EU Proposal Takes Aim at Major Cloud Providers

Jo writes that the EU’s new digital package could find large cloud providers operating in the bloc subject to potentially invasive oversight, as the EU strives for “data sovereignty”.

After years of worrying about the operational risk that cloud concentration poses to the financial system, European Union authorities have proposed a digital finance package—a set of proposals that, among many other measures, would single out cloud providers and subject them to a unified oversight regime.

The package, which was published last week, sets out a comprehensive framework for the regulation of tech in hot-button areas, including regulatory approaches to crypto assets and blockchain, increased power for firms to dictate the terms of contracts and service level agreements, better and more standardized resilience testing, and a single EU hub for reporting cyber security breaches.  

But it’s the provisions that are clearly aimed at gaining some kind of oversight of cloud providers that I found to be most interesting. Chapter V of the proposal, which is concerned with third-party resilience, would make cloud service providers like Amazon Web Services, Microsoft Azure, Google Cloud Platform, and IBM Cloud answerable to one of the three European Supervisory Authorities (ESAs): the European Securities and Markets Authority, European Banking Authority, and European Insurance and Occupational Pensions Authority.

If the proposal became law, the ESAs would have the power to designate a cloud provider as “critical” based on a set of criteria: Is the vendor providing infrastructure and other cloud services to a massive, systemically important financial entity, such as a too-big-to-fail bank? Or, to state the problem slightly differently (as the proposal does): If the services offered were to fail—let’s say a major cloud provider suffered an outage that rendered critical data inaccessible during a critical time—would that have a devastating, knock-on impact on the entire financial system, because the bank is so interconnected with other financial institutions? At the point of disaster, would another service provider be able to step into the breach, and could customers be ported over easily and quickly, minimizing systemic disruption?

Once these vendors are designated as critical, one of the ESAs becomes its “lead overseer.” The proposal states that critical service providers “shall cooperate in good faith with the lead overseer,” which will be able to impose fines and have the right to examine data and records, request phone logs and data traffic, and conduct on-site inspections, if necessary.

Now, the proposal doesn’t explicitly say that it’s referring to the giant cloud service providers; it calls them only “critical ICT third-party service providers.” But it’s clear which companies are being targeted here, as regulatory bodies in Europe have expressed their concerns over concentration risk and that service level agreements lock in clients to particular vendors. 

Firms in the EU already have the right to conduct audits of cloud providers, and they have to keep a close eye on their relationships with third parties—and their third parties’ third parties—under various rules, regulations, and guidelines. What this proposal would do is bring that all together in a much more comprehensive framework for operational resilience.

But it seems to me that this level of oversight of such firms is unprecedented in the EU.

While the major public cloud providers invest massive resources into their infrastructure, human resources, and resilience planning, you can’t plan for every scenario. Authorities are afraid of earthquakes, cyber attacks, climate events—any black swan that might swim along out of nowhere, taking down the grid and subjecting the financial system to a systemic shock or crisis.

These fears are compounded by the fact that not only do the vast majority of financial services firms have outsourcing relationships with the major cloud providers, but these companies are also all US-based entities, with their ultimate oversight conducted on another continent.

And then, of course, with this proposal the EU is trying to protect its markets. While the bloc has set the template for regulating data—with groundbreaking approaches such as the General Data Protection Regulation, which has inspired similar efforts worldwide—its leaders fear that it has fallen behind on emerging tech and innovation and is losing out to the US and China. As new EC president Ursula von der Leyen said in her first speech to the European Parliament, “We must have mastery and ownership of key technologies in Europe. These include quantum computing, artificial intelligence, blockchain, and critical chip technologies.”

The EC is collaborating with France, Germany, and about 100 companies and organizations—including Deutsche Bank and SAP—on a project to challenge the dominance of US big tech. The initiative, Project Gaia-X, aims to launch next year, and will consist of a network of cloud and data services operating across industries under the protection of European data laws. According to Wired, Gaia-X is fundamentally about “data sovereignty”—the idea that the EU will shape how data is managed and governed within its own borders.

So, perhaps what is important about this latest proposal is not just that EU supervisors are looking for ways to make the bloc safer from cloud outages; it’s also that it is part of a wider strategy to nurture tech and finance industries that can compete with the rest of the world.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact or view our subscription options here:

You are currently unable to copy this content. Please contact to find out more.

You need to sign in to use this feature. If you don’t have a WatersTechnology account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here