Europe’s Cloud Security Regime Should Focus on Technology, Not Nationality

NIGEL CORY | MARCH 2023

The EU’s new cloud cybersecurity regime should focus on good security practices, as the U.S. FedRAMP regime does. Emulating China’s protectionist focus on firm nationality is a bad security practice that weakens transatlantic influence over cybersecurity issues globally.

KEY TAKEAWAYS

• Like China, some European Union (EU) countries want to misuse cloud cybersecurity rules for the protectionist purpose of replacing leading U.S. cloud firms such as AWS and Google with local champions.
• The proposed European Cybersecurity Certification Scheme for Cloud Services (EUCS) follows China’s approach of making local firm ownership and control the defining factors in ascertaining whether a cloud service provider can be trusted.
• The EUCS differs from the U.S. Federal Risk and Authorization Management Program (FedRAMP) in several respects: It focuses on firm ownership, uses closed and politicized technical standards, and assesses services for the private sector, not just government.
• Protectionist proponents of the EUCS (namely France) want it all: local cloud firms, not American ones, but with all the cybersecurity assistance they can get from the U.S. government and the same U.S. cloud firms they want to exclude from their markets.
• A protectionist EUCS would undermine transatlantic digital trade by making the new Transatlantic Data Privacy Framework irrelevant, since U.S. firms would be precluded from managing a considerable amount of EU data, never mind transferring it overseas.
• The EU and its member states should remove the protectionist restrictions from the EUCS, focus on the actual technicalities of cybersecurity, and work with the United States on global cybersecurity issues through the EU-U.S. Trade and Technology Council.

CONTENTS

Key Takeaways 1
Introduction 3
Stopping Data Flows and Cloud Market Access Undermines European, Transatlantic, and Global Cybersecurity 5
Explaining the U.S. FedRAMP System for Cloud Cybersecurity 6
How America’s FedRAMP Differs From Europe’s “Sovereignty”-Based Approach to Cybersecurity 8
FedRAMP Is Open to Firms From Around the World 8
FedRAMP Focuses on Cybersecurity Practices, Not Firm Structure and Ownership 8
Data Localization Is a Misguided but Thankfully Minor Part of FedRAMP, Yet It Is Central to SecNumCloud and the EUCS Proposal 9
FedRAMP Is Only Used by Federal Government Agencies and Does Not Impact U.S. Critical Infrastructure or the Broader Commercial Cloud Market 9
NIST Cybersecurity Standards Are Open, Transparent, and Technically Focused—ENISA and EUCS Processes and Standards Are Not 10
Recommendations 11
Use Standards “Crosswalks” to Build Transatlantic Cybersecurity Cooperation 12
Negotiate a Transatlantic Agreement on Law Enforcement Access to Data 13
Allow the Mutual Recognition of U.S./EU Cybersecurity Certification and Auditing Programs 14
Conclusion 14
Endnotes 15

INFORMATION TECHNOLOGY & INNOVATION FOUNDATION | MARCH 2022 PAGE 2

INTRODUCTION

Like China, some European Union (EU) countries want to misuse cloud cybersecurity rules to replace leading U.S. cloud firms such as AWS, Google, and Microsoft with local ones—in other words, enacting digital protectionism.1

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is the vehicle by which the EU wants to sneak this protectionist scheme into operation. At first glance, the EUCS is similar to what the U.S. Federal Risk and Authorization Management Program (FedRAMP) does for the U.S. federal government: provides a harmonized approach to cloud cybersecurity certifications to both ensure a better overall level of protection and reduce the cost and complexity for firms and government agencies contracting cloud services. However, unlike FedRAMP, the EUCS follows China’s approach in making local firm ownership and control—rather than the use of best-in-class cybersecurity practices—the defining factors in ascertaining whether a cloud service provider can be deemed “trusted” and allowed to operate in the local market. This would have a major impact on transatlantic digital trade. By excluding U.S. cloud firms, the EUCS would make the new Transatlantic Data Privacy Framework (TDPF) irrelevant, as U.S. firms would be precluded from managing a considerable amount of data in the EU, never mind transfer it overseas—while abiding with the EU’s General Data Protection Regulation (GDPR). The EU and its member states should remove these protectionist restrictions, focus on the actual technicalities of cybersecurity, and work with the United States on global cybersecurity issues at the EU-U.S. Trade and Technology Council (TTC). If they do not, the Biden administration should retaliate.

