
Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers

Chapter in: Legal Developments on Cybersecurity and Related Fields

Part of the book series: Law, Governance and Technology Series (LGTS, volume 60)

Abstract

In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EU’s digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation (‘GDPR’) and the Network and Information Systems Directive (‘NISD’) apply to cloud providers. We also consider how these obligations will develop under the NIS 2 Directive (‘NIS2’) and look at what newly developed voluntary assurance mechanisms mean for cloud providers, including codes of conduct and certification schemes. We conclude that, since cloud providers are typically subject to both NISD and GDPR and to jurisdiction from multiple regulators, they face divergent regulatory approaches, which can lead to unintended outcomes and high compliance costs.


Notes

  1. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (2016) OJ L 119 (‘GDPR’).

  2. Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L 194/1 (‘NISD’).

  3. Regulation (EU) 2019/881 of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (‘Cybersecurity Act’), OJ L 151.

  4. Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (‘NIS2’), OJ L 333. Member States have until October 2024 to transpose NIS2 into national law (Art. 41).

  5. Art. 2(u), 31, Recitals 20, 63 Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (‘DORA’), OJ L 333. DORA entered into force in 2023. Regulated entities need to comply with it from January 2025.

  6. Directive (EU) 2022/2557 of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (‘CERD’), OJ L 333.

  7. Art. 4-6, Recital 20, and Annex under (8) CERD.

  8. Art. 1(2), 8 and Recitals 9, 20 CERD. See also EU Commission, ‘Proposal for a Directive on the resilience of critical entities’, 16 December 2020, COM(2020) 829 final, p. 3.

  9. E.g. Directive 2013/40/EU on attacks against information systems (L 218/8, 14.8.2013).

  10. Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (L 257/73, 28.8.2014).

  11. Flexera, ‘State of the Cloud Report 2020’, (2020), https://info.flexera.com/SLO-CM-REPORT-State-of-the-Cloud-2020; Ponemon Institute, ‘Protecting Data in the Cloud’ (2019), <https://safenet.gemalto.com/cloud-security-research/> Accessed 10 March 2020.

  12. Gartner, ‘Gartner Forecasts Worldwide Public Cloud End-User Spending to Grow 23% in 2021’, 21 April 2021, https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021.

  13. See generally Chapters 8–11 in Millard (2021).

  14. National Institute of Standards and Technology, U.S. Department of Commerce, ‘Evaluation of Cloud Computing Services Based on NIST SP 800-145, Special Publication 500-322’ (2018).

  15. See, for example, ISO/IEC 17788:2014 Cloud Computing – Overview and Vocabulary.

  16. National Institute of Standards and Technology, U.S. Department of Commerce, ‘Evaluation of Cloud Computing Services Based on NIST SP 800-145, Special Publication 500-322’ (2018).

  17. Art. 4(1)(a) NISD.

  18. Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services, OJ L 108/33, 24.4.2002 (‘Framework Directive’), as amended.

  19. Art. 1(3) NISD.

  20. Art. 4(1)(b) NISD. The definition is taken from Directive 2013/40/EU ‘on attacks against information systems’ OJ L 218/8, 14.8.2013.

  21. Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ L 178/1, 17.7.2000.

  22. See Walden (2018) at 4.4.2.

  23. Art. 8(4)(f) Framework Directive: “ensuring that the integrity and security of public communications networks are maintained”.

  24. Directive 2002/20/EC on the authorization of electronic communications networks and services OJ L 108/21, 24.4.2002, Annex, A.16: “Security of public networks against unauthorised access”.

  25. The Framework Directive was amended in 2009 by Directive 2009/140/EC, which inserted Chapter IIIa: Security and Integrity of Networks and Services.

  26. Art. 4 Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201/37, 31.7.2002, as amended.

  27. Chapter V Directive (EU) 2018/1972 establishing the European Electronic Communications Code (OJ L 321/36, 17.12.2018).

  28. EU Commission, ‘Proposal for a Directive concerning measures to ensure a high common level of network and information security across the Union’ COM(2013) 48 final, 7.2.2013 (‘Proposal’), at Annex II.

