Digital Economy

Sovereign cloud: Europe steps up its defences (but everyone is going their own way)

It was France that realised that its citizens’ data was accessible to the US government and agencies. Protecting data sovereignty is becoming a strategic issue for Europe: European countries are adopting different approaches, but with a single objective

by P.Sol.

3' min read

Translated by AI
Versione italiana


March 2024, Paris. The French Ministry of Health discovers that the health data of millions of citizens, hosted on the European Health Data Hub platform, is technically accessible to the US authorities. The service provider is Microsoft Azure, which is subject to the Cloud Act, the US law that allows US judges to order access to data held by US companies, wherever the servers are located. The loophole is the notorious FISA (Foreign Intelligence Surveillance Act), which allows the government and federal agencies to access the databases of US operators without restriction.

The story hit the headlines. The Council of State was called upon to address the issue, privacy organisations protested, and the government promised to migrate to European providers ‘as soon as possible’. Two years on, that promise has reshaped the EU’s entire cloud strategy. And France, Germany and Italy have taken three different approaches to prevent a repeat of the situation.


Sovereignty or nothing

Paris has learnt the hard way. Following the Health Data Hub scandal, the Élysée Palace has adopted the principle of the “cloud de confiance”: sensitive government data must be stored on infrastructure that is immune to any non-European jurisdiction.

The key is the SecNumCloud certification, issued by ANSSI. Technical compliance alone is not enough: the provider must demonstrate that it is not subject to foreign laws that permit unauthorised access. For American hyperscalers, the only way in is through joint ventures in which the French hold a majority stake.

And so Bleu — the alliance between Orange, Capgemini and Microsoft — and S3ns, the partnership between Thales and Google, were born: American technology, but with encryption keys and governance in French hands. The price? Complexity and high costs, as the Court of Auditors highlighted in a recent report. But for Paris, sovereignty is non-negotiable.

Certify, don’t exclude

Berlin has opted for a different approach. Instead of building walls, it has raised the bar on regulations. The BSI, the Federal Office for Information Security, has developed the C5 (Cloud Computing Compliance Criteria Catalogue): a rigorous framework that imposes requirements for transparency, data protection and resilience. From 2024, every supplier working with the federal public administration must hold C5 certification.

What’s the difference compared to France? Amazon, Google and Microsoft can access it directly, without the need for local joint ventures. “We’re not aiming to reinvent the cloud,” explained a spokesperson for the Home Office. “We’re aiming to ensure that anyone who wants to work with us complies with our rules.”

Critics argue that technical certification does not resolve the legal issue: an American provider, however compliant it may be, remains subject to the Cloud Act. But Berlin is banking on regulatory deterrence rather than technological self-sufficiency.

Public stronghold, private technology

Rome has sought to strike a balance between the various solutions. The Italian strategy, drawn up by the National Cybersecurity Agency (ACN) and AgID, classifies public administration data into three levels – ordinary, critical and strategic – with progressively stricter security and localisation requirements.

For the most sensitive data, the solution is the National Strategic Hub: four data centres between Milan and Rome, managed by a consortium with a majority public stake comprising TIM, Leonardo, CDP Equity and Sogei. The hyperscalers are not excluded, but are integrated: services from AWS, Google and Microsoft pass through the Hub’s infrastructure, with encryption keys remaining in Italy.

In June alone, over 280 local authorities began the migration process. The timetable envisages that the bulk of the transfers will be completed by next year.

Three countries, three models. France has opted for the highest degree of autonomy, accepting the associated costs and complexity. Germany has prioritised the market, imposing strict rules. Italy has built a public infrastructure that integrates private technologies under national control.

None of the three approaches can be considered perfect. But they all stem from the same realisation: following the Health Data Hub and the revelations about FISA and the Cloud Act, data sovereignty is no longer just a topic for conferences. It is a critical piece of infrastructure, just like motorways or the electricity grid.

The European campaign has only just begun. And for once, Italy isn’t playing defensively.

Copyright reserved ©