The study concludes that the market for cloud computing certification schemes in the EU is highly fragmented: different initiatives have arisen at different levels, and international standardisation organisations as well as EU member states have launched their own public and public-private initiatives, with varying levels of success. The study analyses six certification schemes in depth, with the aim of comparing the key areas on which each focuses, such as procurement management, operational security, and security integrity.
The study uses these findings to propose the minimum set of requirements that an EU-wide cloud computing certification scheme would need to cover, including categories such as procedures and policies, business continuity, operational security, asset management, incident management, security assessment and more.
It becomes clear that one of the main reasons for the low adoption of cloud security certification schemes is the coexistence of different conformity assessment methods. Companies face significant challenges not only in identifying the most appropriate security certification scheme but also in choosing the proper conformity assessment method. The costly redefinition of internal processes needed to comply with the security controls that certification schemes require is a further important barrier.
Finally, the study investigates potential scenarios for the role that could be played by the public sector in creating certification schemes, from a market-driven situation to a high level of regulation, also including options such as the creation of an EU-wide certification scheme and mutual recognition of national schemes. This analysis of scenarios includes a qualitative impact assessment in terms of cost, complexity, security awareness and market.
The study puts its findings into the context of EU policies related to cloud computing and security certification, such as the Digital Single Market, the Directive on security of network and information systems (NIS Directive), the Cybersecurity Act and the Regulation on the free flow of non-personal data.