Changes to the EU Cloud Services Cybersecurity Certification Scheme put EU citizens’ data at risk: A Call for Digital Sovereignty
- The latest version of the European Cybersecurity Certification Scheme (EUCS) eliminates the requirement of data storage in the EU, thus favouring cloud providers from overseas.
- Sovereignty criteria – removed from the EUCS draft – aimed at preventing unauthorised access to data hosted or processed by extra-EU providers.
- DIGITAL SME supports the inclusion of those so-called ‘immunity’ or ‘sovereignty’ criteria into the EUCS. By protecting users and sensitive European data against unlawful access, the scheme would also encourage the development of trustworthy cloud services by European providers.
Recent changes to the EUCS scheme have removed the “immunity” or “sovereignty” requirements necessary for the highest level of cybersecurity – High+. These requirements entailed that the level High+ could not be achieved without data being stored in Europe. This guarantees that foreign jurisdictions cannot compel access to the data stored within the cloud.
In its Policy Paper on ‘EUCS – An opportunity for Europe’s Digital Sovereignty’, the European DIGITAL SME Alliance calls for the return of these “sovereignty requirements” not just to safeguard the data of European citizens and businesses, but to reinforce the principle of European digital sovereignty and the primacy of EU digital law with regard to European data.
The Case for Stronger Immunity Requirements:
- Improving Competitiveness of European Cloud Providers: If the EU aims to cultivate reliable cloud service providers within its borders, it must enforce stringent security requirements that do not give the keys to European data protection to third-party actors. Weakening these requirements will only perpetuate the existing dependence on non-European providers, contrary to the EU’s strategic goals of fostering a secure, competitive digital ecosystem. In fact, Big Tech providers of cloud services may find it easier to bid for EU cloud computing contracts after the removal of those requirements.
- Preventing Fragmentation through Harmonized Provisions: It is crucial to implement harmonized cybersecurity requirements across the EU, rather than leaving them to be managed at the national level. This would also help ensure alignment with other EU digital and cybersecurity laws, such as the Data Act, the Cybersecurity Act, the Artificial Intelligence Act, and the Chips Act.
- Establishing Unified Reference Point for a True Digital Single Market: The inclusion of sovereignty criteria into the EUCS will also serve to provide cloud services users, including SMEs, with a unified EU standard and reference point. Otherwise, a multitude of potential national standards would produce fragmentation in the market and jeopardise cross-country cooperation and business activities. Thus, the inclusion of those criteria is also essential to realise a true Digital Single Market.
Conclusion: A Call to Strengthen the EUCS for Europe’s Digital Future
To secure Europe’s digital sovereignty and enhance trust in cloud services, DIGITAL SME deems it essential that policymakers include the ‘immunity’ or ‘sovereignty’ requirements in the EUCS as a way to preserve European sovereignty and foster its technological leadership.
To support this effort, DIGITAL SME has also joined other cloud users, signing a letter calling for the return of the High+ certification and sovereignty requirements: https://eucshighplus.eu/.