Latest news with #EUCS
Euronews
24-06-2025
- Business
- Euronews
Industry calls to safeguard independence of EU cybersecurity agency
Telecom operators, trade unions and industry groups have called for the EU's cyber agency ENISA to steer away from political interference and remain independent in response to a consultation on the European Commission's review of existing cybersecurity rules. In May, the Commission began gathering feedback on a revision to the bloc's 2019 Cybersecurity Act (CSA), which is being revamped in line with efforts to simplify existing rules. The proposal aimed to give the Athens-based ENISA a bigger mandate, including over the drafting of cybersecurity certification schemes, through which companies can demonstrate that their ICT solutions include the right level of cybersecurity protection for the EU market. Since 2019, the Commission requested three of these voluntary certification schemes: on baseline ICT products, 5G and cloud services, of which only the first has yet been adopted. The certification for cloud services (EUCS) turned into a political battle over sovereignty requirements. France has led resistance and wants to be sure that it can continue to use its own scheme – SecNum Cloud – after the adoption of EUCS. Tech industry association CCIA said ENISA's role in the certification scheme development 'should be explicitly grounded in technical independence, allowing it to make non-political decisions that reflect industry realities and cybersecurity best practices.' This was echoed by US tech company Amazon which said that the voluntary certification frameworks should be 'based purely on technical criteria'. 'We strongly believe that introducing non-technical factors could undermine the framework's effectiveness and create unnecessary barriers to innovation,' it added. Global consumer electronics company Lenovo, also warned against introducing non-technical criteria 'such as vendor nationality, ownership, or headquarters location—in cybersecurity risk assessments or certification schemes.' 'These measures risk undermining EU principles of non-discrimination, market access, fair competition, and proportionality, while offering little benefit to actual cybersecurity outcomes,' it said. There have been calls and plans from the Commission to increase the bloc's independence of suppliers from outside the EU. In the upcoming Cloud and AI Development Act, for example, the Commission plans to strengthen the EU's position in the industry. In the European Parliament lawmakers are also calling for measures to boost technological sovereignty and guarantee the bloc's independence and security by protecting its strategic infrastructure and reducing dependence on non-European technology providers. ENISA mandate The Commission began seeking feedback from industry and national governments on the functioning and scope of work of ENISA last year, as reported, in a bid to modify the agency's mandate and financial support. There seems to be support to increase its funding among the participants to the consultation. For example, Eco, a German association for the internet industry, said that the agency hadn't grown in terms of staff despite its expanded remit. 'Given the current geopolitical security challenges and the scale of global cyber threats, its financial resources remain limited compared to other EU bodies. [...] It is important to boost ENISA's role as the independent expert on European Cybersecurity. In order to operate independently and attract necessary resources, staff, and experts to the benefit of its mandate, ENISA has to leverage its public standing among the global community,' the contribution said. Henna Virkkunen, the EU Commissioner for technology, said earlier this year that she will carry out a so-called Digital Fitness Check – expected before the end of 2025 -- which will assess whether all existing tech rules are burdensome to companies, and identify areas for simplification. The CSA is expected to be part of that.
Euronews
11-04-2025
- Business
- Euronews
EU Commission starts consultation on revision of cybersecurity rules
ADVERTISEMENT The European Commission on Friday started gathering input to help revise the bloc's cyber rules, which date back to 2019, in line with efforts to simplify existing rules. The review of the Cybersecurity Act (CSA) will focus on the mandate of the EU's cyber agency ENISA, as well as the European Cybersecurity Certification Framework, and addressing ICT supply chain security challenges, the Commission's statement said. Euronews reported last year that the Commission already began seeking feedback from industry and national governments on the functioning and scope of work of ENISA, in a bid to potentially modify the agency's mandate and financial support. The CSA gave ENISA – which has some 100 staff members – a mandate to oversee the implementation of EU-wide cybersecurity rules. But one of its tasks, drafting a voluntary cybersecurity certification for cloud services (EUCS), has not advanced significantly since 2019. Related EU cloud scheme needs more privacy safeguards, French watchdog says Cyber certification to remain on hold despite Polish effort The EUCS is intended to be used by companies to demonstrate that certified ICT solutions have the right level of cybersecurity protection for the EU market, but it turned into a political battle over sovereignty requirements. There have been calls to make the system mandatory under the new CSA. Henna Virkkunen, the EU Commissioner for technology, said that she will carry out a so-called Digital Fitness Check this year which will assess whether all existing tech rules are burdensome to companies, and identify areas for simplification. The consultation comes weeks after Virkkunen said that she wants member states to adopt 5G security rules to protect networks from cyber threats and risks. In 2020, member states agreed to apply restrictions for suppliers considered to be high risk – such as China's Huawei and ZTE – including necessary exclusions, following security concerns, but only a limited number of countries have taken concrete steps to ban the companies. Interested parties, including member state competent authorities, cybersecurity authorities, industry and trade associations can give feedback to the consultation until 20 June.
