The EU Agency for Network and Information Security (ENISA) is proposing a far-reaching “European Cybersecurity Certification Scheme for Cloud Services“ (EUCS) to be established in the European Union (EU). According to the latest draft of August 2023, leaked by Politico in September 2023, the proposed EUCS would by design prevent non-European vendors from providing “high assurance level” cloud services in the EU. In this study, we show that the proposed “immunity” requirements, i.e., foreign ownership and headquarter restrictions, local staff requirements, and data localisation would lead to significant losses in Member States’ aggregate economic activity and drive a big wedge between economic growth in the EU and the growth of non-EU economies. The projected losses in annual EU GDP will vary from EUR 610 billion to EUR 29 billion within approx. two years of implementation, contingent upon the specific sectoral coverage of high-assurance use cases under the cloud service evaluation level CS-EL4. The results fit into the overall picture of EU digital policy, which has weakened rather than strengthened the competitiveness of EU industries in the past. Our findings align with the broader impacts of EU digital policy, which runs the risk of exacerbating the growth gap and technology disparity between the EU and other advanced economies.
Cloud services have become increasingly popular and integral to Europe’s economy. Cloud services are granting businesses of all sizes equal access to global data and resources, stimulating collaboration, and bolstering competitiveness. Advanced cloud services are levelling the playing field in domestic commerce and international trade. Smaller enterprises can harness advanced IT capabilities, particularly cloud-based supply chain management, to streamline their operations. Cloud computing solutions are also playing a crucial role in modernising public services, offering transformative potential for government administrations and service quality.
Cloud services adoption is expected to grow substantially in the years ahead, driven by data analytics, AI applications as well as quantum and edge commuting solutions. The global cloud computing market is on a rapid growth trajectory and is expected to reach some EUR 2,080 billion by 2030. Industry forecasts indicate that cloud services and transversal cloud-based technologies like AI applications, quantum, and edge computing will experience consistent growth in innovation and are increasingly finding broader applications across various industries. Overall, the global market for IT services is highly competitive and dynamic, with global cloud service providers competing against a broad range of IT service providers of varying scale, including on-premises hardware vendors, private and co-located data centre providers and software providers.
Despite showing a trade deficit in international cloud services trade, trade in ICT and digitally enabled services is not a one-way-street for the EU. Recent trade data reveals that the total value of EU exports in digital and digitally enabled services to the rest of the world is roughly equivalent to the total value of EU imports from the rest of the world. This balance in trade is also observed in EU digital trade with the US, where EU exports of ICT services to the US nearly match US exports of digital services to the EU.
The proposed EUCS exclusionary requirements entail various negative consequences. As recognised by the European Commission’s latest progress report on digitisation in the EU, European companies have yet to reach the “Digital Decade” targets, especially when it comes to embracing cloud-supported technologies such as AI and big data, as the adoption of digital technologies remains significantly below these objectives. Exclusionary requirements would create operational inefficiencies and increased production costs for cloud services providers and cloud adopters. They would undermine investments in the domestic economy, resulting in reduced international trade, competition, and innovation. The imposition of exclusionary requirements by the EU could create a domino effect of restrictions caused by retaliation and protectionism.
Data localisation and nationality requirements stifle innovation and competition, particularly in data-driven industries. The creation of redundant capacities in the EU would have adverse environmental impacts, including increased energy consumption, land use, and electronic waste. Immunity requirements would increase rather than mitigate cybersecurity risks, creating a security deficit for EU cloud adopters that lose access to proven global risk detection and prevention solutions.
This study provides estimates of potential GDP and industry output effects from the implementation of exclusionary requirements under the proposed EUCS framework. It is shown that the strict “immunity” requirements in the EUCS cybersecurity certification framework would severely limit European customers’ access to advanced technologies, innovation and global ICT industry growth trends. The study’s findings highlight the significant economic consequences of potential restrictions on access to global cloud services across three scenarios of different sectoral coverage. It is shown that even in the least restrictive scenario, where “immunity” requirements would only be applied to a narrow spectrum of sectors and highly critical use cases, the reduction in the EU’s annual GDP could be substantial.
