Non-EU cloud providers looking to gain the EU’s cybersecurity label for sensitive data may be in for a tough go.
According to a draft of new legislation seen by Reuters, the EU is preparing strict rules that non-EU cloud providers must meet in order to receive the coveted cybersecurity label.
The cloud providers will be required to partner with an EU-based company in order to qualify, and would only be eligible for a minority stake in the joint venture. All data handled by the venture would need to be stored in the EU, and EU data laws would take precedent over all others.
“Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values,” the document said.
“Undertakings whose registered head office or headquarters are not established in a ember State of the EU shall not, directly or indirectly, solely or jointly, hold positive or negative effective control of the CSP applying for the certification of a cloud service,” it added.
As Reuters points out, US cloud providers are likely to balk at the new legislation, and it will likely have a significant impact on the market.