“European Cloud providers should collaborate to develop an industry standard, thereby eliminating unfair competition”
On the initiative of Fabasoft, the two EU Working Groups CSPCert and SWIPO held a conference with top-ranking international experts in Vienna: “Cyber security and Cloud computing: How Europe can achieve the ultimate competitive advantage in the digital world market”. The conference opened with a discussion between the Austrian author Robert Menasse and Tarek Leitner, TV anchor of the Austrian Broadcasting Corporation ORF, in which Menasse made a case for taking the term “republic” and the equality of all citizens of Europe seriously. The fully booked DSM (Digital Single Market) Cloud Stakeholder Conference focused on the significance of Cloud computing to the European Single Market and the progress of the “Cloud Working Groups”.
Representing Margarete Schramböck, Federal Minister for Digital Affairs, policy advisor Martin Atassi opened the conference with the words that it was the task of politics to keep up with the speed of digital development and set the necessary rules. He emphasised Austria’s determination to play a leading role in artificial intelligence and robotics with core applications as well as niche products. On the basis of a White Paper drawn up by the Austrian Council on Robotics and Artificial Intelligence, a motion to develop the AIM AT (Artificial Intelligence Mission Austria) 2030 by the third quarter of the year 2019 was submitted to the Austrian Ministerial Council. Functionality and privacy must be kept in balance in all digital developments – this is why cyber security is so important.
Deciding between collaboration and a strict set of rules
Pearse O’Donohue, Director of Future Networks at DG CONNECT at the European Commission, talked about current strategies to strengthen Europe’s Digital Single Market and the development of high-quality Cloud and data services. With regard to the latest regulatory initiatives concerning the free flow of non-personal data in Europe as well as the European Cyber Act, he emphasised the role which the current self-regulating initiatives are playing to create a better, more secure and more open Cloud environment. “Cloud providers are certainly in competition with one another. But right now they can choose to collaborate in order to create conditions that will benefit themselves as well as their users. The alternative to collaboration is strict regulation without having a say,” O’Donohue explained. What is more: “Since all companies have the same technical know-how they also have the same problems concerning data security and the requirement that their clients can seamlessly transfer their data if they choose to switch their providers. This is why European Cloud providers should now pool their resources to develop a solution that works for the entire industry and will thus become an industry standard. That being so, there will be no unfair competition.”
Javier Cáceres, Programme Manager Cloud Sector, DG DIGIT, commented on “Cloud II: Phase II“, a public procurement by the European Commission aimed at providing the European institutions with a contractual instrument for access to Cloud services and consulting. In response to the dynamics of the Cloud business, the process will include a Dynamic Purchasing System (DPS) enabling the registration of providers and constant assessments of new services. Cáceres also talked about GovSEC, a risk assessment process on the basis of an adaptive framework which allows system owners to examine the following important questions: What are the dangers and threats they are facing, where and how should the process be implemented and managed, and against whom should they defend themselves? Based on the answers to these questions, the optimum security tools required for specific use cases can be chosen. From now on (December 2018), all DIGIT data centre services are using this risk assessment.
A panel headed by Pierre Chastanet, Head of the EC Unit Cloud & Software, discussed data protection regulations. CISPE Chairman Alban Schmutz emphasised that the CISPE norm (Cloud Infrastructure Service Provider in Europe) was dealing with processes and that it was the first native code of the EU General Data Protection Regulation, covering security, data protection, copyright and public procurement. With CISPE, Cloud infrastructure providers do not have access to customer data. Storage and processing are exclusively taking place in Europe. Daniele Catteddu, CTO of Cloud Security Alliance, illustrated that the Cloud Security Alliance’s code focused on transparency and information in order to build trust in the Cloud ecosystem. Helmut Fallmann, member of the Managing Board of Fabasoft AG, reported on the EU Data Protection Code of Conduct for Cloud Service Providers. Compliance with this code is overseen by the monitoring body SCOPE Europe. He also talked about the organisational development regarding the transfer of the former WP29 into the European Data Protection Board (DPA = Data Protection Authority, Brussels) by spring 2019.
To Ross Dawson, Australian tech futurist and keynote speaker, platforms are generally a byword for connectivity, participation, data as a centrepiece and integration – in short, a byword for economy in a continuous state of development. The current evolutionary platform trend is clearly focused on open, accepted standards. According to Dawson, the main issues of the future will be strategy fine-tuning, community building, the right positioning, coverage and scope.
“If you want to survive, you need to adapt your services”
At the end of the event, the two organising Working Groups CSPCert and SWIPO offered insights into the status quo of their successes. The Working Group “Cloud Security Certification” (CSPCert) deals with later transformations concerning Cloud platforms via PaaS, the establishment of a common market place with a global API catalogue as well as the creation of structures on the basis of open source and open standards. These transformations are of particular significance to the banking industry. Danièle von Nouy, Chair of the ECB Supervisory Board, was quoted saying: “If you want to survive, you need to adapt your services”. The benefits of Cloud security certification include the fulfilment of technical and regulatory requirements, trust and risk minimisation, legal and contractual obligations by default, level playing fields with Cloud service providers, a rise in Cloud acceptance and Cloud implementation as well as the free flow of data.
The Working Group “Cloud Switching and Porting Data” (SWIPO) has been developing a code of conduct under the patronage of the European Commission. Industry has assumed the leading role in order to prevent a vendor lock-in. In the course of implementation, requirements have been merged to make the administration of Cloud switching and data porting easier for providers in the interest of their customers. With its systemic, global and agile approach, the SWIPO code of conduct aims at ensuring widespread acceptance of Cloud services and wants to serve as a blueprint for the implementation of Cloud switching and data portability.
Pierre Chastanet summarised that the success of the European Digital Single Market depended on the following four protagonists: General Data Protection Regulation, free flow of data (non-personal data), NIS and electronic identity. With the help of the Cyber Security Act and the results of the Cloud Working Groups CSPCert and SWIPO, the finishing straight is almost in sight.