Policy Brief

Clingendael

Netherlands Institute of International Relations

MARCH 2024

Too late to act? Europe’s quest for cloud sovereignty

Alexandre Gomes & Maaike Okano-Heijmans

As European governments start adopting cloud services, the notion of cloud sovereignty is still largely underexplored. The future of the governments’ information technology landscape lies in hybrid cloud solutions, but the European cloud market is dominated by American providers. European alternatives are scarce in quantity and in what they can offer. Cloud sovereignty requires quality technology, but also trust, security and diversification – three elements that are not necessarily ensured by the current American offers. Making proper data classification and finding talent to manage such landscapes are other important challenges. Reducing cloud vulnerabilities requires giving European providers the ability to grow and develop fitting and specialised solutions, including via tailored public procurement that can, over time, contribute to building minimum viable clouds in EU Member States.

Introduction

In recent years, the Netherlands and the European Union (EU) have started to act on their desire to be more resilient and less subject to geopolitical tensions. Next to strategic autonomy in the defence and energy domains, digital economic security is high on the political agenda.¹ Amid a rapidly evolving geopolitical landscape and the rising disruptive potential of technology, vulnerabilities in the digital sphere are proliferating.

Reducing dependencies on external actors is a key step towards enhancing the European bloc’s (digital) economic security and the EU’s ability to make its own decisions. Since the late 2010s, European governments have thus been pushing for reduced reliance on China’s Huawei for critical parts of telecommunication networks in the shift from 4G to 5G networks. Today, the EU stands at a similar juncture with regard to cloud services (see Figure 1 below). As not only companies but also governments are shifting to cloud-based IT services, data protection and protection against external interference must be central in the debate.² This time, however, the EU’s dependence is not on Chinese companies, but on American Big Tech.

The authors are grateful to the many experts who contributed their inputs to this Clingendael Policy Brief.

1 Maaike Okano-Heijmans, Alexandre Gomes and Daniel Kono, Strengthening digital economic security in Europe, October 2023.

2 The 2013 revelations by whistleblower Edward Snowden about US surveillance programmes abroad rang the initial alarms. As of the end of 2023, nine of the ten highest fines applied because of noncompliance with the EU’s General Data Protection Regulation (GDPR) were enforced on American Big Tech companies, and one on a Chinese company.


Figure 1 Is the EU living its ‘5G moment’ on cloud?

[Figure: timeline of the EU position on telecom sovereignty and on cloud sovereignty]

Telecom sovereignty

• 2000s (3G): Huawei as a market player
• 2010s (4G): Huawei as an acceptable, dominant player
• 2020s (5G): Huawei as a national security challenge

Cloud sovereignty

• 2005-2010: Cloud as groundbreaking technology. Private sector leading migration to cloud services; cloud native start emerging
• 2015-2020: Cloud-first as new paradigm. Governments’ awareness about cloud services increases
• 2020-2025: Cloud as a national security challenge. Awareness about cloud sovereignty increases; EU Cloud Certification Scheme

Source: authors’ compilation

The three biggest universal cloud service providers (CSPs) operating in the EU – Google, Amazon and Microsoft – have a combined market share of 70 per cent. European alternatives to these American CSPs – also known as hyperscalers – are limited, both in number and in scale.

As growing numbers of consumers, companies and government institutions move their data to the cloud, now is the time for the EU and its Member States to develop a unified view on how to balance technologically enabled efficiency with public interest and national security. EU Member States such as France, the Netherlands and Estonia have different understandings of what cloud sovereignty means, and of the national (security and economic) interests that underpin cloud sovereignty. Clarity about the desirable level of cloud sovereignty can inform finer decision-making on how to address current dependencies on non-European CSPs. This must involve a mix of better protection, bolder regulation and stronger European alternatives.

The Dutch government is well aware of the growing importance of cloud services. Cloud is one of ten policy priorities highlighted in the October 2023 Dutch Agenda for Digital Open Strategic Autonomy (DOSA).³ The main justification for this focus on cloud is the wish to maintain control over strategic and sensitive data. In addition, the Dutch government’s January 2024 report on the State of the digital infrastructure⁴ details access to cloud services as one of five critical elements of digital infrastructure.

