Time to navigate the data regulation and European sovereign cloud

I had the honour of being the presenter in our livecast that covered the regulatory situation broadly. We had guests directly from the European Commission and the Gaia-X project, heard fresh experiences from Nordic organisations, and tips on how to start with sovereign cloud. 

Regulatory status update from the European Commission

The keynote was presented by Salla Saastamoinen, the Acting Director-General of the European Commission’s Directorate-General for Justice and Consumers. She gave a high-level overview of data protection policies and the regulatory framework that are aiming at establishing European data sovereignty.

“How and by whom data is managed can have a serious impact on our competitiveness and way of life,” she said, explaining the reasoning behind the regulation that affects cloud services.

Looming in the background are open questions concerning transatlantic data transfers. They have been complicated by the US Cloud Act and the Schrems II judgment by the European Court of Justice. Salla Saastamoinen said that intense discussions are ongoing with the US administration to find a stable solution.

The EU has a clear goal: ensuring that European businesses and public sector organisations remain in control of their data and have their data in the cloud processed according to European rules and values.

Salla Saastamoinen also touched upon interoperability as the most interesting part in the forthcoming European data governance act for buyers of cloud services. Interoperability allows freedom from vendor lock-in, and smooth data transfer from one cloud to another. 

Watch the 10-minute keynote! 

Gaia-X as a key component to digital sovereignty

To facilitate interoperability and European sovereign cloud, an organisation called Gaia-X has been established. Its CEO Francesco Bonfiglio described how cloud is vital for a data economy, but how cloud is nothing without data to feed it.

“Cloud is a primary ingredient like salt. You need it everywhere, but you can’t cook a dish just with salt,” he said.

Bonfiglio pointed out that Europe is a minimal player in the cloud, and is feeding other data economies with high-quality data. To remain competitive, the data flow must be reversed. Therefore, Gaia-X has been created to reduce dependencies on non-sovereign, non-European technologies. It aims to create a new ecosystem for innovation for Europe and to incentivise the creation of new digital services through data sovereignty.

Gaia-X delivers three things: 1) technical specifications and policy rules, 2) key components to enable transparency, interoperability and control, and 3) labels that certify the Gaia-X compliance of services.

Watch Francesco Bonfiglio's 20-minute presentation! 

How to comply with the regulations - Nordic experiences

In the panel discussion, we had representatives from Nordic private and public sector organisations sharing first-hand experiences. While everyone seems to be struggling to some extent, there are differences between the Nordic countries.

For instance, the public sector in Sweden is in ‘wait’ mode. Jörgen Sandström, CIO of the Swedish city of Västerås, said that municipalities possess plenty of sensitive citizen data. He admitted living in great uncertainty concerning regulation, making any long-term decisions difficult. Therefore, the city is discussing with cloud suppliers to make intermediate solutions until there is more clarity.

Petteri Miinalainen, CIO of Finnish insurance company Fennia, said that the Schrems II ruling forced the company to pause its large cloud transformation process on the fly to ensure compliance with the legal framework. Fennia has taken strict measures in building the new environment and is looking for solutions to ensure data is duly protected.

Maria Rautavirta, Director of the Data Business Unit at the Finnish Ministry of Transport and Communications that also has an influence on national and EU level policies, encouraged organisations to start using cloud, sharing data and building data capabilities.

Data Protection Officer Nancy Yue Liu from the Norwegian Diakonhjemmet said that, when doing global research, they struggle with GDPR compliance when transferring data with non-EU research institutes. To mitigate risks, data anonymisation is used as much as possible, and a risk assessment checklist has been created to help product owners and researchers.

Watch the panel below!

Practical guidance with sovereign cloud

Next, Patrick Verhoeven, Director, Multi-cloud strategy at VMware, discussed drivers behind sovereign cloud. VMware’s sovereign cloud framework provides not only data sovereignty and jurisdictional control, but also ensures the integrity, security, compliance, and interoperability of data.

“The very essence of the way that VMware defines sovereign cloud is that it’s about protecting and unlocking the value of critical data,” Verhoeven said, and presented VMware’s sovereign cloud initiative to designate cloud service providers.

Finally, Yulia Filipovich, lead compliance manager at TietoEVRY, shared an example of how a Nordic bank can embark on its journey to cloud. With expert advice, it classified all data and applications and made a cloud assessment to deploy data to the right cloud. She noted that non-EU clouds should not be considered taboo, but their use requires meticulous planning to mitigate compliance risks.

Watch "The practical guide to sovereign cloud today" presentation! 

To conclude, the livecast confirmed that data sovereignty is about foundational values such as democracy and freedom. It is also practical and has business value. There’s no need to wait. It’s time to act!

Learn more about our services here to ensure that your data is protected and kept sovereign with a trusted, cloud infrastructure and data platform provider.