ENISA leans into EU-based clouds with draft cybersecurity label

Time for AWS and pals to start thinking about JVs?

Cloud services providers that aren't based in Europe — like the Big Three — may have to team up with a cloud that is operated and maintained from the EU if they want ENISA's stamp of approval for handling sensitive data.

ENISA, the European Union's cybersecurity agency, is currently developing a cybersecurity certification scheme that aims to better protect member-state governments' and businesses' data. This reportedly includes a new proposal that would require any non-European cloud providers to form a joint venture with an EU-based provider if they want to earn a coveted ENISA cybersecurity label.

According to a draft of the new rules seen by Reuters, US cloud giants like Amazon, Microsoft and Google — or any other non-EU provider — can only have a minority stake in the joint venture. Additionally, any employees with access to EU data would be required to reside in one of the 27 member countries, and undergo specific screening to handle EU data.

The majority company in the cloudy JV must be operated and maintained from the EU, all customer data must be stored and processed in the EU, and, unsurprisingly, EU laws take precedence over other countries' regulations, according to the draft proposal.

ENISA hasn't yet responded to The Register's request to see the proposal, but according to Reuters, it specifically says:

Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values.

Member countries will review the proposal later this month, and the regulations must be approved by the European Commission before they go into effect.

As of the first quarter of 2023, US-based companies dominate the European cloud infrastructure services market, with Amazon Web Services controlling 34 percent, Microsoft Azure coming in second with 26 percent, Google in third place with 13 percent, and IBM holding on to 3 percent, according to Synergy Research Group.

"The highest-ranked European companies in Q1 were SAP (ranked No. 7) and Deutsche Telekom (No. 8), both with a 2 percent share. No other European company had a share of 2 percent," John Dinsdale, chief analyst and research director at Synergy Research Group, told The Register.

Microsoft declined to comment on the EU proposal, while Amazon and Google didn't respond to The Register's inquiries. 

The US Chamber of Commerce has previously opposed adding these types of sovereignty requirements to the EU cybersecurity certification scheme. "This may ultimately lead to the very real threat of practically excluding American and other international cloud providers from the EU market," the American business lobbying group warned.

Additionally, in a joint statement on the European Cybersecurity Certification Scheme for Cloud Services, the US Chamber and a dozen other international organizations urged EU countries "to refrain from adopting requirements of a political – rather than technical – nature, which would exclude legitimate cloud suppliers and would not enhance effective cybersecurity controls." ®
