From February 7 to 8, 2022, was held the conference "Building digital sovereignty in Europe", as part of the presidency of France at the Council of Europe. Objectives: To draw up an update on digital issues and rules issued by the E.U. in terms of Cloud, cybersecurity and data protection.
Facing with the multiplication of threats in cyberspace, the conference discussed the emergence of a European model of cybersecurity, through European legislative initiatives (revision of the NIS directive on the security of networks and information systems), the mechanisms of increased solidarity between Member States, and the reinforcement of an industrial fabric (GAIA-X; trusted cloud; European certification scheme of the European Cyber Security Agency - ENISA).
The European Cloud value chain.
Cloud computing has indeed become a strategic issue overlooked by American players.
So how can European cloud operators can make the most of it? And what will be the value chain of the European Cloud?
First of all every speaker agreed that Sovereignty implies the ability to choose its own Cloud infrastructure. The crucial question is to understand who owns and who manages the data.
The stakes of the Cloud market and data market are indeed significant for Europe.
The French National Digital Council estimates that by 2030, inter-company data flows will increase by 15%. It is therefore important to promote secure cloud solutions, in which datas are protected from extraterritorial legal issues.
When data is transferred beyond the EU, the question of data accessibility by foreign governments arises. "The French data protection commission -CNIL- is very active in assisting cloud operators to host their infrastructures on secure European clouds, where data is located in Europe and managed by European companies," confirmed Marie-Laure Denis, director of the CNIL.
The definition of sovereignty is freedom of choice
What to expect from the large partnerships built around the french trusted cloud between US hyperscalers and French operators? For the CNIL, the situation is clear. "These partnerships are promising. Yes, but only if data security is managed in Europe."
For the Gaia-X CEO Francisco Bonfiglio, the "challenges are not only IT-related but also data-related." He promotes the federation of infrastructure and cloud services at the European level.
So why did the Gaia-X association has accepted non-European players as members? "All our members want to be able to play on the European field and that's why we need to build interoperable rules" explained the CEO.
The idea of a Cloud trust index to evaluate the best providers has even been raised.
Sovereignty and data protection.
The question of sovereignty and data protection was also widely discussed by the European Commissioner for Justice, who stated that there is an urgent need to reduce digital dependency in the cloud industry. In this context, the new DGA - Data Governance Act - may be the new cornerstone of european data protection
"There is indeed a need for more transparency around public and strategic data, especially in the field of health. To create trust, we must also avoid monopolistic situations" has commented the Directorate of Security and Defense Policy of the European External Action Service (EEAS)
We need to reduce digital dependency in the field of Cloud and develop Europe's technological strength. Didier Reynders, European Commissioner for Justice.
From digital sovereignty to strategic autonomy
ENISA - the European Network and Information Security Agency - would rather use the term"strategic autonomy" than "digital sovereignty".
"Of course, Europe needs cooperation, but it also needs balance. We need to be able to ensure security and data protection mechanisms, especially for the most critical services," explained Juhan Lepassaar, director general of the European agency.
The ENISA's certification scheme is built around transparency and on several levels of assessment: in self-declaration mode at a first level, then certified by third parties, but also in security by design mode for the most critical services.
On the cybersecurity side, it should be noted that an European exercise is currently underway and will end on February 21. The use of all European cybersecurity mechanisms are simulated, as well as the mechanisms for mutual assistance and the political response.