The European Association of CCP Clearing Houses (EACH) is calling for loosening of cloud regulations for EU clearing firms.
The view was in response to the EU Cybersecurity Certification Scheme for Cloud Services (ECUS) which comes under the EU Cybersecurity Act label.
The aim is to harmonise EU-wide standards and improve cybersecurity as well as enhance oversight and auditing tools on cloud services.
On the positive side, EACH said it welcomes the introduction of an EUCS and the benefits it brings, as well as the increased focus in the EU on harmonised emerging requirements on firms’ cyber and operational resilience overall.
However, it was concerned that EUCS’s focus on localisation provisions could affect the quality and security in the European cloud market, and make it more difficult for European companies to operate and compete globally.
More specifically for its members, it noted that restrictions under considerations within the EUCS would force CCPs to exit longstanding contracts with existing non-EU based CSPs without a suitable alternative.
“We believe this would undermine EU CCPs’ ability to manage their operational and cyber risk effectively hence affecting our ability to provide clearing services underpinned by best-in-class operational resilience,,” it added.
In addition, it voiced its concern that these measures would not add improvements to cyber security, and that in fact they could weaken it by hindering the exchange of information.
To rectify the situation EACH made several recommendations including implementing high level of resilience through enhanced contractual arrangements with CSPs, increased supervision of critical CSPs, and rights of access, (financial industry pool) audit and oversight , as introduced in Digital Operational Resilience Act.
It said this critical/level-high certified CSPs should be accompanied by a stakeholder engagement, an impact assessment, and consultations with the market participants before becoming a matter of discussion.
EACH advised that concerns relating to non-EU cloud providers should be addressed in international and cross-jurisdictional forums, such as the EU-US Trade and Technology Council meetings.
“We need to have a constructive dialogue on creating efficient and workable solutions,” it added,” it added.
