September 16, 2023

Feedback to the European Commission on the European Union Agency for Cybersecurity and EU Cybersecurity Framework


The Coalition to Reduce Cyber Risk (“CR2”) and the Cybersecurity Coalition (“the Coalition”) submit this feedback in response to the evaluation launched by the European Commission (“the Commission”) for the European Agency for Cybersecurity (“ENISA”) and the EU Cybersecurity Certification Framework. We applaud the Commission and ENISA’s efforts to harmonize cybersecurity standards in Europe, including for cloud services via the European Cybersecurity Certification Scheme for Cloud Services (“EUCS”) and seek to ensure that it more effectively meets its public policy goals. 

Our members represent global organizations from numerous sectors, including IT, financial services, and communications, that are committed to security, trust, and economic growth and opportunity. Our members have deep expertise in cybersecurity and enterprise risk management, as well as unique insights into cross-sector interdependencies and global interconnectivity, which drive the need for consistent, foundational approaches to cybersecurity risk management across sectors and geographies. As such, we have set out to work collaboratively with public and private sector entities to improve cybersecurity risk management practices that will both enhance cybersecurity and support economic growth.

Our organizations seek to improve international cybersecurity standards and outcomes, and we believe we have some unique insights to offer to ensure EUCS achieves its intended goals of resilience and security in the use of cloud services for the EU market. While we very much support the effort to raise and standardize cybersecurity standards across Europe, we have some concerns about the cybersecurity impacts of certain proposed EUCS requirements and the process that has been undertaken to develop the draft proposal. 

Cybersecurity Implications of Nationality Provisions 

Unlike other leading cloud certification schemes, under the proposed draft of EUCS, risk is not assessed solely by technical or administrative cybersecurity factors. In addition, the certification assesses the highest assurance levels (currently divided into 2 evaluation levels, “EL3” and “EL4”) by the nationality and ownership of the cloud services provider (“CSP”). As part of the voluntary scheme, CSPs seeking the highest evaluation levels of the certification would be subject to significant digital sovereignty, foreign law immunity, ownership, and data localization requirements.

As we understand the proposal, with limited exceptions, EUCS would require EL4 CSPs to be both globally headquartered in the EU and owned by a European entity. Furthermore, this level requires strict processing and storage of all cloud service customer data within Europe.

Such measures, if they move forward, have a high risk of undermining resiliency and security. Across Europe, both public and private entities rely on best-in-class CSPs to support their cybersecurity needs across all sectors of the economy. Many of these state-of-the-art and cutting-edge technology providers are based outside of Europe. The restrictive certifications in EUCS would present a major challenge to public and private entities seeking access and cooperation with all non-EU cloud vendors, cybersecurity providers, and partners from the international security community. The exclusion of these vendors and partners will greatly inhibit the collective cybersecurity of the EU, leaving entities with reduced access to cybersecurity resources, potentially hindering incident response efforts, and creating significant obstacles to information sharing for cybersecurity purposes. 

Moreover, in the current challenging geopolitical context, such restrictions may be detrimental to transatlantic security cooperation and the security community. The ongoing conflict in Ukraine has reinforced the criticality of being able to access best-in-class global CSPs and cybersecurity talent. The mass migration of Ukrainian government and infrastructure data to CSPs based outside of Ukraine at the onset of the conflict greatly limited the impact of the numerous cyber and kinetic attacks the country faced.

The prevention of cyber-attacks increasingly relies on automation and access to global data sets for efficient, accurate, and rapid threat detection. Cross-border data sharing enables CSPs to have a comprehensive view of their networks and share critical security telemetry. This in turn increases their ability to rapidly discover, identify, track, and disrupt various types of malicious cyber activity.[1] EUCS, if adopted with the limitations as currently drafted, would undermine common data security best practices, as well as the overall security and resilience of the European Internal Market.

We recommend that any potential limitations or restrictions on non-EU headquartered CSPs for EL3 and EL4 be removed, or that companies headquartered in countries that the EU has determined to be trustworthy also be permitted to achieve certification at the highest levels to the same extent that EU-headquartered entities are permitted. Trustworthiness could be established through the NATO alliance, or through an adequacy determination by the EU.

Transparency and Stakeholder Participation 

The effectiveness of any certification development relies in part on transparency. In the case of EUCS, ambiguous scope requirements have led to significant concerns across industry and in at least seven EU member states. The highest certification levels (both EL3 and EL4) will apply to an exceedingly broad set of data workflows. The scoping appears to go beyond national security information, as well as commercial information. ENISA should foster increased transparency around these concerns and the drafting process to enable a more secure certification, and one less influenced by special interests.

[1] CR2, “Better Connected: How International Data Flows Enable Stronger Cybersecurity” (April 2023), https://static1.squarespace.com/static/6463d2a33fe1fd69757b5356/t/6463fd009cf0b63b567d9a1e/1684274461449/Better%2BConnected%2B%28CR2%29.pdf

Given the wide-reaching and complex nature of certification schemes, it is imperative that ENISA substantively engages with stakeholders early in the process to identify possible gaps and shortcomings. In general, opportunities for stakeholder participation in the ENISA certification processes have been far more limited than is typically the case in other OECD countries. 

In the case of EUCS, while a public consultation was launched in 2020, it was open for less than seven weeks over the winter holiday period. In addition, material changes have been incorporated into the draft since that original consultation, fundamentally altering the usefulness of the certification for European cloud users. With the potential impacts of the proposed scheme in mind, more time should have been afforded to encourage more robust engagement from stakeholders.

***

We inhabit an ever-evolving cyber threat and regulatory landscape. The increasingly globalized nature of today’s cyber threats necessitates greater collaboration among trusted partners and across borders. We appreciate the opportunity to share our concerns with you. As the dialogue around this topic continues to evolve, we would welcome the opportunity to further serve as a resource on both technical and policy questions to support ENISA in achieving its mandate and enabling stronger cybersecurity risk management across Europe. 

Respectfully Submitted, 

Coalition to Reduce Cyber Risk 

Cybersecurity Coalition 

September 16, 2023 

CC: Alex Botting, Venable LLP 

Ari Schwartz, Venable LLP