Perhaps not surprisingly, France is leading the push to use the EUCS for digital protectionism. This follows French efforts to replace American tech firms with local ones in search engines, online short-term housing rentals, and cloud services.2 The EUCS is based on sovereignty requirements included in France’s national “SecNumCloud” cybersecurity regime, which incorporates foreign ownership and management restrictions, forced local data storage requirements for personal and nonpersonal data, and local staff requirements. Two earlier reports from the Information Technology and Innovation Foundation (ITIF) analyze these provisions, explaining how they breach French and EU trade law commitments under the World Trade Organization’s (WTO’s) Government Procurement Agreement and the General Agreement on Trade in Services.3

In forcing foreign firms to set up minority-owned joint ventures to be deemed “trusted,” the EUCS proposal unfortunately copies China’s approach.4

U.S. FedRAMP differs from the EUCS in three key ways: FedRAMP focuses on cybersecurity technicalities, not firm ownership; FedRAMP is only used by the federal government, while the EUCS may be used more broadly in the economy; and FedRAMP is based on open and transparent standards, while the EUCS is not.

Ultimately, France wants it all and has the gall to push for it: It wants local cloud firms, not American ones, plus all the cybersecurity assistance it can get from the U.S. government and those same U.S. cloud firms. French policymakers use the hypothetical risk that U.S. law enforcement agencies have extraterritorial access to data under U.S. law (namely, the Clarifying Lawful Overseas Use of Data Act or CLOUD Act) to target U.S. cloud firms.5 Even Guillaume Poupard, the outgoing director of France's cybersecurity agency, admitted that a 100 percent French "sovereign" cloud is unrealistic.6 After years of leading the attack against U.S. cloud providers, Poupard recently told the French Senate that French customers will need to continue to rely on partnerships with U.S. providers.7 Yet, this won’t stop France’s ongoing effort to attack U.S. tech firms. However, it should hopefully give pause to other EU policymakers about the cybersecurity, trade, and economic risks of blindly following France’s lead.

In contrast, European policymakers should follow America’s FedRAMP lead in implementing the EUCS. FedRAMP differs from SecNumCloud and EUCS sovereignty requirements in three key ways. First, FedRAMP focuses on the technicalities of cloud cybersecurity and not the ownership of a firm; many foreign firms are certified under FedRAMP. Second, FedRAMP only applies to the cloud services used by U.S. federal government agencies, not the broader market.8 SecNumCloud and the EUCS could potentially apply to a broad part of the EU economy. Third, the U.S. National Institute of Standards and Technology (NIST) sets the technical cybersecurity standards used by FedRAMP in an open and transparent manner, unlike the closed and politicized approach taken by the European Union Agency for Cybersecurity (ENISA) in developing the standards for the EUCS. Some European officials have justified EUCS sovereignty requirements, in part because they mistakenly think they are like provisions in FedRAMP—which is false.

This briefing details these differences and provides ideas for a constructive transatlantic agenda on cybersecurity. It explains what FedRAMP is—and, most importantly, isn’t—in comparison with SecNumCloud, and how it’s critically important that Europe remove the restrictive and misguided sovereignty requirements in the EUCS proposal. The report then outlines a constructive agenda for transatlantic cooperation on cybersecurity. A summary of the recommendations:

• France, Germany, Italy, and their other EU member states should remove the sovereignty provisions in their SecNumCloud-inspired proposal for the EUCS (and in France’s own SecNumCloud). The United States should ramp up engagement with Germany and the European Commission at TTC to ensure this happens.
• If Europe fails to remove these restrictions, the United States should reevaluate cybersecurity cooperation and information sharing with the EU and its member states and develop and initiate retaliatory measures.
• The EU and United States should use TTC to improve cybersecurity cooperation via standards “crosswalks” to identify commonalities, differences, and potential future work to ensure compatibility in the development and use of cybersecurity standards in their respective systems.
• The United States and EU should provide high-level attention and support to newly restarted efforts on an e-evidence/CLOUD Act agreement, just as they did with the forthcoming TDPF.
• The United States and EU should work toward the mutual recognition of U.S./EU cybersecurity certification and auditing programs.

