Cigref’s « trusted cloud » referential expresses the generic trust needs of Cigref members as users of cloud services. It summarizes Cigref’s work carried out since 2019 by the « trusted cloud » working group, led by Vincent Niebel, CIO of the EDF Group.
This version, known as V2, takes into account the comments received during the call for comments on version V1 from the Gaia-X European hubs and from European user associations. The amended version adds a new, fourth axis that characterises control of the environmental footprint of cloud services, alongside the existing axes of security, control of dependencies on suppliers and immunity to non-European laws.
Why a trusted cloud referential for digital service users?
Cloud computing offers significant benefits and has become a must-have for its public and private sector customers in terms of cost, flexibility, efficiency, optimisation, security and scalability. In both infrastructure and software products, cloud computing is now the technology sector that leads all others.
Businesses are looking for trust in the cloud in order to greatly reduce their exposure to geopolitical and legal risks, as well as to interference and intelligence activities driven by economic interests. Indeed, for companies and public administrations, « to control your dependencies is to control your destiny ». They therefore express their needs, particularly in the digital field, in terms of controlling their dependencies, which reflect three main economic, geopolitical and strategic concerns:
- Enable businesses and public administrations to preserve their autonomy of assessment, decision and action, particularly with regard to their cloud service providers. For users, this means controlling their dependence on the lock-in strategies of cloud providers that hold a hegemonic position on the European cloud market. In this respect, the provisions of the European Digital Markets Act relating to gatekeepers, and those under discussion in the Data Act, are welcomed by users.
- Anticipate the geostrategic dependence of our economy on non-European digital solutions. What happens if access to the resources of foreign cloud providers is used as leverage against a company, a sector of activity, a State or the EU as a whole? The threat of a foreign power turning off the digital energy tap should be treated as a strategic risk.
- Protect the sensitive personal and non-personal information assets of companies and public administrations from legal access by non-European legislation with extraterritorial reach.
Ambitions for the trusted cloud
The aim of Cigref’s collective intelligence work is to characterise trust as expressed by Cigref’s members in terms of cloud solutions and services for the protection of their sensitive data and associated processing. This trusted cloud referential translates this need into functional and objective requirements.
This version 2 of the referential therefore sets out the trust requirements along four axes: security / cybersecurity, control of dependence on suppliers, immunity to non-European laws, and the new axis characterising control of the environmental footprint of cloud services. This new requirement calls for transparency on the part of cloud providers: most of them present their efforts in this area in a form that does not allow customers to objectively assess the real effects of those efforts on their own usage.
This version 2 of Cigref’s « trusted cloud » guidelines will, of course, evolve in the coming months to take into account technological, economic and regulatory developments that may have an impact on the characteristics of the cloud market and on the protection of sensitive data of Cigref members.
For sensitive non-personal data, it is particularly important to guard against the risks posed by foreign laws with extraterritorial reach that authorise data collection, such as Section 702 of the US Foreign Intelligence Surveillance Act and Executive Order 12333, which were highlighted in the Court of Justice of the European Union’s judgment of 16 July 2020 invalidating the Privacy Shield in the « Schrems II » case, or the Chinese National Intelligence Law of 28 June 2017, in particular its Articles 7 and 10.
If Europe were to continue on its current trajectory, and given the exponential growth of the public cloud market, within ten years or so 90% of this market could be captured by three American players. They would then be in a position to constrain, or even lock, most of the essential processes of European companies and public administrations into their solutions and services. And, to date, competition for these players seems likely to come mainly from China.
Cigref is not in any way involved in a strategy to drive American suppliers out of the European market. European digital autarky is a chimera that often masks protectionist aims. However, if the European digital market is to remain open, it must not be open to every wind. This is why Cigref calls for the particular, short-term interests of companies and public administrations to be properly articulated with the general interest, particularly through regulation. In this way, companies and public administrations will be able to benefit from the solutions that best serve their competitiveness, while taking into account the medium- and long-term risks that the loss of the European continent’s autonomy in digital technologies poses to the general interest and to the European economy.