Memorandum – QED Conference on Cybersecurity & Cloud Computing
Dr Jamal Shahin, Assistant Professor in European Studies, University of Amsterdam and Vrije Universiteit (moderator)
Jan Philipp Albrecht, Member of the European Parliament, Rapporteur on the Data Protection Regulation
Dr Shahin opened the event by saying that definitions and perceptions of cybersecurity and cloud computing have changed and widened greatly over the last few years, taking into consideration issues such as data protection and privacy. He said that there is more global agreement on these topics now than in previous years, and that there is also a lot of overlap between these two topics and how security is managed in the digital age and in the cloud.

“Unified standards in a digitized economy are essential,” said Mr Albrecht, “otherwise we will see jurisdictions in the cloud competing with and contradicting each other.” However, he pointed out that this needs time to come to fruition, as there is a deep conflict between the underlying values of what constitutes security, not only in a technical way, in frameworks for IT security, but also individually and in society. He gave the example of Edward Snowden’s revelations into the practices of Western intelligence services, which showed up the lack of control that many large organisations have over their own infrastructure. Mr Albrecht pointed out that telecommunications providers, for example, in many countries have to rely on infrastructure produced in an environment where it is almost impossible to check the source of the hardware or software elements installed in their system. He said that security standards therefore have to be enforced and respected not only in the EU but throughout the world. He also believes that where there is a lack of standards and consequent economic damage, those responsible should be held liable. The European Commission’s Network and Information Security (NIS) Directive, which will soon be adopted and implemented, seeks to solve this issue as regards sensitive infrastructures in the EU, but it does not address the vast number of products and services in the cloud, where further regulation is necessary. Lastly, he addressed the viewpoint that increased security would inhibit growth and innovation of cloud services on the global digital market. He believes this would not be the case, saying that “to survive in the harsh global digital world of tomorrow, a lack of security will only hinder a company’s success.”
Jakub Boratyński, Head of Unit H4 - Trust and Security, DG CNECT, European Commission

Mr Boratyński spoke about the rationale of including Digital Service Providers and in particular Cloud Service Providers within the scope of the Network and Information Security (NIS) Directive. He said that cloud is a truly transformative technology that changes the concept of IT in a company or organisation. He explained that it was difficult in the NIS negotiations on the topic of cloud to agree on the recognition of Cloud Service Providers as a new type of “digital critical infrastructure”. He gave an example of a recent UK report referring to four catastrophic risk scenarios that were recently identified, and pointed out that three of them specifically mention cloud. These are data breach, business interruption and payment system. With regard to NIS he spoke about the agreement to have a “light touch approach” – which means that Cloud Service Providers have the responsibility themselves to choose appropriate security requirements. An additional key point is that only major incidents should be reported and the companies would be subject to inspections only ex post (i.e. in case of a problem that has emerged). Mr Boratyński is looking forward to working with Cloud Service Providers to ensure effective and efficient implementation of the Directive and to consult them in view of the Implementing Acts on Security Requirements and Incident Reporting. He also expressed satisfaction with the technologically neutral, legal definition of cloud that was agreed after much discussion. He finished by saying that cloud is a new frontier and it is important to get regulation right, and that Cloud Service Providers have a key contribution to make to cybersecurity beyond the regulatory requirements.
Andreas Ebert, Regional Technology Officer, Microsoft

Mr Ebert is aware that “trust” is a broader societal value, which is not only built on technical compliancy and cyber security means. In conversations with customers, the concept of trust is a constant component in these dialogues. He suggested that if the EU moves forward in the area of certifications, standardization of these requirements plays an important part in supporting the vision of a European digital single market. Mr Ebert sees some industries leading the way in the concept of understanding risk and applying rational management techniques for cloud projects, such as the financial services industry and insurance companies. Unfortunately, other sectors – including many public sector organizations – do not have access to sufficient risk management in human resources and processes. He spoke about the economic difference, “the economics of compliancy”, when a hyper-scale cloud service is a standardized service, has a standardized contract and is multi-tenant. In such a case, the benefit for each individual cloud customer is significant, as the cost of the compliancy for the global cloud service can be divided among all tenants – providing the customer a much more efficient approach to fulfill its legal obligations versus the much higher effort of current IT systems in his own datacentre. This approach significantly reduces the cost per customer and is one of the drivers of accelerated cloud adoption in the EU.