STOPPING DATA FLOWS AND CLOUD MARKET ACCESS UNDERMINES EUROPEAN, TRANSATLANTIC, AND GLOBAL CYBERSECURITY

Cybersecurity constitutes a growing part of foreign, trade, and national security policy. However, if leading U.S. cloud providers are not “trusted” in Europe, they can’t share information and take coordinated action as part of the public-private collaboration needed to combat global cybersecurity incidents.9

The public-private collaboration and information sharing at the heart of international cooperation are getting harder, with growing market access barriers and data transfer restrictions around the world.10 Government cybersecurity agencies already find it challenging to have collaborative—and not confrontational—relationships with cloud firms.11 Public-private cybersecurity information sharing can be difficult in many countries, as firms need legal protections for the confidentiality of the information they share (given potential legal and regulatory implications). Adding data localization and local control and ownership barriers would make public-private collaboration even more difficult, if not impossible.12 For example, in the first systemic analysis of data localization’s impact on cybersecurity, Peter Swire and DeBrae Kennedy-Mayo have shown how it seriously undermines good cybersecurity.13 Localization prevents the sharing of cybersecurity-related information. It also undermines 13 of the 14 controls in one of the main international standards for information and cybersecurity (ISO/IEC 27002).14 Localization also prevents local organizations from accessing best-in-class cybersecurity services.

U.S. cloud firms need market access, and seamless data flows, to both share information and take preventative and remedial action in the event of cyberattacks. They also need to transfer data to learn from their global operations to better detect and respond to cyber threats in Europe. Under the EUCS, cloud providers would no longer be able to seamlessly map global threat patterns against domestic ones or trace signs of malicious activity from global networks onto domestic ones.

If Europe does not trust U.S. cloud firms at home, how can the EU and United States make the case to governments in third-country markets to trust them as part of new transatlantic efforts to support their firms in building digital infrastructure in developing countries?

For example, in 2022, Google Cloud and other cloud firms defended themselves and their customers from the largest distributed denial-of-service attack on record—at 46 million requests per second—in part because they were able to identify it early on, as there were anomalous spikes in activity from IP addresses in four countries simultaneously: Brazil, India, Indonesia, and Russia.15

If Google and other global cloud providers lose the ability to collect and share security telemetry from around the world, it’s going to be far more challenging to respond to cyber threats and attacks in Europe and elsewhere around the world.

Sovereignty requirements would also make it harder, if not impossible, for U.S. firms to take preventative action to protect European customers and cybersecurity agencies in the run-up to a cyberattack. It would also be harder for cloud providers to ensure all service vulnerabilities are patched if their IT infrastructure is fragmented or disconnected from the global cloud. Joint incident analysis between government agencies and firms would also be harder, if not impossible, if U.S. and other foreign firms were excluded from Europe’s market.

European cloud sovereignty requirements would preclude transatlantic and global cybersecurity cooperation before it even starts. In 2022, the United States and Europe launched their first joint effort to fund their firms in building secure critical and digital infrastructure in developing countries (as an alternative to Chinese firms).16 However, it’s hard to see how this could continue if Europe enacts sovereignty requirements. If Europe does not trust U.S. cloud firms at home, how can they make the case to governments in third-country markets to trust them?

EXPLAINING THE U.S. FEDRAMP SYSTEM FOR CLOUD CYBERSECURITY

The U.S. FedRAMP program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by U.S. federal government agencies.17

As ITIF argued in “Reforming FedRAMP: A Guide to Improving the Federal Procurement and Risk Management of Cloud Services,” the time and cost of getting FedRAMP certified could be improved.18 However, overall, it provides a common, high level of cloud cybersecurity protection instead of each agency designing its own cloud cybersecurity specifications for contracts.

FedRAMP is specifically tailored to risk. It specifies controls according to three impact levels: low, medium, and high.19

NIST sets the technical requirements for each level.20 The higher the impact level, the more baseline controls required: 123 controls for low-impact systems, 325 for moderate-impact systems, and 421 for high-impact systems. Low-impact risks include data intended for public use, so any loss of data wouldn’t compromise an agency’s mission, safety, finances, or reputation. Moderate-impact risks include data that’s not available to the public, such as personally identifiable information, such that a breach can have a serious impact on an agency’s operations. Most U.S. federal government agencies operate at this moderate-impact level (in 2017, nearly 80 percent of FedRAMP applications were for this level) given their use of “controlled, unclassified information.”21 High-impact risks include sensitive (but unclassified) federal information, such as law enforcement, emergency services, and health care data, so breaches to government systems containing this data would be highly damaging. In 2017, the Department of Defense (DOD) accounted for 33 percent of high-baseline use in the U.S. government, followed by the departments of Veterans Affairs (16 percent), Homeland Security (13 percent), and Justice (10 percent).22

