The European legislator is working on a scheme of cloud services certification with respect to the issues of security and the processing of personal data. The regulation could become mandatory for all companies that provide cloud services within the borders of the European Union but have their headquarters outside them: think of Google, Amazon, Microsoft and so on. The certification is also part of the provisions contained in the Directive NIS2which introduced new obligations in terms of cyber security for companies.
ENISAthe Union’s cyber security agency, has recently shared a draft of the proposed regulation with members of theEuropean Cybersecurity Certification Group.
In practice, i cloud service providers who wish to continue to offer themselves to European businesses and private users will have to show a “conformity label” to highlight compliance with the provisions on the processing of personal data. Furthermore, certification can only be obtained through a joint venture with a company based in the Union.
US tech giants and others involved in the joint venture they can only have one minority share and employees who have access to the data of individuals residing within the European borders will have to pass a specific verification procedure, as well as residing in the block of 27 countries of the European area.
The draft document notes that cloud services must also be operated and maintained in the European Union; the same user data must be archived ed processed in the Old Continent. Furthermore, European laws they must have the precedence on “non-EU” laws with respect to the behavior that the cloud service provider is required to observe.
On this and other points, the US Chamber of Commerce has previously stated that the new European Union proposal puts US companies on a level playing field disparity. The European Commission, on the other hand, says the moves are needed to protect data rights and the privacy of every single individual.
The proposal also states that stricter rules shall apply to personal and non-personal data of particular sensitivity for which a breach could have a negative impact on public policy, public safety, human life or health, or the protection of intellectual property.
The provision being prepared by the European institutions once again looks at the principle of data sovereignty according to which the European Union has the right to control and manage its data within its geographical borders. This means that data that is generated, collected or processed within Europe must be subject to European laws and regulations, with individual governments capable of protecting and regulating that data.
Foreign cloud providers and the so-called in general are therefore called into question over-the-top (OTT) or all platforms that provide users with the ability to access audio, video or communication content via the Internet, bypassing traditional telecommunications operators.