"Sovereignty is here to stay." European Union Agency for Cybersecurity Head of Unit, Market Certification and Standardization Andreas Mitrakas made that statement during the recent European Sovereign Cloud Day conference, noting that, together with the European Commission, the agency may pursue measures beyond certification, such as procurement rules and the Digital Europe funding program, to ensure a sovereign cloud option in the European market.

The EU Cloud Certification Scheme, drafted in 2021, prompted divisive discussions among EU member states for years over whether to insert data localization measures among other sovereignty requirements. Such provisions no longer appear in the most recent draft as it awaits the European Cybersecurity Certification Group's opinion and proceeds further through the European Commission's comitology process to become law.

In his published report on European competitiveness, former Italian prime minister and European Central Bank President Mario Draghi highlighted that "the EU should ensure that it has a competitive domestic industry that can meet the demand for 'sovereign cloud' solutions." Draghi recommends "adopting EU-wide data security policies for collaboration between EU and non-EU cloud providers, allowing access to US hyperscalers' latest cloud technologies while preserving encryption, security and ring-fenced services for trusted EU providers. At the same time, the EU should legislate mandatory standards for public sector procurement, thereby levelling the playing field for EU companies against larger non-EU players."

The European Commission has two official targets for the cloud market in Europe: to reach 75% cloud adoption by European businesses — the current average is around 45%, though certain regions, such as the Nordics, are already close to 75% — and to deploy 10,000 climate-neutral highly secure edge nodes across Europe by 2030.

The Data Strategy will play an important role in this. The Data Act sets rules to remove barriers to cloud switching and contains provisions on unlawful access to data and standard contractual clauses to address the potential imbalance between client and cloud service provider.

Elsewhere:

  • The IAPP's Call for Volunteers is open until 4 Oct. to recruit advisory board members, KnowledgeNet Chapter chairs and Young Privacy Professionals.
  • Commission President Ursula von der Leyen discussed the suggested structure and portfolios of the College of Commissioners with European Parliament President Roberta Metsola and political group leaders.
  • The European Data Protection Board announced it will work with the Commission to develop guidance on the interplay between the EU General Data Protection Regulation and the Digital Markets Act, focusing on DMA obligations to digital gatekeepers that present a strong interplay with the GDPR.

To take up portfolios that will be of critical importance for the future development of the EU's digital policy, von der Leyen nominated Henna Virkkunen as executive vice-president for tech sovereignty, security and democracy, Michael McGrath as commissioner for democracy, justice and the rule of law and Stéphane Séjourné as the executive vice-president for prosperity and industrial strategy. This meeting paves the way for opening the evaluation process, including the confirmation hearings through October or early November.

Depending on when the process concludes, the new Commission may take office with some delay, possibly on 1 Dec.

"Developing a coherent interpretation of the DMA and GDPR while respecting each regulator's competences in areas where the GDPR applies and is referenced in the DMA is crucial to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives," the Board said in its statement.

The Directorate General for Competition, in charge of DMA compliance, has portrayed the DMA as a "remedy and not as a sanction," and as a tool providing a possibility for the Commission to impose structural remedies on gatekeepers in case of noncompliance.

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.