FedRAMP assessments are focused on specific cloud services. FedRAMP does not assess and authorize firms overall, but rather their “cloud service offering” (CSO) at specific impact levels. Each CSO goes through several assessments before approval.23 Each CSO Readiness Assessment Report (RAR) is assessed within an “authorization boundary,” which is essentially a review of the internal services, components, and other devices along with connections to external services and systems.24 If needed, the RAR will detail what changes the firm will need to make (and be confirmed) before its CSO is considered ready. FedRAMP certification is not a one-and-done assessment.25 Once a CSO is in the FedRAMP marketplace, it will need to go through annual assessments. Also, monthly monitoring details need to be submitted to the Joint Authorization Board (JAB), which is the decision-making body for FedRAMP.26 For example, for moderate-/high-impact services, cloud service providers must mitigate all discovered high-risk vulnerabilities within 30 days, mitigate moderate-vulnerability risks in 90 days, and mitigate low-vulnerability risks in 180 days.

FedRAMP uses expert third-party assessment organizations (PAOs) to assess CSOs. PAOs include specialist IT compliance, auditing, and advisory firms such as A-Lign, Schellman, Fortreum, Kratos, Lunarline, and dozens of others.27 PAOs themselves must meet FedRAMP-specific requirements and international best practices, such as the standard ISO/IEC 17020 on requirements for bodies performing conformity assessments.28 PAOs assess a CSO’s ability to maintain a clearly defined system boundary, ability to describe intra- and inter-system dynamics, user and sensitive metadata flow, risks associated with interconnections used to transmit federal or sensitive data, and risks associated with the use of external systems and services that are not FedRAMP authorized, among other issues.

FedRAMP is tailored to risk, using three impact levels: low, medium, and high. In 2017, nearly 80 percent of FedRAMP applications were for the moderate level, given government agencies’ use of “controlled, unclassified information.”

NIST maintains and updates the guidelines and technical standards at the heart of FedRAMP’s assessment framework, especially NIST’s “special publications” on system controls and risk management. The current standard is NIST’s “Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations” series. Within this “800 series” publication are guidelines on many specific issues.29

NIST continuously updates its guidelines, and then periodically (every five or so years) does a full review and update. For example, NIST is currently revising guidelines as part of its “Revision 5” within an open and transparent process, with opportunities for industry and government feedback, to ensure it accurately reflects best practices.30

Data localization is a very small and narrowly tailored part of FedRAMP. FedRAMP does not include misguided data localization requirements, but individual U.S. government agencies can require it as part of a CSO. Only FedRAMP’s high-impact services include the option for agencies to require data localization.31 Only in 2020 did FedRAMP’s JAB add data localization as an optional requirement for a FedRAMP high-impact rating to create reciprocity between FedRAMP and DOD’s Security Requirements Guide (SRG)—which is DOD’s own process for authorizing cloud providers. DOD SRG impact level 4 is very similar to FedRAMP high, except that the former contains a data localization requirement. JAB and the Defense Information Systems Agency negotiated this compromise so that in exchange for JAB adding a data localization option to FedRAMP high, DOD would grant reciprocal authorization at impact level 4 to any CSO authorized at FedRAMP high.

HOW AMERICA’S FEDRAMP DIFFERS FROM EUROPE’S “SOVEREIGNTY”-BASED APPROACH TO CYBERSECURITY

The following sections detail how the U.S. FedRAMP program is fundamentally different from France’s SecNumCloud and the EUCS proposal.

FedRAMP Is Open to Firms From Around the World

FedRAMP is open to U.S. and foreign firms (see figure 1). Cloud firms from any country can apply for FedRAMP accreditation; there are no nationality or ownership restrictions. As of November 2022, of the 285 FedRAMP-authorized service offerings and the 78 undergoing review, (at least) 20 companies were either headquartered abroad or U.S. subsidiaries of foreign firms (e.g., Siemens Government Technologies Inc.) that are either FedRAMP authorized or pending authorization. These include Accenture (Ireland), Acendre (Australia), Blackberry (Canada), Canon (Japan), Collabware (Canada), Deloitte (United Kingdom), Enel X (Italy), Evidence Prime (Canada), Ex Libris (Israel), Geotab (Canada), Hootsuite (Canada), Huddle (United Kingdom), Ipsos (France), Itamar Medical (Israel), Micro Focus (United Kingdom), Pexip (Norway), SAP (Germany), Siemens (Germany), Thomson Reuters (Canada), and Wolters Kluwer (Netherlands). Accreditation levels vary; however, Accenture, Collabware, and Siemens, for example, are all authorized at FedRAMP high.

