The draft document suggests the introduction of a new “high+” level alongside the existing “basic,” “substantial,” and “high” tiers of The Cybersecurity Act. The “high+” level would require an EU company to have complete control over the cloud service in order to mitigate the risk of non-EU entities undermining EU regulations, norms, and values. Both the “high” and “high+” levels would also be subject to data localization measures within the EU.
