Digital Sovereignty; it’s just politics? (Part 1)

Introduction

A pandemic, war in Europe, war in the Middle East, and countries threatening each other with tariffs are increasing the likelihood of trade wars, which will certainly have a global impact. The coronavirus pandemic at the beginning of this decade exposed our reliance on goods and services from countries around the world and the impact of interruptions in the supply chains of those goods and services. While the availability of online services was less affected during the COVID-19 pandemic, it did impact many of the technologies they rely on. The pandemic sparked interesting discussions on the European Union’s reliance on critical goods and services worldwide.

Recent geopolitical developments have increased the emphasis on our ‘Digital Sovereignty’. The invasion of Ukraine is an obvious one, but don’t forget that various nation-states have attempted to influence elections or disrupt critical infrastructure. Essentially, how autonomous are we (or can we be) as an individual, company, nation, or the EU when determining our digital strategies? Digital sovereignty, arguably, is not a new concept. It is an overarching definition that attempts to create focus on the autonomy of any actor, but in what (or perhaps where)?

We can identify several key aspects when examining digital sovereignty. These are data, technologies, and competence/knowledge. While (cyber) security could/should be considered a part of all of these aspects, I am going to address some topics related to it separately. In this blog, I want to expand on these aspects and their recent developments. In a subsequent blog, I want to dive deeper into these different aspects and what to consider when determining your company’s way forward on digital sovereignty.

The ‘simplicity’ of Europe

We all know the European Parliament needs to consider the (differing) interests of the many countries it represents. This tends to make it a bit sluggish in terms of keeping up with geopolitical developments. Over the last decade, several new ‘acts’ were introduced with differing goals, but with the overall goal of addressing the European ‘Digital Space’ and strengthening our ‘Digital Sovereignty’. It is important to understand that these acts can impact your company’s operations and might require your company to act.

The European Parliament started with the introduction of several acts, among which are the Data Act, the Digital Services Act (DSA), and the Cyber Security Act. The Data Act attempts to address the fair use and sharing of data for individuals and businesses. The DSA attempts to prevent illegal and harmful activities and the spread of misinformation on online platforms. The Cyber Security Act attempts to provide a certification framework for IT products, processes, and services recognized across Europe. Part of the EU strategy is to take on skill gaps or shortages via several initiatives. Not unimportant is the NIS2 directive, which will be discussed in more detail at a later point.

An upcoming and more recent EU initiative is the AI Continent initiative, part of the Cloud and AI Development Act. This act attempts to address challenges related to the innovation gap with the US and China, increase Europe’s competitiveness in the AI and Cloud market, and enhance security while reducing the dependency we in Europe have on service providers outside of our continent. This is all in an attempt to improve our ‘Digital Sovereignty’.

When new laws are introduced based on European acts or initiatives, they typically also get an extra bit of ‘sauce’ from each nation. Take NIS2: its adoption in each EU member state takes on a different shape. In Germany it’s the NIS2UmsuCG, in France the “Loi de programmation relative à la sécurité intérieure” (LPSR), and in Italy the “decree no. 138, decreto legislativo 4” (huh!?!). When dealing with digital services from other EU nations, it’s important to understand that there might be ‘slight’ differences in the adoption of laws.

Don’t worry, it’s just data

Properly ensuring the availability of your data includes backups, redundancy, and disaster recovery. Then there is securing your data (both at rest and in transit, just take a look at the data theft incident type here), storing your data, and transporting your data. These are all topics known to us, and (hopefully) taken into account as part of your company’s strategy. So, how does this impact our autonomy?

Consider the (additional) dimension of recent geopolitical developments: what if a state decides to seize data, cut off power (whether intentionally or not), or even cut off internet access? For example, consider the American CLOUD Act, which can compel cloud providers to hand over data, even for European companies that have their data stored in Europe. China has similar laws; see Article 28 of its Cybersecurity Law.

Based on the limited information I give here, the scenarios stated in the paragraph above need to be considered. So, is your data secure? Can you continue your business elsewhere if the data in one location is compromised? What strategy is considered, and how does this impact your business continuity? Are there just backups or an architecture that geographically separates the availability of your service (across borders)? Not to mention the implications of regulations on the privacy-sensitive data of customers, for example, GDPR within the EU.

