Amazon, Alphabet's Google, Microsoft, and other non-European Union cloud service providers looking to secure an EU cybersecurity label to handle sensitive data can only do so via a joint venture with an EU-based company, according to an EU draft document seen by Reuters.
US tech giants and others involved in the joint venture can
only have a minority stake, and employees who have access to EU data would
have to undergo specific screening and be located in the 27-country
bloc, the document said.
The document adds that the cloud service must be operated and
maintained from the EU, that all cloud service customer data must be stored and
processed in the EU, and that EU laws take precedence over non-EU laws regarding
the cloud service provider.
The latest draft proposal from the EU cybersecurity agency
ENISA concerns an EU certification scheme (EUCS) that would vouch for the
cybersecurity of cloud services and determine how governments and companies in
the bloc select a vendor for their business.
While the new provisions underscore EU concerns about
interference from non-EU states, they are likely to spark criticism from US
tech giants worried about being shut out of the European market.
Big Tech is looking to the government cloud market to drive
growth in the coming years while a potential boom in AI after the viral success
of OpenAI's ChatGPT could also boost demand for cloud services.
"Certified cloud services are operated only by
companies based in the EU, with no entity from outside the EU having effective
control over the CSP (cloud service provider), to mitigate the risk of non-EU
interfering powers undermining EU regulations, norms and values," the
document said.
"Undertakings whose registered head office or
headquarters are not established in a Member State of the EU shall not,
directly or indirectly, solely or jointly, hold positive or negative effective
control of the CSP applying for the certification of a cloud service," it
said.
The document said the tougher rules will apply to personal
and non-personal data of particular sensitivity where a breach may have a
negative impact on public order, public safety, human life or health, or the
protection of intellectual property.
The latest draft could fragment the EU single market as each
country has full discretion to impose the requirements whenever it sees fit, an
industry source said.
The US Chamber of Commerce has previously said that the plan
puts US companies on an unequal footing. The EU says the moves are necessary to
protect the bloc's data rights and privacy.
EU countries will review the draft later this month, after
which the European Commission will adopt a final scheme.

© Reuters