Figure 1: Countries with firms in the process of receiving FedRAMP accreditation

FedRAMP Focuses on Cybersecurity Practices, Not Firm Structure and Ownership

FedRAMP is focused on developing and auditing firms’ use of best-in-class cybersecurity practices, not the ownership or control of firms. The best analog for FedRAMP in Europe is Germany's C5 Standard, which is also a purely technical cybersecurity certification regime.32

In contrast, many SecNumCloud requirements relate to legal aspects, organizational structure, and investment and ownership—considerations that are unrelated to technical-based certification of cloud services or improving cybersecurity.

Data Localization Is a Misguided but Thankfully Minor Part of FedRAMP, Yet It Is Central to SecNumCloud and the EUCS Proposal

Whether it’s in China, France, or the United States, data localization is a misguided policy—even in the case of government data and services. Localization does not improve data privacy or security.33 For example, the hack of the U.S. Office of Management and Budget—one of the most notorious hacks, given the U.S. government data involved—occurred against data services on-premises in U.S. government agencies.34 Localization’s use in FedRAMP as part of contracts with specific U.S. federal government agencies means it’s very narrowly applied. Its use does not impact the broader, and much larger, commercial U.S. cloud services market.

Data localization is bad for cybersecurity, regardless of whether it involves commercial or government data.

The United States’ limited use of localization is like Canada’s public cloud market, which is also open to foreign firms and products and requires limited local storage for sensitive and classified data (at rest) in Canada. However, Canada still allows data to move (i.e., data in transit), as it recognizes that certain cloud services can be run outside Canada.35 Both the U.S.’s and Canada’s narrow conceptualization and application of localization for sensitive government data and services is far preferred over the broad, vague national security concerns China, France, and others in Europe assert as a rationale for digital protectionism.

FedRAMP Is Only Used by Federal Government Agencies and Does Not Impact U.S. Critical Infrastructure or the Broader Commercial Cloud Market

FedRAMP is a cloud cybersecurity framework specifically for cloud providers that store or process data for the U.S. federal government. It is not required for the broader array of sectors and firms deemed part of critical infrastructure (as in SecNumCloud).36 The U.S. government’s procurement market for cloud services is small relative to the rest of the economy. In comparison, SecNumCloud and EUCS sovereignty requirements could effectively preclude foreign cloud firms from providing services to government agencies and/or competing across a broad swath of the commercial economy. For example, in France, it applies to firms providing services to the government as well as to 600-plus firms that operate “vital” and “essential” services. As Ireland, Sweden, and the Netherlands detailed in a letter outlining their concerns about SecNumCloud, it exerts broad commercial and trade implications.

The EUCS is a work in progress, so its scope is still in flux, but there are several highly problematic proposals under consideration that would substantially expand its scope beyond high-impact workloads affecting classified information and national security to moderate/substantial or low/basic use cases (depending on the tier terminology the EUCS adopts). This would be in addition to covering critical infrastructure, which is a broad part of the economy, including financial services, energy, transportation, utilities, telecommunications, and other sectors. Alternatively, in the best-case scenario, there is also a proposal to narrow the scope of EUCS so that it is narrower than FedRAMP, applying only to national security or classified workloads.

The EUCS could have a broad impact on the EU’s digital economy. Even if it only applies to sensitive and high-impact areas, it’s expected that all providers would strive for this high certification because cloud services are usually just one part of a broader ecosystem of providers for government agencies and firms serving vital infrastructure and related sectors. In this way, it will essentially become mandatory to be certified at the highest level.37 The EUCS’s broad application would also become mandatory in many sectors if it is connected to relevant EU legislation, such as the Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA, which is focused on ICT security for financial firms). Moreover, EUCS sovereignty requirements could conflict with those rules. For example, the Association for Financial Markets in Europe (AFME) poi
