Coming Soon: A Single Track to EU Cybersecurity Certification in the Cloud

Recent Efforts to Streamline Cybersecurity in the Cloud

In recent years, the EU has become a standout champion in cybersecurity regulations. As cloud computing expands globally, the European Commission is working to form a trust-building policy framework for cloud services.

Keeping an eye on the horizon is critical for U.S. and international businesses and their ability to predict and prepare for game-changing regulations, just like GDPR. So, we thought we’d provide a quick update about ongoing efforts among European states to strengthen and streamline cybersecurity.

EU Cloud Computing

Last year, it was estimated that only 26% of EU enterprises use cloud computing. In 2020 and beyond, we expect cloud computing to be part of a massive digital transformation in Europe. The COVID-19 pandemic is just one of the most recent factors that is expediting businesses’ shift to the cloud. Over the next decade, EU will see growing adoption of cloud technology, particularly in sectors such as biotech and healthcare. In fact, plans are in the works by the European Commission to make a huge investment in “technological sovereignty” which will likely focus on building their own cloud data centers.

In response, regulating bodies in the EU are working to develop cybersecurity frameworks and programs fit for the cloud.

EU Cybersecurity Law

In 2019, the European Cybersecurity Act entered into force and founded ENISA, the European Union Agency for Cybersecurity. As laid out in article 48(2) of the Act, the European Commission has charged ENISA with the specific task of designing a cybersecurity certification candidate scheme for cloud services. It should be built taking into account existing and relevant schemes and standards.

Watch this short video to learn more about ENISA and its mission to strengthen cybersecurity.

Developing EU Cloud Computing Certification

Because cloud computing is viewed as an essential component of economic growth and a competitive single market, the European Commission’s Data Strategy was put in motion. The goal is to make cloud infrastructures more accessible, secure, sustainable, interoperable, scalable, and environmentally friendly.

ENISA’s goal now is to formalize a single cybersecurity certification scheme for cloud services. This new scheme should provide greater security assurance to businesses, public administrations, and users in the EU regardless of where data is stored or processed. The Cloud Service Provider Certification (CSP-CERT) Working Group, with participants from public and private sectors, has already proposed a draft of the new certification scheme and is now working on revisions.

Currently, France, Germany, Spain, and the Netherlands have enacted their own assessment and certification frameworks for cloud services. Yet, limiting it to a single certification scheme is important to supporting the free flow non-personal data without varying restrictions between information systems operating union countries. Unified certification for cloud services will further improve trust and security for cross-border data processing.

Ultimately, a single, well-designed cybersecurity certification program will help organizations in the EU to adopt cloud technologies with confidence. End customers will increasingly demand a switch to cloud-based services because of the unmistakable advantages they offer.

Additional EU Data Privacy & Security Efforts Focused on Cloud Computing

What are some of the other initiatives going on in Europe to regulate best practices and provide practical cybersecurity frameworks?

• The EU High Impact Project is supporting the creation of a federation of cloud infrastructures in member states.
• There are efforts in place to form a single European marketplace for cloud service.
• Work is being done to build a governance framework and EU Cloud Rulebook to explain compliance issues.
• The SWIPO (switching and porting) Codes of Conduct Working Group, a DSM cloud stakeholder group, has drafted self-regulatory Codes of Conduct related to data portability in the cloud.
• Two Codes of Conduct for data protection in the cloud are currently being reviewed by the European Data Protection Board.
• The European Commission is currently collaborating with stakeholders, supervisors and regulators to define standards.
• The EC has published guidelines on Standardised Cloud Service Level Agreements (SLA) to provide clarity for small businesses about the technical and legal aspects of cloud services offered in the European market.

Watch the recent session held by our AWA division. Webinar: “Cloud Basics”

I.S. Partners – Keeping You Up to Date on International Cybersecurity

Partner with us to ensure that your organization is ready to face all the new cybersecurity regulations entering into vigor. Get in touch with the professional auditors at I.S. Partners, LLC to make sure your team is on track for continued compliance. Call our office or request a quote today.

About The Author

David Dunkelberger

During his 25-year career, David has successfully delivered assurance, business advisory and investigative services to the financial institutions industry, primarily commercial banks and insurance companies. Additionally, he possesses solid competencies in risk-based auditing and internal control evaluation, and has generated significant cost savings for clients engaged in Sarbanes-Oxley compliance. He has held senior positions in both public accounting and private industry.

Prior to joining IS Partners, LLC, David managed forensic investigations at a nationally-recognized accounting firm and provided fraud detection, forensic investigation and litigation support services for the FDIC.

David graduated from Temple University in Philadelphia, PA.