  29. Art. 3(8)(a) Proposal.

  30. Recital 24 Proposal.

  31. Recital 50 NISD.

  32. Recital 48 NISD.

  33. These hyperscale IaaS providers do face increasing competition from Chinese providers such as Alibaba and Tencent.

  34. See e.g. https://www.forbes.com/sites/peterbendorsamuel/2020/03/02/hyperscale-cloud-providers-shaping-the-platform-marketplace/?sh=7f031956103d.

  35. A similar argument can, and has, been made in respect of the GDPR.

  36. With respect to measures designed to facilitate the porting of data between service providers, see Art. 6 Regulation (EU) 2018/1807 ‘on a framework for the free flow of non-personal data in the European Union’ (OJ L 303/59, 28.11.2018). See also Art. 20 GDPR.

  37. European Commission, “Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)”, (2022), COM(2022) 68 final (‘Proposed Data Act’).

  38. Art. 23, 26 Proposed Data Act.

  39. See, for example, the US Securities and Exchange Commission, 17 CFR Parts 229 and 249 (Release Nos. 33-10459; 34-82746), Commission Statement and Guidance on Public Company Cybersecurity Disclosures (18 February 2018). See also UK consultation on ‘Restoring trust in audit and corporate governance’ with regard to resilience statements (March 2021).

  40. See e.g. Samuelson (1993), p. 21; Pinkney (2002), pp. 62–82.

  41. Recital 48 NISD.

  42. Noto La Diega and Walden (2016).

  43. Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive, OJ L 7.

  44. Product Security and Telecommunications Infrastructure Act 2022.

  45. Art. 3 and Annexes, NIS2. This applies to all cloud providers who do not qualify as micro, small and medium-sized enterprises (‘SMEs’) under Art. 2(1) of the Annex to Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. SMEs employ fewer than 250 persons and have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.

  46. EU Commission, ‘Proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’ (2020) COM(2020) 823 final, Recital 11.

  47. See Michels and Walden (2021), pp. 396–397.

  48. Michels and Walden (2021), p. 397.

  49. Art. 6(30), Recital 33 NIS2.

  50. Art. 6(30), Recital 33 NIS2.

  51. National Institute of Standards and Technology, U.S. Department of Commerce, Eric Simmon, ‘Evaluation of Cloud Computing Services Based on NIST SP 800-145, Special Publication 500-322’ (2018), 3 <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-322.pdf> accessed 5 December 2019 (hereafter NIST, ‘Special Publication 500-322’).

  52. E.g. AWS Outposts.

  53. See further Michels and Walden (2021), pp. 396–398.

  54. Art. 5(1)(f) GDPR.

  55. See further Kamarinou et al. (2021).

  56. See C-40/17, Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV [2020] 1 C.M.L.R. 16; Millard et al. (2019).

  57. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, at para. 12.

  58. See Kamarinou et al. (2018).

  59. Recital 78 GDPR.

  60. See Fuster and Jasmontaite (2020), pp. 109–110; Wolters (2017), pp. 171–172.

  61. Art. 16(1)-(2) NISD.

  62. Art. 5(1)(f) GDPR.

  63. Art. 32 GDPR.

  64. Art. 16(1) NISD.

  65. Commission Implementing Regulation (EU) 2018/151 laying down rules for application of Directive (EU) 2016/1148 as regards further specification of the elements to be taken into account by digital service providers, OJ L 26, Art. 2 (hereafter ‘Commission NIS Implementing Regulation’).

  66. Art. 32(1)(b) and (c) GDPR.

  67. Art. 32(1) GDPR.

  68. See National Institute of Standards and Technology (‘NIST’), “NIST Framework for improving critical infrastructure cybersecurity v. 1.1”, (2018), p. 4.

  69. European Commission, ‘Report assessing the consistency of the approaches taken by Member States in the identification of operators of essential services in accordance with Art. 23(1) of Directive 2016/1148/EU on security of network and information systems’, (2019) COM(2019) 546 final.

