EU discusses ban on US cloud services
Contents
Cyber security has always been a political issue in the EU. With new developments, decision-makers are faced with new tasks within cyber security. The EU Commission is currently working on a cloud certification that affects Microsoft Azure and Amazon Web Services (AWS), among others, and could become relevant for many companies. If the planned law goes through, costs in the billions can be expected.
The GDPR and foreign cloud services
The concerns are not new: countless companies - and private individuals - use cloud services from Microsoft, Amazon and Google. As these cloud services are all provided by companies headquartered outside the European Union, the data protection directives provided for by the European Commission are at most on the periphery of the cloud developers' field of vision.
Since the European Parliament published the data privacy Regulation (GDPR) in 2016, stricter rules have applied within the EU to the processing of data, the storage of information and the retrieval of personal content. In the USA, data privacy is regulated differently: Instead of a comprehensive, generally applicable law, there are individual laws for individual industries and areas. Basically, US companies determine the level of their data protection internally. Companies are obliged to comply with their own rules, but there are few external regulations.
When US companies such as Microsoft, Amazon and Google offer their services outside the United States and, above all, within the EU, the different legislations clash and problems arise. The European Union wants to eliminate these problems and ensure that cloud services from abroad are used in Europe in compliance with the GDPR.
What are the EU's plans for foreign cloud services?
In May 2023, the EU presented a draft that envisaged cloud service providers being awarded a cybersecurity seal through a stake in an EU company. This would require a minority shareholding and the employees with access to EU data would have to be based within the EU. A special audit would also be necessary.
However, the EU has now recognized a much greater security risk in US cloud services and is even discussing an EU-wide ban on the clouds of Microsoft, Amazon and Google. The reason: US companies are obliged to pass on all data to the US authorities on request. This also includes all data from EU companies and EU citizens who use the corresponding cloud applications. Handing over the data is a violation of European data protection directives and creates a dilemma that is likely to be complex to resolve.
The ban under discussion is very unlikely overall. However, it is becoming apparent that cloud services are to be kept out of "critical areas". The EU member states will decide individually which these are. The focus is on areas such as healthcare and public administration, i.e. areas that process very sensitive data.
According to a study by the European Center for International Political Economy (ECIPE), the implementation of a ban in certain areas would cost Germany alone up to 130 billion euros economically. Across the EU, the study estimates the costs at up to 610 billion euros.
The draft is very controversial within the European Union and it can be assumed that many member states will not give their approval in this form. It is therefore likely to result in a watered-down version of this law, which will not have too much of an impact on most companies.
Learn data privacy in AWS
data privacy and cyber security are fundamental skills that should be in place when dealing with cloud services. Regardless of EU directives, US providers generally offer a secure environment in their applications.
In our three-day Security Engineering on AWS training , you will learn the best practices for data protection and cyber security in Amazon Web Services. In addition to strategies for data protection, the course also offers you exercises in security automation and web server log analysis.
