Syntec Numérique and TECH IN France make ten recommendations for a European Cloud ambition

As the International Forum on Cybersecurity (FIC) opens today in Lille, digital industry professional organizations Syntec Numérique and TECH IN France are initiating joint work on Cloud and sovereignty issues in the digital space.

On this occasion, they have formulated ten recommendations to public authorities, which will guide their work. Godefroy de Bentzmann, President of Syntec Numérique, and Pierre-Marie Lehucher, President of TECH IN France, jointly state: “France’s ambitions in terms of digital sovereignty and the Cloud must take shape at European level, and be reflected in high standards and industrial offerings, while respecting market expectations.”

1. The emergence of European Cloud champions: an ambition served by an industrial policy

Complete cloud offerings already exist in Europe, but the challenge is to help them gain market share and become international champions. It’s not up to individual countries to create this offering. We need to strengthen the European offering, which is a response to Europe’s digital and technological ambitions. This approach will accelerate the development of offerings that reflect European values and contribute to Europe’s digital and technological sovereignty, in a highly competitive environment.

2. Digital sovereignty is based on a continuum of infrastructure control

The Cloud is based on an interconnected global infrastructure that integrates datacenter equipment, software, mobile networks and undersea cables that link continents and thus represent a key infrastructure of the global Internet. No strategy of digital sovereignty is conceivable without a global approach to infrastructure. Such a strategy presupposes a genuine European industrial policy, one that is both vertical, by supporting all the industries involved in the value chain, and horizontal, by striving to build the right standards framework.

3. A cyber defense doctrine based on an industrial strategy

France and Europe must ensure that the sovereign domain retains full autonomy of decision and action in the digital space. This implies an industrial policy that encourages the market to subscribe to this autonomy strategy.

4. Stimulating investment by sector

Public and private investment players must be mobilized in concert to support this industrial strategy, which involves targeting specific industries rather than individual companies.

5. Evaluating relevant data in terms of sovereignty

This may, of course, be national defense data, but also data relating to OIVs (Opérateur d’Importance Vitale) or OSEs (Opérateur de Services Essentiels), as well as economic data relating to industrial know-how, or protecting the knowledge derived from this data… A distinction needs to be made between data, to which different offers can then respond (private, public, hybrid, sovereign or not). Data of sovereign interest should be identified, and hosted in a sovereign cloud according to clearly defined standards. This is not yet the case in France, even though this characteristic is taken into account in other countries and regions. With the “SecNumCloud” label awarded by ANSSI, France has a relevant tool for qualifying trusted offerings, but has not developed adequate tools for qualifying sensitive data according to appropriate levels of protection. Moreover, these approaches need to be as European as possible.

6. Sovereignty and security: raising but grading standards

The RGPD, which is being emulated beyond Europe’s borders, is gradually demonstrating the ability of a European standard to impose itself on the market and constitute an element of sovereignty. This is also why these standards must be drawn up taking into account the impact on innovation, companies and their competitive dynamics. The level of standards, particularly in Cybersecurity, must be undeniably high, but also graduated in order to adapt to the different needs of demand, following the example of SecNumCloud or C5 standards, which address different levels. Cryptography, involving trusted third parties, is set to become a key dimension in raising standards.

7. Leverage public procurement

The public sector and companies in which the State is a major shareholder must set an example in data governance. This exemplary approach should lead, on the model of the “industrializing industry”, to the strengthening on the market of both “sovereign” offers for certain data, and those meeting more flexible compliance criteria and responding to other market needs.

8. Encourage interoperability, portability and standardization

Interoperability is crucial to the ability of players of all sizes to bring competitive products to market. Standardization must make it possible to frame and reinforce this interoperability, which can be based on de facto industry standards, unless we cut ourselves off from market realities. These open standards must be framed and documented within the framework of standardization, involving all market players.

9. Securing the regulatory framework for data

Faced with the extraterritoriality of other countries’ laws, national measures can only be effective if they are correlated at European level.

It is also necessary to provide a framework for cooperation between the European Union and other countries – for example, in the case of the Cloud Act, through the adoption of a reciprocal agreement with the United States defining cooperation on cross-border access to electronic evidence. In addition, the reinforcement of the 1968 blocking law could enable French companies to contest requests linked to the extraterritoriality of the law of other States, without constituting a fully satisfactory solution since the conflict of law generated leads to a situation of increased legal insecurity for all French companies concerned, whether technical service providers or major users, who are not sufficiently informed of the tools available to them.

10. Avoid repeating the mistakes of the Andromède project and work with all partners.

The Andromède project had opted to target specific companies and encourage them to develop Cloud subsidiaries “from scratch”. Today, it’s more a question of building on the recognized expertise of French companies that have acquired leadership in these areas, and working with the entire ecosystem. Within this ecosystem, non-French players also have a role to play, a role that the French strategy should enable us to clearly define over time.

Syntec Numérique and Tech In France are at the disposal of the public authorities to put these recommendations into practice.