Reuters
28-02-2025
- Business
- Reuters
Industry groups urge quick adoption of EU cybersecurity label that favours Big Tech
BRUSSELS, Feb 28 (Reuters) - Twenty-three industry groups across Europe have urged EU tech chief Henna Virkkunnen to adopt a draft cybersecurity certification scheme (EUCS) for cloud services that was tweaked last year in favour of Amazon (AMZN.O), opens new tab, Alphabet's (GOOGL.O), opens new tab Google and Microsoft (MSFT.O), opens new tab. The call came amid signs that the European Commission may delay adopting or even scrap the proposal, which has gone through several changes since it was unveiled by EU cybersecurity agency ENISA in 2020. The labelling scheme aims to help governments and companies pick a secure and trusted vendor for their cloud computing needs. The global cloud computing industry generates billions of euros in yearly revenue. "We would like to respectfully urge your support for the swift adoption of the European Cybersecurity Certification Scheme for Cloud Services," the groups said in a joint letter dated February 11 to Virkkunnen seen by Reuters. They said the March 2024 draft"made good progress in balancing between robust security standards and the inclusive, open-market principles that are critical for the growth and resilience of Europe's digital economy". The groups said the 2024 changes - which included scrapping provisions requiring U.S. tech giants to set up a joint venture or cooperate with an EU-based company to store customer data in the bloc in exchange for the highest level of the cybersecurity label - allow the scheme to focus on technical criteria rather than political ones. Signatories to the letter include Allied for StartUps, the American Chamber of Commerce in Estonia, Finland, Italy, Romania and Spain, the Association of German Banks, Germany's Association of the Internet Industry and Italian startup group InnovUp. The Irish Business and Employers Confederation, Dutch group Nederland Digitaal and Portugal's Association for the Promotion and Development of the Information Society also signed the letter. The Commission confirmed receipt of the letter and said it would reply in due course.
Euronews
27-02-2025
- Business
- Euronews
EU cloud certification should mimic French scheme, says nationalist lawmaker
A pending cloud certification scheme - which European companies will use to demonstrate that their digital systems are adequately cybersecurity protected for the EU market - should reflect France's own similar scheme, according to a Parliament report on technology sovereignty drafted by a far-right French lawmaker. 'When it comes to sensitive data, a European cybersecurity criterion should be introduced that takes sovereignty into account,' according to the report, seen by Euronews, which was submitted at the initiative of MEP Sarah Knafo, who belongs to the Europe of Sovereign Nations (ESN) group. The current European Cybersecurity Certification Scheme for Cloud Services (EUCS) does not provide sufficient guarantees regarding the hosting of European sensitive data, according to Knafo. 'In order to ensure that the hosting provider is not subject to non-European legislation, the EUCS certification would have to align with the guarantees required by the French SecNumCloud certification regarding the criteria of 'immunity' of data from extraterritorial laws and company control,' the report says. EU-level discussions around the voluntary cybersecurity certification scheme descended into a political scrap over sovereignty requirements after the Commission asked the EU's cybersecurity agency Enisa to start working on EUCS in 2019. France has led resistance to the proposal and wants to be sure that it can continue to use SecNum Cloud after the adoption of EUCS. A decision on EUCS has been pending with no clear timeframe of when it could make further progress. Some believe that the Commission wants hold revising the EUCS process until the Cyber Security Act (CSA), the related piece of regulation under which the EUCS will fall, has been reviewed. The CSA, which entered into force in 2019, was up for a review last year, but this hasn't yet happened. Cordon sanitaire The report is now awaiting a committee decision, in the Parliament's Industry, Research and Energy (ITRE) committee, before it will be voted on in plenary, after the summer. It remains to be seen how the report will be received. Knafo's ESN group faces a 'cordon sanitaire' from the more mainstream political groups. Knafo cites six recommendations to tackle the issue of technological sovereignty, and to aim for a guarantee of the bloc's independence and security by protecting its strategic infrastructure and reducing dependence on non-European technology providers.