In scenario 1 (broad critical sector coverage), reflecting political demands of the current French government, the EU’s annual GDP is projected to decrease by 3.9% when accounting for lost cloud capacities and forgone cloud capacity and productivity growth, within 2 years of implementation. For scenario 2 (medium critical sector coverage) and scenario 3 (narrow critical sector coverage), the estimated annual losses in GDP amount to -2% and -0.2%, respectively. In terms of current EU GDP, annual losses would amount to EUR 610 billion, EUR 317 billion, and EUR 29 billion, respectively, underscoring the significant magnitude of the potential impacts.
For the broad critical sector coverage scenario, our results also show that the EU’s annual GDP losses accumulate over longer periods of time. After 5 years following the implementation of exclusionary EUCS requirements, the annual growth losses for the EU and its Member States remain significant. This is due to the inability of European businesses and the EU’s public sector to tap into the worldwide innovation and productivity gains offered by globally accessible technologies and services. For the EU, we estimate the annual GDP loss to be -3.6%, with a trend to further accumulate in subsequent years.
EUCS impact: distribution of annual real GDP losses, in billion EUR, following 5 years of implementation
Our estimations also reveal that smaller EU countries would be disproportionately impacted by GDP losses compared to larger countries. In the short-term, small EU countries that are characterised by high-value-added production, including digital and digitally enabled services, and which rely heavily on imported ICT services, show the largest relative losses in annual GDP. In the most restrictive scenario with broad critical sector coverage, short-term losses in aggregate GDP would be most pronounced in Cyprus (-10.2%), Luxembourg (-9.3%), Malta (-8.5%), the Netherlands (-5.8%), Belgium (-5.4%), Denmark (-4.9%), Ireland (-4.7%), and Sweden (-4.6%). The largest EU economies, Germany, France, Italy, the Netherlands, and Spain would generally experience the highest absolute losses in economic output.
Looking into the future, the same pattern will apply following 5 years of the implementation of exclusionary requirements, where Cyprus (-6.5%), Malta (-5%), Luxembourg (-4.8%), the Netherlands (-4.3%), Denmark (-4.1%), Ireland (-4.1%), Belgium (-4%), Latvia (-3.8%), Slovenia (-3.7%), Sweden (-3.8%), Greece (-3.6%), and Estonia (-3.6%) would be the most disproportionately hit. Following the same 5-year period, Germany, France, Italy, the Netherlands, and Spain would also experience the highest absolute losses in economic output. Over longer time horizons, small and less economically developed countries, such as Bulgaria, Croatia, Greece, Lithuania, Poland, Portugal, and Romania stand to lose long-term growth potential due to exclusionary cloud „immunity“ rules, which would have detrimental effects on these countries’ economic advancement and efforts towards achieving economic convergence with more prosperous EU nations.
EUCS impact: distribution of annual real GDP losses, in %, following 5 years of implementation
The study’s findings underscore the potential economic repercussions of limiting EU access to global cloud services, with smaller EU countries and sectors reliant on ICT services being particularly vulnerable. The economic impacts extend to larger EU economies as well, emphasising the importance of considering the broader short- and long-term implications of restrictions on cloud and ICT services imports on Europe’s economies. EU Member States should thus call on ENISA and the European Commission to abandon discriminatory and potentially far-reaching “immunity” requirements in the proposed cloud certification scheme, EUCS.
 European Commission (2023). Report on the state of the Digital Decade. 27 September 2023. Available at https://digital-strategy.ec.europa.eu/en/library/2023-report-state-digital-decade.
 EU Agency for Network and Information Security (ENISA) 2023 draft EUCS, version V1.0.335, as of August 2023. This study has been conducted based on the publicly available EUCS draft versions from May and August 23, and is without prejudice to any future versions of the scheme.
This ECIPE Occasional Paper is an independent report funded by the Computer and Communications Industry Association (CCIA Europe). The opinions offered herein are purely those of the author. They do not necessarily represent the views of CCIA Europe.