We write to raise concerns ahead of the upcoming meeting of the EU-U.S. Trade and Technology Council (TTC) taking place in Sweden at the end of this month, regarding new and alarming revisions to the European Commission’s proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS). We urge the United States to use upcoming meetings to engage with the European Commission and Member States to secure a durable solution that will enable American and European companies to compete on a level playing field, underpinned by transatlantic trust and safety, by removing nationality-based ownership restrictions of this draft measure.
While we support the overall goal of the EUCS to unify and harmonize the best security practices while reducing market barriers for businesses, we continue to be concerned about lack of transparency and public consultation, and the missing market impact assessment. For example, EU financial institutions and associations have voiced concerns that the so-called “sovereignty requirements” in EUCS would limit technology choice and be detrimental to the resilience and cybersecurity of digital and cloud solutions. Furthermore, the sovereignty requirements in EUCS appear contradictory to the recently adopted Digital Operational Resilience Act (DORA).
If not addressed before finalized, a discriminatory EUCS also threatens to inhibit robust transatlantic cooperation and collaboration in strategic emerging technologies such as artificial intelligence, machine learning, quantum computing, and biotechnology, including at the NATO level among allies.