EU relaxes cloud contract bidding rules for hyperscalers

Gets rid of requirement previously preventing Amazon, Google, and Microsoft from vying for contracts

The European Union (EU) has revised its cybersecurity labeling rules making it easier for Amazon, Google, and Microsoft to bid for EU cloud computing contracts.

First reported by Reuters, the change has seen the EU scrap a requirement that vendors be independent from non-EU laws.

The EU has been debating a cybersecurity certification scheme (CCS) to help governments and companies select vendors that are confirmed to be secure.

The EU's Cybersecurity Act that was adopted in 2019 formed the legal basis for EU-wide certification of cloud providers, and in December 2020, EU cybersecurity agency ENISA began public consultations towards a revised set of rules.

A previous draft required US hyperscalers to set up a joint venture with an EU-based company and to store and process customer data in Europe to qualify for the label, similar to the regulations imposed in France in 2021. This received much criticism, with potential customers of the cloud computing providers arguing that regulations should be based on technical provisions, not political and sovereignty obligations.

It is this requirement that has been dropped in the latest draft. Instead, cloud providers must just provide information about the location of the storage and processing of customer data. This draft is currently under review by EU countries, after which it will be adopted by the European Commission.

Data sovereignty challenges have been handled by cloud providers in a variety of ways. In France, where national laws required the 'joint venture' approach, Google joined up with Thales to create a compliant company, and Microsoft teamed up with Capgemini and Orange. Google also took a similar approach in Germany with T-Systems, and in Belgium with Proximus.

Oracle (OCI) has two sovereign cloud regions in Europe located in Spain and Germany. In November, the EU Commission selected OCI for a six-year agreement in which EU institutions, bodies, and agencies would use its cloud computing services.

Microsoft Cloud for Sovereignty launched in December 2023 and is available across all Azure regions. The offering enables customers to implement policies wherein data and applications must be kept within certain geographical boundaries, and will also have access to sovereign controls to protect and encrypt sensitive data which has been enabled through the sovereign landing zones (an Azure Landing Station with the necessary privacy, security and sovereignty controls) and Azure Confidential Computing.

AWS is also planning a European cloud region in Europe, with the first to be located in Germany.

EU relaxes cloud contract bidding rules for hyperscalers

More in Cloud & Hyperscale

Energy efficiency is driving many HPC users to the cloud

Fujitsu to use Oracle Alloy for sovereign cloud in Japan

Episode Powering the future: how can APAC’s high density rollout be powered sustainably?

More in Europe

Issue 51 - Iceland's AI moment

Avacon and enviaM to develop data center in Hanover, Germany

Discussion Panel: Strategic investment opportunities - FLAP-D vs Tier 2 data center markets

Tags

Unlocking data center profitability: A guide to DCIM solutions

The make vs. buy decision for data center infrastructure management software – A clear choice

2023 Data Center Market Trends: Hong Kong Asia's Connectivity Hub

Emerging Energy Storage Technologies