This Clingendael Policy Brief seeks an answer to the question: what steps must be taken to promote and to protect Europe’s technological sovereignty? In doing so, it starts by detailing the most important international policy developments on cloud services, especially in the EU and in the Netherlands. Building on this, the policy brief then outlines key considerations that EU governments must ponder before ramping up their usage of cloud services. As the EU is currently living its ‘5G moment’ on cloud, now is the time to act to uphold Europe’s tech sovereignty, also in the cloud domain.

3 The weak European position in the market is among the reasons indicated for cloud becoming a focus of attention. See: Government of the Netherlands, Agenda Digitale Open Strategische Autonomie, 17 October 2023 (in Dutch).

4 Government of the Netherlands, State of the digital infrastructure: the backbone of our digital economy, report, 22 January 2024.


Figure 2 Three cloud models: traditional, cloud-only and hybrid

[Figure: three panels. Traditional, on-premise model (managed in-house); Hybrid model (on-premise + public cloud); Cloud-only model (public cloud, managed by CSPs). Labels in the figure: core services, sensitive data, legacy applications; CSP 1, CSP 2, CSP 3. Multicloud environment: when an organisation relies on multiple CSPs.]

Source: authors’ compilation

The rise of cloud services

The emergence of cloud services in the early 2000s was a major breakthrough in information technologies (IT). IT infrastructure and services⁵ used to be hosted on the premises – that is, ‘in-house’ at any specific company, school or government agency. The private sector, which is typically more inclined to take risks and test new solutions, moved to cloud services first. Businesses started transitioning their IT services to virtual environments, delivered remotely and externally managed by CSPs. Doing so offered much sought-after relief from management by the in-house IT staff of increasingly large and complex systems, thereby allowing companies to focus on their core business. Cloud computing also enables the growing use of adjacent disruptive technologies, such as the Internet of Things and artificial intelligence (AI).

5 IT infrastructure and services include: (1) hard infrastructure services, such as hosting and storage; (2) soft infrastructure and development environments and services, such as databases and middleware; and (3) mature applications services. CSPs differentiate these by offering, respectively, Infrastructure as a Service (IaaS); Platform as a Service (PaaS); and Software as a Service (SaaS).

Figure 2 depicts the conceptual difference between the traditional, on-premise model (on the left) and the cloud-only model, where all IT services are managed by CSPs (on the right). The hybrid model (at the centre) is currently the most common model used by companies. When an organisation relies on multiple CSPs, it is said to have a multicloud environment.

A special form of hybrid cloud emerges with community clouds. A community cloud is hybrid cloud computing infrastructure that is built by and accessible to a more or less restricted group of organisations with common interests or requirements. Community clouds often have a sectoral nature (see the section on Promote, below).

Balancing efficiency and sovereignty

Cloud models come in different forms, each of which has a specific balance between (tech-enabled) efficiency and ownership of the system – that is, sovereignty, or ownership and the ability to manage the system and the data that run on it. ‘Cloud services’ typically refer to public clouds, which are owned and developed by CSPs. The best-known examples are Google Cloud Platform, Amazon Web Services and Microsoft Azure. Most CSPs also offer private clouds, which resemble the on-premise model but additionally offer some of the benefits of the public cloud.


Cloud benefits

Cloud services offer three important advantages over on-premise IT management. First, by providing access to a larger range of management and intelligence services than non-cloud alternatives, cloud services enable quicker and more flexible applications development. In addition, cloud services enable much more scalability, because they can easily adjust to peaks in demand. Finally, cloud services can be financially attractive to small and medium-sized enterprises (SMEs) – especially start-ups. Cloud services allow them to have basic infrastructure without, or with very limited, initial capital costs that can be a big barrier to starting a new business.

Although cloud services are not necessarily cheaper than on-premise IT services, the ‘pay-as-you-go’ cloud pricing model has democratised access to cutting-edge technology. With cloud-first being the current status quo in IT infrastructure management – whereby companies and organisations aim to run all their IT infrastructure and services using cloud services, unless there is no alternative – established enterprises no longer have the strategic advantage that they had in the past.⁶

Cloud challenges

Migrating from the traditional on-premise model to cloud services raises important questions. Technical considerations and changes required in IT procurement, management and skillsets are substantial. With a view to cloud sovereignty, organisations must decide what infrastructure, applications and data they wish to keep on-premise and what to move to the cloud, and with how many and which CSPs to engage.

