Cloud

Digital sovereignty: how do we maintain control of the cloud?

November 11, 2024 - 3 minutes reading time
Article by Gerco Koks

Sovereignty in relation to public cloud usage is a hot topic in the world of technology and governance. As more government organizations transition to the cloud, concerns about national control, data storage, and regulations are growing. The public sector faces the challenge of utilizing modern cloud solutions while ensuring data protection and sovereignty. This debate is more relevant than ever and forces us to reflect on what digital autonomy means in a world that is becoming increasingly dependent on international technological services. In this article, you will  read about the paradox between the benefits and risks surrounding digital autonomy in the public cloud.

What is sovereignty?

Sovereignty, in the context of digital services, refers to the degree to which a country or organization has control over its own data and infrastructure. When using public cloud services, such as those from hyperscalers, this control is not automatically guaranteed. Although all these companies offer their services from European data centers, legal control often falls under American legislation, such as the controversial Cloud Act. This creates the potential for the American government to access privacy-sensitive data, even if it is physically stored in Europe. And that's something we certainly don't want.

This raises questions about who actually has access to data, how that data is protected, and what the consequences are for the autonomy of government institutions using such services. The use of public cloud thus brings specific risks regarding sovereignty. For government agencies and organizations processing sensitive data, such as health information or basic registrations, these risks can be substantial.

The difference between private cloud and public cloud is important here. In a public cloud, the infrastructure is shared by multiple customers. This means that control over data and processes often lies with the cloud provider. In a private cloud, the infrastructure is used exclusively by one organization. This leads to more direct control and fewer sovereignty risks. Sovereignty issues mainly arise with the use of public cloud, where legal and operational control is often more complicated.

Government positions

In the Netherlands, the government has recognized this problem and established guidelines in the Government-wide Cloud Policy 2022 to manage the risks of cloud usage. This policy establishes that special rules apply to certain types of government data. Below is an overview:

It is interesting that there's a strict rule for basic registrations. These are only allowed to be stored or processed in the public cloud with an explicit explanation. After all, some basic registrations contain open information accessible to everyone. Specifically for the Basic Registration of Persons (BRP), special rules are already included for both 'regular' and special personal data. Does this make the addition of basic registrations to the above exception list redundant?

Lack of competitive European alternatives

One of the challenges is the lack of qualitatively comparable European cloud services. Although there are initiatives, such as Gaia-X, a European project aiming to build a competitive cloud ecosystem, the largest and most innovative cloud players remain established outside Europe. This creates an enormous challenge in balancing sovereignty and the need for advanced cloud solutions, including the huge benefits that come with such solutions.

Without competitive European alternatives, government institutions remain dependent on primarily American companies for their cloud transformation. This presents policymakers with a dilemma: stick to ideals of sovereignty or accept that globalization and technological progress are reality.

Good balance

The dependence on American cloud providers, and the associated discussion around sovereignty risks, is complex and nuanced. Yet it's clear that the public cloud offers enormous benefits. The challenge is to maximize these benefits without compromising sovereignty and data protection. Finding a good balance requires implementing appropriate measures to minimize sovereignty risks as much as possible.

Contributor(s)

Gerco Koks is the chief architect at Centric and writes about cloud, digital transformations, and digitization within the government. He does this from various perspectives, such as architecture, technology, and software engineering.

Topics
Digital transformation Cloud Retail Finance Public Logistic
Want to know how we can help you with your organisation?
Explore our cloud solutions
Related articles
5 tips for a successful cloud adoption
Cloud Retail Finance Public Logistic
More and more organizations are moving to the cloud. A logical move, because cloud offers many advantages ...
Cloud and SaaS: what's the difference?
Cloud Retail Finance Public Logistic
In this article, you'll discover what the difference is between cloud and SaaS.
How do you avoid cloud bill shock?
Cloud
In this article you will read all about the cloud bill shock.

Explore our cloud solutions

Insights on technology