ESBG calls for removing sovereignty requirements from ENISA’s EU Cloud Providers Certification Scheme (EUCS) through joint industry statement
The ongoing process of developing a cybersecurity certification scheme for cloud services (EUCS) has been raising serious concerns within the EU financial services industry. Therefore, on 26 October 2023, a joint industry statement was issued by ESBG, Afore Consulting, the Association for Financial Markets in Europe (AFME), the European Banking Federation (EBF), the European Payment Institutions Federation, and Insurance Europe.
With this statement, the stakeholders want to draw attention to certain aspects of the EUCS development process that have been raising concerns. These include the insertion of sovereignty requirements into the EUCS draft text and the lack of engagement with the industry during this process.
Furthermore, the lack of transparency in the process is concerning. The last and only public consultation carried out on the draft certification scheme took place in 2021. Since then, the text has undergone significant changes, including the introduction of sovereignty requirements which had not been part of the consulted version. However, those changes have never been made officially available.
Therefore, the associations co-signing the statement call upon the European Commission and ENISA to:
• Remove the sovereignty requirements from the EUCS candidate scheme and adopt an implementing act which focuses purely on technical requirements that will strengthen the European internal market, as existing EU policies set out in the Digital Operational Resilience Act (DORA), GDPR, and NIS2 Directive provide the best tools for tackling operational resilience and oversight of ICT critical third-party providers;
and
• Actively engage with the industry during this process to ensure that the final scheme is adequate and fit for purpose.