Executive summary
The letter below calls on Member States, ECCG experts and the European Commission to include High+ criteria in the EUCS scheme or, at the very least, to freeze all EUCS discussions until an adequate alternative solution is found.
We invite all like-minded companies and organisations to support the joint letter.
The Letter
Putting EU Digital Sovereignty and Single Market to the test:
A Voluntary EUCS High+ is crucial for Competitiveness, Sovereignty and Digital Leadership
A Voluntary EUCS High+ is crucial for Competitiveness, Sovereignty and Digital Leadership
Cloud is the backbone of the digital economy and a key driver to boost European organizations’ digital transformation and, consequently, their competitiveness. To achieve this and encompass new digital evolutions and use cases, in particular AI, European users must have the assurance that these evolutions are not happening without a suitable level of protection of data, including the most sensitive ones. This must be done at EU level to avoid Single Market fragmentation. With the new Commission in place and its clear commitment to digital sovereignty, discussions on the European Cloud Services Cybersecurity Certification Scheme (EUCS) should more than ever proceed with the inclusion of High+ criteria.
This would be fully consistent with the Draghi report, which has for instance recommended the adoption of a single EU wide policy for the procurement of cloud services by public administrations, including data residency requirements and requiring at a minimum EU sovereign control of key elements for security and encryption. This recommendation has also been reflected in the Mission Letter to the Executive Vice-President for Tech Sovereignty, Security and Democracy.
We, as cloud users and providers, representatives from various European countries, economic sectors and all sizes of companies, strongly support the inclusion of High+ criteria in the EUCS, for the following reasons:
- Ensuring adequate data protection. Such criteria would provide an EU-wide standard allowing users to have transparency, choice, and the necessary protection for their most sensitive data against access or operational disruption resulting from non-EU extraterritorial laws.
- Guaranteeing freedom of choice. A voluntary High+ EUCS would in no way exclude non-European providers, but simply offer an alternative to European cloud users. Users would retain the freedom to opt for such a level or not: this is about enabling user choice, not about restricting it. Public and private users would be able to opt for High+ for particularly sensitive data while selecting other levels for the rest. We fully support the voluntary and user-centric approach taken so far, which could be explicitly enshrined in the EUCS to avoid any residual doubt about the potential implications of harmonizing such criteria. Last but not least, an EUCS High+ standard would also be fully consistent with recently adopted Gaia-X standards.
- Indispensable for cloud and AI uptake and successful EU digital transformation. In the absence of such harmonised criteria, numerous users, including a very significant number of EU SMEs, would not be in a position to opt for cloud solutions. They would have to leave their data stored “on-premise” which would impede their digital transformation and capacity to improve their cybersecurity capacities. Worse, they would be left with solutions that may be advertised as ‘sovereign’, but do not offer the protections they need. This scenario would significantly hinder cloud uptake and, hence, the development of common European data spaces and AI in the EU. This would, in turn, have a major impact on the EU industrial competitiveness. Moreover, it would disproportionately burden specific industrial sectors handling highly sensitive data as well as SMEs, which often lack the in-house capabilities and resources to come up with complex tailor-made solutions.
- Avoiding Single Market’s fragmentation. The absence of an adequate High+ EU-level would further fragment the Digital Single Market into divergent national standards, inducing major administrative complexities and compliance costs and hitting all companies, especially the smaller ones. It would run against the Commission’s overall simplification, competitiveness and Single Market priorities. It would also hinder European cloud providers to scale up their solutions in the Single Market. Any proposal aiming at keeping sovereignty requirements at national level (extension profiles, national labels) will therefore fail to address the issue.
The newly confirmed European Commission has committed itself to digital sovereignty. The EUCS puts the EU’s commitments to the test. It is a first step, but a crucial one. It is an opportunity to achieve greater sovereignty in the cloud space and in AI – one that is user-driven and one that cannot be missed, if the EU wants to truly reduce its dependencies.
A significant number of EU Cloud providers and users across all sectors, nationality and sizes – including 45,000 European SMEs active in the digital sector – have voiced their strong support for the inclusion of such High+ criteria.
Therefore, we, as cloud users and providers and representatives from various European economic sectors, strongly support the inclusion of High+ criteria in the EUCS. At the very least, we call for a freeze of all EUCS-related discussions until an adequate alternative solution is found.
About the initiative
EUCSHighPlus.EU is a community initiative with the aim of informing on the needs of European Cloud users with respect to the EU Cybersecurity Certification Scheme for Cloud Services (EUCS).
European cloud users who agree with this position and want to support the open letter are asked to contact the Airbus Brussels office, Avenue Marnix 28 1000 Brussels, at Airbus-Brussels-Office@airbus.com, which is responsible for this website.
Supporters
News Coverage
Privacy Notice
Airbus Brussels values the protection and confidentiality of your personal data. Airbus Brussels will use your personal data only for the purpose for which you have given permission. Airbus Brussels will not sell, rent, loan, trade or lease any personal information collected online or offline.
Airbus Brussels uses secure data networks that are protected by password protection systems.
Airbus Brussels' security and privacy policies will be periodically reviewed and enhanced as necessary. Only authorised individuals have access to the information provided by our contacts.
Our databases are located in the European Union.
