According to an EU draft document seen by Reuters, non-EU cloud service providers such as Amazon, Alphabet’s Google, Microsoft, and others wishing to obtain an EU cybersecurity certification to handle sensitive data can only do so through a joint venture with an EU-based company.

Employees who have access to EU data would have to go through special screening and have to be located in the 27-country bloc, according to the document. U.S. tech titans and others involved in the joint venture are only allowed to have a modest ownership.

The paper further states that all cloud service customer data must be stored and processed in the EU, and that EU rules apply to cloud service providers regardless of whether they are based in the EU or not.

The most recent draft proposal from the EU cybersecurity agency ENISA is for an EU certification scheme (EUCS), which would certify the security of cloud services and dictate how governments and corporations within the EU choose a vendor for their operations.

The new rules highlight EU worries about involvement from non-EU nations, but they are sure to draw criticism from U.S. IT firms concerned about being excluded from the European market.

In the future years, Big Tech expects the government cloud market to drive development, and a potential AI boom following the success of OpenAI’s ChatGPT might further increase demand for cloud services.

To reduce the potential of non-EU interfering powers undermining EU legislation, conventions, and values, the paper stated that “Certified cloud services are operated only by companies based in the EU, with no entity from outside the EU having effective control over the CSP (cloud service provider).”

“Undertakings whose registered head office or headquarters are not established in a member State of the EU shall not, directly or indirectly, solely or jointly, hold positive or negative effective control of the CSP applying for the certification of a cloud service,” it stated.

According to the document, the stricter regulations would apply to sensitive personal and non-personal data if a breach could jeopardize the protection of intellectual property, public order, or human life or health.

According to a source in the business, the most recent draft might cause fragmentation of the EU single market because any nation would be free to implement the criteria whenever it saw suitable.

The strategy, according to the U.S. Chamber of Commerce, puts American businesses at a disadvantage. The EU claims that the actions are required to safeguard the privacy and data rights of the union.

Later this month, the draft will be reviewed by EU nations, and the European Commission will then adopt the final plan.