EU eyes new cybersecurity rules to keep cloud data in Europe

12 May 2023

Image: © artjazz/

The new ENISA regulation would force multinationals like Amazon and Google to enter joint ventures with EU-based companies if they wish to handle sensitive data.

The EU’s cybersecurity regulator is reportedly drafting new legislation that would force changes to how multinational cloud service providers operate in Europe.

The new rules seek to prevent sensitive EU data from being shared with other parts of the world, by forcing multinationals to operate with EU-based companies, according to a draft document seen by Reuters.

The draft regulation has been prepared by ENISA, the EU’s centre of cybersecurity expertise. This organisation was given a larger budget and more power after an EU parliament vote in 2018.

If the draft rules are approved, they would force multinationals like Amazon and Google to enter joint ventures with EU-based companies in order to handle sensitive cloud data.

These rules would also force these cloud services to be operated and maintained within the EU, while all customer data would have to be stored in the EU.

Multinational employees that have access to EU data would have to undergo screening and be located within the EU. The regulation is being created in order to “mitigate the risk of non-EU interfering powers undermining EU regulations, norms and values,” Reuters reports.

This draft regulation will reportedly be reviewed by EU countries later this month before it is adopted by the European Commission.

EU data protection

The European cloud market has grown rapidly in recent years but has become dominated by multinationals. By mid-2022, the total market was five times larger than it was in early 2017, according to Synergy Research Group.

European cloud service providers also grew revenues during this period, but their market share dropped by 27pc to 13pc. Amazon, Microsoft and Google meanwhile, had 72pc of the market by mid-2022.

Meanwhile, concerns have been raised in recent years about data transfers between the EU and the US, due to fears that the US doesn’t have the same protections around personal data. But both sides have been working to enable data transfers.

Last December, the EU began a process to adopt an adequacy decision for safe data transfers with the US. This followed actions taken by the US in October which implemented into US law the country’s commitments to the EU under the EU-US Data Privacy Framework (DPF).

The DPF was announced in March 2022 as a joint initiative by the EU and the US to balance both bodies’ reliance on cross-border and transatlantic data flows for economic purposes with citizens’ privacy and civil liberties.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic