Building Resilience? The Cybersecurity, Economic & Trade Impacts of Cloud Immunity Requirements
- Author:
- Matthias Bauer
- Publication Date:
- 03-2023
- Content Type:
- Policy Brief
- Institution:
- European Centre for International Political Economy (ECIPE)
- Abstract:
- EU Member States should call on the EU’s Cybersecurity Agency (ENISA) and the European Commission to abandon immunity requirements in the proposed EU Cloud Certification Scheme (EUCS). With immunity requirements in the EUCS, the EU risks opening a Pandora’s box, paving the way for data localisation, foreign ownership restrictions, and local establishment requirements in digital industries globally, leading to rising trade tensions. ENISA’s current proposal could increase policymakers’ appetite for data localisation in the EU. It would empower the European Commission and Member State authorities to exclude foreign businesses from domestic cloud services markets and set a dangerous precedent for any data-intensive sector. The list of “sectors of high criticality” could be logically extended both to existing services (e.g., financial services) and to new technologies and business models, such as IoT in the energy and healthcare sectors, and autonomous driving in the transport sector. Non-EU jurisdictions would be pressured to respond in kind. EUCS immunity requirements would increase cloud adopters’ exposure to cybersecurity risks. Data localisation often creates obstacles to an integrated management approach towards cybersecurity risks. Country-of-headquarters and foreign-ownership restrictions in the proposed EUCS risk removing global frontier cybersecurity technologies from Member State markets. Excluding these and other EU and non-EU companies from EU Member States could result in a long-lasting security deficit of EU cloud adopters vis-à-vis organisations that are still able to use reliable and often best-practice cloud services offered by providers from outside EU Member States. Immunity requirements in the EUCS are discriminatory by design. They could provoke retaliatory measures by EU trading partners, either unilaterally or through WTO or bilateral FTA (e.g., UK-EU) Dispute Settlement.
Local establishment requirements and foreign ownership restrictions would by design discriminate against foreign cloud providers. US-headquartered companies, which currently serve more than 75% of the EU market, would be most affected by EU immunity requirements.[1] Depending on US preferences and the scope of the proposed EUCS, the EU could be subject to retaliatory tariffs on up to USD 12 billion worth of EU goods exports, or equivalent restrictions on EU services exports to the US. Other governments could lodge complaints via the WTO as well (e.g., Singapore, Japan, Canada and others, where cloud development is advancing rapidly). EU suppliers are currently in no position to manage a broad-based transition to cloud, and thus such requirements would delay significant efficiency and security gains that current foreign suppliers could offer. A blanket exclusion of non-EU cloud vendors would also likely undermine Europe’s objective of achieving a 75% cloud adoption rate for EU enterprises. Sensitive European businesses and public sector organisations would have to delay migration and make do with legacy systems for a very long time. Compared with large countries, these negative impacts would be much more pronounced for smaller EU Member States, which lack the presence of large domestic incumbents and generally rely much more on an open international trading regime for digital services. ENISA’s cloud certification scheme should be limited to technical and transparency requirements.
Immunity requirements for non-personal data should be addressed in bilateral initiatives such as the EU-US Trade and Technology Council (TTC), or in agreements requiring a company that seeks to offer services of the highest level of sensitivity to be headquartered in a country granted adequacy with EU data protection rules, in a country that adheres to the OECD’s Trusted Government Access principles, or (concerning the US) in a country participating in the upcoming Trans-Atlantic Data Privacy Framework. Excluding foreign companies from operating in the EU would have far-reaching consequences. If that is the intent, it should require a sound legal analysis, and the decision should be taken through a formal legislative procedure at the EU level.
- Topic:
- Economics, Markets, European Union, Cybersecurity, Digital Economy, Trade, and Resilience
- Political Geography:
- Europe