New security proposals could mean cloud service providers have to shift their practices to be more EU-focused.
The ENISA proposals to harmonise security could require that cloud services be operated and maintained within the EU. The EUCS should be viewed in light of the General Data Protection Regulation and data transfers generally. While the principle of the GDPR is that personal data can flow outside the EU, this is subject to maintaining appropriate safeguards for the protection of that data.
Don't forget that in recent years, the transfer mechanisms between the EU and USA – Safe Harbour and Privacy Shield – have been invalidated partly because of broad US surveillance laws. Against this background, it becomes easier to understand the EU's push to keep data – particularly sensitive data – inside the EU and away from intrusion by overseas government agencies. Global providers may be able to adjust their corporate structure to allow for EU branches or joint ventures with a local company. Smaller providers will not have this flexibility. In fact, global providers are unlikely to welcome this, as it will complicate their corporate structures and trading arrangements.
This suggests that, since the EU has not been entirely successful in exporting GDPR standards across the globe, it is becoming more protectionist. US providers – and those here in the UK – will likely be adversely affected as a result.
If you need advice, contact me firstname.lastname@example.org or +44 (0) 20 7611 2338.
"Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the provider"