Strengthening the EU’s Cybersecurity: The New EU Cybersecurity Certification Framework for Cloud Services
By Despina Spanou, Head of Cabinet for European Commission Vice President Margaritis Schinas | Business Partners, Sept-Oct 2021

Usually required in sensitive marketplace areas or industries where a failure could have serious consequences, such as negatively impacting the welfare or health of the people using that product, product certification is a clear sign of a well-regulated and mature economy and society and creates trust between sellers/manufacturers and end users/consumers.

European consumers know that products available in the European Union either are certified or of high quality, safety and security standards because they comply with the EU’s legislative framework. The necessity to ensure high safety and security standards and create trust towards products available in the EU internal market is the approach we also took when we started shaping the Cybersecurity Act. At that time, I was part of the team responsible for drafting the Act as well as negotiating this file with the EU co-legislators, the Council and the European Parliament.

The Cybersecurity Act, which entered into force in 2019, introduced an EU-wide cybersecurity certification framework, along with a new mandate for ENISA, the EU Agency for Cybersecurity. The idea behind this cybersecurity framework was to apply the EU approach on the safety of products to a possible certification framework for digital products, but starting with a voluntary approach. We decided to go for a voluntary approach because on the one hand, we knew that cybersecurity was a dynamic and constantly evolving sector, and on the other hand, because we wanted to test this approach and, if successful, to gradually evolve it. Today, the EU is already working on developing three cybersecurity certification schemes: the EU Common Criteria certification scheme (EUCC), the EU Cloud Services certification scheme (EUCS), and a scheme for 5G security.

Cybersecurity certification is part and parcel of the European Commission’s work towards a genuine Security Union

Cloud security has always been one of the priority areas we had in mind while we were drafting the Cybersecurity Act. The increasing role cloud services play in our socioeconomic life is evident. Businesses and government entities rely more and more on cloud services for on-demand storage, processing power and computing resources. The Covid-19 pandemic accelerated even further the shift to cloud solutions. According to some studies, the enterprise use of cloud solutions increased by 50% between January and April 2020, notably during the time that we were adapting to the pandemic reality. The Covid-19 pandemic changed our lives in many ways; among these changes was also the fast digitalisation of our life, either professional or personal. We had to rely on digital infrastructure to meet the needs of a remote life. The pandemic illustrated how cloud infrastructure could support our digital life and how critical cloud solutions proved to be for specific sectors such as education, to enable moving to distance learning. I read that in a recent survey with global IT leaders, 82% said they had increased their use of cloud in dire response to the pandemic. This makes cloud certification even more pertinent as we have to ensure the security of the cloud solutions we use and especially for critical areas of our economy and society.

The idea behind the EU certification scheme on cloud services is not only to provide cybersecurity assurance throughout the cloud supply chain, but also to use it as a lead example of how certification schemes should be and can actually work in market terms. The EU certification candidate scheme on cloud services meets perfectly the criteria we had set as European Commission: It is a voluntary scheme, it covers the three levels of assurance provided in the Cybersecurity Act—as different services might require different levels of assurance against cybersecurity risks (basic, substantial and high)—and it embodies the national schemes and international standards that already exist, in order to not duplicate, discard them or start from scratch when there is work that has already been done.

European cybersecurity schemes have the potential to become global reference schemes

The European Union Cybersecurity Certification Scheme on Cloud Services (EUCS) candidate scheme is based on input by experts, which includes members from industry, and participants from Member States and European Institutions. The Certification scheme is currently under development. The resulting certificate will be recognised in all EU Member States, making it easier for cloud providers to offer their services across the EU as well as eliminating any market-entry barrier for SMEs and new businesses in this sector, and for users to understand the security features of the services they use. Overall, such a certification will also enhance the EU’s cybersecurity.

The European Commission has an ambitious vision for cybersecurity, and cybersecurity certification is part of this vision. Cybersecurity certification is also part and parcel of the European Commission’s work towards a genuine Security Union. As you will notice in our Security Union Strategy 2020-2025, we have shifted our approach to security. As it is impossible today to cover all sectors of our economy and society and products, our approach to security is based on the threat landscape. In this context, in December 2020, we proposed a review of the legislation on critical infrastructure as well as the review of the Network Information Systems Directive (the so-called NIS) that we presented. NIS2 is adapting the current NIS Directive to the current threat landscape, by expanding its scope to all critical infrastructure, such as manufacturing or public administration. As all these sectors depend largely on cloud systems, the EU certification scheme on cloud service will be instrumental in ensuring the highest level of protection of our critical infrastructure.

Recently we even proposed a new Regulation on general product safety, which takes into account evolving risks for consumer safety linked to digital technologies, including the extension of the concept of safety to cybersecurity features.

We believe that Europe will become a leading force in cybersecurity certification. European cybersecurity schemes have the potential to become global reference schemes; they will be a key element of our transatlantic agenda. They enable a globalised market—a market that we do not exclude ourselves from, but that we open Europe to through these schemes.