Impacts of Cybersecurity Measures on EU Competitiveness

The Confederation of Industry of the Czech Republic together with the Czech Permanent Representation to the EU hosted an expert roundtable, "Strengthening the Cyber Resilience in the EU – Assessing the Impact of Protectionist Measures on Europe’s Competitiveness". The event brought together key stakeholders including representatives from EU Member States, policymakers, academics, and industry experts, for a discussion on the future of cyber resilience in Europe. The roundtable focused on the European Cybersecurity Certification Scheme for Cloud Services (EUCS), which emerged as one of the most discussed topics in Brussels and various capitals, particularly from a business standpoint.

The reason is that the EUCS, initially designed to harmonize cybersecurity standards across the EU, goes beyond mere technical requirements for ensuring the cyber resilience of cloud services and infrastructure. It encompasses what some Member States and industry stakeholders, including cloud users, have labeled as unsuitable non-technical requirements, such as the location of a company's headquarter, primacy of EU law requirements and strict localization measures. While some argue that these requirements serve as a measure to combat unlawful access to European data, many have raised concerns about their repercussions on various business aspects, including technology access, costs, international trade relations and the stated goal of increasing cybersecurity. In addition, particular Member States have voiced reservations regarding the development of this certification scheme, claiming the voice of Member States who are divided on the issue has not been listened to by Enisa and the Commission.

The event was opened by Ambassador Lucie Sestakova, Deputy Head of the Czech Permanent Representation to the EU. The Ambassador reiterated that the Czech Republic is concerned about certain aspects, especially the sovereignty requirements and that Prague is actively trying to find a balanced approach and to broker a compromise.

Vice-President of the Confederation of Industry Milena Jabůrková, who moderated the panel, stated that business associations have been following the issue closely and has repeatedly challenged both the process itself, due to its lack of transparency and industry involvement.

The roundtable provided a platform for diverse perspectives, fostering an informed dialogue that considered the opportunities and challenges posed by the EUCS requirements, which have generated concern among industry associations, with over 40 position papers and letters being published on EUCS since 2022, as well as among Member States, which are divided on the subject. More recently, this also came to the attention of MEPs, who have asked for a political debate and an impact assessment for the political criteria in the draft scheme. Panelists underscored the importance of transparent negotiations and development of technical measures based on thorough impact assessment.

The Director of ECIPE and author of the study The Economic Impacts of the Proposed EUCS Exclusionary Requirements: Estimates for EU Member States emphasized the economic risk that sovereignty requirements entail. Matthias Bauer noted that, despite claims from the Commission and ENISA, that these requirements will apply to a very limited number of workloads, in fact the language in the scheme gives substantial discretion to Member States on what can fall under the scope. Under various scenarios, he warned that ‘the projected losses in annual EU GDP could vary from EUR 29 billion to EUR 610 billion within approx. two years of implementation.’ Moreover, he emphasized that the impact in relative terms would be higher on smaller countries that rely extensively on imports of non-EU cloud services.

The event acknowledged the delicate balance between safeguarding the highest level of resilience and avoiding protectionist tendencies. Discussions highlighted the risks associated with fragmentation and protectionism.

Participants at the roundtable agreed that the success lies in the ability to foster a collaborative approach to cybersecurity legislation, ensuring the EU remains at the forefront of innovation while safeguarding its strategic interests. Milena Jaburkova, concluded the discussion by saying, "In the current geopolitical situation, the European Union cannot manage security challenges, including those in cybersecurity, alone. We need collaboration with our democratic partners. Exporting technological nationalism is not the way forward."

Discussion Panel

• Matthias BAUER, Director and Senior Economist, ECIPE
• Charlotte ANDERSDOTTER, International Director, Head of EU Office in Brussels, Confederation of Swedish Enterprise
• Thorwald-Eirik KALJO, Counsellor for Digital and Cyber Affairs, Permanent Representation of Estonia to the EU
• Valérie HOESS, Head of Digital and AML Policy, Deutsche Bank AG
• Johan KLYKENS, Director of CCB-Certification Authority, Belgium