US lobbyists commission report dismissing proposed EU cloud regulations

A proposed EU Cloud Certification Scheme has met with further criticism from a European policy think tank, although it turns out its report was commissioned by a Washington-based IT industry lobby group.

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is intended to put in place an EU-wide certification framework for IT services.

However, the proposals would also impose "sovereignty" requirements that force cloud providers to host services for EU customers on infrastructure sited within the EU, and to demonstrate their "immunity" from foreign law enforcement authorities demanding access to data.

The proposals have already met with opposition from the US, with a number of industry associations issuing a statement in December claiming that such rules would hamper big US cloud providers such as Amazon, Google, and Microsoft from doing business in Europe.

Now a report has been issued by the European Centre for International Political Economy (ECIPE) criticizing the EUCS proposals. It calls for the EU's Cybersecurity Agency (ENISA) and the European Commission to abandon the immunity requirements in EUCS, warning that it could "open a Pandora's box" by empowering the European Commission and individual member states to exclude foreign businesses from domestic cloud services markets.

The report, "Building Resilience? The Cybersecurity, Economic & Trade Impacts of Cloud Immunity Requirements", makes lots of claims about the proposed EU legislation. For example, that it could increase the exposure of cloud adopters to cybersecurity risks, that EU suppliers are "in no position to manage a broad-based transition to cloud," and that the new rules would "delay significant efficiency and security gains that current foreign suppliers could offer."

But the report itself was commissioned by the Computer & Communications Industry Association (CCIA), which is an international non-profit advocacy organization based in Washington DC to represent the interests of the IT and communications industries.

To be fair to ECIPE, it claims to be an independent and non-profit body, and that the opinions offered are "purely those of the author," but readers would be amazed how often such independent reports just happen to align very closely with the views of the organization that commissioned them.

For example, it claims that the immunity requirements in the EUCS are "discriminatory by design" and could provoke retaliatory measures against the EU by trading partners (meaning the US, of course). This might take the form of retaliatory tariffs of 25 percent on up to $12 billion of EU goods exports, based on an assumption that an immunity provision would effectively ban services from the three biggest cloud providers worth $2.9 billion, the report states. Alternatively, equivalent restrictions might be applied on EU services exports to the US.

75% European cloud? You're joking

The report is perhaps correct when it states that European providers are currently in no position to manage the EU's goal of 75 percent cloud adoption rate for enterprises, and this is because US companies currently serve more than 75 percent of the EU market, with the big three cloud providers alone accounting for 72 percent, according to figures from Synergy Research Group last year.

• US government sets a 30-day deadline for wiping TikTok from feds' phones
• Europe to consult on making Big Tech pay for the networks it floods
• EU lawmakers argue against signing US data-transfer pact
• Euronext says non, nein to US cloud providers services as rivals sign up

But European companies have themselves complained about anticompetitive practices from the big cloud providers, in particular Microsoft, which last year offered concessions in a bid to appease regulators.

Microsoft has also been taking steps to offer greater “data sovereignty” capabilities to EU users, in particular the introduction of an EU “Data Boundary” at the start of this year, which provided customers with the ability to store and process their customer data entirely within the EU for certain cloud services.

Meanwhile, enterprise spending on cloud services is growing, but at a reduced rate than in recent years, as organizations try to control costs amid rising inflation and a growing view by some that cloud investments may have not delivered on the promised results. ®