Last week we saw yet another delay to the adoption of the European Agency for Cybersecurity's European Cybersecurity Certification Scheme for Cloud Services. According to ENISA, the EUCS cloud certification scheme aims to ensure consistent standards and introduce specific security requirements to offer safer cloud services and boost innovation.

It has been the subject of intense debate for years because of the possible inclusion of sovereignty requirements, pushed first and foremost by France. At a high level, such provisions would require a company to be headquartered in the EU to store European data within the EU and to strictly limit access to that data in order to qualify for the highest cybersecurity assurance level label.

The scheme underwent various changes to its initial version, in the works since 2020. Some draft sovereignty provisions were scrapped in the most recent version. While non-EU cloud service providers were eager to see this latest version adopted, the feeling was not shared by prominent European operators.

In a 10 April letter, Deutsche Telekom, OVHcloud, Airbus and other European companies highlighted the sovereignty requirements are necessary "to overcome market fragmentation, protect European organizations' most sensitive data, and encourage the development of sovereign cloud solutions in Europe." The companies believe the absence of such requirements would also be incompatible with the Data Act and initiatives like Gaia-X.

The letter further explains that introducing sovereignty requirements would not excessively restrict market access, as this scheme is voluntary and such requirements would only apply to the highest assurance level, noting the requirements still appear especially important in the context of the U.S. CLOUD Act.

Parliament is now expected to vote in May, since France also questioned the changes in the latest EUCS draft. It noted that the suggested removal of the sovereignty requirements from the EU-wide certification scheme while allowing for such criteria at a national level would result in divergence across member states.

EDPB approves strategy for 2024-2027

The European Data Protection Board approved its organizational strategy for 2024-2027, the first released under Chair Anu Talus. The EDPB will prioritize three objectives: enhancing cooperation among data protection authorities; the interplay between the EU digital package laws and data protection rules, whether in the commercial or law enforcement space; and promoting high legal standards and cooperation among DPAs and other (nonprivacy) regulators globally. The strategy is structured around four pillars and key actions and anticipates several upcoming guidelines.

Under Pillar 1, "Enhancing harmonization and promoting compliance," the EDPB intends to issue guidance on the application of the EU General Data Protection Regulation to vulnerable groups, for example, children, as well as guidance on legitimate interest and the development and implementation of codes of conduct and certification tools.

Under Pillar 2, "Reinforcing a common enforcement culture and effective cooperation," the EDPB will identify strategic cases to prioritize cross-border cooperation, commit to the "smooth functioning of the One Stop Shop," deliver opinions or binding decisions that provide "clear and robust responses," and prepare for upcoming procedural harmonization legislative changes.

Pillar 3 focuses on "Safeguarding data protection in the developing digital and cross-regulatory landscape." It announces forthcoming guidance on the interplay between the application of the GDPR and the EU Artificial Intelligence Act, the Data Act and others, which are not specified but could include the Data Governance Act, Digital Services Act, Digital Markets Act, and the newly adopted European Health Data Space. It also covers upcoming guidance on data protection and new technologies, like AI and digital identity, and an objective to secure cooperation with other regulatory authorities on matters impacting data protection.

Lastly, Pillar 4 focuses on "Contributing to the global dialogue on data protection" through information exchange with EU and European Economic Area DPAs, participation in the global dialogue on data transfers, access to personal data by public authorities and emerging technologies, cooperation between EDPB members and non-EU DPAs, continuing to work on the GDPR and the Law Enforcement Directive data transfer mechanisms, and providing further guidance on practical implementation of data transfer tools.

The EDPB will now develop two work programs to detail implementation.

Parliament adopts the EHDS

In the final stretch before the electoral break, the European Parliament adopted the European Health Data Space, with 445 votes in favor, 142 against and 39 abstentions. The European Commission published a Q&A on the EHDS, presenting it as a "health-specific data sharing framework establishing clear rules, common standards and practices, digital infrastructures and a governance framework for the use of electronic health data by patients and for research, innovation, policy making, patient safety, statistics or regulatory purposes." Its implementation could be tricky, though, as some provisions pertaining to secondary use of health data are particularly thorny.

DSA enforcement ramps up

The European Board for Digital Services held its third meeting, as DSA enforcement is ramping up. The board was established under the DSA to ensure its proper and consistent application.

Its first meeting took place 19 Feb., just two days after the DSA became fully applicable. At the time, the Commission met with some of the Digital Service Coordinators — as not all member states had designated them yet despite a February deadline — to discuss their roles in the DSA's enforcement, the importance of cooperation, DSA election guidelines, the interplay between the DSA and the AI Act, as well as proceedings the Commission opened against TikTok that day.

The board met again on 15 March, one day after several enforcement actions under the DSA were launched, and discussed the draft Implementing Act on Transparency Reporting, the upcoming draft Delegated Act on Data Access for Research and the conversion of codes of practice into codes of conduct under Article 45.

The third meeting came several days after additional obligations started applying to adult entertainment platforms designated as very large online platforms and just a few days after the launch of the Commission's newest investigations on certain TikTok Lite functions, which have since been voluntarily suspended in Europe. While the meeting's agenda was not publicly available in advance, it is clear the Commission takes DSA compliance and enforcement seriously. The board is meeting regularly, and it is almost difficult to keep track of all the ongoing investigations happening just a bit over two months since the DSA became fully applicable to all platforms.