Will insurers in the EU still be allowed to use US clouds?
In recent years, the EU Commission has presented a number of proposals to increase the security of digital services in Europe. Still, in the area of cloud services, companies are turning in particular to U.S. providers, partly because European solutions are not competitive or are missing altogether. Regulating these areas therefore requires delicacy, as doing business could otherwise become very difficult for European companies.
In 2020, the European Cyber Security Agency (ENISA) was commissioned to develop a European Cybersecurity Certification Scheme for Cloud Services (EUCS) to strengthen the safety of cloud services within the EU.
According to the EUCS, cloud providers would in future be clustered into three security levels based on uniform and objective criteria: "basic", "substantial" and "high". Presently, the EUCS is intended to work on a voluntary basis. Users of cloud services would thus benefit from better information when choosing a cloud service provider. For companies, on the other hand, clear incentives to invest even more in cyber security measures would be created.
No European consensus on concrete sovereignty requirements
There is discussion about whether so-called sovereignty requirements must be met in order to achieve the highest certification level ("high"). These would require complete independence from non-European legal acts, and possibly even a headquarters in EU territory.
This not only entails risks with regard to international trade law. There is also a fear that large U.S. hyperscalers, due to such sovereignty requirements, would not be able to meet the conditions for the highest level of certification.
Some countries, such as France and Italy, are reportedly in favor of such strict sovereignty requirements. However, other countries, such as the Netherlands and Sweden, see precisely this as a danger of slowing down innovation.
If the sovereignty requirements were to come into play, insurers could in future be obliged to use only cloud providers of the highest security level. Cooperation with U.S. cloud providers would then hardly be possible. Since the EU itself has no comparable alternatives, this would risk a technological step backwards.
In particular, regulations on IT oversight, such as the Digital Operational Resilience Act or the revised Network and Information Security Directive (NIS 2), show that European legislation could indeed develop in such a direction.
Data security and sovereignty: yes; de facto ban on the use of U.S. clouds: no.
The GDV does support the goal of creating more security and sovereignty for European cloud data. Nevertheless, the industry is concerned about current plans to link the "high" security level to the requirement that there must be complete independence from legal regulations outside the EU.
Introducing new sovereignty requirements without careful consideration of the unintended consequences would weaken the industry's innovation and competitiveness.