EU lawmakers have removed sovereignty requirements for the proposed cybersecurity labeling scheme, marking a move away from rules that critics say would severely inhibit non-EU providers.
The proposals would have required cloud providers outside the EU to establish a “joint venture” with providers based in the union due to data sovereignty and security rules.
However, the new changes mean that cloud providers will only be required to provide information about their organizational data structures, according to documents seen by Reuters.
This will include information about where data is stored and customers' data processing practices.
The move by lawmakers marks a major shift, and while non-EU businesses are expected to welcome the changes, the decision to remove sovereignty requirements could lead to further confusion.
Several major companies had already begun to take relevant measures to ensure compliance with the impending regulation.
EU member states will now review the edited draft, after which the European Commission will finalize the requirements.
Cybersecurity labeling rules caught attention
Original proposals for the rules would have required non-EU cloud operators to establish a joint venture with an EU-based company to qualify for the EU cybersecurity label.
These non-EU operators would have only received a “minority stake” in these joint ventures, specifically designed as contact points for EU regulators within the region.
This would also have required non-EU cloud providers, such as Microsoft or Google, to store and process customer data within the region.
“Certified cloud services are operated solely by EU-based companies, with no non-EU entity having effective control over the CSP (cloud service provider), to mitigate the risk that powers of interference outside the EU undermine EU regulations, standards and values,” the original document said.
These original requirements drew sharp criticism from several groups, including European banks, clearinghouses and insurance groups, who argued that technical provisions should take precedence over political and sovereignty obligations.
The proposed regulation drew similar criticism from those with interests in the non-EU cloud provider ecosystem, with several officials and trade bodies expressing concerns about the regulation's demands.
This reaction came at a time when cloud industry stakeholders were at odds with EU lawmakers over their approach to regulation.
In March 2023, the European Center for International Political Economy (ECIPE) published a report that described the demands in the original draft as “discriminatory” towards cloud providers operating outside the EU.
These changes come amid a period of increased regulatory scrutiny for hyperscale cloud providers like Microsoft.
The tech giant has come under frequent criticism for its alleged lackluster attempts to alter data sovereignty rules to comply with EU regulations.
Microsoft recently entered into talks with Cloud Infrastructure Service Providers in Europe (CISPE) with a view to resolving an EU antitrust complaint filed in November 2022.