POSITION | DIGITALISATION | CLOUD COMPUTING
European Cybersecurity Certification Scheme for Cloud Services (EUCS) German Industry’s 7 key recommendations
17 June 2022

Certification schemes – Appropriate instruments to demonstrate a specific level of cybersecurity

Cloud services are key enablers of the digital transformation of our society. They are of utmost importance for companies of all economic sectors and are increasingly used by organisations of all sizes. According to a recent survey, 8 out of 10 companies in Germany use cloud applications.[1] Since companies utilise cloud services to store and/or process often highly sensitive data, cloud services must provide a risk-adequate level of cyber-resilience and data protection. In order to enable users of cloud services to choose trustworthy cloud solutions that implement cybersecurity and data protection measures according to the user’s requirements, a common basis for certification can increase the transparency of the market.

Therefore, German industry appreciates that the European Union Agency for Cybersecurity (ENISA) is currently preparing a “European Cybersecurity Certification Scheme for Cloud Services” (EUCS) as one of the first cybersecurity certification schemes based on Article 8(1) of the European Cybersecurity Act (Regulation (EU) 2019/881). Such a voluntary scheme can be an appropriate instrument for cloud service providers (CSPs) to demonstrate that they implement a specific level of cybersecurity which is appropriate for a certain range of intended application scenarios (intended use). German industry welcomes that the EUCS also contributes to the development of EU-wide agreed standards on cloud security.

Despite this overall positive perception of the EUCS, German industry perceives the need for significant changes to the currently prepared draft scheme, both regarding the content of the EUCS and its drafting process. In any case, companies should have the choice whether they certify their cloud services against the EUCS or other relevant standards (for example European harmonised standards).
A mandatory application of the EUCS should only be the ultima ratio if a voluntary approach turns out to be ineffective. In this regard, German industry opposes any attempt to make certification of cloud services based on the EUCS mandatory for all entities falling within the scope of the NIS 2 directive. In particular, we oppose a further fragmentation of the European regulatory framework by granting individual Member States the competence to make a certification based on the EUCS mandatory for private entities falling within the scope of NIS 2 and national laws implementing NIS 2.
[1] https://www.bitkom-research.de/de/pressemitteilung/nutzung-von-cloud-computing-steigt-im-corona-jahr (representative survey conducted among 556 companies with 20 or more employees in Germany)

Oliver Klein | Digitalisation and Innovation | T: +49 30 2028-1502 | o.klein@bdi