Progress on the cybersecurity certification for cloud services (EUCS) – which has been in a deadlock since 2019 – will likely come after the review of the Cybersecurity Act (CSA).
ADVERTISEMENTEU-level discussions around voluntary cybersecurity certification for cloud services (EUCS) are unlikely to progress in the first half of this year, despite efforts by Poland – which is chairing EU ministerial meetings until July – to reach an agreement, sources familiar with the matter have told Euronews.
In 2019, European cybersecurity agency ENISA started working on EUCS, at the request of the Commission. It is set to be used by companies to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market, but it turned into a political battle over sovereignty requirements.
In particular France has led resistance and wants to be sure that it can continue to use its own scheme – SecNum Cloud – after the adoption of EUCS.
The political division led to a delay meaning that the scheme still needs an opinion from the European Cybersecurity Certification Group (ECCG) from ENISA. Its next meeting could take place in February at the earliest.
Poland, which started chairing EU government meetings as of 1 January, is centering some of its presidency events in the first half of 2025 around cybersecurity such as the informal telecom ministers meeting on 4-5 March, and it plans to host a conference around ENISA standardisation.
Industry groups are sceptical, however, if this would lead to a breakthrough in the deadlock on EUCS.
BSA, a lobby for the global software industry, told Euronews that it “regrets” that the process for adopting the EUCS, remains incomplete after four years of discussion.
“The core issue is not where the data or the company is located but how well the data is protected that matters, hence focusing on the technical aspects of cybersecurity and not on political considerations,” a spokesperson for the company said.
“The latest draft of the EUCS reflects this rightful balance, and we urge the Commission to adopt the scheme as soon as possible. Europe cannot afford to lose more time in ensuring its cybersecurity resilience,” BSA added.
Cyber Security Act review
Others believe that the Commission would want to wait with revising the EUCS process until the Cyber Security Act (CSA), the related piece of regulation, has been reviewed.
A spokesperson for the Commission told Euronews that “the CSA is undergoing evaluation, but a decision to revise the CSA has not yet been taken.”
The CSA, which entered into force in 2019, allows EU cybersecurity agency ENISA to prepare certification schemes. It was up for a review last year, but this did not take place yet.
Of the two other certificates proposed since 2019, only one has been approved, on baseline ICT products; another on 5G is still in progress.
The mission letter of newly installed EU Commissioner for Technological Sovereignty, Security and Democracy Henna Virkkunen, said that she will “contribute to strengthening cybersecurity […] notably by improving the adoption process of European cybersecurity certification schemes.”