reject the proposed sovereignty requirements in the EU Cloud Services Certification (EUCS) and, rather, swiftly adopt of a workable and non-discriminatory EUCS, as sovereignty restrictions are politically motivated and do not add value to cybersecurity of cloud services in the EU. 
 
For well over a year, many European and international associations, industry actors and Member States have publicly expressed their concerns about the lack of progress with the examination of restrictive sovereignty requirements in the EUCS. Additionally, several Member States have also proposed alternative options to end the stalemate, such as a European evaluation mechanism based on trustworthiness for non-EU cloud providers. As a basis for discussion, our associations have outlined several concerns about the EUCS, including: 

1.Limited transparency and lack of stakeholder engagement;2.Inclusion of ‘digital sovereignty’ requirements;3.Conflicting Member States’ views;4.Legal confusion and uncertainty caused by the interplay with other EU legislation; and5.Compliance with a World Trade Organisation (WTO) rules

You can learn more about the need for a EUCS without sovereignty requirements by reading our joint industry statement.