Digital Sovereignty: It is High Time to Have a Rant and Take Action!

Five months! Five months have elapsed since March 2020 and the announcement by the President of the French Republic of the introduction of lockdown measures on the French territory. Five months during which our country, our institutions, our economy, our companies, our employees, our clients, and all our fellow citizens have been living with COVID-19. One of the very first lessons of this crisis, in the face of the shortage of personal protective equipment, is the demonstration of the dependence of our industry and the weakness of a system based on outsourcing and on production sites located very far away from the place of distribution. Fortunately, in the face of emergency, we have found alternatives. Some of the jewels of our industry have thus diverted their industrial tool to help with the production of protective masks, breathing apparatuses or disinfectant gel.

Within companies, people also adapted. The security and safety directors of the largest French companies represented by the CDSE often had to play the role of crisis room coordinators. In this respect, they had to ensure business continuity and the protection of their employees and customers, both in France and abroad. Together with their CISO counterparts, they also had to allow the implementation of massive teleworking in the best operational conditions while ensuring a satisfactory level of cybersecurity. As a result, all companies have been forced to adapt to the demands of the crisis, which required us to increase the number of remote exchanges.

Stop cc’ing Beijing, Moscow, or Washington

However, in terms of digital tools, this crisis has once again shown us to what extent France was dependent… It must now be made clear: it is still very complicated to have a videoconference or share documents via a digital application without directly cc’ing Beijing, Moscow, or Washington! Within the CDSE, a survey conducted in June among its members shows that the criterion of sovereignty is currently present in 55% of the invitations to tender issued by the large French companies. It is already a good start, but it is certainly not enough. Because it is an emergency!

I share Alain Bauer’s view that “the next virus will probably be a cyber one” and that “the next sovereignty test will exceed that of the masks.” Because when it comes to digital sovereignty, France and Europe are decades behind. We have known it for years, but we have been working on it, trying things. We are told that we are almost there, that we can do it. But this crisis shows that we are not ready in time. On the issue of data, in particular, France does not have truly sovereign exchange or storage solutions. For instance, it is absolutely shocking that most OIVs (vital operators) and OSEs (essential services operators) store part of their data at Google or Amazon! It is also distressing to notice that the French government has decided to store the health information of millions of French on the servers of the American company Microsoft.

Defining sovereignty and setting comprehensive criteria for it

Five months! With the generalisation of mass teleworking, it has thus been five months that we are more than ever dependent on foreign powers and foreign tools. We must therefore act urgently! First, by defining the meaning of a sovereign solution: a solution that guarantees its users that their content will elude any extra-territoriality of foreign laws. It is thus necessary to set exhaustive criteria for these applications, such as shareholders nationality or data storage location. Likewise, it is essential to calculate the cost of this sovereignty, which must be understood both as an essential insurance and as a truly competitive advantage. One imaginable possibility would be to support the purchase of sovereign solutions through tax credits. In addition, these tools will have to be ergonomic, user-friendly, and focus on the design of the “user experience”, which is too often missing in French or European solutions. Finally, I would deem it legitimate to impose on the State services, the OIVs   and the OSEs to use such applications, even if imposing them would become superfluous if they are at the same price, offer the same functionalities and are easy to use, in addition to being sovereign!

On all these issues, we can undoubtedly trust “the large stakeholders of the sector”, but we can also “dare” to trust innovative French SMEs and SMIs. This ecosystem is indeed capable of developing the sovereign and competitive solutions we sorely need. The Recovery Plan must enable us to find the levers to encourage them to do so.  With the support of Bruno Le Maire, we at the CDSE have tried to bring a pragmatic response with a webinar organised by our Lab around the theme of sovereignty at the time of employees’ nomadism (https://www.cdse.fr/e-odyssee-du-cdse-lab-souverainete-et-nomadisme-des-collaborateurs-webinaire). We defined the needs of the companies, and for every need, we proposed a sovereign solution presented by a company. And it works: less than a week later, deals have already been signed!

So, we are out of excuses. The Sectoral Strategic Committee is working to provide initial responses, with the valuable support of the French Ministry of Economy and Finance. Nevertheless, time passes by, and every day we are closer to the first major digital crisis that will have incalculable consequences for our economy and the life of French citizens. It is an emergency, so it is high time to have a rant and take action!

Stéphane Volant is the president of the CDSE (Corporate Security Directors’ Club), which brings together security and safety professionals from nearly 150 of France’s largest companies. In this capacity, he sits as a user representative on the board of the CSF (Sectoral Strategic Committee) of the Security Industries.