By Théophane Hartmann | Euractiv.com Est. 6min 31-10-2023 (updated: 03-11-2023 ) Content-Type: Analysis, News Analysis Based on factual reporting, although it Incorporates the expertise of the author/producer and may offer interpretations and conclusions.News Based on facts, either observed and verified directly by the reporter, or reported and verified from knowledgeable sources. "What worries me the most is that the German Federal Office for Information Security (BSI) has endorsed the AWS European Sovereign Cloud," French centrist Member of Parliament Philippe Latombe told Euractiv, explaining he fears that "the Germans start exerting pressure against France" highest cloud security certification, called SecNumCloud. [Yu Chun Christopher Wong / Shutterstock] Euractiv is part of the Trust Project >>> Languages: Français | DeutschPrint Email Facebook X LinkedIn WhatsApp Telegram Corrections:Updated to clarify source comments. The recent announcement of “a new, independent cloud for Europe” by Amazon Web Services (AWS) has underlined the growing divergence between the positions of Paris and Berlin regarding digital sovereignty in the cloud sector. The move by AWS last week came as part of an overall trend whereby American hyperscalers – a term used to describe cloud service providers with massive operations – seek to address the concerns of EU countries looking to keep their data within Europe’s borders. Past examples include leading market players like Microsoft, which announced its Microsoft Cloud for Sovereignty offer in July 2022, and Oracle, which launched its EU Sovereign Cloud offer last June. “What worries me the most is that the German Federal Office for Information Security (BSI) has endorsed the AWS European Sovereign Cloud,” French centrist MP Philippe Latombe told Euractiv, explaining he fears that “the Germans start exerting pressure” against France’s highest cloud security certification, called SecNumCloud. AWS was in fact the first cloud service provider to receive the BSI’s C5 testate, a German cloud security certification, based on the same international standard as SecNumCloud. BSI’s Director General Claudia Plattner said in a statement that she was “very pleased to constructively accompany the local development of an AWS cloud, which will also contribute to European sovereignty in terms of security”. What is a secure cloud? According to Arnaud David, Director of European Affairs at AWS, the company has put in place technical building blocks, including safeguards, controls and security features that allow customers to enforce access restrictions so that nobody, including from AWS, can access customer data. He further explained that AWS cannot access customer data unless the access is given by its customers and that AWS provides its customers with encryption tools. Moreover, only EU-resident AWS employees located in the EU will control operations of the AWS European sovereign cloud. France set to regulate cloud market more than EU A comprehensive bill aiming to secure and regulate the internet in France aims to strictly respect the new digital European regulations and, when it comes to cloud regulation, will go even further. Conflicts of law For MP Latombe, “AWS cloud cannot be sovereign because it is subject to the US FISA and Cloud Act,” legislations mandating US companies, US citizens or foreign subsidiaries on US soil to cooperate with the US security agencies. According to AWS’s David, “if AWS is requested to send data to US administrations under the FISA, Amazon will challenge every request it deems inappropriate, especially if it is contrary to local law, like the EU’s General Data Protection Regulation (GDPR) in the EU.” Of course, every company affirms it would not disclose sensitive information, at least until they are caught in the crossfire of conflicting jurisdictions. “We are a global company subject to laws in every country where we operate, including US law,” David said, adding that this was also the case for EU companies with subsidiaries in the US. Latombe disagrees, arguing that European cloud providers with operations in the United States are subject to US laws only through their US-based subsidiaries, which is not the case with AWS, a US-based company that must comply with US agencies globally. Jean-Sébastien Mariez, founding partner of the French tech law firm Momentum Avocats, noted that “since the Cloud Act, the location of data is irrelevant in the applicability of US laws”. Moreover, while Amazon advertises that “only EU-resident AWS employees” located in the EU will access data, a 2022 memo by the Dutch National Cyber Security Center states that this does not necessarily mean protection from FISA and Cloud Act laws. European cloud providers call "not to give in to the pressure" over sovereignty requirements European cloud companies want to stand together as EU Agency for Cybersecurity (ENISA) is due to present its new certification scheme to ensure that services are impervious to extraterritorial laws, despite strong opposition. Franco-German divergence Traditionally, Paris could count on Berlin’s support to push digital sovereignty principles that favour their national champions over foreign providers. In contrast, smaller member states prefer to buy the best available technology regardless of its provenance. But a Franco-German divergence on the concept of the sovereign cloud has been long in the making. Different understandings of what digital sovereignty meant for cloud infrastructure are what made the Gaia-X European digital sovereignty project lose its political momentum. Tensions came to a head with the European Cloud Services scheme (EUCS), a cybersecurity certification scheme where France, via its Commissioner Thierry Breton, tried to replicate the sovereignty requirements of SecNumCloud at the EU level. This attempt faced significant resistance from more liberal countries, led by the Netherlands. With the liberal Free Democratic Party occupying critical ministries in the current coalition government in Berlin, France not only did not receive support from Germany but was at times more or less openly criticised. In this context, Latombe fears that Germans are taking a pro-US and anti-French position and, therefore, would be “exchanging their industrial dependency on Russian gas for a dependency on American digital companies”. That is why he considers that giving the C5 certification to the AWS European Sovereign cloud was “a nook in [the French certification] SecNumCloud” since the French ANSSI and German BSI authorities have a mutual recognition agreement for security certificates, albeit only for the first security level at the moment. A BSI spokesperson told Euractiv there was no specific connection between the AWS announcement and the currently discussed EUCS. Meanwhile, the German Digital Ministry said to Euractiv that it was “committed to ensuring that the [German] economy can access secure and powerful cloud structures to the extent required”. The French ANSSI and the Digital Ministry declined Euractiv’s requests for comment. Latombe advertised on Monday (30 October) that he sent a written question to French Digital Minister Jean-Noël Barrot on the matter. European Parliament readies position on the Data Act EURACTIV provides an overview of the main changes EU lawmakers introduced to the new data law ahead of the EU Parliament’s key votes. [Edited by Luca Bertuzzi/Nathalie Weatherald] Read more with Euractiv NGOs urge EU Commission to include porn websites in the 'systemic risk' clubSeveral civil society organisations have urged the European Commission to designate major porn websites as “very large online platforms” that have to follow a strict regime under the Digital Services Act (DSA), according to a letter seen by Euractiv.