These considerations must go hand in hand with a robust data classification mechanism. Only by properly classifying data (that is, identifying what is restricted, confidential or public) can organisations make well-informed decisions about what must remain on-premise and what can be moved to a (safe) cloud.

6 In fact, established companies may be at a disadvantage, as they need to make large investments to migrate from their traditional model to cloud services.

Governments to the cloud?

As government institutions are moving to the cloud, they need to tackle these questions with due consideration of public interests. On the one hand, they must tailor their actions to citizens’ expectations of more and better e-government – much as consumers demand innovation and better functionality from the private sector. Governments themselves want to improve their efficiency, namely by increasing interoperability within their services and with the outside world.

On the other hand, governments’ IT landscapes and responsibilities are more complex than those of most companies. After all, they also face critical national security considerations. Next to data privacy and cybersecurity (challenges that companies also face), espionage – that is, unlawful (foreign) access to citizens’, businesses’ or governments’ sensitive data – is a particularly challenging risk to manage. After all, citizens do not necessarily share their data voluntarily: to hold an ID card, file taxes or to benefit from social services, citizens are de facto forced to share their data. In addition, governments face growing political scrutiny from lawmakers, who want to ensure that citizens’ rights are protected. This makes it even more important for governments to guarantee proper data management.

American CSPs are attentive to this discussion, and several have announced sovereign cloud offers. However, it is still early to assess their viability for two reasons. Firstly, these offers have not yet been sufficiently tested, and the extent to which they respond to all concerns and serve governments’ interests is yet to be proven. Secondly, these sovereign cloud offers may prove too costly for CSPs in the long run, in which case they could have an incentive to de-invest in sovereign cloud offers and leave European governments in a vulnerable position.

For their part, Chinese companies are by definition excluded from hosting applications and data deemed sensitive, as the country is identified as running a structural, offensive cyber offensive against the Netherlands and Dutch interests.⁷

7 National Coordinator for Counterterrorism and Security, Cyber Security Assessment Netherlands, CSAN 2022.


Box 1. The upcoming ‘email problem’

The many governments and organisations that currently manage Microsoft Outlook on-premise and are considering moving to the cloud need to be aware of the upcoming ‘email problem’.

Microsoft owns one of the most popular email services worldwide, Microsoft Outlook. If current trends persist, Microsoft is expected to push for all email servers to be migrated to Outlook’s cloud counterpart, M365. This would mean that governments’ email servers would be hosted on Microsoft’s cloud. Such a move would most likely attract greater attention from (state and non-state) hackers, making it a tempting target to gain access to governments’ – potentially sensitive – data.

Figure 3 Three layers of cloud sovereignty

[Figure: three nested layers, from outer to inner]

3. Cloud sovereignty as regulation compliance
2. Cloud sovereignty as data sovereignty
1. Cloud sovereignty as a national security quest

Source: authors’ compilation

As detailed in Box 1 above, governments already have less sovereignty over their data than they might realise, because of (over)reliance on a single foreign software company that can unilaterally decide to move its services to the cloud.

A key point to consider for governments’ tech sovereignty is thus how to deal with (highly) classified data. This is the heart of the discussion on cloud sovereignty: how to balance new technical efficiency while not jeopardising national security?

Set against this backdrop, cloud sovereignty is of paramount importance for governments. Seeking to unpack this broad concept, it is useful to envisage a model with three layers of sovereignty (see Figure 3). The inner layer of the model is cloud sovereignty as a national security matter: when cloud sovereignty is regarded as a matter of national security, raising the highest standards of requirements on data location and the country of origin of the CSPs that host the data. The middle layer is that of cloud sovereignty as data sovereignty: when the highest requirement is to ensure data privacy, security and local storage, regardless of the CSPs’ origins. In the broadest sense, cloud sovereignty may be regarded as a matter of regulation compliance: the ability to get CSPs to comply with local regulations, regardless of where data is located.

A first step to enhancing European digital economic security in the long term is to develop and act on a clearer understanding of cloud sovereignty: as a national security matter, as a data sovereignty question, as a regulation compliance challenge – or as a mix of the three. Having such clarity will enable governments to make informed decisions as they contemplate investments to take their own data to the public cloud as well as to enhance the competitiveness of European cloud companies and environments.

Figure 4 European CSPs’ market share as a percentage of total European cloud revenues

[Figure: chart covering Q1 2017 to Q2 2022. Axes: European Cloud Revenues (EUR billion), 0 to 10; Market Share of European Cloud Providers, 0% to 25%. Series: European Cloud Provider Share; European Market Size.]

