EUCS: How Are Companies And Their Cloud Service Providers Preparing For It?

Xavier Roch Lhotellier, Consulting Director & Customer Transformation Leader at PwC Luxembourg (Photo © Olivier Toussaint)

Launched in 2019 by the European Commission, the European Cybersecurity Certification Scheme (EUCS) for Cloud Services will apply to all cloud services: IaaS, PaaS, SaaS, XaaS. Scheduled for 2024, the scheme still raises uncertainties and questions. Will organisations be able to comply in time?

In November 2019, the European Commission tasked the European Cybersecurity Agency (ENISA) with preparing a common candidate certification scheme for cloud services, EUCS (European Cybersecurity Certification Scheme for Cloud Services).

The scheme defines security and trust criteria applicable throughout the EU. Its aim is to ensure the resilience of the EU's networks and information systems. Its legal framework was set out in the Cybersecurity Act.

The standard will guarantee a high level of competence and quality of service in cybersecurity, while demonstrating strong protection of sensitive data. It will also standardise and harmonise the cloud services market with EU regulations, international standards, industry best practices, as well as with existing certifications in EU member states.

Cloud services impacted

The certification scheme will apply to all types of cloud services: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), Anything-as-a-Service (XaaS). The selected certificates will be applicable throughout the EU. The certification will be valid for three years and can be renewed.

In Luxembourg, the Institut luxembourgeois de la normalisation, de l’accréditation, de la sécurité et qualité des produits et services (ILNAS) will be the national cybersecurity certification authority responsible for supervision tasks.

According to Synergy Research Group, a U.S.-based research group, the European cloud market has quintupled in 2022 (compared to the beginning of 2017) to €10.4 billion. “While European service providers increased their cloud revenue by 167%, their market share fell from 27% to 13%, however, with their growth rate well below the overall growth of the cloud market,” it writes.

The three major hyperscalers – Amazon, Microsoft and Google – are the main beneficiaries of this growth, and now occupy 72% of the EU market. European leaders SAP and Deutsche Telekom, by contrast, each account for only 2% of the European market.

“The final scheme should be adopted mid-2023, and the first certificates should be published mid-2024,” predicted Jean-François Gillet, project manager of the Digital Trust Department at ILNAS, during a presentation in October 2022.

Business questions and uncertainties

“The scheme is currently still in draft form,” the ILNAS website stated in early April 2023.

How are enterprises and their cloud service providers preparing for it? What are the current issues and uncertainties raised by the scheme?

For Simon Petitjean (Cybersecurity Director, Offensive Security & Red Team Leader) and Xavier Roch Lhotellier (Consulting Director & Customer Transformation Leader), awareness of the importance of the sovereign cloud is gradually emerging among enterprises, but there is still a lot of work to be done.

“This would accelerate the momentum on this sensitive issue and offer a new horizon, that of a sovereign digital ecosystem, to European hosting companies in the face of the strong domination of American hyperscalers,” they explain.

Simon Petitjean, Xavier Roch Lhotellier, what are the main questions and uncertainties raised by the EUCS?

There has been a lot of talk about the EUCS for some time, but unfortunately today few concrete results are known. The discussion with the European Commission is probably taking place at the level of the Data Protection Officer and the legal experts of the hyperscalers, in order to move forward together to define a homogeneous framework. Also, on the ground, both in terms of expertise and the cloud service itself, we are not there yet.

Europeans are the world champions of regulation: where China and the United States innovate, we first work on how to regulate, before designing products and solutions.

We are a federal entity where decisions are taken by 27 Member States, each with its own vision of sovereignty. Ireland, Sweden and the Netherlands, for example, are opposed to this project in its current form. This is because it is contrary to their interests and risks excluding certain cloud actors with whom these countries wish to work.

ENISA’s job is to integrate all these national particularities, to design a supranational regulation that will take into account all these issues, and then quickly propose technical solutions that suit everyone. The challenge is therefore to respect sovereignty while remaining within the federal framework.

Moreover, if the EU manages to define an extremely precise regulation, do we then have the technical answers to move forward, when GAFAMs represent 69% of the European market?

We can therefore ask ourselves whether it is necessary to establish a European certification in the first place, or whether it would be more relevant to develop 100% European products first.

Simon Petitjean, Cybersecurity Director, Offensive Security & Red Team Leader at PwC Luxembourg (Photo © Olivier Toussaint)

How are companies preparing?

Although accustomed to successive European regulations, organisations know that they will have to be agile and resilient in the face of what awaits them. Unfortunately, the reaction is too often late. This is why awareness raising is still needed. Cloud infrastructure service provider (IaaS) executives are well aware of the road ahead for the sovereign cloud.

While some of our customers are already concerned, they are not necessarily waiting for EUCS to come into effect tomorrow. Depending on their level of maturity, some of them are starting to think and act on the possible security requirements for cloud services that will be defined.

Should companies monitor service providers’ compliance with EUCS?

Let’s take some of the more general regulations or concepts that have already been introduced by the EU, such as cybersecurity: over the years, it has become apparent that companies rely on a presumption of cybersecurity on the part of external service providers.

When they choose an IT solution from a provider, they assume that the provider will deliver the service in a secure and state-of-the-art manner. However, this is not the case: the perception of security varies from one provider to another.

In addition, some providers have offered security as an additional service: in other words, they have sold the solution before trying to sell security as an additional service.

Customers will likely expect service providers to comply with the EUCS. Will they have to check that the rules are being followed? It seems relatively simple to us: they can and should request a verification audit. In any case, relying 100% on a default trust approach is not what we can recommend.

Other issues should also emerge: will the client have expressed his need in a coherent way? Will the service provider have understood the regulations? Will the client have understood it too? Will they both have correctly identified their compliance obligations?

In concrete terms, how will companies be able to comply?

If we draw another parallel with GDPR: they first had to try to understand their data, to classify it well, to protect it well, and to make sure that they fit into the framework of this regulation.

It’s the same with EUCS: they will have to understand their business, understand the infrastructure that is deployed, the cloud solutions to be put in place and for what purposes.

What is PwC’s current position on the subject?

The effective date of the EUCS is not yet defined. We are not only waiting to see what will come out of the ad-hoc working group set up in 2020-2021, and the public consultation that followed, but are already moving forward hand in hand with local partners to propose alternative solutions that meet the security requirements necessary for our clients.

The implementation of the framework in national jurisdictions will rely on local regulators such as ILNAS. We believe that the major players and cloud services providers will be able to adapt intelligently so as not to slow down the development of solutions expected by their customers and consequently accelerate the shift to the cloud for some who are still too reluctant.

While incredible efforts are being invested in regulations, we must not forget that the most important thing in these efforts is the product and the IT solution.
