
Europe’s Cloud Security Regime Should Focus on Technology, Not Nationality

Information Technology | 2023-03-27 | ITIF
itif.org

NIGEL CORY | MARCH 2023

The EU’s new cloud cybersecurity regime should focus on good security practices, as the U.S. FedRAMP regime does. Emulating China’s protectionist focus on firm nationality is a bad security practice that weakens transatlantic influence over cybersecurity issues globally.

KEY TAKEAWAYS

• Like China, some European Union (EU) countries want to misuse cloud cybersecurity rules for the protectionist purpose of replacing leading U.S. cloud firms such as AWS and Google with local champions.

• The proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) follows China’s approach of making local firm ownership and control the defining factors in ascertaining whether a cloud service provider can be trusted.

• The EUCS differs from the U.S. Federal Risk and Authorization Management Program (FedRAMP) in several respects: It focuses on firm ownership, uses closed and politicized technical standards, and assesses services for the private sector, not just government.

• Protectionist proponents of the EUCS (namely France) want it all: local cloud firms, not American ones, but with all the cybersecurity assistance they can get from the U.S. government and the same U.S. cloud firms they want to exclude from their markets.

• A protectionist EUCS would undermine transatlantic digital trade by making the new Transatlantic Data Privacy Framework irrelevant, since U.S. firms would be precluded from managing a considerable amount of EU data, never mind transferring it overseas.

• The EU and its member states should remove the protectionist restrictions from the EUCS, focus on the actual technicalities of cybersecurity, and work with the United States on global cybersecurity issues through the EU-U.S. Trade and Technology Council.
INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | MARCH 2022

CONTENTS

Key Takeaways
Introduction
Stopping Data Flows and Cloud Market Access Undermines European, Transatlantic, and Global Cybersecurity
Explaining the U.S. FedRAMP System for Cloud Cybersecurity
How America’s FedRAMP Differs From Europe’s “Sovereignty”-Based Approach to Cybersecurity
    FedRAMP Is Open to Firms From Around the World
    FedRAMP Focuses on Cybersecurity Practices, Not Firm Structure and Ownership
    Data Localization Is a Misguided but Thankfully Minor Part of FedRAMP, Yet It Is Central to SecNumCloud and the EUCS Proposal
    FedRAMP Is Only Used by Federal Government Agencies and Does Not Impact U.S. Critical Infrastructure or the Broader Commercial Cloud Market
    NIST Cybersecurity Standards Are Open, Transparent, and Technically Focused—ENISA and EUCS Processes and Standards Are Not
Recommendations
    Use Standards “Crosswalks” to Build Transatlantic Cybersecurity Cooperation
    Negotiate a Transatlantic Agreement on Law Enforcement Access to Data
    Allow the Mutual Recognition of U.S./EU Cybersecurity Certification and Auditing Programs
Conclusion
Endnotes

INTRODUCTION

Like China, some European Union (EU) countries want to misuse cloud cybersecurity rules to replace leading U.S. cloud firms such as AWS, Google, and Microsoft with local ones—in other words, enacting digital protectionism.1 The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is the vehicle by which the EU wants to sneak this protectionist scheme into operation. At first glance, the EUCS is similar to what the U.S. Federal Risk and Authorization Management Program (FedRAMP) does for the U.S. federal government: provides a harmonized approach to cloud cyber