  70. Art. 21 NIS2.

  71. Art. 32(1) GDPR; Art. 16(1) NISD. The Art. 16(1) NISD reference to ‘proportionate’ measures suggests the cost of measures is a relevant factor, particularly since the Directive aims to avoid imposing disproportionate financial or administrative burdens on the regulated entities. See further NIS Cooperation Group, “Reference Document on security measures for Operators of Essential Services”, CG Publication 01/2018, p. 9.

  72. Kamarinou et al. (2021), p. 318.

  73. Wolters (2017), p. 171.

  74. Michels and Walden (2021), pp. 409–412.

  75. Banasiński and Rojszczak (2021), p. 10.

  76. Art. 2(6) Commission NIS Implementing Regulation.

  77. Art. 5(2) GDPR.

  78. Wolters (2017), p. 175; Calliess and Baumgarten (2020), pp. 1167–1168.

  79. ENISA, “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers”, (2016), p. 11. See also ENISA, “Guidelines on assessing DSP and OES compliance to the NISD security requirements”, (2018).

  80. CNIL, “Security of Personal Data”, (2018), https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle_gb_web.pdf.

  81. Art. 32(1) GDPR.

  82. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

  83. ENISA, “Cloud Security for Healthcare Services”, January 2021, p. 14.

  84. Kuan Hon et al. (2021a), pp. 28–29.

  85. Kamarinou et al. (2021), p. 317.

  86. Kuan Hon et al. (2021a), p. 33.

  87. Art. 28(3) GDPR.

  88. Art. 28(4) GDPR.

  89. Kuan Hon et al. (2021b), pp. 116–117.

  90. ENISA, “Cybersecurity certification is a global trade and trust instrument”, webinar slides, 11 January 2021, https://www.enisa.europa.eu/events/eventfiles/enisa-cybersecurity-certification-of-cloud-services-presentation, p. 16.

  91. ENISA, “EUCS – Cloud Service Scheme”, (2020).

  92. Opinion 17/2021 on the draft decision of the French Supervisory Authority regarding the European code of conduct submitted by the Cloud Infrastructure Service Providers (CISPE), adopted 19 May 2021, and Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe. Both adopted on 19 May 2021.

  93. Art. 56(2), Recitals 91-92 Cybersecurity Act.

  94. Art. 32(3), 40, 42 GDPR. The GDPR also mentions ‘approved certification mechanisms’. See, for example, the GDPR-CARPA certification scheme adopted in Luxembourg: https://cnpd.public.lu/en/actualites/national/2022/06/adpoption-gdpr-carpa.html.

  95. Art. 24 NIS2.

  96. Art. 8 Cybersecurity Act.

  97. European Commission, ‘Towards a more secure and trusted cloud in Europe’, 9 December 2019, https://ec.europa.eu/digital-single-market/en/news/towards-more-secure-and-trusted-cloud-europe; ENISA, “EUCS – Cloud Service Scheme”, (2020), 49–50.

  98. See ENISA, ‘Learn more about EU Cybersecurity Certification’, https://www.enisa.europa.eu/topics/certification/eu-cybersecurity-certification-faq accessed 28 March 2023.

  99. ENISA, “Cybersecurity certification is a global trade and trust instrument”, webinar slides, 11 January 2021, https://www.enisa.europa.eu/events/eventfiles/enisa-cybersecurity-certification-of-cloud-services-presentation, pp. 24, 34–36.

  100. Art. 52(1), (6)-(7), 53(1) Cybersecurity Act; ENISA, “EUCS – Cloud Service Scheme”, (2020), pp. 19–20, 24–26.

  101. ENISA, “EUCS – Cloud Service Scheme”, (2020), pp. 81–159.

  102. ENISA, “EUCS – Cloud Service Scheme”, (2020), p. 82.

  103. ENISA, “EUCS – Cloud Service Scheme”, (2020), p. 82.

  104. ENISA, “EUCS – Cloud Service Scheme”, (2020), p. 9.

  105. ENISA refers to this as ‘composition’ on a ‘base cloud service’, see ENISA, “EUCS – Cloud Service Scheme”, (2020), pp. 74–75.

