Digital sovereignty: Europe divided in the cloud, Italy protects sensitive data

The first attempt dates back to 2019 with Gaia-X, the digital sovereignty project promoted by former German Minister of Economic Affairs Peter Altmaier and his French counterpart Bruno Le Maire, with the support of Commission President Ursula von der Leyen. On paper, a revolution. In fact, little: guidelines, principles on data security and privacy protection. But no infrastructure and no European cloud as an alternative to the hegemony of the United States of America, only addresses.

And so, the way in which EU countries are now declining the cloud strategy for public administration tells a story of a non-compact Europe split into three models (see map), as illustrated in a recent confidential strategic planning report that Il Sole 24 Ore was able to consult.

On the one hand, there are the excellences that are armouring their data with a sovereign cloud: these are the states that have made centralisation the cornerstone of the transition. Italy, France, Germany, Estonia, Finland, Greece - to name a few - have put a national public cloud first project on paper. Single pole, precise rules, government supervision. More control, more responsibility.

On the other, the variable-geometry cloud front: Ireland, the Netherlands, Poland, Portugal. Here the cloud first rule is applied in sections and implementation is left to individual administrations. The government sets the guidelines, then it's every man for himself. Lighter strategy, but also more uneven.

Finally, the third group: Belgium, Spain, Austria, Norway. No real cloud strategy. Only security regulations. There, the management of public data is still a technical affair, not a political one, so much so that they often travel on the infrastructures of large global players, with the risk that they end up outside the European perimeter.

Italy, in particular, is among the countries that started late, but thanks to the National Cloud Strategy defined by the Department for Digital Transformation and the National Cyber Security Agency, it has made up for lost time. Investments of about one billion provided for by the NRP have thus speeded up the implementation of data sovereignty of central and local public administrations, especially of 'strategic' digital information.

The key to security for the 502 Public Administrations (including the Prime Minister's Office, the Ministry of Defence and the Carabinieri) that make use of the National Strategic Pole - the company controlled by Tim, Leonardo, Cassa Depositi e Prestiti and Sogei - lies in four data centres allocated in Italy and, above all, in encryption. A unique code for the exclusive use of the Pa gives access to strategic information. Sovereignty is thus imposed on the Americans Amazon, Google, Microsoft and Oracle, whose services the Strategic Pole uses in any case. No visible data, no Cloud Act risk.

According to the wording presented last Friday, all public administration data can also end up on foreign servers. The amendment, however, explained to Il Sole 24 Ore by the undersecretary to the presidency of the Council for innovation, Alessio Butti, 'absolutely does not concern the high-reliability infrastructure (the PSN, ed.)' and therefore the strategic data of public administrations remain in Italy, while critical data can also go to other states, but only to the European Union.