Security of sensitive data: the CNIL criticizes the draft EUCS directive

In an opinion published Friday, the CNIL warns of the dangers of the current version of the future EUCS directive. The Commission criticizes the lack of protection against the extraterritorial reach of certain laws, particularly American ones. It is campaigning for a return to a SecNumCloud baseline.

The European Union Cybersecurity Scheme for Cloud Services, or EUCS, is a draft directive currently being developed in Europe. Its ambitions are great. The future framework is meant to replace national schemes such as SecNumCloud in France or C5 in Germany. Its objective is clear: to raise the general level of security of cloud storage in Europe.

To achieve this, the draft directive proposes four security levels: Basic, Substantial, High and High+. The higher the level, the more obligations it carries. Until spring, High roughly corresponded to the “classic” SecNumCloud certification, while High+ was based on the latest version of the French certification (3.2), which includes a sovereignty section and shields data from extraterritorial laws.

However, in a new version published in April, the project no longer contained anything on the question of sovereignty. A situation denounced by the former director of ANSSI, Guillaume Poupard: “We must recognize that a majority of Member States of the European Union clearly have other priorities than developing digital Europe.”

He then indicated that certain member countries of the Union could have other priorities, in particular “their tax revenues”. And for good reason: at the High+ level, the old version simply prohibited storing the most sensitive data in non-European solutions. Out go the GAFAM, in other words.

The CNIL takes a stand for SecNumCloud
“Data stored by a company subject to non-European law, as is the case with hosts whose parent companies are located in the United States, may be exposed to the risk of having to communicate data to public authorities of that country,” points out the CNIL in a press release published on July 19.

The Commission points out that this is generally not a problem. Under the Data Privacy Framework, data may be stored with providers located in “adequate” countries, and the United States is one of them. But what about the most sensitive data? The CNIL’s position is clear: “data hosted in the European Union should not be subject to a risk of unauthorized access by authorities of third countries”. The American CLOUD Act, though not cited by name, is clearly in the crosshairs.

The recommendation is therefore to “use a service provider exclusively subject to European law and offering the adequate level of protection”. In France, this recommendation translates into SecNumCloud certification, which “includes this criterion and thus allows data to be protected against access by foreign authorities”.

EUCS: “gaps and risks”
The CNIL confirms in its press release that this provision “no longer appears in the European cloud cybersecurity certification project EUCS piloted by the European Union Agency for Cybersecurity (ENISA)”. Not even at the highest certification levels, and not even as an option.

The CNIL recalls that it has recommended “for a long time” that the most sensitive data be protected against extraterritorial laws. Furthermore, EUCS, in its current state, “does not make it possible to stimulate European cloud offerings”. Yet such offerings are essential to meet “the development and deployment needs” of AI systems. Another problem highlighted by the CNIL is access to public procurement for European players, all the more striking since the United States itself has such a program (FedRAMP) for American players.

Above all, EUCS could not be used by public and private actors to “outsource their most sensitive projects to the cloud”. The CNIL cites as a good example the government’s “cloud at the center” doctrine, which requires public authorities to store data “of particular sensitivity” in a cloud not subject to non-European laws that could “imply communication injunctions”.

The EUCS project is currently on standby, a logical consequence of the renewal of the European Parliament. Ursula von der Leyen has just been re-elected as head of the European Commission, but the Commission itself has yet to be formed. Only once this step has been completed will discussions – and negotiations – resume.

Note that as it stands, the EUCS directive would a priori allow offers like Bleu and S3NS to be certified at the High+ level. The question of SecNumCloud certification remains unresolved, even if S3NS has just embarked on the process.

A surprising position? Not really
The CNIL’s position could raise some eyebrows. In its press release, it cites the national health data system (SNDS) as an example of very sensitive personal data. Yet we remember the controversy surrounding the favorable opinion it gave on storing this very data in Azure. As a reminder, the CNIL authorized the Health Data Hub (Health Data Platform) to store data from the European EMC2 project with Microsoft.

The deputy Philippe Latombe, a commissioner at the CNIL, told us that the CNIL’s decision had been made in law, in this case the Data Privacy Framework, which establishes adequacy between the European and American regulatory frameworks.

The CNIL “judges in law. It is obliged to apply it. There is nothing that prohibits the EMC2 project from being stored at Microsoft,” the MP argued. He added that the CNIL’s decision left “enough influence for everyone to be able to contest it”. Furthermore, the Commission’s position was clearly perceptible between the lines.

The CNIL’s position is therefore not surprising, because that is precisely what it is doing: giving its opinion. An opinion that also comes just a few days after ANSSI’s recommendations on the storage of sensitive data in the cloud, which can be summed up in one word: SecNumCloud.

This article is originally published on next.ink
