For a time now, cyber security has developed into a foundation of economic stability, technological accomplishment, and cyber security. Spain is currently at a crossroads, as the European Union seeks to decide whether the adoption of a cybersecurity certification scheme could lead to a fundamental change in how cloud computing works over the next years.
The Balancing Act of Digital Security and Innovation
Apart from being a labeling scheme, the European Cybersecurity Certification Scheme for Cloud Services (EUCS) is more of an approach by the EU to provide for a spectrum of security standards that are both strict and market inclusive. This significance has been recognised by 23 industry groups who have called on EU tech chief Henna Virkkunen to swiftly move ahead with the drafting of that certification scheme that was altered in 2023.
The cloud computing industry is an important economic factor, has billions of euros in revenue every year. Nevertheless, it is more than just taking in revenue figures. Digital transformation principles underlie the backbone of all industries such as healthcare, finance, manufacturing, public administration, and have on the rise through cloud services.
A Shift Toward Technical Merit
It is worth noting that the March 2024 draft of the EUCS represents a departure from previous drafts. The certification scheme is one of several iterations of the scheme that was first unveiled by the EU cybersecurity agency ENISA in 2020. The most recent changes had removed the requirements for the major tech companies (Amazon, Google and Microsoft) to rely on joint venture or partnership with European companies for their highest level of cybersecurity certification.
While practically neutral this modification constitutes a radical change of approach. The current draft instead stresses technical rules, rather than geographical or political elements, for the security certification. "Industry groups have welcomed this change, because it accords with ‘inclusive, open market’ principles that are vital for supporting growth and resilience in Europe’s digital economy,' " a spokesperson for industry groups writes.
The Stakeholder Coalition
Its broad implications give a sense for who would be part of the broad coalition for the adoption of the EUCS. Among the signatories are the Allied for StartUps, the American Chamber of Commerce in various European countries, the Association of German Banks, the German Internet industry’s Association of the Internet Industry, InnovUp, an Italian startup group.
This shows that the certification scheme is not limited to a single international sector or national boundary. The EUCS has been backed, among other organizations, by the Irish Business and Employers Confederation, Nederland Digitaal and Portugal's Association for the Promotion and Development of the Information Society in line with the pan European interest for it.
Navigating Uncertainty
However, industry support has not led the European Commission to change its position. Signs point that the Commission may put off adoption or even scrap the proposal completely. Uncertainty generates such challenges for businesses trying to decide what cloud security strategy to adopt.
The goal of the labeling scheme was to design it in a way that enables governments and companies to then select the secure and trusted cloud vendors from a labeling scheme. Otherwise, cloud computing organizations could be unprepared to take proactive decisions on their cloud computing needs, thereby threatening security and perhaps efficiency.
The Global Context
Finally, by migrating to the cloud — a global, digitally connected environment — companies are gaining more valuable services for less cost, sometimes risking the life’s work of a whole industry. The EUCS could provide a model for international standard in that it addresses similar challenges as do the nations and organizations around the world.
An element of also accepting cloud computing as a global rather than European only solution is accepting the change to requirements that may not have been in Europe's favor, as much as in favor of international companies. Treating artificial barriers to international collaboration as potential threats to international security rather than potential facilitators stands to complement rather than undermine an objective of actually creating conditions for international cooperation on security issues.
Looking Forward
While the European Commission weighs its response to the industry letter, stakeholders across Europe stand by that it be a framework that at least protects security and promotes innovation at the same time. Evolution of the certification scheme is a result of the dual factors of technical security requirement, market dynamics and geopolitical considerations.
Cloud computing landscape continues to be evolved rapidly with new technologies and security challenges every now and then. To the extent that any certification scheme is flexible enough to adapt to these changes and yet also provides the appropriate security guarantee, any certification scheme is insecure in the face of change.
Conclusion
The launching of the European Cybersecurity Certification Scheme for Cloud Services is a landmark achievement in pushing through the EU digital strategy. The current draft has been widely supported by industry throughout Europe because it goes back to technical instead of political considerations.
In order to decide on the scheme’s future, the European Commission must consider the costs and benefits of creating security and clarity vs market disruption. The twenty three industry groups in the pro coalition have made a strong case for quick adoption as they say that the March 2024 draft had a nice flexible balance of the security requirements and market openness.
This process will have an outcome that will define both the European cloud computing market and the wider digital economy for years to come. In the age of cyber threats on the rise and we have also become highly dependent on digital, the most promising way forward in the European digital future is a combination of technical rigor and market pragmatism for the countries' cybersecurity frameworks.
