20 Sep 2022

CEE digital industry warns of the risk that the cloud services market might collapse within the EU

There is a risk of drastic access restrictions to cloud services in the EU and damage to the competitiveness of the European digital market against the global stakes, the CEE digital industry warns. Six organisations from the Czech Republic, Lithuania, Poland, Romania and Slovakia have signed a position paper regarding the forthcoming legislation on security certification of cloud services. The document was addressed to the region's governments and EU institutions.

The European Union Agency for Cybersecurity (ENISA) is currently in the process of developing a European cloud service cybersecurity certification scheme (EUCS). Its aim is to define requirements for commercially available cloud technologies and their providers. It is expected to be incorporated into EU law by an appropriate act. The Central and Eastern European digital industry, grouped in the CEE Digital Coalition, sent a statement on the currently drafted legislation to EU authorities and regional leaders. The position paper was signed by digital industry organisations from the Czech Republic (SPCR), Lithuania (INFOBALT), Poland (Digital Poland Association), Romania (APDTIC and ANIS) and Slovakia (SAPIE).

Threat of competitiveness loss in the EU cloud services market

Under the EU Cyber Security Act, the EUCS is to introduce three levels of service security certification. Cloud service providers, customers in many industries and some EU member state governments are concerned about the proposed requirements needed to obtain a 'high' level of service security certification. The CEE digital sector organisations believe that the requirements for service providers to obtain an appropriate security certificate must not stand in the way of diverse, fair and competitive market development. Furthermore, they should not hinder cloud technology innovation in the EU.
- The provisions on 'sovereignty requirements', which do not relate to the technical aspects of cybersecurity, are worrying. For example, they specify that service providers who want to obtain the highest level of certification must have their headquarters in Europe. In addition, the providers cannot be subordinated to entities from outside the EU, notes Michał Kanownik, President of the Digital Poland Association, which chairs the CEE Digital Coalition.
- Furthermore, the proposed regulations do not specify for which tools, and in which sectors the highest level of security certification of cloud services would be required. This carries the risk of uneven regulation interpretation in particular Member States and legal chaos in the EU. As a result, we risk violating the principles of the single internal market of the European Union, adds Michał Kanownik.

Digital Three Seas proposals

Due to these concerns and other doubts, the region's industry organisations formulated a set of recommendations for the European Union authorities in their position paper. According to them, these would reduce the negative impact of regulation on the region's digital market. In particular, the industry calls for dropping the requirements concerning the origin and ownership status of entities applying for a 'high' security certificate. “A requirement for the legitimate operation of the provider's branch in the EU would be equally effective and sufficient in this case”, wrote the authors of the document.
They also call for ensuring broad public consultation on the project, transparency in the development of the certification scheme and preserving the optional nature of the emerging certification framework. Representatives of the digital sector also request that the views of all concerned EU Member States be taken into account during the development of the EUCS. The paper highlights that the proposed provisions could have a significant impact on transatlantic business relations, which are crucial for CEE countries.
The position paper also emphasises that the new regulations will affect not only cloud service providers, but also their customers, such as the banking, automotive or healthcare sectors, as well as a large number of small and medium-sized enterprises.
“As the regulations are going to affect a very broad range of market participants, the process of their creation must be transparent, and a public consultation procedure needs to be guaranteed”, states the document. The digital industry also asks for a thorough risk analysis and evaluation of the regulations' impact. It also urges the preparation of guidelines to help comply with the planned obligations and requirements.
- We urge all institutions involved in the EUCS to be aware of the regulation's impact on fair competition in the EU digital market. The access to cloud solutions is at great stake. In the age of rapid technological progress, regulation in the digital sphere should be time tested and respond to the current realities of the Digital Single Market. This is particularly important in the case of the EUCS Implementation Act. These provisions may limit the range of cloud services that are available to European consumers and businesses. Therefore, it is our duty to urge the EU authorities and our region's leaders to develop the European scheme of certification of cybersecurity of cloud services with caution, comments the President of the Digital Poland Association.