By Foo Yun Chee
BRUSSELS (Reuters) – Deutsche Telekom, Orange, Airbus and 15 other EU companies have criticised a proposal that would allow Amazon, Alphabet’s Google and Microsoft to bid for highly sensitive EU cloud computing contracts.
The draft plan from Belgium, which currently holds the rotating European Union presidency, concerns a certification scheme (EUCS) to vouch for the cybersecurity of cloud services and help governments and companies in the bloc to pick a secure and trusted vendor for their business.
The proposal scraps so-called sovereignty requirements from a previous draft which obliged U.S. tech giants to set up a joint venture or cooperate with an EU-based company to store and process customer data in the bloc in order to qualify for the highest level of the EU cybersecurity label.
The Belgian plan will be discussed by cybersecurity experts from the 27 EU countries on April 15, which could pave the way for the European Commission to adopt the cybersecurity scheme in the northern hemisphere autumn.
EU countries should reject this latest proposal without sovereignty requirements, Deutsche Telekom, Orange, Airbus and the other 15 companies said in a joint letter to authorities in their countries and to senior Commission officials.
“The inclusion of EU-HQ and European control requirements in the main scheme is necessary to mitigate the risk of unlawful data access on the basis of foreign laws,” they said in the letter seen by Reuters.
Without such requirements, European data could be accessed by foreign governments on the basis of their laws such as the U.S. Cloud Act or the Chinese National Intelligence Law, they warned.
Big Tech is looking to the lucrative government cloud market to spur growth while the EU on the other hand fears illegal state surveillance and the dominance of U.S. cloud providers.
The EU companies said the EU cybersecurity label should follow the example of Europe’s Gaia-X cloud computing platform created to reduce the EU’s dependence on Silicon Valley giants and which has sovereignty requirements.
They said the lack of sovereignty clauses could also hamper nascent EU cloud providers versus their bigger U.S. rivals.
“Removing such requirements from the scheme would seriously undermine the viability of sovereign cloud solutions in Europe – many of which are either in development or already available on the market,” the companies said.
Signatories to the joint letter include French power group EDF, French cloud services provider OVHcloud and Italian peer Aruba, Dassault Systemes, Germany’s Ionos, Telecom Italia, Austria’s Exoscale, French tech company Capgemini and Eutelsat.
(This story has been corrected to fix the date of the meeting to April 15, not March 15, in paragraph 4)
(Reporting by Foo Yun Chee; Editing by Emelia Sithole-Matarise)