In Development: EUCS Nearing Completion
NEWS
The European Union Agency for Cybersecurity (ENISA) has been working on developing a European Cybersecurity Certification Scheme for Cloud Services (EUCS) since 2020, and a final draft should be announced soon. The EUCS will form part of the European Cybersecurity Certification Framework, which also includes the newly endorsed Common Criteria (CC)-based EU Common Cybersecurity Certification (EUCC) scheme. While the EUCC and EUCS are voluntary frameworks, they will provide a benchmark that will likely form a de facto standard in the European Union (EU) in due course. This will have global repercussions, as EU instruments tend to set the bar globally. Therefore, stakeholders are paying close attention to its development.
Controversial EUCS Divides Opinions, but Cloud Sovereignty Is a Growing Trend
IMPACT
One of the key tenets of the last EUCS draft is that cloud providers be headquartered in the EU and owned or controlled by an EU entity (either fully or through a joint venture). This is a hugely contentious issue, with advocates stating that it will drive forward the cloud provider market in Europe, which has been held back by powerful Cloud Service Providers (CSPs) from the United States (and their equally powerful lobbies). Their monopoly in the cloud market has impeded the development of alternative home-grown solutions. Critics argue that it is a protectionist measure, contrary to EU values, that will stifle innovation and cut the lifeline of the many European companies that have already migrated to the cloud. While the critics are technically correct, the monopoly of U.S.-based CSPs has, in fact, made it nearly impossible for any commercially viable alternative to develop competitively. Perhaps more worrying, however, is the mass export of EU data to the United States through these CSPs. That is the primary intent of the protectionist wording in the EUCS: the concern is data protection rather than shoring up EU companies.
In response to this, the sovereign cloud movement has emerged, with CSPs keen to prove that they have heard the EU loud and clear and are willing to invest in building EU-based data centers, keeping data local, and guaranteeing data security in line with EU regulation (e.g., the General Data Protection Regulation (GDPR)). They may be U.S.-born, but they are keen to show they have the EU's concerns at heart; enter the sovereign cloud. Data sovereignty has been a market trend for the last couple of years, but only recently has the notion of a sovereign cloud started to gain traction. In parallel, the telco sector has been pushing the private network narrative in a similar bid to capture this growing demand. All in all, whether or not the EUCS retains its sovereignty clause, demand for data sovereignty is here to stay, regardless of whether it is served up by CSPs on their cloud platforms or by telcos via private networks.
A Growing Role for HSMs
RECOMMENDATIONS
Data sovereignty demands are a boon for data security providers, especially for Hardware Security Module (HSM) vendors. Not only will CSPs and telcos need to invest in more HSMs as they build out sovereign cloud infrastructure, but this boom is likely to drive demand in particular for HSM-as-a-Service (HSMaaS). Organizations wishing to avail themselves of a sovereign cloud will do so on the premise that they can retain control of their data; HSMs used for encryption/decryption and key management are the tools to this end. However, with the data residing in the cloud, organizations will want the HSMs to be available in the cloud as well. HSMaaS is the natural response to this evolution.
The market for HSMaaS is niche, but growing. Users of HSM products tend to be more risk averse, but moving to a sovereign cloud may make them more comfortable with HSMaaS, as long as they are sure they retain control of the key material. Already present in the space are early entrants such as Utimaco and Thales, but CSPs are making a play for their own HSMaaS in order to lock organizations into their cloud offerings. The advantage of the HSM Original Equipment Manufacturers (OEMs) is that their solutions tend to be cloud-agnostic; practically any cloud can be used. But CSPs are getting wise to the game. While an HSM might not be the CSP's end market (data storage is), they understand the importance of cloud sovereignty demands in the EU. Locking in clients won't help, and so they are also considering opening up their HSM services so that they can be used with other CSPs' platforms. There will be a level of coopetition between CSPs and HSM vendors in the space, but the latter should ensure they extol their strengths in cryptography and data security. This is what will win them prospects in the sovereign cloud market.