The European Union Agency for Cybersecurity (ENISA) has been tasked by the European Commission to prepare a cybersecurity certification candidate scheme for cloud services, taking into account existing and relevant schemes and standards. The EU Cybersecurity Act adopted in June 2019 provides the framework to develop a European-wide cybersecurity certification scheme for ICT services, products and processes.
Cloud uptake in Europe still needs stimulation. In 2018, only 1 in 4 businesses and 1 in 5 SMEs were using cloud computing in Europe. European businesses and public administrations are not benefitting from the competitive advantage that cloud can provide, for instance in terms of significant IT cost savings and almost unlimited and scalable computing power and data storage. Cloud infrastructures and services are indispensable to the provision of innovative services such as artificial intelligence, blockchain and big data analytics.
Trust in secure cloud infrastructures and services is an essential requirement to make data mobility a reality in Europe, which is the aim of the Free Flow of non-personal Data Regulation. A European-wide certification framework will provide increased assurance to businesses, public administrations and citizens that their data is equally secure no matter where it is processed or stored in Europe.
The European Commission aims at creating a more secure and trusted cloud in Europe. Cloud certification is an important way to do so. However, users currently face a highly fragmented market for cloud computing certification schemes in the EU, as evidenced by a study published by the European Commission last year.
In order to tackle this market fragmentation, the European Commission has encouraged providers, users and representatives of national cybersecurity certification authorities to explore options for the development of a single European cloud certification scheme. As a result, the DSM cloud stakeholder group on cloud certification (CSP CERT) was set up at the end of 2017. Within 18 months, the self-regulatory working group presented its “Recommendations for the implementation of the CSP Certification scheme” in June 2019.
As a next step, ENISA will develop a cybersecurity certification scheme for cloud infrastructures and services, and then submit its proposal to the European Commission for adoption.
More information about ENISA’s upcoming action will be announced on ENISA’s website.
Call for expression of interest for an ad hoc Working Group (ENISA's website)