by Theophane Hartmann
The recent announcement of “a new, independent cloud for Europe” by Amazon Web Services (AWS) has underlined the growing divergence between the positions of Paris and Berlin regarding digital sovereignty in the cloud sector.
The move by AWS last week came as part of an overall trend whereby American hyperscalers – a term used to describe cloud service providers with massive operations – seek to address the concerns of EU countries looking to keep their data within Europe’s borders.
Past examples include leading market players like Microsoft, which announced its Microsoft Cloud for Sovereignty offer in July 2022, and Oracle, which launched its EU Sovereign Cloud offer last June.
“What worries me the most is that the German Federal Office for Information Security (BSI) has endorsed the AWS European Sovereign Cloud,” French centrist MP Philippe Latombe told Euractiv, explaining he fears that “the Germans start exerting pressure” against France’s highest cloud security certification, called SecNumCloud.
AWS was in fact the first cloud service provider to receive the BSI’s C5 testate, a German cloud security certification, based on the same international standard as SecNumCloud.
BSI’s Director General Claudia Plattner said in a statement that she was “very pleased to constructively accompany the local development of an AWS cloud, which will also contribute to European sovereignty in terms of security”.
What is a secure cloud?
According to Arnaud David, Director of European Affairs at AWS, the company has put in place technical building blocks, including safeguards, controls and security features that allow customers to enforce access restrictions so that nobody, including from AWS, can access customer data.
He further explained that AWS cannot access customer data unless the access is given by its customers and that AWS provides its customers with encryption tools. Moreover, only EU-resident AWS employees located in the EU will control operations of the AWS European sovereign cloud.
Conflicts of law
For MP Latombe, “AWS cloud cannot be sovereign because it is subject to the US FISA and Cloud Act,” legislations mandating US companies, US citizens or foreign subsidiaries on US soil to cooperate with the US security agencies.
According to AWS’s David, “if AWS is requested to send data to US administrations under the FISA, Amazon will challenge every request it deems inappropriate, especially if it is contrary to local law, like the EU’s General Data Protection Regulation (GDPR) in the EU.”
Of course, every company affirms it would not disclose sensitive information, at least until they are caught in the crossfire of conflicting jurisdictions.
“We are a global company subject to laws in every country where we operate, including US law,” David said, adding that this was also the case for EU companies with subsidiaries in the US.
Latombe disagrees, arguing that European cloud providers with operations in the United States are subject to US laws only through their US-based subsidiaries, which is not the case with AWS, a US-based company that must comply with US agencies globally.
Jean-Sebastien Mariez, founding partner of the French tech law firm Momentum Avocats, noted that “the location of data was hereafter irrelevant in the applicability of US laws”.
Moreover, while Amazon advertises that “only EU-resident AWS employees” located in the EU will access data, a 2022 memo by the Dutch National Cyber Security Center states that this does not necessarily mean protection from FISA and Cloud Act laws.
Traditionally, Paris could count on Berlin’s support to push digital sovereignty principles that favour their national champions over foreign providers. In contrast, smaller member states prefer to buy the best available technology regardless of its provenance.
But a Franco-German divergence on the concept of the sovereign cloud has been long in the making. Different understandings of what digital sovereignty meant for cloud infrastructure are what made the Gaia-X European digital sovereignty project lose its political momentum.
Tensions came to a head with the European Cloud Services scheme (EUCS), a cybersecurity certification scheme where France, via its Commissioner Thierry Breton, tried to replicate the sovereignty requirements of SecNumCloud at the EU level.
This attempt faced significant resistance from more liberal countries, led by the Netherlands. With the liberal Free Democratic Party occupying critical ministries in the current coalition government in Berlin, France not only did not receive support from Germany but was at times more or less openly criticised.
In this context, Latombe fears that Germans are taking a pro-US and anti-French position and, therefore, would be “exchanging their industrial dependency on Russian gas for a dependency on American digital companies”.
That is why he considers that giving the C5 certification to the AWS European Sovereign cloud was “a nook in [the French certification] SecNumCloud” since the French ANSSI and German BSI authorities have a mutual recognition agreement for security certificates, albeit only for the first security level at the moment.
A BSI spokesperson told Euractiv there was no specific connection between the AWS announcement and the currently discussed EUCS. Meanwhile, the German Digital Ministry said to Euractiv that it was “committed to ensuring that the [German] economy can access secure and powerful cloud structures to the extent required”.
The French ANSSI and the Digital Ministry declined Euractiv’s requests for comment. Latombe advertised on Monday (30 October) that he sent a written question to French Digital Minister Jean-Noel Barrot on the matter.
*first published in: Euractiv.com