The cloud as a prerequisite for digital sovereignty
What technological and digital autonomy can the EU achieve? How does the European cloud ecosystem respond to the technological, data protection, and cybersecurity issues that underpin it?
At a recent ministerial conference on the construction of European digital sovereignty, Bruno Le Maire, Minister for the Economy, Finance, and Recovery, explained that the very theme of “digital sovereignty” has been “brought into fashion” by the economic crisis, the failures of production chains and the consequent lack of essential products, and the urgency of relocating new critical value chains (electric batteries, semi-conductors, etc.).
“The real sovereignty of the 21st century is not political, but technological,” he added. “You can be politically sovereign, but if your 5G communications networks are dependent on a foreign power that can get all the data that flows through them, you are not sovereign!”
He therefore advocated “a European technological awakening,” notably through innovation and regulation, “to guarantee the EU’s technological sovereignty.”
How does the European cloud ecosystem answer these challenges?
According to KPMG, by 2027-2030, the European market will grow from €53 billion in 2020 to €500 billion, representing a cumulative investment of around €200 billion and the creation of 600,000 jobs.
The industry is still largely dominated by the American giants Amazon, Microsoft and Google, which together account for 70% of the sector.
“The European cloud computing market is also a major challenge in terms of competition, competitiveness? and market alignment with clear and uniform rules,” says Jean-Charles Ferreri, Global Strategy Group, Senior Partner, at the Big 4.
For MEP Miapetra Kumpula-Natri, digital sovereignty requires the European Union to develop its own cloud tools: “There is room for European infrastructure and for players in the data economy,” she notes. “However, we need to look at how and by whom this data is used. And therefore implement the right rules. While personal data is well protected on paper, there are still gaps to be filled.”
On the operator side, Michel Paulin, CEO of OVHcloud, believes that the market wants an open, interoperable, and reversible cloud: “We are a strong advocate of open source,” he explains. “It is dangerous for this sector to be an oligopoly in the hands of a few entities that own the entire European or even global market. We have to exclude the players that don’t play the game and engage in entryism.”
To ensure that the EU has sufficient control over cloud technologies across its value chain and retains its autonomy, he advocates a long-term technological vision (10 years) and trusted cloud infrastructures, “which are not black boxes contrary to the principles of sovereignty”.
For Francesco Bonfiglio, President and CEO of GAIA-X, citizens must also understand that data security is not only an IT issue, but also the future of everyone. “For this, we need to create competitiveness in the market by being better than our competitors. Aggregation would thus be a solution,” suggests the CEO of the pan-European cloud infrastructure initiative.
“The EU market is extremely fragmented. We need to develop new cloud infrastructures that are federated, with offerings that combine our strengths and benefit our industry,” he says. “Through innovation, we can create new secure and competitive platforms, with a governance framework and federated services that will link the different infrastructures together. These solutions will ensure sovereignty and trust.”
Companies are significantly lagging behind
The European Union Agency for Cybersecurity (ENISA) is working on a European cybersecurity certification scheme for cloud services. The project—initiated by the European Commission—provides for the compliance of providers and their services with European cybersecurity and data protection requirements.
Juhan Lepassaar, its director, points out that cybersecurity—like all security—is not absolute: “It is a level of guarantee that can be given to individuals through a single legal framework that will strengthen trust and transparency in the internal market,” he explains. “This new certification scheme will build on standards, technical rules, and existing frameworks, such as the cloud certification schemes of the various Member States.
The aim is to help market players create cybersecurity in line with the EU’s values and digital sovereignty objectives in critical areas.
Cybersecurity and the GDPR are closely linked: “The former involves data protection. Therefore, cybersecurity compliance must meet the requirements in this area,” Lepassaar emphasises.
Marie-Laure Denis, President of the CNIL, reminds us that certification is a source of confidence: “It enables us to distinguish virtuous players and to give them important visibility,” she assures us, recalling that the CNIL is responsible for ensuring that European guarantees on data are respected and for reinforcing this confidence, which is essential for the development of the digital economy.
“We are therefore very careful that the high level of the certification scheme developed by ENISA incorporates right from the start the legal provisions required for the effective application of European law, in particular on access by foreign authorities to the data of Europeans,” she said. “We are also very vigilant to ensure that such data transferred outside the EU continues to benefit from the same level of guarantees as the GDPR.”
Will the EU really be able to impose these views on the U.S. giants? Citizens and companies will also have to get their act together to strengthen cybersecurity and the protection of their data. While the former “have widely adopted cloud applications in their daily lives, only 36% of European companies run part of their business applications in an environment that includes a public or private cloud,” notes KPMG. This is a significant gap that they will have to close quickly.
- Digital transition
- Cyber industrial safety
- Security and Stability in Cyberspace
- Cyber risks
- Operational security
- Antifraud action
- Digital identity & KYC
- Digital Sovereignty