The European Union is weighing a plan that would require cloud providers to store all of their data within the bloc in order to qualify for its highest cybersecurity certification.
ENISA, the EU’s cybersecurity regulator, is drawing up the new, stricter requirements to ensure that no foreign government can interfere with EU data, according to a draft of the proposal seen by Bloomberg.
In practice, this would mean that US cloud providers such as Amazon.com Inc., Microsoft Corp. and Alphabet Inc. would have to find a way to ensure that the American government can’t access European cloud data in order to qualify. Non-EU cloud companies would have to either operate an EU legal entity separate from the parent company, or be part of a joint venture with a European cloud company.
A spokesperson for ENISA said that it couldn’t comment on a private document and that the proposal would need to be signed off by EU countries’ representatives. The spokesperson added that the highest level of certification is intended to be only applicable to a small set of cases that require extra security, such as highly critical infrastructure applications.
A spokesperson for Amazon’s AWS declined to comment on the draft proposal. Representatives for Microsoft and Alphabet didn’t immediately respond to a request for comment.
The higher standard could be used to select companies to compete for contracts to store sensitive government data. The draft proposal, which was first reported by Euractiv, would be voluntary and is still subject to change.
ENISA is proposing a two-tiered “high” level cybersecurity classification. Most American cloud providers can already meet the proposed “EL3” standard, which requires a level of transparency about data. The highest level — EL4 certification — would require the data be stored in the EU and not be subject to foreign government interference.
US companies had been concerned that ENISA would include some kind of EU ownership rules for cloud data — akin to what France already has in place — to achieve the highest certification. ENISA’s proposal will be easier for US companies to achieve. Oracle’s Sovereign Cloud offering, for example, likely meets the proposed EL4 requirements, according to two people familiar with the details.
--With assistance from Benoit Berthelot.
(Updates with ENISA comment in fourth paragraph)