Jason Oxman President and Chief Executive Officer at Information Technology Industry Council | Official website
BRUSSELS – Today, global tech trade association ITI, the Information Technology Industry Council, urged the European Commission, ENISA, and the ECCG to exclude sovereignty requirements as it finalizes the European Cybersecurity Certification Scheme for Cloud Service (EUCS).
In a statement to lawmakers, ITI commended the improvements in the most recent EUCS draft that removes sovereignty requirements, noting such criteria could undermine the EU’s cybersecurity landscape and restrict non-EU cloud service providers' market access.
“The EUCS is a technical security instrument and should not include politically motivated requirements such as data localization and ownership controls (PUA requirements). Such requirements are discriminatory and do not inherently enhance the security of cloud services,” ITI wrote in its statement.
The latest draft removes the sovereignty requirements from the scheme and maintains 3 assurance levels - “basic”, “substantial”, and “high”, as foreseen by Article 52 of the Cybersecurity Act. The scheme also provides for transparent security requirements, such as information for customers, instead.
“This balanced approach could allow for better harmonization at the EU level when it comes to functional elements, while still enabling member states to apply exceptionally their own national security requirements for the specific highest sensitive use cases,” ITI wrote.
