On privacy issues and problems, one of the priorities is the strengthening of cybersecurity policies by cloud service providers. For this reason, the European Cybersecurity Certification Scheme for Cloud Services (EUCS), one of the first IT security schemes in Europe, is being set up to obtain an official stamp of approval from European authorities. It includes rules, technical requirements, standards and procedures that strengthen the cybersecurity of ICT services and products offered to European citizens, initiated by the European Union Agency for Cybersecurity (ENISA).

The challenge is to harmonise a diverse set of market players, complex structures, and different systems in the member states to agree on single standards and an official stamp of approval by European authorities. The new standards will be applied to every cloud service, from infrastructure to applications, defining a very precise set of security requirements to comply to. ENISA's goal is to define a single, up-to-date framework, harmonising European regulations, international standards, industry best practices and certifications already in place in the Member States.

However, in order to ensure the transition from current national systems to a single framework, it is necessary to involve all actors, structures and the whole landscape of cloud services, establishing the guaranteed level of cybersecurity between 'Basic', 'Substantial' and 'High'.

The new standards will apply to every cloud service, from infrastructure to applications, defining a very precise set of security requirements. The doubts of the Americans: too complex procedures.

This is not an overhaul of the fundamentals of the previous SOG-IS MRA scheme in force, but the optimisation of certain IT security protocols to obtain the new certification.

The main benefits relate to the monitoring and compliance management of infrastructures, detailed information on vulnerabilities made publicly available, and increased consumer support, such as patch management for certified products.

However, there are still some open points, on which reflections are ongoing: for instance, the slow transition period needed for compliance and the sharing of additional requirements with developers, requirements that need to be better specified.

A very important country like the United States of America has objected, considering that the proposal will create overly complex legal compliance procedures without substantially increasing current levels of cyber security. The control procedures would be excessively restrictive. In addition, according to representatives of major technology industries such as Amazon, Microsoft, or Google, the new regulatory framework is likely to have serious repercussions on cloud service providers, and on the competitiveness of the European economy in general.​