Overregulation

Press Release: European Elections 2024: EUCLIDIA Urges to Open Market Access And Foster European Cloud Technologies

EUCLIDIA, the European Cloud Industrial Alliance, is presenting its objectives "EUCLIDIA 2030" for Europe's strategic autonomy and resilience in the cloud. Domination of the European cloud market by a handful of non-EU technologies creates a major risk for Europe's digital security. A new European policy favouring European technologies and technology diversity needs to be drawn up in the run-up to the European elections. 
 

The European cloud technology market is currently dominated by a few non-EU actors. The "EUCLIDIA Now!" event on 29 September 2022 (Towards a resilient cloud infrastructure in Europe [1]) showed that all cloud technologies exist in Europe, and that they even account for almost 50% of hyperscaler acquisitions. However, European actors often remain marginalised in the domestic market.

The hurdles that European technologies must overcome to access the EU markets continue to grow. At the European level, no fewer than 9 regulations, including the Cyber Resilience Act, EUCS and NIS2, are under discussion to add ever more standards to the creation of software in Europe, which will ultimately make it more difficult, if not impossible, to bring European cloud technologies to the EU market.

In some EU countries, bringing a cloud technology to market already costs more than a million euros and takes more than 24 months to overcome ever-increasing barriers deriving from recent regulations. Ironically, it is now easier for a European cloud technology provider to access the market in China (3 months, a hundred thousand euros) or in the U.S or Japan, where these obstacles do not exist. These barriers effectively prevent European SMEs from accessing the majority of markets on their own continent, whereas hyperscalers which do not comply with these regulations benefit from massive public purchase [2] [3] [4] [5] [6] [7] [8] [9].

Furthermore, European OECD-inspired regulatory doctrines [10] for digital security have repeatedly ignored the essential role of diversity and free competition in resilience, thus further increasing disinterest from policy-makers in the existence of a diverse and striving ecosystem of European cloud technology providers. Cloud infrastructure in Europe currently depends on very few, mostly non-European, cloud technologies [11]. If there is a breach in one cloud operator, the same breach will likely happen with other operators and possibly impact all European cloud infrastructures. Effective resilience of European digital infrastructure can be achieved by leveraging 300 cloud technologies backed by 100 competitive European companies identified by EUCLIDIA, while entirely fulfilling the EU's cybersecurity objectives.

Facing these concerns and the risk of regulatory capture of the European cloud industry by non-EU players, EUCLIDIA is asking to reduce financial and normative barriers to enable market access for European technology creators, in particular: 

Ensure that the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) does not become mandatory in the majority of the European cloud market.

Exempt open-source created by private organisations from the costly administrative and technical requirements of the Cyber Resilience Act (CRA) and the Product Liability Act (PLD), just like it is exempted for individuals and governments.

Exempt cloud providers from implementing mandatory interoperability standards if they already provide effective interoperability through another approach.

Lift the ban on publishing AI cloud software without a legal traceability system as planned in the AI Act.

    Revise the Digital Services Act (DSA) to put an end to the obligation to include backdoors in cloud software.

    Ban pricing or technical barriers set by some cloud providers to prevent interoperability by charging a high price to recover data or by hiding technical information to interact with their service.

    Considering the extraordinary diversity and innovation of European cloud technology creators, EUCLIDIA is asking to foster their access to the European market, in particular:

    Favour European technologies based on the principles of cultural exception and subsidiarity. These principles have already been used to protect European steel producers and the clothing industry, as well as in the music and film sectors. Quotas have not only protected these industries, but have also made them leaders in their sectors. From €53bn in 2020, the European cloud market should reach €560bn by 2030. EUCLIDIA is ready to work jointly with governments, policy-makers and companies to improve processes and regulatory frameworks. These aspects are key to secure access to these fast-growing markets for European cloud technologies based on the intrinsic cultural nature of software at the core of virtually all cloud technologies.

    Encourage purchasing from SMEs. European cloud technologies are already being used by a majority of CAC40/DAX30 companies and are the core of many hyperscalers' services. This European ecosystem is also the best way to respond to the legitimate concerns generated by extraterritorial laws such as the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), the Executive Order 12333, the Foreign Intelligence Surveillance Act (FISA) and the International Traffic in Arms Regulations (ITAR).

    Case Study: European Union (France)

    A company in France which creates a CRM software with AI and decides to propose it as a cloud service (SaaS) may have to spend 24 months and 1,600,000 euros to implement all regulations. 

    Due to the NIS2 directive, the majority of the market will require the SaaS to pass "SecNumCloud" qualification or a European equivalent. Government, cities, operators of public infrastructure, operators of public services, etc. are all under the umbrella of NIS2. Larger companies tend to also follow the NIS2 directive, making the SecNumCloud close to mandatory. 

    In addition, various regulations (CRA, PLD, AI Act) impose auditing the source to comply with certain public policy objectives. This requires hiring a team or a consulting firm, at a huge cost for an SME employing only a few employees.

    Adding backdoors is also required for a cloud service (LPM, DSA, Chat Control), something that is not necessary for on-premise software. This requires hiring engineers.

    It might also be wise to mitigate litigation risks by patent trolls now that the Unified Patent Court (UPC) is enforcing the most extreme doctrines on patentability of software. According to the Law, software cannot be patented in Europe. But there are a lot of software patents that were granted using a legal trick that was ruled as "contra legem" in French courts. With the UPC, French court rulings can be superseded, opening the door to constant litigation by patent trolls as it exists in the US.

    | Regulation | Status | Action | Time | Cost | Side effects |
    |---|---|---|---|---|---|
    | SecNumCloud | Effective | Hire a team of 3 and purchase services from cybersecurity firm to conduct qualification of the SaaS | 24m | 1 M€ | Innovation is slowed down by having to go through the qualification process again. Use of open source is discouraged by stronger code audit requirements in the qualification process. Exporting outside EU becomes more difficult due to fear from customers that they could be monitored. |
    | CRA | Planned | Implement a legal traceability system and hire a cybersecurity firm to audit the software code and process. | 12m | 50 K€ | Use of open source is discouraged by stronger code audit requirements. |
    | PLD | Planned | | | | |
    | AI Act | Planned | Hire a team of 2 to implement traceability and alignment of CRM AI model | 12m | 200 K€ | Participation to open source development is slowed down or discouraged by the requirement to assess AI impact before any publication. |
    | DSA | Effective | Add backdoors to the CRM | 6m | 50 K€ | Exporting outside EU becomes more difficult due to fear from customers that they could be monitored. |
    | LPM | Effective | | | | |
    | Chat Control | Planned | | | | |
    | SREN | Planned | Implement interoperability standard defined by government in addition to already available interoperability standards present in the solution | 12m | 100 K€ | |
    | UPC | Effective | Face recurring litigations by patent trolls that enforce the EPC doctrine on software patents through the UPC despite this doctrine being ruled as "contra legem" by national courts. Hire engineers and patent attorneys to mitigate this risk. | 12m | 200 K€ | |
    | Total | | | 24m | 1.6 M€ | |

    Case Study: China

    A company in China which creates a CRM software with AI and decides to propose it as a cloud service (SaaS) may have to spend 3 months and 25,000 euros to implement all regulations. 

    In an effort to strengthen cybersecurity and protect sensitive data, the Chinese government has implemented regulatory measures for cloud service providers. These measures aim to ensure the security and compliance of cloud services in China while also facilitating market access for domestic enterprises.

    As part of these regulations, a Chinese cloud service provider must initially obtain an ICP (Internet Content Provider) license, a mandatory requirement for companies operating within the country. The cost of this license does not exceed 60,000 RMB (8,000 euros). Following this, the cloud service provider must establish a proper Beian system for the client, connected to the local public authority platform, with the Beian system incurring a cost of 15,000 RMB (2,000 euros). Lastly, the provider must undergo security assessments and obtain rating reports, incurring a cost of around 100,000 RMB (15,000 euros).

    Consequently, a local company seeking to provide a cloud service on public markets will need to invest approximately 25,000 euros, navigating through these regulatory requirements imposed by the Chinese government.

    | Regulation | Status | Action | Time | Cost | Side effects |
    |---|---|---|---|---|---|
    | ICP license | Effective | Hire consulting firm | 3m | 8K | None |
    | Beian system | Effective | Hire consulting firm | 3m | 2K | None |
    | Security and rating assessments | Effective | Hire consulting firm | 3m | 15K | None |
    | Total | | | 3m | 25k | |

    Case Study: U.S 

    A company in the U.S which creates a CRM software with AI and decides to propose it as a cloud service (SaaS) has no national regulation to comply with. It will thus spend zero months and zero dollars to access the majority of the market.

    Only providing a cloud service to the U.S Federal government, a tiny share of the cloud market in the U.S, requires spending at least 250,000 dollars to go through the Federal Risk and Authorization Management Program (FedRAMP). Like in the EU, this regulation contributes to the exclusion of smaller companies and the strengthening of dominant and financially stronger companies in the cloud market [12]. However, the cost of U.S Federal regulations is still three to four times lower than European and French ones.

    The U.S has now also committed itself to introducing more regulation in the name of a cybersecurity imperative. However, Mark Burgess has shown that adding bureaucratic procedures in the name of cybersecurity tends to hinder cybersecurity [13]. Bureaucracy encourages a preference for scrupulous monitoring of procedures put in place to the detriment of rapid reaction, which is key to neutralising a cyber attack. Furthermore, the lack of diversity for the resilience of cloud infrastructures was also pointed out by senior risk managers of top U.S financial institutions. According to them, the "Tri-opoly of cloud vendors [AWS, Azure, GCP] 'poses systemic risk'" [14].

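    | Regulation (majority) | Status | Action | Time | Cost | Side effects |
    |---|---|---|---|---|---|
    | None | | | 0m | 0$ | |
    | Total | | | 0m | 0$ | |

    | Regulation (federal government) | Status | Action | Time | Cost | Side effects |
    |---|---|---|---|---|---|
    | FedRAMP | Effective | Hire one or two consultants specializing in FedRAMP compliance | 6m | 250 K$ | uncertain |
    | Total | | | 6m | 250 K$ | |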

     

    References 

    1. (2022) EUCLIDIA demonstrates European resilient clouds backed by 100 European companies, Euclidia Publications. https://www.euclidia.eu/publications/Euclidia-Website.Publications.Euclidia.Demonstrates.European.Resilient.Clouds.Backed.By.100.European.Companies

    2. (2021) Government of Greece and AWS sign Statement of Strategic Intent to accelerate the formation of regional space hub, Amazon. https://www.aboutamazon.eu/news/aws/government-of-greece-and-aws-sign-statement-of-strategic-intent-to-accelerate-the-formation-of-regional-space-hub

    3. Grallet, G (2021) « Que la SNCF confie son cloud à Amazon est une hérésie », Le Point. https://www.lepoint.fr/technologie/que-la-sncf-confie-son-cloud-a-amazon-est-une-heresie-12-12-2021-2456408_58.php

    4. (2019) AWS IoT Helps Deutsche Bahn Improve Operational Efficiency across 6,500 trains and 37,000 miles of Track, Amazon. https://aws.amazon.com/fr/solutions/case-studies/deutsche-bahn-case-study/

    5. (2022) AU CNAM, un laboratoire virtuel au cœur de l’apprentissage immersif, Microsoft. https://customers.microsoft.com/fr-FR/story/1542001917739416263-conservatoire-national-des-arts-et-metiers-higher-education-azure-fr-france

    6. (2022) Cyprus reaches for the cloud with AWS, Financial Mirror. https://www.financialmirror.com/2022/05/17/cyprus-reaches-for-the-cloud-with-aws/

    7. Comune di Padova: Keeping local citizens informed in real time with Google Cloud, Google Cloud. https://cloud.google.com/customers/comunedipadova/

    8. Swinhoe, D (2023) Microsoft's Italian Azure region to open soon, DCD. https://www.datacenterdynamics.com/en/news/microsofts-italian-azure-region-to-open-soon/

    9. University of Barcelona Institute of Cosmos Sciences: Unveiling the mysteries of our galaxy with Google Cloud, Google Cloud. https://cloud.google.com/customers/universityofbarcelona/

    10. OECD (2022), OECD Policy Framework on Digital Security, OECD Publishing, Paris. https://www.oecd.org/digital/digital-security/

    11. As cybersecurity expert Eric Filiol explained back in 2022, "The real problem - and it's a global hypocrisy - is that all systems are under attack because they use the same technologies". In Debey, A (2023) «La nouvelle loi européenne sur le numérique est un jeu de dupes irréalisable», L'Impertinent. https://www.limpertinentmedia.com/post/interview-la-nouvelle-loi-europeenne-sur-le-numerique-est-un-jeu-de-dupes-irrealisable

    12. All-In-Podcast (2023) All-In Summit: Bill Gurley presents 2,851 Miles, Youtube. https://www.youtube.com/watch?app=desktop&v=F9cO3-MLHOM

    13. Burgess, M. and Debois, P. (2021) Promising Digital Risk Management: What not to do in Cybersecurity, XtAxis Press

    14. Xiao, M (2023) Banks call for direct oversight of cloud providers by US regulators, Risk.net. https://www.risk.net/risk-management/7957488/banks-call-for-direct-oversight-of-cloud-providers-by-us-regulators

    For more information, please contact Jean-Paul, CEO of Nexedi (+33 629 02 44 25).