Digital trust glossary by Orange Business: understanding key terms

Digital transformation is a major challenge for companies: it boosts productivity and innovation, enabling them to respond ever more effectively to their customers' expectations. Companies can use the data they collect to make more informed decisions, identify new trends and develop new products or services. In this context, data security is a major concern, and this growing trend raises its share of questions. Digital transformation requires robust security measures and respect for privacy to protect user data, and is therefore closely linked to digital trust. To give you a better understanding of what is at stake when it comes to digital trust, we offer you twelve key definitions.

Digital and data sovereignty

Sovereignty refers to notions of autonomy, control and sometimes even frontiers, and it is not easy to generalize its application to the digital world. However, the concept regularly comes up in the concerns of users of our services. In most cases, it refers to reversibility, security and immunity to extraterritorial laws. In reality, each user has their own definition of sovereignty, depending on the criticality of their activity, the location of their sites, or the issues specific to their business.

Some organizations - or digital players - may also make the nationality of a technology a strong criterion of sovereignty: indeed, "national" technological players can provide guarantees in terms of strategic autonomy or flexibility. In most cases, however, this is not a sufficient or necessary condition of sovereignty.

Because every organization (public or private) has its own challenges, we prefer to speak of digital trust rather than sovereignty, and to associate it with the concrete, measurable criteria described below.

Digital trust

Digital trust covers the notions of objectivity and transparency. It is based on a few measurable criteria: security, infrastructure resilience, confidentiality of data and exchanges, integrity of the data and of the service provided, service reversibility and interoperability. It may also involve criteria linked to the nationality or shareholding composition of the digital service provider. All these criteria call on technical, operational or legal parameters (detailed below).

When providers supply factual, measurable information, users of digital services can make clear, transparent decisions about the hosting of their applications and critical data.

Data confidentiality

Data confidentiality is one of the key criteria for digital trust. This notion is primarily determined by the encryption mechanisms used: controlling them ensures that data cannot be accessed or read by anyone other than authorized company personnel. In some cases, data stored in the cloud is encrypted using mechanisms provided by the "cloud provider" itself. At Orange Business, our offers enable you to retain control over the encryption keys.

Data confidentiality also concerns the partner's operating model: it is crucial, for example, that only the service provider's authorized personnel have access to the company's data.

Reversibility

The challenge of reversibility is both contractual and technological. A company may find it impossible to change its digital service provider, either because of contractual agreements, or because its information system is based on proprietary technology that makes any change costly and time-consuming.

It is therefore advisable for a company not to depend on a single technology base.

Resilience

With digital technology at the heart of all businesses, companies need to be able to operate their information systems under any circumstances (climate crises, cyber threats, pandemics, etc.). This requirement involves working on connectivity, cloud and cybersecurity aspects: offering a secure and stable service from "end to end" of the data value chain is therefore essential to guarantee customers the resilience of their business.

Operations

The operating model and governance of digital environments are key to ensuring data confidentiality and immunity to extraterritorial laws. Indeed, even a solution hosted in the European Union, but operated and controlled by a non-European cloud service provider, does not offer all the legal guarantees required for certain business sectors.

The operating model is therefore a key factor in the trust that can be placed in a service. For example, as part of SecNumCloud qualification, ANSSI checks that all individuals with access to customer platforms are based in the EU. Qualification also guarantees the strict separation and independence of the service provider in terms of support, updates and keeping systems in operational condition. In other words, a non-European technology partner has no access to any data in a SecNumCloud environment.

Regulation and compliance

European law has developed several tools designed to strengthen the cybersecurity of over 100,000 public and private entities, including the Critical Entities Resilience Directive (CER), the Directive on Digital Resilience for the Financial Sector (DORA), and rules governing digital services (preventing abuse of dominant positions by digital giants, combating illegal online content), principally the DMA and DSA.

All these regulations have a common objective: to increase the level of control over the European digital environment.

Immunity

Some countries have introduced so-called "extra-territorial" laws, allowing access to data beyond their national borders. One of the best known is the C.L.O.U.D. (Clarifying Lawful Overseas Use of Data) Act. The Cloud Act is a U.S. law passed in 2018 that aims to regulate access to data stored abroad by U.S.-based cloud service providers. It allows U.S. authorities to access, under certain conditions, electronic data stored abroad by U.S. companies. The Cloud Act raises concerns about privacy and data sovereignty.

Immunity to extraterritorial laws is a crucial point in organizations' definitions of digital sovereignty.

Certification

Certification is proof that a supplier's service complies with specific standards and requirements. Certifications also provide organizations with "presumptions of compliance" with cybersecurity and data protection regulations.

In addition to the well-known international certifications, such as ISO 27001 and SOC2, there are other more specific certifications - or qualifications - for cloud environments and managed services:

  • In France, SecNumCloud qualification guarantees customers that the infrastructure they use complies with very strict requirements in terms of security, compartmentalization, operational management and even immunity to extra-territorial laws.
  • At European level, ENISA's project to develop the EUCS (European Union Cybersecurity Certification Scheme for Cloud Services) aims to harmonize security certifications for cloud environments in Europe, through several assurance levels currently under discussion between member states.

Sovereign cloud and trusted cloud

Of all the notions relating to digital sovereignty, the cloud is often the starting point. According to Gartner, by 2025, 51% of IT spending in each country will have shifted to the public cloud, compared with 41% in 2022. In this market, there are two main types of offer:

  • Sovereign cloud solutions, where infrastructure and personnel are based in each country or region.
  • Trusted cloud solutions, which in France are SecNumCloud-qualified cloud solutions.

Dataspace

A dataspace is a trusted digital space that enables the smooth exchange of data between players in the same sector (agriculture, media, health, education, etc.) in order to create value. One example is AgriConsent, the digital identity solution for farmers developed by Agdatahub, Orange Business, Dawex and In Group. Orange is a founding member of two initiatives working to develop dataspaces: GAIA-X and the Association for data intermediation.

Trusted AI

Trusted AI is first and foremost an ethical and legal framework based on respect for fundamental rights. An AI system is "trusted" when the assessment of its lifecycle meets the requirements defined by the European Commission (AI Act), namely: human control and oversight, transparency, respect for privacy, robustness and technical safety, non-discrimination, and social and environmental responsibility.