EU Commission’s “multi-cloud strategy” raises consistency questions

US cloud service Oracle advertised on Monday (30 October) that the European Commission decided to include Oracle Cloud Infrastructure services into its offerings, raising consistency questions with its proposed cloud security schemes.

The EU executive has selected Oracle Cloud Infrastructure for a six-year overarching framework agreement that allows the US-based company to offer cloud services to the EU institutions, bodies and agencies.

“The cloud is a question of digital and industrial sovereignty,” stated Commissioner for Internal Market Thierry Breton earlier in April at the Forum on Cyber Security.

Breton has spearheaded the French push to create a European replica of its cloud security certification, SecNumCloud, introducing sovereignty requirements in the European Cloud Services (EUCS).

Therefore, the decision of the Commission to include the American Oracle in its cloud service offerings available to the EU administration seems at odds with its boasted drive toward technological sovereignty.

Multi-cloud strategy

A Commission spokesperson told Euractiv that “the European Commission operates a multi-cloud strategy”, explaining that the EU institutions, bodies and agencies will now have the possibility to “run mini-competitions that address their needs in IT supplies” and then select the cloud provider they consider best suited to their needs.

Oracle is not the first or only non-EU cloud service provider to be granted a framework contract and, therefore, to be granted the possibility to offer its services to the EU administration.

However, it is remarkable that these foreign cloud vendors would not qualify for the highest assurance level of EUCS, which, according to drafts circulated in May and August this year, would require the cloud service provider to be ‘controlled’ by a European company.

EU cloud certification headed for tiered approach on sovereignty criteria

A draft Cybersecurity Certification Scheme for Cloud Services, seen by EURACTIV, moved the requirement excluding non-European companies into a new subcategory.

A controversial scheme

In other words, the Commission might be setting a higher standard than it follows.

While EUCS is a voluntary scheme, it might become mandatory for entities considered essential for the European economy under the revised Networks and Information System Directive (NIS2).

However, the Commission’s attempt to introduce sovereignty requirements has faced significant opposition from industry and a growing coalition of member states led by the Netherlands.

Following the politicisation of what was meant to be a technical discussion, the European Parliament has also recently adopted a modification to the Cybersecurity Act, the legal basis for EUCS, which would empower MEPs to vote down cybersecurity certification schemes.

EU Parliament set to request involvement in cybersecurity certification schemes

All major political groups are expected to get behind amendments requiring the adoption of cybersecurity certification schemes to be rubberstamped by the European Parliament.

French approach losing momentum

One expert, speaking to Euractiv on the condition of anonymity, said that the French cloud certification scheme SecNumCloud is losing momentum in the EU.

Namely, the requirement that the shares of a cloud service provider cannot be owned by more than 24% of one company with headquarters out of the EU is now being dropped across Europe, except for the French SecNumCloud certification.

This is consistent with the decision by the German cybersecurity agency, the BSI, to grant the C5 certification to AWS European Sovereign Cloud, a cloud security certification based on the same international norm as SecNumCloud and the EU Commission’s wish not to exclude any provider from the European market.

By contrast, French lawmakers from the Senate tried making a protectionist move by submitting to a bill on digital space regulation the obligation for all public bodies to upload their data only on cloud services with SecNumCloud certification.

France set to regulate cloud market more than EU

A comprehensive bill aiming to secure and regulate the internet in France aims to strictly respect the new digital European regulations and, when it comes to cloud regulation, will go even further.

It was later dismissed by the National Assembly rapporteur, who considered that SecNumCloud-certified clouders would not have had the capacity to handle an upload of such a huge amount of data.

Some, like French centrist MP Philippe Latombe, or Austrian data protection activist Max Schrems, see American hyperscalers  – a term used to describe US cloud service providers with massive operations – as a danger to European companies.

Latombe perceives a potential danger that American companies and authorities could access European company’s data and therefore engaged in “economic intelligence,  retrieving EU trade secrets and target the EU’s industrial and knowledge base”, he told Euractiv.

Schrems also voiced doubts about the US becoming “the cloud provider of the world”, as they take “the view that foreigners don’t have privacy rights”, henceforth criticizing the European Commission in agreeing with the US on an agreement allowing personal EU data to be transferred to the US under the Data Privacy Framework.

France and Germany increasingly drift apart on digital sovereignty of cloud sector

The recent announcement of “a new, independent cloud for Europe” by Amazon Web Services has underlined the growing divergence between the positions of Paris and Berlin regarding digital sovereignty in the cloud sector.

[Edited by Luca Bertuzzi/Nathalie Weatherald]

Read more with Euractiv

EU policymakers brace for clash in thorny debate over platform workers' status

EU institutions are preparing for confrontation over the functioning of the legal presumption of employment, the most sensitive aspect of the Platform Workers Directive, in a trilogue next Thursday (9 November).