  106. Art. 40(6)-(7) GDPR.

  107. Art. 40(9) GDPR.

  108. EDPB, “EDPB adopts opinions on first transnational codes of conduct”, 20 May 2021, https://edpb.europa.eu/news/news/2021/edpb-adopts-opinions-first-transnational-codes-conduct-statement-data-governance-act_en.

  109. CNIL, “The CNIL approves the first European code of conduct for cloud infrastructure service providers (IaaS)” (2021), https://www.cnil.fr/en/cnil-approves-first-european-code-conduct-cloud-infrastructure-service-providers-iaas.

  110. CISPE Code, 9 February 2021, available at https://cispe.cloud/, pp. 5–6.

  111. https://cispe.cloud/members/.

  112. Belgian Data Protection Authority, “Approval decision of the ‘EU Data Protection Code of Conduct for Cloud Service Providers’” (2021), Decision n° 05/2021 of 20 May 2021, https://www.dataprotectionauthority.be/publications/decision-n05-2021-of-20-may-2021.pdf.

  113. EUCoC, pp. 3–4.

  114. https://eucoc.cloud/en/home/.

  115. CISPE Code, Annex A, pp. 58–71; EUCoC, pp. 17–20, 24, Annex A, pp. 29–46.

  116. CISPE Code, p. 14.

  117. CISPE Code, p. 19.

  118. CISPE Code, p. 18.

  119. AWS, “Shared Responsibility Model”, https://aws.amazon.com/compliance/shared-responsibility-model/.

  120. CISPE Code, p. 18.

  121. CISPE Code, p. 9.

  122. EUCoC, pp. 4, 9, 17, 20.

  123. EUCoC, p. 17.

  124. ENISA, “EUCS – Cloud Service Scheme”, (2020), p. 9; CISPE Code, p. 9; EUCoC, p. 2.

  125. Kuan Hon et al. (2021b), pp. 127–132.

  126. Art. 52(1) Cybersecurity Act: “The assurance level shall be commensurate with the level of the risk associated with the intended use of the ICT service.”

  127. Art. 4(7) NISD.

  128. Art. 16(3) NISD.

  129. Art. 16(4) NISD.

  130. Commission NIS Implementing Regulation, Art. 4.

  131. Michels and Walden (2021), pp. 397–399.

  132. Art. 16(4) NISD.

  133. Art. 33(1) GDPR.

  134. Art. 34(1) GDPR.

  135. Art. 33(2) GDPR.

  136. Art. 4(12) GDPR.

  137. Michels and Walden (2021), pp. 412–414.

  138. Kamarinou et al. (2021), p. 323.

  139. Art. 23(3)(a) NIS2.

  140. Groothuis B, “Draft report on the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union”, 3 May 2021, 2020/0359(COD), pp. 38–39.

  141. Recital 64 NISD provides that a DSP’s main establishment “in principle corresponds to the place where the provider has its head office in the Union”.

  142. European Commission, “Implementation of the NIS Directive in Ireland”, https://digital-strategy.ec.europa.eu/en/policies/nis-directive-ireland.

  143. Art. 18 NISD. Recital 65 clarifies that the mere accessibility of services in the EU is insufficient to determine whether a DSP is offering services in the EU, but that other factors, such as the currency and language of the service or the mentioning of customers in the EU, are relevant.

  144. Art. 26(1)(b), (2)-(3) and Recitals 113-116 NIS2.

  145. Recital 122 GDPR.

  146. Art. 56 GDPR.

  147. Data Protection Commission, https://www.dataprotection.ie/.

  148. Art. 60 GDPR.

  149. Art. 65(1)(a) GDPR.

  150. EDPB, Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR (28 July 2021). See also Decision 1/2020 (9 November 2020) concerning a decision by the DPC regarding Twitter International, in which the DPC’s decision was upheld.

  151. Art. 56(2) and (3) GDPR.

  152. Article 29 Data Protection Working Party, “Guidelines for identifying a controller or processor’s lead supervisory authority”, WP244 rev.01 (2017), adopted by the EDPB on 25 May 2018, https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-identifying-controller-or-processors-lead_en, p. 9 (‘A29WP Guidelines for identifying lead supervisory authority’).