Not invented here (syndrome)

As engineers, we typically encounter the not invented here (NIH) syndrome in companies. From a national or European perspective, we should consider NIH when adopting new technologies (but then reverse it). The previous paragraphs hopefully provided some context on ‘the why’ you should at least put some question marks around outsourcing everything IT-related, especially to global service providers. I am not arguing that you cannot or should not rely on many of the global service providers or manufacturers available today. You should think about which of your (core) business processes can be affected if you do, and what risks that brings for your business.

We should consider the questions: is it locally sourced (national or EU), is it open source, and where is the infrastructure developed? It is essential to understand the technologies your company relies on, as well as those of any service providers whose critical business processes your company relies on. An interesting example of this was the semiconductor chip shortage, which subsequently affected many vendors and their expected delivery times. This article highlights the complexity of the supply chain, of which semiconductors are just one component among many of the IT products we rely on. In short, it’s impossible to take everything into account when considering the selection of technologies and/or providers. But there are ways to mitigate some of the risks.

The omnipotent engineer (or developer)

The ‘IT’ guy who knows everything, a man in the basement who fixed everything (duizendpoot as we call them in Dutch). While that might have been possible in the 1980s, the IT landscape has expanded significantly. We have grown more reliant on IT systems, and they are used for many more applications. The shortage of skilled workers, especially in IT, is not a new problem. Multiple factors contribute to the skills shortage. Technologies change rapidly, and more specialized knowledge is required to handle the increasing number of introduced technologies, which contributes to the perception of ‘less skilled’ engineers. The increase in domains, for example, AI, has the same effect. Also, consider that more and more companies are ‘forced’ to adopt IT to stay ahead of their competitors. And the pond keeps getting smaller and smaller relative to the demand. This blog nicely highlights some of the nuances there.

So, how do you get the right personnel, who should you get, and what level of skill do they need? Should you recruit only on a national level, within the EU, or globally, or just outsource all IT-related work? I think this is the most difficult one of them all. The people you hire (or do not hire) tend to determine much of your company’s IT strategy. They can be the driving or limiting force in your company. They (should) understand the technologies your company relies on and how they affect your core business processes and services.

I’m secure, I accepted the risk(s)

The European Commission presented a new Cybersecurity strategy back in 2020. Part of this is the NIS2 directive. NIS2 will impact how companies within the EU have to handle their cybersecurity. For us Dutchies, this is called the ‘Cyberbeveiligingswet’. Additional sectors that have to adhere have been added to the new law based on NIS2. It is essential to determine if this law applies to your organization and how it affects your business.

If NIS2 applies to your company, you are required to register your company in the entity registry. You must do a risk assessment of your company’s cybersecurity posture and implement measures for preventing and reacting to security incidents. The board of a company must approve any measures and is required to be educated for this. Finally, if an incident occurs, your company is required to report this to a Computer Security Incident Response Team (CSIRT) and the regulator within 24 hours.

We were talking about ‘Digital Sovereignty’, so why mention this? Our cyber defence ties directly into our ‘Digital Sovereignty’. Properly securing your company and, depending on your domain, a nation’s critical infrastructure is an important factor in how ‘Sovereign’ your company, nation, and Europe can be. Not properly addressing your company’s cybersecurity, in addition to the negative effects on your company’s revenue, can also have legal consequences for people in the company, including board members.

In a (sovereign) Nutshell

Many of the aspects highlighted in this blog are things (I hope) we know, have acted upon, or are acting upon, way before the term ‘Digital Sovereignty’ came into the picture. While ‘Digital Sovereignty’ is just a term that attempts to emphasize some of the risks when relying on goods and services sourced in other parts of the world, these risks were always there. The EU and nation-states are attempting to act on and address some of the issues we are facing today. From my perspective, some of the assumptions that we made related to globalization and stability in the previous decade are not that self-evident (anymore).

We need to adapt our strategies to consider these changes, for which the term ‘Digital Sovereignty’ can act as an ‘umbrella’ term to address them. This first blog is an attempt to highlight some of the complexities when defining an IT strategy that takes Digital Sovereignty into consideration. In the next blog, I want to dive a bit deeper into these different aspects and highlight strategies and considerations for increasing autonomy that a company, especially a small to mid-sized one, could take into account.

Jonah Sanderse