The development of the cloud business in Europe has become a source of international tension. At the heart of the issue is a project by ENISA (European Union Agency for Cybersecurity) to establish a European certification system to ensure the security of cloud services operating within the EU’s borders.

According to Reuters, which has seen the document, the proposed regulation aims to govern the conditions under which governments and companies in the EU can access a Cloud Service Provider (CSP).

This regulatory proposal includes some binding measures that are causing significant concern outside the old continent. Notably, it stipulates that “the CSP’s headquarters and global headquarters will be established in an EU Member State,” and that “cloud services should be operated and maintained from the EU, with all customer data of cloud services stored and processed in the EU, with EU law taking precedence over non-European laws, including those of countries with extraterritorial measures,” according to the news agency.

This perspective is deeply worrying for the three American leaders in the sector and around ten other professional associations.

“These requirements appear to be designed to ensure that non-European providers cannot access the EU market on an equal footing, thereby preventing European industries and governments from fully benefiting from the offerings of these global providers,” they expressed in a joint statement.

Measures to develop a European cloud.

They also vaguely threatened coercive measures in the event of such measures being adopted. “If other countries were to pursue similar policies, European cloud providers might see their own opportunities in non-European markets diminish,” they said, while questioning compliance with texts such as the General Agreement on Trade in Services of the World Trade Organization and the Agreement on Government Procurement of the EU.

However, ENISA has refused to comment on what would still be a draft document.

“Discussions are ongoing to achieve a balanced approach, and no decision has been made yet. The scheme should fully comply with EU law, as well as the EU’s international commitments, including trade,” a spokesman for the European executive told Reuters.

ENISA, however, mentions a certification system that would allow CSPs to act at three levels of criticality.

“The highest level is intended to apply only to a small set of use cases requiring the highest level of security (e.g., highly critical government and infrastructure applications), for which a certain degree of independence from non-European laws will be required. Not all cloud services will be subject to this,” explains the European agency.

*The signatories are: The App Association (ACT); American Chamber of Commerce to the European Union (AmCham EU); Coalition of Services Industries (CSI); Computer & Communications Industry Association (CCIA Europe); Internet and Competitive Networks Association (INCOMPAS); Information Technology Industry Council (ITI); Japan Association of New Economy (JANE); Latin American Internet Association (ALAI); National Foreign Trade Council (NFTC); Software & Information Industry Association (SIIA); techUK; U.S. Chamber of Commerce; United States Council for International Business (USCIB). Amazon, Microsoft, and Google,