EU Council rejects French request for clarification on cybersecurity certification

France’s inquiry, sent in mid-April, has stalled the progress towards a deal among national governments on the certification scheme, which is being drafted by the EU cyber agency ENISA.

The EUCS aims to enable companies to demonstrate that certified ICT solutions meet the required level of cybersecurity protection for the EU market. However, France sought clarity on how the adoption of EUCS would impact national schemes, citing its own domestic security qualification, SecNumCloud, developed by the French National Cybersecurity Agency (ANSSI).

The Council spokesperson clarified that the expert group working on the certification scheme falls under the jurisdiction of the European Commission and is not a Council preparatory body. Therefore, the Council’s legal department cannot provide an opinion on the legislation.

Discussions on the voluntary certification for cloud services have been ongoing for three years since the European Commission tasked ENISA with preparing the scheme in 2019. The latest attempt to reach a consensus failed despite ENISA’s new draft text, which omitted sovereignty requirements that had caused deadlock in negotiations.

France had previously advocated for sovereignty requirements to exclude non-EU cloud companies from accessing the highest security options, but this proposal faced opposition from other EU countries and industry stakeholders who viewed it as protectionist.

The delay in reaching a deal could push the approval of EUCS to an informal expert group meeting in May or June, or during a scheduled formal meeting in June. In the meantime, EU companies, including Airbus, Orange, and Deutsche Telekom, have urged EU member states to reconsider including sovereignty requirements in the proposal.