Brussels – Data storage, processing, and sharing to deliver specific services on demand. In a word: the cloud. The telematics facility is fundamental to developing a single defense, security, and aerospace market. However, the European Union is not doing enough to create what is needed, and what it is doing follows a timeframe that the industry in the sector considers inappropriate.
The proposal for a European cybersecurity certification scheme for cloud services (EUCS) that the European Union Agency for Cybersecurity (ENISA) and the European Cybersecurity Certification Group (ECCG) are expected to produce in the coming days does not meet the demands of an industry eager for certainty and equal standards.
ASD, the association of European security, defense, and aerospace companies, is ready to ask European decision-makers to review the delegated act used to implement the cybersecurity regulation so as to shape the EU digital market. The EU executive is being asked to avoid rules left to national states and set higher security standards, known as high+. Without these, investing becomes unattractive, and this is a problem.
In the context of the new defense program and the European Defense Strategy, “we believe that if we want to talk about the security of supply we have to talk about the security of supply chains and the secure ways of connecting these chains,” the chair of the ASD Task Force on cybersecurity, Giorgio Mosca (Leonardo) said in an interview with Eunews. There is no such situation at the moment. “We see at least two types of impacts.” The first is that “we will probably find ourselves more exposed to cyber-attacks,” because “if data is outside the European Union, we have communication channels outside of our control,” and this makes us more vulnerable and “also subject to possible disruptions.” Second, “we see an economic impact.” As Mosca explains, “In the Commission, we always talk about wanting to reduce the administrative burden and costs for businesses but doing so seems to us to be going in the opposite direction.”
The discussions on the proposed European cybersecurity certification system for cloud services (EUCS) have been ongoing since December 2019. It is a complex debate because it is very technical. There had been discussion, later dropped, of introducing transparent and harmonized criteria at the highest assurance level of the EUCS system (high+ criteria). The European aerospace, defense, and security industries would like to see them reintroduced because of the strategic nature of the sector and to guarantee the security of the most sensitive European industrial data.
What is needed is a single European model with common rules. Higher security standards would not be mandatory at the European level but optional. However, it is “better to have them and decide whether to meet those standards than not,” is the view of the European Association of Defense Companies. “Clarity is needed for the industry in the sector, which is crucial for competitiveness,” the executive of Leonardo said, urging, on behalf of ASD, the new Commission to take the dossier back in hand.
“It would be appropriate for the new Commission to comment” on this delegated act opinion and security standards for cloud services, especially when the single market, competitiveness, and defense are experiencing a new phase. Letta’s report on the single market, EU strategic agenda, and Draghi’s report on competitiveness “are theoretically linked,” so further reflection would be needed. With the understanding that on cloud security certificates, “work has been slow, and at this point, we may as well wait another six months,” Mosca acknowledges. High European security standards for cloud services would lay the groundwork to integrate an emerging single market. “The EU has an important role for harmonization, and eliminating security standards makes no sense because it produces exactly the opposite, a fragmentation,” Mosca further denounces.
The hope, which for industries of the sector is an invitation more than a wish, is that within the European Cybersecurity Certification Group, representatives of EU member states are willing to wait for a decision and see what the new European legislature proposes.
English version by the Translation Service of Withub