ENISA leans into EU-based clouds with draft cybersecurity label

Cloud services providers that aren't based in Europe — like the Big Three — may have to team up with a cloud that is operated and maintained from the EU if they want ENISA's stamp of approval for handling sensitive data. ENISA, the European Union's cybersecurity agency, is currently developing a cybersecurity certification …

  1. OhForF' Silver badge

    "practically excluding American and other international cloud providers from the EU market"

    is not a problem and might even be seen as a positive side effect if your job is to promote European interests.

    Not allowing foreign companies access to sensitive data is at least as good an argument to ban foreign providers as alleged security issues in 5G kit are to ban Huawei from the US market.

  2. ParlezVousFranglais

    Simple protectionism which the eurocrats will love themselves for:

    Step 1: create a certification that the big 3 will never agree to

    Step 2: mandate that all EU governments and institutions have to use a provider with said certification

    Step 3: realise that you can now only use SAP and their prices are 3 times as much as you were paying before...

    1. Lars

      @ParlezVousFranglais

      Wrong, the big 3 will have to agree to it, and they will.

      1. ParlezVousFranglais

        I think that's what the EU is probably hoping, but all they are going to do is mandate themselves into paying a shedload more money for a lesser product.

        Let's assume I'm Amazon and I provide "cloud". My intellectual property, what defines "my" cloud and makes it better (or worse) than MS or Google is how I create and manage my cloud, the tools, the processes, the procurement etc.

        Now I'm told I can only provide "my" cloud, if I actually agree to give away all that IP to a third-party that I'm only allowed a minority stake in - a huge risk given that this is exactly how countless technology firms have had their fingers seriously burned when trying to operate in China

        The only possible way to do that is to retain a minority stake and license my IP to the other cloud provider at an extortionate rate. Now there are two "Amazons", my own native product un-certified, and a new certified product running exactly the same tech (or maybe a "lite" version), just with a badge that says it's somehow more secure and for three times the price.

        However, in exactly the same way as it has done for other areas of technology and defence, all this takes to unravel is a US edict forbidding any of the three to license their cloud IP to overseas third-party providers on the grounds of US national security - in fact right now they are probably actively lobbying the US behind the scenes to do exactly this.

        So with that, yes you might get your "ringfenced" EU cloud, working in exactly the same way but for a ton more money, and very probably in some kind of "cloud-lite" mode.

        So the EU governments and probably their various procurement teams will be mandated to use it, and all it will achieve is to cost them more. As we've seen with several high profile leaks from the US, you can have all the vetting you like, all the firewalls and security you like, and be sitting wherever you are instructed to sit, but if you want to leak info, you're gonna do it anyway, regardless of whether your platform has a pretty little logo attributed to it, and any "backdoors" hidden away in the system are going to be duplicated into the system you are licensing anyway. The EU majority owner of the JV won't actually develop anything in house as they will have to license in the whole platform, and those license fees will be fed back to the US companies anyway, thereby making them even richer than if said EU governments just licensed their normal product, and the majority owner will effectively be nothing more than a reseller

        Pure protectionism, the eurocrats will claim a victory, and one way or another the EU's citizens will pay way over the odds for what will very likely be only a marginal increase in "security".

      2. Doctor Syntax Silver badge

        the big 3 will have to agree to it, and they will.

        Isn't "When you have them by the balls their hearts and minds will follow" an old American saying?

  3. Doctor Syntax Silver badge

    Either a JV or maybe some form of franchise. I think there must be lawyers around Seattle with some experience of that sort of thing.

  4. Doctor Syntax Silver badge

    "aims to better protect member-state governments' and businesses' data."

    I'd hope they haven't forgotten protecting their citizens' data as well. Not that it helps us here now that we've taken back control.

  5. IanRS

    And who will care?

    If 73% (top 3 providers) of the market cannot get your special sticker for their product without giving the crown jewels away, then they simply will not join your scheme. If the top providers in a market do not meet a particular criterion, then that criterion will not become a requirement for any kind of procurement where any thought is given to realistic requirements (rare, I know). Hence 'ENISA certified' will only ever be required by EU government projects who will then end up with just the bit-players in the arena who cannot play at that scale and government projects will take even longer to deliver. However, they will of course be so much more secure.
