The cybersecurity ecosystem fights for European digital sovereignty

In a reference to future major sporting events in France, the theme of this year’s edition was « European Sovereignty: Let’s give it a try! » and the manifesto presented to the new minister, Jean-Noël Barrot, was intended to give concrete expression of the entire ecosystem’s desire for sovereignty. « Everything has been said, written and sometimes overused about sovereignty, » acknowledged Jean-Noël de Galzain, President of Hexatrust, « but sovereignty is the oxygen in our blood and we need it if we want to continue to live. The new five-year term will enable us to correct some fairly recent mistakes and to build an ambitious industrial policy together. »

The current diagnosis may seem gloomy at first glance, and as Bernard Benhamou – Secretary General of the Institute for Digital Sovereignty- pointed out, there is still an urgent need to take action. « We have no industrial policy, we do not exist in terms of major digital players in Europe and the world. We do not have a Top 20, or real international players, » he said. Of course we have great companies and great startups and unicorns, but they never pass the glass ceiling to become real leaders. »

The reason for this is simple: « Unlike in Germany, there is no collaboration between large companies, SMEs and startups. Large organizations only know how to work with large equipment manufacturers. This is a question of corporate culture, as the large ones are suspicious of the small ones and doubt their reliability in the long term. In addition, the American Small Business Act system -which has allowed Amazon and other GAFAs to develop- does not exist in France for political reasons related to the lobbying of large companies that do not want to share the market.”

He also refers to the « prescribing » State, which in recent years has generally acted in the opposite way to what the « regulating » State is supposed to do, by choosing solutions from outside Europe. The most telling example is the Health Data Hub, a platform for health data, whose implementation was entrusted to Microsoft for eminently political reasons, as they had an off-the-shelf solution that was quick to deploy. But that was before it was « put on hold » as a result of an opinion from the CNIL, which expressed its wish that hosting and services related to its management be reserved exclusively for entities under the jurisdiction of the European Union, in the interests of personal data protection.

Fortunately, things are moving forward, and the political perception of these issues has shifted as a result of the Covid crisis and the war in Ukraine. Bruno Le Maire’s announcement at the inauguration of OVHcloud’s new datacenter in Strasbourg on September 12 that he would create a strategic committee on digital trust, chaired by Michel Paulin, CEO of OVHcloud, is proof of this. This was an ideal context for the Hexatrust manifesto, which is based on the five « R’s », five fundamental principles that need to be put in place to create a responsible digital environment: resilience, responsibility, reversibility, reciprocity and respect for privacy. The manifesto has been enthusiastically embraced by the entire ecosystem and proposes ten concrete measures that are easy to apply. The next step for the signatories is a meeting with Jean-Noël Barrot, the date of which has yet to be determined. To be continued…

The manifesto’s recommendations interpreted by Jean-Noël de Galzain

1. Raise awareness and provide training to citizens and companies on the use of European solutions

“I will take the example of Wallix’s action (editor’s note: Jean-Noël de Galzain’s company). Our Wallix Education plan takes us to engineering schools, undergraduate schools and soon business schools, to raise awareness among students of cyber risks and trusted digital technologies, and to train some of them in the use of our solutions. Secondly, as part of the strategic plan for the branch that I am leading, the objective is to train 4,000 apprentices in cybersecurity. Finally, we have launched a working group on this subject with the Cyber Campus.”

2. Create a catalog of sovereign solutions to be referenced as a priority by central procurement agencies (UGAP, the French government’s procurement department, sectoral agencies)

« Catalogs such as that of Anssi or Hexatrust already exist, and we are proposing to extend the catalog to the entire sector and, more importantly, to reference it with buyers, particularly the UGAP.”

3. Mobilize funds intended for the financing of startups, SMEs and growth companies to contribute to the emergence of international industrial champions, beyond the unicorns

« A number of initiatives are taking shape, such as the Cyber Booster at the Cyber Campus, a gas pedal announced by the Minister at the end of the year, and the creation by a number of entrepreneurs, including myself and my own company, of the €60 million Cyber Impact fund, to invest in cybersecurity startups. But for me, what is missing today is an investment fund for growth companies, to which between €300 and €500 million should be allocated in order to bring out three champions.”

4. Provide France Relance to help the demand to be equipped with European offers

« The 176 million euro fund dedicated to cyber was mainly used partly to conduct audits and to equip 200 hospitals. 20 million euros were recently added for 200 new hospitals, but I think we should continue to add to this fund for the 1,200 largest French establishments and extend it to vulnerable companies such as ETIs and SMEs -which are often under-equipped-, perhaps starting with regulated and sensitive sectors. »

5. Mobilize R&D funding to promote interoperability and portability of solutions with existing platforms

“Funds exist, in particular at the General Secretariat for Investment, and the idea is to direct them in particular towards everything related to cloud computing so that all the cybersecurity applications and software that organizations need are referenced and present in our cloud providers’ market places. Our cloud platforms are often criticized for being under-equipped and less advanced than those of the GAFAs. I think that they are just as good in terms of technology, but that we are lagging behind in terms of application catalogs.”

6. Make cyber insurance available to everyone, and particularly to protect small and very small businesses

“This measure is consistent with a recent government legislative proposal. However, I believe that reimbursing the ransoms paid by the victims would be a crime pusher and that the priority is to protect the most vulnerable companies.”

7. Stimulate the emergence of a European digital market with the creation of a European Tech Business Act

“We propose to model this system on the Small Business Act. The idea is to give priority to our offerings in certain market segments and to protect -thanks to current regulations- certain markets where there are issues related to cyber-resilience and sensitive data. I’m thinking of those affected by the NIS directive, known as « critical sectors ».

8. Make public procurement a lever for transforming the State and direct it towards European industries in accordance with the Sustainable Development Goals (SDGs) and in line with a yet to be invented « digital responsibility doctrine »

« Although a large number of SMEs have access to public orders, the volumes are very low due to the issue of risk and often a lack of appreciation of our offers, with the constant impression that « the grass is greener on the other side ». Our companies are also lagging behind in a number of areas, and the issue of integrators, who should be playing a greater role in building the value chain, also arises. We want at least 25% of public orders to go to SMEs. That’s what industrial policy is all about.”

9. Support the implementation of a coordinated economic diplomacy strategy between government departments, aimed at promoting the French digital industry’s export offerings

« This mission could be entrusted to Bercy, the Ministry of Europe and Foreign Affairs, or even to FrenchTech.”

10. Implement a Small Business Act at both the French and European levels to promote access to public procurement for innovative startups, SMEs and ETIs

« What we want to build at the European level, we also want to build at the national level. It is a question of our sovereignty, our autonomy and our economy, which do not depend on Europe but on our own determination to set up an industrial policy. Security is a regalian duty and secure digital technology, which I call trusted digital technology, is an emergency for all sectors and all players in the economy.”