Source: Synergy Research Group

(Geo)Politicisation of cloud services?

The EU is at a crossroads. Like most developed economies, EU institutions and Member States are shifting to cloud-based IT services.⁸ This move raises concerns about dependencies on non-EU CSPs, in similar ways as during the rollout of 5G networks in 2017. Then, the United States pushed the global debate on the national security implications of Huawei’s role in 5G networks, in which the Chinese company was a leader. Helped by a newly created EU toolbox for 5G security,⁹ many European governments ended up formally or informally banning Huawei from (parts of) their 5G networks based on concerns about possible espionage and cyberattacks carried out through Huawei’s networks.¹⁰

Today, the EU stands at a similar juncture with regard to cloud services. This time, however, the dependence is not on a Chinese company but on American Big Tech. Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) have a combined market share of 70 per cent in the EU.¹¹ American companies IBM and Oracle rank fourth and fifth largest. The biggest European CSPs, Deutsche Telekom and SAP, only hold about 2 per cent market share each – and their scope is not comparable to their American counterparts. Indeed, as illustrated in Figure 4, the share of European CSPs’ cloud revenue has been diminishing in the past five years and is now below 15 per cent.

8 The United Kingdom, in particular, has been a leader in the use of public cloud applications in government organisations for many years, with the UK G-Cloud initiative. See: Government of the United Kingdom, Guidance: applying to the G-Cloud framework, last updated in March 2022.

9 European Commission, The EU toolbox for 5G security, 29 January 2020.

10 In 2022, the Biden administration banned Huawei and ZTE’s telecommunications equipment altogether. See: CNET, Huawei ban timeline: detained CFO makes deal with US Justice Department, 30 September 2021; and Reuters, US bans new Huawei, ZTE equipment sales, citing national security risk, 1 December 2022.

Figure 5 Conceptual difference between what the American hyperscalers and European CSPs can offer

[Figure: service categories shown: Storage, Databases, Monitoring, Networking, Automation, Security]

American CSPs (hyperscalers):

• One-stop shop (e.g. AWS, Azure, GCP)

European Cloud landscape:

• Subset of specific cloud services (e.g. OVH, Scaleway, SAP), shown as EU CSP 1, EU CSP 2, EU CSP 3 and EU CSP 4

Source: authors’ compilation

The strategic advantage of American CSPs lies in their all-encompassing offering of services and features. Functioning much like an ‘IKEA for computing’, they are a one-stop shop where customers can buy all the IT services they might possibly need – ranging from hard infrastructure to artificial intelligence tools.¹² As illustrated in Figure 5, their European counterparts, by contrast, are only able to offer subsets of cloud services.

The difference in scale and scope between American and European CSPs is so vast that most in the industry are of the view that there is no real competition between them – and that it is too late to change the situation. A loose analogy with the aeronautical industry illustrates the current state of affairs in cloud services: if Europe did not have Airbus to compete with Boeing, how long would it take today to build such an enterprise?

11 Synergy Research Group, European cloud providers continue to grow but still lose market share, 27 September 2022.

12 Bert Hubert, Taking the Airbus to the IKEA cloud, 11 January 2024.

The EU and its Member States must now consider which dependencies make for critical vulnerabilities, and how to reduce or manage those. This involves acting on the question: (how) can European CSPs reach the scale, breadth of services and relevance required to ensure the EU’s digital economic security? Or, given the enormous gap between European and American CSPs, can Europe still build ‘minimum viable clouds’ – that is, trusted European cloud environments with sufficient and secure capabilities to host and run European governments’ most sensitive data?

To inform the answers to these key questions, the next section looks at recent developments and initiatives in the cloud domain in Europe – and specifically, the Netherlands – and in other countries of relevance, namely the United States.

