The EUCS Criteria Harmonizes Cloud Security: an interview with Niki Klaus, CEO of Nixu Certification.
9 Oct, 2023
By Niki Klaus (Nixu)

If Europe excels in something, it’s the creation of regulations. The new EUCS criteria harmonize cloud service security in the EU.

Source: Toni Stubin – Tietoviikko

The European Union’s cybersecurity agency, ENISA, aims to standardize cloud service security in Europe. The EUCS certification, or European Cybersecurity Certification Scheme for Cloud Services, is designed to determine the security level of cloud service providers. EUCS is much needed. There are many national security criteria in Europe, so a common certification would provide a clearer framework for security assessment. “I believe that EUCS will replace at least some national certifications. For example, the PiTuKri (Criteria to Assess the Information Security of Cloud Services) criteria for assessing the security of cloud services used in Finland will likely be replaced,” says Niki Klaus, CEO of Nixu Certification.

EUCS has three levels for defining cloud security. The Basic level covers minimum requirements, High represents top-tier security, and Substantial, according to ENISA, represents enterprise-level security. The agency anticipates that most service providers and their customers will opt for this level. Although EUCS is voluntary, Klaus believes that at least the largest players in the industry will obtain the certification. It’s possible that the largest users of cloud services and the public sector will start requiring EUCS from their suppliers. “The certification also provides transparency for service users about how things are handled.

A draft certification was published in December 2020. Klaus speculates that the final version may become available no earlier than the end of 2024. He notes that evaluating cloud service security is complex, and it’s still difficult to say how challenging it will be to obtain the EUCS certification. “The three different levels of EUCS may make the situation somewhat easier, but it’s not a walk in the park. In my opinion, based on the draft, it’s worth starting to take action.Companies can consider which level of services they will offer. The requirements will likely remain largely as presented now.”.