France has questioned the latest draft of the EU Cloud Certification Scheme (EUCS) that would allow member states to set national sovereignty requirements at the highest cybersecurity level of the scheme, according to a leaked letter sent to the European Commission’s Legal Service.

The EUCS aims to harmonise cloud security requirements in the EU, and the latest proposal by EU cybersecurity agency ENISA, seen by Euractiv, uses a three-layer approach.

It is unclear which part of French authorities penned the letter leaked by former Euractiv Tech Editor Luca Bertuzzi. However, it is the country’s permanent representation to the EU that generally addresses the Commission’s Legal Service.

The French Permanent Representation declined to comment on the letter.

Additional requirements

French politicians have been pushing for additional requirements, including some 2,000 cybersecurity requirements, on the third level of this new EU scheme.

These sovereignty requirements would require companies to be headquartered in EU member states to achieve the highest level of certification to be allowed to sell services to public or private entities that handle highly sensitive data.

They argue that it is important to save strategically important European data from the extraterritorial reach of US and Chinese laws.

Germany initially backed the proposal but then switched sides and joined Ireland, Slovakia, the Netherlands, and other smaller countries that opposed it.

In their view, these requirements would ensure that smaller countries would not get top-notch cloud services, most of which are leased from US-based companies.

To accommodate the two opposing views, the latest EUCS proposal allows countries to set their own standards on top of what is prescribed in the scheme.

This would allow France and like-minded countries to set their own sovereignty requirements.

In the leaked document, the French appear to be pushing back on this solution, too.

They also seek to clarify some key points on the latest EUCS draft, which go beyond the certification scheme itself.

The Commission’s legal service previously told member states that the 2019 Cybersecurity Act (CSA) does not cover the extraterritorial reach of non-EU states, the letter says. The CSA called for cybersecurity certification schemes, such as the EUCS.

The French authors of the letter ask the legal service to confirm this assessment of the CSA.

They also ask whether the Cybersecurity Act and EUCS are indeed meant to unify standards rather than divide them, possibly hinting that the current solution will lead to fragmentation of rules across the bloc.

France looks to affirm that it can establish its own sovereignty requirements, even if they are not part of the EUCS. But it also looks to go further than national security cases, implementing the most stringent criteria “in very specific cases […] regarding certain categories of sensitive data.”

EU cloud providers and major companies have also argued that the latest proposal will lead to market fragmentation.

[Edited by Alice Taylor]

Read more with Euractiv