Proposed changes to cybersecurity regulations in the European Union (EU) could require non-EU cloud service providers to form partnerships with EU-based entities in order to obtain an EU cybersecurity label, according to a draft document seen by Reuters. The move, if approved, would impact major players in the cloud computing industry such as Amazon, Microsoft, and Google, which currently dominate the European market for both personal and business sectors.
Under the proposed regulations, non-EU cloud providers would need to enter joint ventures with EU companies to handle sensitive data and obtain the EU cybersecurity label. Additionally, personnel responsible for handling sensitive data would need to be located within EU member states and undergo specific screening processes.
The draft document suggests the introduction of a new “high+” level alongside the existing “basic,” “substantial,” and “high” tiers of The Cybersecurity Act. The “high+” level would require an EU company to have complete control over the cloud service in order to mitigate the risk of non-EU entities undermining EU regulations, norms, and values. Both the “high” and “high+” levels would also be subject to data localization measures within the EU.
While the proposed changes aim to enhance cybersecurity and protect the EU’s interests, there is potential for discretion among individual countries to impose additional requirements as they see fit.
The European Commission is expected to finalize the rules after they are agreed upon by EU member states, following discussions at the upcoming ENISA Cybersecurity Certification Conference. The outcome of these discussions will shed more light on the potential impact and implementation of the new regulations for non-EU cloud service providers operating in the European market.
