The Banking and Payments Federation Ireland (BPFI) has warned that a new EU cybersecurity scheme could be “particularly problematic” for banks.
The EU Cybersecurity Certification Scheme for Cloud Services, currently being drafted by the EU’s cybersecurity agency ENISA, will set standards for cloud services providers.
The draft proposal contains provisions for “data sovereignty”. These would place limits on how some cloud companies can operate in the EU, including requirements that data be held within the bloc.
In a letter to the Department of Finance, BPFI chief executive Brian Hayes said that this could present challenges for banks that work with non-EU cloud services providers, or CSPs.
“As a critical sector to the economy, such requirements are particularly problematic for the banking industry, which has high cybersecurity needs and close relationships with a number of non-EU CSPs, many of which are market leading in both technical innovation and cybersecurity,” the letter stated.
“Unless addressed, we believe this will limit competition and quality in the EU cloud market and increase concentration risks, undermining the security needs of companies and inhibiting future innovation.”
The Department of Finance is in discussions with the National Cyber Security Centre on the matter.
“These issues require more analysis and discussion to see what impact the proposals could have,” said a spokeswoman.
The sovereignty requirements are favoured by the European Commission but have been opposed by a handful of member states.
German ministers wrote to the European Commission last month, calling for further discussion on the certificate’s provisions, including data sovereignty.
As reported by Euractiv, the German officials stated that there is now a “high common demand to discuss the issue of transparency regarding the drafting process”.