According to a draft document from the EU cybersecurity agency ENISA, non-European Union cloud service providers like Amazon [AMZN:US], Google [GOOGL:US], and Microsoft [MSFT:US] can only obtain an EU cybersecurity label for handling sensitive data through a joint venture with an EU-based company, as reported by Reuters on May 9. However, U.S. tech giants and other parties involved in the joint venture can only have a minority stake, and employees with access to EU data must undergo specific screening and be located within the EU. The cloud service must be operated and maintained from the EU, and all customer data must be stored and processed in the EU, with EU laws taking precedence over non-EU laws. The proposal concerns an EU certification scheme that would certify the cybersecurity of cloud services and determine how EU governments and companies choose a vendor for their business.
The new provisions will apply to personal and non-personal data of particular sensitivity, where a breach could have a negative impact on public order, public safety, human life or health, or the protection of intellectual property. The document also notes that the draft proposal may fragment the EU single market, as each country can impose the requirements whenever it sees fit. These stricter rules are intended to prevent interference from non-EU states, but they may lead to criticism from U.S. tech giants. The draft will be reviewed by EU countries later this month before the European Commission adopts a final scheme.