  153. Recital 36 GDPR.

  154. A29WP Guidelines for identifying lead supervisory authority, p. 10.

  155. See e.g. Recital 95 Cybersecurity Act.

  156. Regulation (EC) No 765/2008 of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93, Art. 4.

  157. Art. 58 Cybersecurity Act.

  158. Art. 60, Recital 65 Cybersecurity Act; ENISA, “EUCS – Cloud Service Scheme”, (2020), pp. 26, 29.

  159. Recitals 73, 97 Cybersecurity Act.

  160. ENISA, “EUCS – Cloud Service Scheme”, (2020), pp. 39–48.

  161. Art. 58(7)-(8) Cybersecurity Act.

  162. CISPE Code, pp. 40–41; EUCoC, pp. 21–23.

  163. CISPE Code, pp. 47–48; EUCoC, p. 21.

  164. CNIL, “Code of conduct: CNIL grants first accreditation to a monitoring body”, 16 July 2021, https://www.cnil.fr/en/code-conduct-cnil-grants-first-accreditation-monitoring-body; Belgian SA, “Accreditation of the ‘Scope Europe’ for the monitoring of the ‘EU Cloud Code of Conduct’”, Decision n° 06/2021 of 20 May 2021, https://www.dataprotectionauthority.be/publications/decision-n-06-2021-of-20-may-2021.pdf. For a list of CISPE accredited MBs, see https://www.codeofconduct.cloud/monitoring-bodies/ accessed 29 March 2023.

  165. CISPE Code, pp. 48, 50.

  166. CISPE Code, pp. 42–43; EUCoC, pp. 24–25, 27.

  167. CISPE Code, pp. 52–54; EUCoC, pp. 28–29.

  168. Art. 17 and Recital 60 NISD.

  169. Art. 21 NISD.

  170. Commission, “Impact Assessment Report accompanying the document Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union” Part 1 of 3, 16 December 2020, SWD(2020) 345 final, pp. 25–26 (‘Commission Impact Assessment’).

  171. Art. 32-33 and Recital 122 NIS2.

  172. Art. 34 NIS2.

  173. Art. 20 NIS2.

  174. Art. 32(5)-(6) NIS2.

  175. The Commission did not address this point in detail. See e.g. Commission Impact Assessment Part 1, pp. 64–65. Recital 128 NIS2 states only that the Directive does not “require Member States to provide for criminal or civil liability with regard to natural persons with responsibility for ensuring that an entity complies with this Directive for damage suffered by third parties as a result of an infringement of this Directive.”

  176. Art. 83(4)-(5) GDPR.

  177. Art. 58(8) Cybersecurity Act.

  178. Art. 65 Cybersecurity Act.

  179. DCMS, ‘Security of Network and Information Systems: Government response to the public consultation’ (January 2018), p. 16. See also Cole and Schmitz-Berndt (2019), p. 18.

  180. Art. 35(2) NIS2.

  181. EU Commission, ‘Proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148’ (2020) COM(2020) 823 final, p. 5.

  182. Commission Impact Assessment Part 1, p. 26.

  183. CNIL, “Credential stuffing: la CNIL sanctionne un responsable de traitement et son sous-traitant”, 27 January 2021, https://www.cnil.fr/fr/credential-stuffing-la-cnil-sanctionne-un-responsable-de-traitement-et-son-sous-traitant. In the UK, in October 2020, the ICO fined British Airways £20m for a data breach affecting more than 400,000 customers (see https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers); and Marriott International Inc. £18.4 million for failing to keep customers’ personal data secure (see https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/).

  184. ICCL, “Europe’s enforcement paralysis” (2021), https://www.iccl.ie/wp-content/uploads/2021/09/Europes-enforcement-paralysis-2021-ICCL-report-on-GDPR-enforcement.pdf.