In addition, Mr Ebert remarked that many commercial organizations working in multiple jurisdictions within the EU and abroad appreciate the approach that large scale cloud services are certifying their service not only at EU level, but at global level. A recurring feedback from commercial customers in the EU is the desire to see the DSM (digital single market) implemented in a harmonized way, helping them to grow their business much faster in the EU home market compared to the current fragmented approach, as well as tackling the global growth opportunity much more effectively.

Martina Ferracane, Policy Analyst, ECIPE - European Centre for International Political Economy

Ms Ferracane spoke about data localisation, which touches the heart of cloud computing as it affects the ability to move data across borders. She defined data localisation as “a Government imposed restriction that results in the localisation of data within a certain jurisdiction”, and described how it can involve various degrees of local storage, processing and access. There is a clear increase in the implementation of data localisation measures. She debunked the myth that data security is a function of where the data is physically located. On the contrary, she pointed out that data can be accessed from any location, independently from where the IP address is located. Ms Ferracane mentioned some quantitative studies carried out by ECIPE which address the issue of the cost of implementation of data localisation. According to the studies, data localisation results in a significant loss of GDP as well as reduced investment. Exports, of goods and services, will also be down with data localisation. She also pointed out that any data localisation measure requiring a foreign supplier to build new servers or use local servers gives a competitive advantage to local suppliers, and can therefore be seen as a violation of the national treatment commitment under GATS.
Chris Muyldermans, Counsel Regulatory Affairs, Corporate Public Affairs, KBC Group NV

“Digitisation is a major challenge facing the financial industry,” said Ms Muyldermans, “and for most players such as banks, asset managers and insurers, it is on top of their agenda.” She explained how KBC started its own journey towards the cloud in 2011. Their main drivers were and still are: cost saving, client-centricity, offering smart contracts to clients, and a faster time to market when introducing new, innovative digital channels. Based on their experience in the cloud, KBC calls for greater regulatory cooperation, as well as harmonisation in the digital financial services space. She mentioned that KBC experienced a lengthy approval process before being able to implement cloud technology, and in her opinion this will reoccur on blockchain, digital distribution channels, e-signatures, digital services, etc. Ms Muyldermans believes that EBA-ENISA working on cloud guidelines is a good first step but much more is needed to facilitate digitisation of banking, or a single digital market in financial services. KBC would welcome the EC considering a single digital supervisory approval process across a range of activities via the Single Supervisory Mechanism and/or EBA. She remarked that there is no need for 28 different sets of rules on digital activities to be discussed with 28 Member States. In addition, a new outsourcing framework is needed that is specific to digital activities. The 2006 outsourcing guidelines are too general and more focused on operative supervisory guidance, and thus are not applicable to the cloud-outsourcing demands faced today.
Open discussion

Mr Albrecht was invited to share his thoughts on the interaction between the concepts of security and trust. He said that regulators are working strongly towards meeting the high demand for a trustworthy, digitized infrastructure and digital market. He believes Europe is on the right track, with most European providers wanting to gain an advantage in the market and be seen as a leader in security issues. Regarding harmonisation and cooperation, the question was asked from the floor on the state of preparedness of Member States. Mr Boratyński said that a key component of the NIS allows Member States to decide who is and who is not in scope regarding essential services and therefore subject to the obligations of the Directive. The same goes for the definition of security requirements and the establishment of reporting systems. He said that the framework of cooperation will bring together national competent authorities, but ultimately – from a legal point of view – Member States retain a high degree of discretion. A delegate asked the panel’s views on the idea of direct supervision of digital service providers by the EBA. Mr Ebert said his company has developed a standardised package that allows the financial sector to accelerate their own compliance and risk/security assessment to facilitate a specific core business case. He recognised however that a mutual learning curve has to be experienced involving the regulator, the bank and the service provider. The question was asked as to whether people’s attitude to personal data – and how it’s treated – needs to change. Ms Ferracane commented that personal data is more far-reaching than ever before; studies show that at least 75% of data could be described as personal. She gave the example of a drilling machine in a factory, which requires an operator to enter personal data to be able to use it. She also remarked that the big problem is not necessarily piracy of data, but tweaking of data. This is of particular concern when it involves medical data. Ms Muyldermans said that the barrier between what people want to share and don’t want to share is becoming lower. She added that the challenge for banks is how to use the data that they already have in their possession, in order to provide better services, such as smart contracts.