In a delicate interdependence with the United States and while struggling to define its sovereign cloud, the European Union still seems to juggle internally over the management of its data: on the one hand, a General Data Protection Regulation (GDPR) of French design, certainly good for Europe but which needed it to settle in France, as its President of the Republic said before the European Parliament; and on the other hand, the request from almost all the other countries, as in defense and in a large number of fields, to also be able to then monetize the data, a kind of European label between those who see a goal and others a stadium but who must walk together on their two feet, with words that are very important.
Undoubtedly taking up some of our proposals, global realities and orientations expressed in June 2019 to the former European Commissioner for the Economy and the Digital Society, since transmitted to the Vice President and to the Commissioner in charge of digital (http://www.irce-oing.eu/2019/08/pour-un-fonds-europeen-sur-la-cybersecurite.html), as well as through a forum on solidarity and European segmentation (http://www.irce-oing.eu/2020/06/intelligence-segmentation-imbrication-in-search-of-solidarity-and-a-certain-European-industrial-and-economic-autonomy), and finally in response to the US Cloud Act, not always well understood, the development of the Digital Services Act, like the Digital Markets Act, promised for 2023, must be both binding and open, with a legislative framework and effective sanctioning measures in the manner of a Reasoned Buy European Act, showing that everyone is welcome with their knowledge and know-how, even knowing how to be in compliance with European rules, still sometimes to be defined, in order to offer European citizens the safest and most competitive environment in the world while respecting competition, even intelligent competition, as recalled by the recent skirmish between Commissioner Breton and the head of Google.
Even if a certain disappointment is felt among certain actors who have invested themselves, in comparison with the efforts made, certain actions should be noted that are more or less coordinated but which, assembled and built on a global approach to even disruptive realities, can show a certain intelligence reactive to the sound of the cannon for specific, measurable, realistic, achievable objectives, determined in time.
Institutional, state and territorial actions and facilitations
After the Cloud Initiative, institutions must now also appear to be more structuring than facilitating, without discouraging goodwill, in a plethora of initiatives and more or less related positions taken by mediating states, regulators, users and companies, while avoiding any form of national crystallization, for the benefit of a truly European dynamic, certainly united in diversity with an observation showing that we once again find the French, the Germans and others, often with the latter. But some also know how to promote a certain dynamic, such as Estonia, which could enhance its administrative simplification in a regional dimension, but also Luxembourg with its desire for identity as a digital nation, including cloud and PNR. Finally, we should note a Brittany region piloting an Interreg project with more than ten other regions involved throughout Europe on security.
Note that GAIA-X also invites work in external interdependence by inviting non-European companies, apparently including Google, as long as they share objectives of sovereignty and availability, as for European research, knowing that digital sovereignty does not exist. It has not yet been officially confirmed by the Commission, nor by its executive agency in this area, which claims to be unable to take a position on the origin and qualification of the digital relational tools now widely used with travel restrictions linked to the health crisis.
Perhaps it will also be a question of defining whether the GAFA (M) are ultimately stateless or whether they are linked to the United States, which in any case does not appear as an enemy or even a competitor, already for Germany, European economic leader, nor for the European Union in a strengthened transatlantic link.
Perhaps it will be necessary to note that digital and cybersecurity are not European or American-European strategic areas to face China, or even India, via the North Atlantic Treaty Organization (NATO) and its skills that only France also seems to want to ignore.
OVH’s announced cooperation with Google, hailed by the French Secretary of State, eager to attract people to French territory, and aligning itself with Germany on this privileged transatlantic link, is therefore no surprise. The German minister initiating the project nevertheless recalled that it will not be a question of competing with the American storage super-spaces of Amazon or Microsoft, while expressing a wish to offer European companies an alternative to the American cloud providers AWS, Google Cloud and Microsoft Azure, which largely dominate the public cloud market, and to give more visibility to European offers, recalling the Juncker initiatives on the Defense (industrial research) Fund, especially not wanting to oppose NATO.
But perhaps it should be noted that these GAFA (M), stronger in certain states, already have a technology that is too far ahead, of which it is necessary to take advantage in interdependence, as does the search engine Qwant, resulting from the open internet project, whose founder was already using usage memory, fighting against Google and then working with it to avoid legal struggles, certified by the French administrations, taken over by the Caisse des Dépôts and Microsoft, declaring itself a European tool when it is only French for Europe.
In addition, the term “federated” is mentioned very frequently, whereas a French person and a German do not understand it in the same way. It is the same with the term “sovereign”, undoubtedly too French in connotation, and which should be replaced even if it advances like a national or European shield, even wider still, or a more or less sacred lance.
