A deal on the pending EUCS scheme could come at the earliest at the end of May.
France’s request for legal clarification on the pending cybersecurity certification for cloud services (EUCS) has been rebuffed by the EU Council, a spokesperson told Euronews.
The request by the French, sent mid-April, blocked a deal among the national governments on the certification scheme drafted by EU cyber agency ENISA which would allow companies to demonstrate that certified ICT solutions offer the right level of cybersecurity protection for the EU market.
France wanted clarification on how adoption of the EUCS would impact the future of national schemes. The country has its own domestic security qualification – SecNumCloud – developed by the French National Cybersecurity Agency (ANSSI), designed to ensure the robustness of cloud solutions with rising cyberattacks.
The Council spokesperson said that the expert group responsible for working on the certification scheme is not a Council preparatory body, but a technical expert group, set up by the European Commission which deals with the implementation of cyber rules more generally. The Council’s legal department cannot therefore intervene to offer an opinion on the legislation.
Deadlock
Discussions have been ongoing for the past three years on voluntary certification for cloud services after the European Commission asked ENISA in 2019 to prepare such a scheme.
EUCS could now be greenlighted at the earliest during an informal expert group meeting in May, or June, when there’s a formal meeting scheduled. Last month’s attempt to reach a deal failed, despite ENISA’s new draft text which aimed to overcome a deadlock in the negotiations.
The latest text had left out so-called sovereignty requirements. France previously attempted to introduce such requirements within the text designed to exclude non-EU cloud companies from qualifying for the highest security options. This proposal was strongly resisted by several EU countries and industry, who perceived it as a protectionist move.
Last month (10 April), EU companies including aircraft manufacturer Airbus and telecom companies Orange and Deutsche Telekom called upon the 27 EU member states in an open letter to include sovereignty requirements in the proposal.
The French cybersecurity agency didn’t respond to a request for a comment in time for publication.