  185. Commission Impact Assessment, Part 3, pp. 5, 12.

  186. Kamara et al. (2019), p. 141.

  187. European Commission, “A European strategy for data”, (2020) 19.2.2020 COM(2020) 66 final; European Commission, “2030 Digital Compass: the European way for the Digital Decade”, (2021) 9.3.2021 COM(2021) 118 final (‘2030 Digital Compass’). See further ENISA, “Cybersecurity Research Directions for the EU's Digital Strategic Autonomy”, April 2021; European Political Strategy Centre, “Rethinking Strategic Autonomy in the Digital Age”, EPSC Strategic Notes, Issue 30, July 2019, https://op.europa.eu/en/publication-detail/-/publication/889dd7b7-0cde-11ea-8c1f-01aa75ed71a1/language-en.

  188. European Commission, “2030 Digital Compass”, pp. 7–8. See further European Commission, “Updating the 2020 New Industrial Strategy: Building a stronger Single Market for Europe’s recovery” (2021), 5.5.2021 COM(2021) 350 final.

References

  • Banasiński C, Rojszczak M (2021) Cybersecurity of consumer products against the background of the EU model of cyberspace protection. J Cybersecur

  • Calliess C, Baumgarten A (2020) Cybersecurity in the EU: the example of the financial sector: a legal perspective. German Law J

  • Cole M, Schmitz-Berndt S (2019) The interplay between the NIS Directive and the GDPR in a cybersecurity threat landscape. University of Luxembourg Law Working Paper Series, Paper number 2019-017

  • Fuster GG, Jasmontaite L (2020) Cybersecurity regulation in the European Union: the digital, the critical and fundamental rights. In: Christen M, Gordijn B, Loi M (eds) The ethics of cybersecurity. Springer

  • Kamara I, Leenes R, Lachaud E, Stuurman K, van Lieshout M, Bodea G (2019) Data protection certification mechanisms: study on Articles 42 and 43 of the Regulation (EU) 2016/679. Report for European Commission

  • Kamarinou D, Millard C, Oldani I (2018) Compliance as a service. Queen Mary School of Law Legal Studies Research Paper No. 287/2018

  • Kamarinou D, Millard C, Turton F (2021) Responsibilities of controllers and processors of personal data in clouds. In: Millard C (ed) Cloud computing law, 2nd edn. Oxford University Press

  • Kuan Hon W, Millard C, Singh J (2021a) Control, security, and risk in the cloud. In: Millard C (ed) Cloud computing law, 2nd edn. Oxford University Press

  • Kuan Hon W, Millard C, Walden I, Ward C (2021b) Negotiated contracts for cloud services. In: Millard C (ed) Cloud computing law, 2nd edn. Oxford University Press

  • Michels JD, Walden I (2021) Cybersecurity and critical infrastructure. In: Millard C (ed) Cloud computing law, 2nd edn. Oxford University Press

  • Millard C (ed) (2021) Cloud computing, 2nd edn. Oxford University Press

  • Millard C et al (2019) At this rate, everyone will be a [joint] controller of personal data! Int Data Priv Law 9(4)

  • Noto La Diega G, Walden I (2016) Contracting for the ‘Internet of Things’: looking into the nest. Eur J Law Technol 7(2)

  • Pinkney K (2002) Putting blame where blame is due: software manufacturer and customer liability for security-related software failure. Albany Law J Sci Technol 13

  • Samuelson P (1993) Liability for defective electronic information. Commun ACM

  • Walden I (2018) European Union communications law. In: Telecommunications law and regulation, 5th edn. Oxford University Press

  • Wolters P (2017) The security of personal data under the GDPR: a harmonized duty or a shared responsibility? Int Data Priv Law 7(3)

Corresponding author

Correspondence to Ian Walden.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this chapter

Walden, I., Michels, J.D. (2024). Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers. In: Carneiro Pacheco de Andrade, F.A., Fernandes Freitas, P.M., de Sousa Covelo de Abreu, J.R. (eds) Legal Developments on Cybersecurity and Related Fields. Law, Governance and Technology Series, vol 60. Springer, Cham. https://doi.org/10.1007/978-3-031-41820-4_2


  • DOI: https://doi.org/10.1007/978-3-031-41820-4_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-41819-8

  • Online ISBN: 978-3-031-41820-4

  • eBook Packages: Law and Criminology (R0)
