After implementing one of the strictest data protection laws, the European Union is now looking to move faster on digital sovereignty with the EUCS cloud certification project. Since May 2018, the GDPR has established a set of rules concerning data protection.
These rules apply to all businesses operating within the European Union, which must now ensure their compliance with data protection.
On a European scale, France stands out as a pioneer in data protection and cloud security. Its numerous regulations, certifications, and qualifications – notably the SecNumCloud qualification, issued by the National Cybersecurity Agency of France (ANSSI) – are a good illustration of this.
Oodrive, a major player in French sovereign cloud and a holder of the SecNumCloud qualification, supports the European EUCS certification project, provided that it becomes a protective and demanding framework for organizations’ data in Europe. Here is our analysis.
The EUCS certification project, a European response to the SecNumCloud qualification
In what context is the EUCS certification project developed?
The issues of independence and digital sovereignty are becoming increasingly urgent in Europe in the face of protectionist policies from the GAFAM and China.
It is within this context that discussions among the Twenty-seven are taking place around the European Union’s cloud certification project, EUCS (European Union Cybersecurity Certification Scheme for Cloud Services). The topic intertwines political, commercial, and technological stakes.
This European scheme for cloud service certification is expected to be adopted in 2024 and will replace national certifications (SecNumCloud in France, C5 in Germany, ENS in Spain).
The project is led by ENISA, the European Union Agency for Cybersecurity, and draws inspiration from existing national schemes.
What is the objective of EUCS?
The objective of this framework is to establish a cloud certification aimed at assessing the security of cloud service providers on a European scale, similar to the SecNumCloud qualification in France, awarded by ANSSI to a select few entities that meet the highest security criteria.
Implementing this framework will harmonize and strengthen cloud security and data protection requirements across all member states.
In the current discussions, the European EUCS cloud certification project envisions three possible certification levels.
These different security levels would be tailored based on usage and the sensitivity level of the data to be hosted:
- Basic Level
- Substantial Level
- High Level (itself divided into “high” and “high+”)
France, a European leader in cloud security
France’s leading role in cloud security with SecNumCloud
The creation of a European cloud reference framework is not a new topic for France, which indeed stands as a model at the European level in terms of security and digital sovereignty.
The awarding of the SecNumCloud reference, a security visa issued by ANSSI, attests to the adherence to a set of security rules ensuring a high level of requirements from technical, operational, and legal perspectives.
The French SecNumCloud reference serves as a benchmark in the design of the European EUCS cloud certification.
The French government is also pursuing an ambitious cloud strategy as part of its “cloud at the center” approach.
Cloud hosting is now considered the default mode for digital projects of the state, demonstrating that trusted cloud solutions have the potential to accelerate the digital transformation of the public sector.
EU Member States Divided on the Issue of European Digital Sovereignty
The European EUCS cloud certification project does not enjoy unanimous support among the different EU Member States.
For instance, France, Italy, and Spain advocate for strict protection of European data and therefore oppose the principle of data extraterritoriality.
These countries argue that it is necessary to safeguard European data from non-European legislation. The issue of immunity from foreign jurisdictions becomes even more crucial as the United States has recently extended the FISA law for several months.
The desire to include sovereignty requirements within the European EUCS cloud service certification is not met with consensus.
Led by the Netherlands, 12 other European countries – including Germany – oppose a version of the text that would contain overly stringent sovereignty requirements.
Oodrive’s Response to the European EUCS Cloud Certification Project
Yes to a demanding and protective European cloud certification
As a specialist in data security and trusted cloud services, Oodrive has always advocated for the implementation of stringent cloud security standards, both at the national and European levels.
Therefore, Oodrive closely follows the EUCS certification project and supports the creation of this framework, provided it becomes a high-level qualification – granted based on demanding criteria – to effectively protect European data from American hyperscalers.
Recent examples like the Health Data Hub and the permission given to Microsoft to store French health data represent serious breaches of data confidentiality.
French trusted cloud actors – gathered under Hexatrust, of which Oodrive is a part – also encourage the French government and European decision-makers to fully commit to a demanding and protective European cloud certification.
The aim is to enable Europe to maintain its technological independence and to foster the emergence of a European cloud and trust industry, rather than locking itself into technological and economic dependence on American GAFAMs.
For Alignment of EUCS Certification with SecNumCloud Standards
The SecNumCloud reference represents the most demanding label in terms of cloud trust. Regarding data localization, SecNumCloud mandates that data must be stored and processed within the EU.
The French trusted cloud sector wishes to maintain this data localization requirement – including for administrative and supervision operations of the service – for the highest levels of the EUCS certification.
Aligning with the requirements of the SecNumCloud label is an essential prerequisite to uphold the confidentiality of European data and to build a trusted cloud ecosystem on a European scale.
The EUCS certification project clearly demonstrates the need to promote a harmonized approach to cloud security in Europe, with the collaboration of all relevant stakeholders. This unique security reference aims to become a common framework across all EU Member States. It is therefore particularly relevant for building digital sovereignty on a European scale against major foreign technological powers. To meet all these objectives, Oodrive maintains that the EUCS certification must align with the requirements of the SecNumCloud qualification, the highest security reference at the European level.