All major political groups are anticipated to back amendments mandating European Parliament approval for the adoption of cybersecurity certification schemes. This move comes in response to the politicization of the European Cloud Services scheme, where contentious sovereignty requirements were proposed by the European Commission, potentially excluding non-European providers from significant portions of the EU cloud market.
France initially introduced this exclusion of foreign cloud providers in its national scheme, SecNumCloud. However, Commissioner for the Internal Market Thierry Breton faced resistance from more pro-market countries, such as the Netherlands, when attempting to apply this approach at the EU level.
Bart Groothuis, a centrist MEP, along with other influential lawmakers in digital policy, has put forth an amendment to address this issue. Andrus Ansip, a signatory and former European Commissioner for the digital single market, supports the proposed amendment.
The key amendment aims to shift the adoption of certification schemes under the Cybersecurity Act from an implementing act to a delegated act. This alteration would grant the EU Parliament the authority to endorse or reject the scheme in its entirety.
Additionally, the Commission, in collaboration with the EU cybersecurity agency ENISA, would be required to conduct an impact assessment, engage in a public consultation, and consult relevant stakeholders and national representatives before adopting the schemes.
When evaluating the certification schemes, the EU executive must also assess the effectiveness of the procedures leading to consultation, preparation, and adoption of the certificates.
These amendments are part of the final compromise amendments for the Managed Security Services proposal, slated for adoption in the Committee on Industry, Research, and Energy.
While the intent behind the Cybersecurity Act and the Cyber Solidarity Act was to establish a cyber reserve of trusted contractors, the Commission’s handling of certification schemes led to discontent. The Commission’s proposal may make certification schemes mandatory for entities deemed essential for the EU economy under the revised Networks and Information Systems Directive (NIS2).
Support for the Groothuis amendment doesn’t necessarily equate to outright opposition to the sovereignty requirements in the cloud scheme. Instead, many MEPs are concerned with how the scheme was pushed by the EU executive rather than its content.
The initiative led by Groothuis sets a precedent, signaling that if delegated power is misused, the Parliament will take corrective action. Groothuis suggests that ENISA and the Commission should withdraw their sovereignty requirements from the cloud scheme.
The MEPs’ text may garner support from the coalition of countries that have thus far resisted the Commission’s approach. The Commission is slated to review the Cybersecurity Act by June 2024 officially.