Beyond collaboration on the same business, GAIA-X has just germinated a partnership between the French OVHCLOUD, a priori declared the European leader of the cloud installed in France, whose boss is not of French origin, and the German T-Systems to offer an open and trusted public cloud offer, from 2021 in Germany and hopefully in France, offering TS customers the benefit of data centers with the Deutsche Telekom network, T-Systems providing its water cooling. This complementarity is to be welcomed because on the one hand it addresses the essential contribution of energy, without treating it entirely, with a need also for an energy source to avoid data loss, with why not Siemens or Rolls-Royce, certainly British, and on the other hand it allows a possible mutual knowledge by segmentation, as during the constitution of the European team in the NATO ACCS program, looking at the other necessary skills other than electronic for the sensors to be complementary and stronger together. OVH must also consolidate its web with European participations and not be a French tool for Europe, as we recommended for Qwant before it was recapitalized by Caisse des Dépôts and Microsoft.
Regarding the financial taxation of GAFA (M), which increased their turnover with the crisis, which operate without margins but on their cash like the large food distributors, which also divide the European states with always the same cleavage, which also make a large number of booksellers work through reduced-cost shipments, the solution may lie in a greater incentive for financial solidarity, even tax-free, or in cyber, digital and digital research on the spot to immediately own remedies for sudden attacks, especially with the upcoming digital euro.
A real cyber and digital strategy could facilitate and maintain relations between companies and other organizations. These industrial structures must finally integrate project brooding such as the brooding of start-ups and then SMEs by groups, and develop both a pack hunting and wing hunting approach. Intermediate-Size Enterprises (ETIs) must be able to adapt their model and their general strategic, structural, identity and decision-making policy, and will be the cornerstone between the French and German models which must not necessarily be copied but overlap with common arrangements between the two countries.
Now let’s finally focus on reinforced European presences in French trade fairs and events, as already partly at the FIC trade fair in Lille or perhaps finally with the cyber pole of Brittany.
Labels and certifications
The labels, of voluntary initiative, as well as the certifications, represent advantages for structuring, in quality and confidence, by sifting the wheat from the opportunistic chaff, with attribution and verification processes, often allowing under -close to also help companies and other organizations to discover a real customer and supplier relationship.
The disadvantages also exist for the same causes of audits or processes diverted from their common sense, as well as for often political and territorial labels said to be of excellence, which can hide certain negative realities of taxation rather than membership and therefore often incompetence or inconsistency, as we have seen in the competitiveness clusters.
Likewise, let us not forget that public contracts must not discriminate against companies that have not chosen certification, such as ISO 9001 or 14001, which themselves often went beyond the standards requested, which mobilize time and money, and which must be able to assert a possible equivalence. In this area, projects relating to digital and cybersecurity should draw inspiration from examples in other older areas and can also advance them.
Initiatives are emerging through other facilitating organizations such as ECSO with the label of geographical origin “Cybersecurity made in Europe”, for the moment more IGP than PDO, without any notion of certification on products or services. This should not replace a necessary permanent presence, and in particular French industrial presence, in the Brussels seminars of ENISA. French industry and its SMEs or start-ups admit to relying too much on ANSSI, whose job it is not, but perhaps also by directive. The French and German national agencies control and lock the European agency with a certain rivalry and relative confidence between the French ANSSI, which certifies on clearances and people, and the German BSI, which instead certifies on the process, tools and installations. The two mixed certification approaches can also be valued under a label approach of complementary elements, yet displayed, but which does not manage to be implemented, and which the managers, with also their personalities, do not want to come and talk about, with the same realities as other European agencies including EASA. However, this could set an example in the cloud but also its applications, including the different land, air and sea passenger name records (PNR), which should also be treated globally to move forward, but also in many other areas including taxation, where visions differ between states which should not remain divided. Perhaps we need to bring this once again to European level to see it finally succeed.
Structuring finance, which will be discussed later, could also provide for an ethical label for the origin of funds but also for their use which must not prevent innovation, which itself can also use a quality label for taking account of previous projects in terms of time and money optimization.
In terms of optimizing approaches, we could also imagine the example of cloud labels related to health, the notion of Public Private Partnership, the civil-military and/or public-private dual, but also the portage and/or brooding between group and SME, which are not obliged to live by equity investments but to find the beneficial link for all, as Dassault Systèmes can do for example. There may also be the opportunity of labeled links with the factory of the future or 4.0, digital transformation, Smart Data and Artificial Intelligence, with structures and means adapted to the desired tasks, which some analyzed as being the basis of GAIA-X, also with a risk of mixing according to some specialists.