How to withdraw consent to be emailed or unsubscribe from receiving emails:
If you wish to stop receiving emails from Airbus Brussels, you may do so by clicking the ‘unsubscribe’ link at the bottom of any email. Alternatively, please email us at: Airbus-Brussels-Office@airbus.com or write to us at:
Airbus Brussels
Avenue Marnix 28
B-1000 Brussels
Belgium
Access to information and data rectification
You have the right to ask for a copy of the information Airbus Brussels has about you. Furthermore, you have, at any time, the right to access, modify, correct and remove your data collected in our database. You can request this by contacting Airbus Brussels by email: Airbus-Brussels-Office@airbus.com or in writing at:
Airbus Brussels
Avenue Marnix 28
B-1000 Brussels
Belgium
What personal data does Airbus Brussels process?
EUCSHighPlus.EU only collects the personal data needed to carry out a service requested by you (or by a third party).
When and why does Airbus Brussels process personal data?
Airbus Brussels only processes these data in certain situations:
- If you have explicitly given your permission to do so;
- Or, if it is necessary to process the data in order to provide a service you have requested (e.g. your address to send a publication);
- Or, if we are legally obliged to process the data.
How does Airbus Brussels treat personal data?
Data about persons who are minors and sensitive personal data are always treated as confidential and never made public. Your data is only used for the service you have requested (unless the conditions described in the paragraph above are met) and we never pass on contact details to third parties for commercial purposes.
How long does Airbus Brussels keep personal data?
If you submit an application form we will keep your data for the time needed to provide the service you have requested. Airbus Brussels may also decide to collect some data in an aggregated form, over a longer period of time, in order to evaluate and make adjustments to its own activities (e.g. website visitors).
Does Airbus Brussels keep my personal data safe?
Your data is processed in a way that is safe. We therefore use various security technologies and measures to protect your data from unauthorized access, use, loss or publication. These technologies and measures are tested on a regular basis and updated if necessary.
What can I do about my own personal data?
If you want to update any of your contact details, you can do so by emailing Airbus-Brussels-Office@airbus.com. You have the right to be ‘forgotten’. To request this, please contact Airbus-Brussels-Office@airbus.com. If you consider that your data have been handled incorrectly, you can submit a complaint to the Privacy Commission.
Contact us
The controller of your personal data, under applicable data privacy legislation and in regard to the processing of personal information, is:
Airbus Brussels
Avenue Marnix 28
B-1000 Brussels
Belgium
Email: Airbus-Brussels-Office@airbus.com
If you have questions about our privacy practices, you may contact us at the above address or by emailing Airbus-Brussels-Office@airbus.com
Airbus Brussels uses secure data networks that are protected by password protection systems.
Airbus Brussels' security and privacy policies will be periodically reviewed and enhanced as necessary. Only authorised individuals have access to the information provided by our contacts.
Our databases are located in the European Union.
How to withdraw consent to be emailed or unsubscribe from receiving emails:
If you wish to stop receiving emails from Airbus Brussels, you may do so by clicking the ‘unsubscribe’ link at the bottom of any email. Alternatively, please email us at: Airbus-Brussels-Office@airbus.com or write to us at:
Airbus Brussels
Avenue Marnix 28
B-1000 Brussels
Belgium
Access to information and data rectification
You have the right to ask for a copy of the information Airbus Brussels has about you. Furthermore, you have, at any time, the right to access, modify, correct and remove your data collected in our database. You can request this by contacting Airbus Brussels by email: Airbus-Brussels-Office@airbus.com or in writing at:
Airbus Brussels
Avenue Marnix 28
B-1000 Brussels
Belgium
What personal data does Airbus Brussels process?
EUCSHighPlus.EU only collects the personal data needed to carry out a service requested by you (or by a third party).
When and why does Airbus Brussels process personal data?
Airbus Brussels only processes these data in certain situations:
- If you have explicitly given your permission to do so;
- Or, if it is necessary to process the data in order to provide a service you have requested (e.g. your address to send a publication);
- Or, if we are legally obliged to process the data.
How does Airbus Brussels treat personal data?
Data about persons who are minors and sensitive personal data are always treated as confidential and never made public. Your data is only used for the service you have requested (unless the conditions described in the paragraph above are met) and we never pass on contact details to third parties for commercial purposes.
How long does Airbus Brussels keep personal data?
If you submit an application form we will keep your data for the time needed to provide the service you have requested. Airbus Brussels may also decide to collect some data in an aggregated form, over a longer period of time, in order to evaluate and make adjustments to its own activities (e.g. website visitors).
Does Airbus Brussels keep my personal data safe?
Your data is processed in a way that is safe. We therefore use various security technologies and measures to protect your data from unauthorized access, use, loss or publication. These technologies and measures are tested on a regular basis and updated if necessary.
What can I do about my own personal data?
If you want to update any of your contact details, you can do so by emailing Airbus-Brussels-Office@airbus.com. You have the right to be ‘forgotten’. To request this, please contact Airbus-Brussels-Office@airbus.com. If you consider that your data have been handled incorrectly, you can submit a complaint to the Privacy Commission.
Contact us
The controller of your personal data, under applicable data privacy legislation and in regard to the processing of personal information, is:
Airbus Brussels
Avenue Marnix 28
B-1000 Brussels
Belgium
Email: Airbus-Brussels-Office@airbus.com
If you have questions about our privacy practices, you may contact us at the above address or by emailing Airbus-Brussels-Office@airbus.com