According to a new EU draft paper, big non-European Union (EU) cloud service providers, such as Amazon, Google, and Microsoft, may only receive an EU cybersecurity certification by forming a joint venture with an EU-based firm.
Non-EU businesses participating in the joint venture would be limited to a minority ownership, and personnel having access to EU data will be subject to rigorous screening and must be situated within the EU’s 27-country bloc. Furthermore, the cloud service must be administered and maintained within the EU, and all client data must be kept and processed within EU borders. EU rules governing the cloud service provider will likewise take precedence over non-EU legislation.
The draft document highlights the importance of approved cloud services being run solely by EU-based enterprises, reducing the possibility of external organizations undermining EU legislation, conventions, and values. It expressly specifies that cloud service providers seeking certification should not be subject to the effective control, positive or negative, of organizations headquartered outside the EU.
Furthermore, the paper says that the stricter regulations will apply to both personal and non-personal data of substantial sensitivity, where a breach might have serious consequences for public order, public safety, human life or health, and intellectual property protection.
The sources for this piece include an article in Reuters.