Recent developments and initiatives

Aiming to enhance European cloud sovereignty, the EU and its Member State governments in recent years have started to act, broadly speaking, on two policy lines. First, the aim is to ‘protect’ both consumers and European cloud businesses from the dominating American cloud players – including addressing concerns on data protection and privacy, cyberattacks, and unlawful access to data by foreign parties to European citizens, businesses and governments. In addition, they also seek to ‘promote’ the European cloud ecosystem to grow. Figure 6 presents the main EU regulations and initiatives related to cloud services, set against the Protect–Promote analytical framework that will be elaborated upon below.¹³

Figure 6 EU policies and initiatives with an impact on cloud services, set against the Protect–Promote framework

[Figure: EU policies and initiatives arranged under two headings, Protect and Promote. Items shown: GAIA-X; Important Projects of Common European Interest: Cloud Infrastructure and Services (IPCEI CIS); Pan-European Cloud Federations; Data Act; Alliance for Industrial Data, Edge and Cloud; European Open Science Cloud; EU Cloud Certification Scheme (EUCS); Network and Information Systems Directive revised (NIS2); Digital Markets Act; EU Cloud Rulebook; Guidance on public procurement.]

Source: authors’ compilation

Protect

Seeking to enhance European cloud sovereignty, the EU is preparing the EU Cybersecurity Scheme for Cloud Services (EUCS). With this voluntary certification scheme – developed within the European Cybersecurity Act (CSA) – the EU aims to harmonise the security of cloud services with EU regulations.¹⁴ Negotiations about the new scheme illustrate the EU’s growing attention for cloud sovereignty. At the same time, they are a vivid illustration of divergences between EU Member States on what this should entail.

13 Maaike Okano-Heijmans, Open strategic autonomy: the digital dimension, January 2023.

14 The CSA is a cybersecurity certification framework to standardise information and communication technology (ICT) products, services and processes. In place since 28 June 2021, implementation is monitored by the EU agency for cybersecurity (ENISA). See: European Commission, The EU Cybersecurity Act, April 2023.

The EUCS foresees four assurance levels for CSPs: high plus; high; substantial; and basic.¹⁵ It requires cloud contracts to be governed by an EU country’s law for all EUCS assurance levels. For the ‘high plus’ and ‘high’ levels, data must be located within the EU. The new level of ‘high plus’ is designed to be met exclusively by Europe-based CSPs, and aims at building trust, unlocking growth and enhancing European sovereignty. Crucial herein is the extent to which the European subsidiary of a cloud provider can be considered as falling under the parent company’s or group’s control. France, in particular, pushed for a clause that would require CSPs to be operated only by EU-based companies, with no non-European entity exerting effective control. A group of EU Member States, led by the Netherlands and also including Germany, successfully pushed for a softening of this text.¹⁶

Figure 7 summarises the links between the cloud sovereignty layers proposed in Figure 3 and the draft EUCS assurance levels.

15 See: ENISA.

16 The new text adds the possibility for CSPs to ‘demonstrate that they have put in place effective technical, organisational and legal measures that prevent non-EU companies linked with the cloud provider from exerting a decisive influence in decisions related to investigation requests’. See: Euractiv, EU cloud scheme slightly tones down sovereignty requirements, 22 November 2023.


Figure 7 The draft EU Cloud Certification Scheme (EUCS) levels in relation to cloud sovereignty

Cloud sovereignty layer | EUCS assurance level | Key characteristics
3. Cloud sovereignty as regulation compliance | Basic / Substantial | Regulation and supervision requirements: cloud contracts are governed by the law of an EU country; only EU courts and other arbitration bodies have jurisdiction for disputes related to the contracts.
2. Cloud sovereignty as data sovereignty | High | Data localisation requirements: data is located within EU borders.
1. Cloud sovereignty as a national security quest | High Plus | Sovereignty requirements: CSP’s global headquarters are within the EU, with no entity from outside the EU having effective control over the CSP.

Source: authors’ compilation based on the EUCS draft text of November 2023

While the EUCS – if enacted – can be expected to enhance Europe’s cloud sovereignty, two challenges persist. First, European CSPs are unlikely to obtain certification for the ‘high plus’ assurance level, because of the vast resources and effort required. Second, the potential extraterritorial effect of US legislation seems to undermine EU regulations that seek to strengthen cloud sovereignty. As detailed in Box 2 below, three US regulations in particular enable the US government to force American CSPs to hand over their customers’ data: the Clarifying Lawful Overseas Use of Data Act (CLOUD Act); the Foreign Intelligence Surveillance Act (FISA); and the Defense Production Act.

This suggests that the EU cannot just regulate itself out of the problem: diversification of European solutions is not a luxury but a necessity. Hence, it is in EU governments’ interest to invest in developing European ‘minimum viable clouds’ – that is, trusted c
