Cyber certificate debate to land on plate of incoming Commission

The longstanding debate on voluntary cybersecurity certificates for cloud services (EUCS) will likely land on the plate of the incoming European Commission since it is unlikely to be resolved before the end of this mandate, a spokesperson for the EU’s cybersecurity office ENISA told Euronews.

Debate on the draft text is taking place within a working group of ENISA, and was already delayed before the summer, due to additional guidance on sovereignty questions, as Euronews reported in June.

According to a Commission official, the next working group meeting is planned for the autumn, with no official date confirmed yet. 

The scheme, drafted by ENISA at the request of the Commission in 2019, is set to be used by companies to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market, but turned into a political battle over sovereignty requirements.

Incoming Tech Commissioner Henna Virkkunen is set to oversee the debate, once she is approved by the European Parliament and the new college takes office.

According to her mission letter, sent by President Ursula von der Leyen, she will have to “contribute to strengthening cybersecurity”, notably by improving the adoption processes of such schemes. 

Deadlock

France attempted to introduce sovereignty requirements within the text, designed to exclude non-EU cloud companies from qualifying for the highest security options, and resembling its own cloud certificate SecNumCloud. 

This proposal was strongly resisted by several EU countries and industry, perceiving it as a protectionist move, and no deal has been reached since. 

The Commission now still needs to provide the experts with guidance on how the member states may add their own requirements. Once they rubber stamp it, the EU executive will publish an implementing act. The provisions will not apply until 18 months after entry into force.  

The delay in the pending scheme coincides with the evaluation of the Cybersecurity Act itself. The Commission began a consultation earlier this year among companies and governments quizzing them among other things about the role of Enisa.

The Act – which was approved in 2019 – gives ENISA a mandate to support the coordination of the EU in case of large-scale cross-border cyberattacks and crises.

Of the two other certificates proposed by the Commission since 2019, only one has been approved, on baseline ICT products. Another one, on 5G, is still in progress.

Earlier this week, the Commission said it has requested ENISA to provide support for another certification, this time of European Digital Identity Wallets.