Regarding certification, which also remains voluntary, within the EU there is no concept of reliability on the tools and no regard for the original portage, wishing not to put borders and therefore in consistency with GAIA-X or research. Note Regulation (EU) 2019/881, which foresees that the EU will provide EU-wide certification programs in the form of a comprehensive set of rules, technical requirements, standards and procedures. Such systems, once adopted at EU level, for specific products, services or processes, will be valid and also recognized in all EU Member States. As in other areas, currently the landscape of cybersecurity certification of ICT products and services in the EU is still quite dispersed, as there are a number of national and also international initiatives such as the so-called Common Criteria (CC) for Information Technology Security Evaluation. We also note the Mutual Recognition Agreement (MRA) on the security of information systems (SOG-IS), with an upcoming first outline to be drawn up as part of the EU cybersecurity certification framework.
European cybersecurity certification systems could allow both self-assessments of conformity as for CE marking and certifications, with the assessment being carried out by third-party conformity assessment bodies. Following in particular our recommendations, a “smart” certification with three assurance levels is planned and each of them will provide a corresponding rigor and depth of the evaluation of the ICT product, the ICT service or the ICT process without necessarily differentiating the size or capabilities of the company. Through self-assessment of conformity only the basic level of assurance can be achieved, while for certifications a basic, substantial or high level of assurance can be achieved. The certification process, unlike the self-assessment of conformity, complies with the provisions of Regulation (EC) 765/2008 which defines the requirements for accreditation and market surveillance.
As with CE marking, under the aforementioned regulation, each Member State will appoint a national accreditation body (NAB), which will issue certificates of accreditation to conformity assessment bodies (CABs). Accreditation may be issued to conformity assessment bodies for one or more specific cybersecurity certification programs, for a maximum period of five years and may be renewed thereafter. For each European certification system, the national authorities will notify the European Commission of the conformity assessment bodies that have been accredited. Considering the EU-wide validation of the EU cybersecurity certification framework and the certificates issued, a producer or manufacturer of an ICT product, ICT service or ICT process may request an assessment process by any accredited conformity assessment body in the EU.
However, as with the CE marking, with certain negative feedback from experience in the health sector, it will be necessary to avoid the risks of industrial impacts, process failures with potential or real prejudices of certain institutional decisions for companies. National agencies must undertake to help their manufacturers to be referred to other organizations or to obtain a deadline for bringing them up to standard, without canceling the history, if they find themselves in difficulty, in particular with a notified body chosen in Europe elsewhere than in their country. In the event of a problem, it should be possible to contact ENISA in the event of a dispute. It is nevertheless recalled that in the CE marking, manufacturers or service providers can themselves certify whether they think they are capable of doing so and that the marking can only be affixed if there is a European regulation or constraint on the subject.
A reasoned European preference policy could be supplemented by a European “buy-cyber-act”, nevertheless taking into account the legal limits of certification and labels set out above, and with the creation of an OCCAR-style agency, as in armaments, for the management of major projects, in relation with ENISA. With strong management, it could in particular issue calls for tenders by claiming a budget allocated directly to SMEs, including a minimum quota from countries other than the prime contractor. Regarding the market, it could be interesting to include the European cyber offer in compensation exchanges, mainly abroad, because theoretically prohibited in Europe, perhaps with special treatment for GAFA (M) as explained above.
Finally, the financial part of the equity capital, and undoubtedly the most important, must also integrate all these elements, or even be a structuring element of the ecosystem beyond the pure notion of profit or risk management.
Recently the “European cybersecurity investment platform” has emerged, bringing together funds such as ACE Management (France), Adara Ventures (Lux), ecapital entrepreneurial partners ag (Germany), KPN Ventures (Netherlands), P101 (Italy), Primomiglio SGR (Italy), TIIN Capital BV (Netherlands) and Vendep Capital (Finland), which can be appreciated as real players in industrial policy with their objectives and realities, in particular calendar ones, which should be encouraged to support the European industrial fabric.
They must try to act in a search for segmentation, solidarity and relative intelligent industrial and economic autonomy.
This financial approach must also respond to the current dynamic of governance with the creation of a true European fund of funds guaranteed, or even supplemented, by the institutions, now capable of a single European signature that can accompany in guarantee but also in capital, such as the European Innovation Council (EIC) does in research on “unbankable” companies, of up to 25% if strategic, with a lower rate of return claimed, as has been done by the Caisse des Dépôts et Consignations. The funds must also integrate the will of groups to acquire holdings in European SMEs.