Cloud service providers (CSPs) such as Google, Amazon, and Microsoft could be facing new regulatory challenges in the European Union (EU) as the region is reportedly working on a draft rule that will force non-European CSPs to join hands with European firms if they want to handle sensitive data on the cloud. An EU cybersecurity label will be issued to CSPs if they plan to handle sensitive data, and it will be contingent on the requirement that a joint venture is formed between a non-European cloud provider and an EU firm, with the latter having a majority stake in this partnership.
The draft document, seen by Reuters, has other notable restrictions too. Personnel who have access to sensitive data should reside in the EU and need to pass a screening process in order to be eligible for this role. Additionally, the cloud services hosting this data should be operated and maintained from the EU, and any data processing should similarly take place inside this geographical boundary. Moreover, stricter penalties will apply to a CSP if a data breach results in negative impacts on public safety, human health, or intellectual property. Another excerpt from the document also reads:
‘Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values.
Undertakings whose registered head office or headquarters are not established in an ember State of the EU shall not, directly or indirectly, solely or jointly, hold positive or negative effective control of the CSP applying for the certification of a cloud service.’
If the draft rule becomes law, it will have major implications for both non-European CSPs and their European customers. In order to comply with the law, the two parties will have to ensure that the EU’s cybersecurity label is present on the cloud services being utilized. The requirement may even impact businesses already using platforms such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) for their processes involving sensitive data, as they will be required to have the cybersecurity label in place in order to continue.
The timeline for the rollout of these new rules is currently unknown, which makes sense given that it’s currently in the draft stage. Countries in the EU bloc are expected to review this document later this month.
