Share this article on:
Major technology companies outside the European Union looking for an EU cyber security label that allows them to handle sensitive data may have to adhere to new conditions.
According to Reuters, which has reportedly seen an EU draft document, major non-European cloud service providers like Google, Microsoft, and Amazon will now have to do so alongside an EU-based organisation.
The draft from the European Union Agency for Cybersecurity (ENISA) said that non-European tech giants could only have a minority stake, and any employees with permission to access EU data would need to be based within it and take part in a specific screening proves.
In addition, any EU laws regarding cloud management will take precedence over laws from other non-EU countries.
“Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider), to mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values,” the document said.
“Undertakings whose registered head office or headquarters are not established in a member state of the EU shall not, directly or indirectly, solely or jointly, hold positive or negative effective control of the CSP applying for the certification of a cloud service.”
The new rules will apply in scenarios where a breach of personal or non-personal data could have a negative impact on public safety, order, health or human life, or the “protection of intellectual property”.
However, the US Chamber of Commerce has expressed concern over the draft, saying that it could create a disparity between US companies. Additionally, as every EU country has the power to enforce the legislation, it could create a disparity as businesses look to base themselves in specific parts of the continent.
The EU, however, maintains that the legislation is a must for protecting its data safety and security. The draft will be reviewed by EU nations before any final legislation is adopted.