Cloud computing continues to profoundly transform companies’ information systems. After a phase of massive adoption driven by economic and operational gains, new challenges are emerging around trust and the security of strategic data.
Between tighter regulatory requirements, the rise of sovereign cloud offerings, and ongoing innovation in security, the year 2024 will mark a turning point towards a trustworthy cloud in the French landscape. Here is a brief overview of the major trends that will shape the upcoming months.
The sovereign cloud and the trusted cloud, cornerstones of the French cloud strategy
The sovereign cloud and the trusted cloud share a common goal: to offer French organizations, especially those handling critical data, the opportunity to leverage the benefits of cloud computing without compromising on security and control over their information.
In practice, these two concepts refer to a set of requirements and guarantees covering various aspects: data localization within the national territory, transparency of processing chains, reversibility of transfers, robustness of protections against cyberattacks, and more.
Ultimately, the aim is to preserve France’s technological sovereignty in the face of the increasing risks in the digital realm, whether it be espionage, sabotage, or the capture of data for commercial purposes.
This strategic shift towards the trusted cloud materialized in 2023 through several structuring measures and will continue in 2024. Notable among them is the State’s “Cloud at the Center” program, which safeguards the hosting of the administration’s sensitive digital services on SecNumCloud-labeled sovereign infrastructures.
The regulatory developments in 2024
The trend towards strengthening the regulatory framework is expected to intensify further in 2024 with the implementation of new regulations at both the French and European levels.
The European Union Cloud Services (EUCS), currently in its final drafting phase, will serve as a flagship document for defining trustworthy cloud services. This single reference framework aims to eventually replace national initiatives such as the SecNumCloud certification in France, C5 in Germany, or ENS in Spain.
The key criteria of the EUCS include:
- Headquarters located within the European Union.
- Assurances of immunity from the Cloud Act and from the extraterritorial reach of non-European legislation.
- At least one data center located in Europe for the “High” level or all data centers based in the EU for the “High+” level.
- Residence of employees accessing data within the EU and thorough examination of their profiles.
- Expanded definition of “sensitive” data: personal or non-personal data whose disclosure could compromise public order, security, health, or the exercise of essential government functions.
Another major development is the NIS 2 regulation. Succeeding the NIS 1 text from 2016, the NIS 2 regulation (adopted in 2023) marks a turning point in the regulation of cybersecurity within the European Union. Its ambition? To standardize best practices in digital security across all sectors of the European economy.
In concrete terms, this new version expands its scope to new strategic sectors such as administration, telecommunications, social networks, and even the space industry. Importantly, thousands of private companies, regardless of size, are now affected.
Another significant evolution is the introduction of a proportionality mechanism in compliance requirements. In France, based on ANSSI recommendations, obligations will vary between “essential entities” considered the most critical and “important entities” with lower criticality.
In accordance with the GDPR, European Union member states have a 21-month deadline to transpose all provisions of the NIS 2 directive into their national law. As a result, the text sets October 17, 2024, as the deadline for the effective implementation of the new rules derived from NIS 2 within the national legislations of the 27 countries involved.
The SREN law (aimed at securing and regulating the digital space), adopted in its first reading on October 17, 2023, outlines several actions for 2024:
- Implementation by Arcom of a framework for age verification on pornographic websites, with the possibility of blocking non-compliant sites.
- Deployment of a cybersecurity filtering system to alert the general public to phishing attempts and scams.
- Establishment of additional penalties, including the suspension of social media accounts, for individuals convicted of cyberbullying.
- Expanded powers for Arcom to demand the rapid delisting of disinformation content spread by certain foreign media outlets.
Beyond these measures, the SREN law for the cloud will notably prohibit data transfer fees in the case of changing cloud service providers. This measure will facilitate competition and avoid situations of technological lock-in that could be detrimental to clients.
In the same spirit, the validity period of commercial assets, often used for customer loyalty, will be limited. The interoperability of cloud services will also be strengthened to enable greater fluidity in the flow of data between heterogeneous environments.
Published in 2023 by the European Commission, the Digital Operational Resilience Act (DORA) marks a decisive step for the cybersecurity of the financial sector. It imposes new ambitious requirements for digital risk management and business continuity.
Regarding the cloud, DORA brings “Critical ICT Providers” (CTPP) into the regulatory scope, incorporating cloud service providers (CSP) into this category.
The integration of cloud providers and technology service providers into the regulatory scope reflects the regulators’ intent to challenge these actors and hold them more accountable for their key role in the operational resilience of financial institutions against cyber risks. This step will have a lasting impact on the cloud market for the sector.
From our perspective, 2024 will be the year of digital trust for the cloud. As seen, a series of regulatory measures is poised to significantly structure the cloud market, particularly in terms of sovereignty and data protection.
On this last point, several sectors are in dire need of regulation. This is particularly true for:
- Health: Health data is extremely sensitive, and in recent years, cyberattacks have been on the rise and are expected to continue in 2024. Hosting data on sovereign cloud infrastructures is therefore essential as a defense against data theft.
- Public sector: By centralizing a considerable volume of information about citizens and constituents, public entities bear a special responsibility for data protection. Any compromise of these vast databases could undermine the trust pact. A highly secure and transparent cloud thus serves as an assurance of resilience.
- Defense: Due to the extreme sensitivity of the information processed, the defense sector is on the front lines against state or terrorist digital threats. Any cyber vulnerability could have dramatic consequences for national security.
- Financial institutions: In an era where the economy is increasingly immaterial, the cybersecurity of financial institutions, guardians of strategic banking and stock market data, has become vital for overall economic stability. Strengthening their posture inevitably involves adopting a cloud that offers the highest level of assurance.
Cognitive security, a new asset for the cloud
Beyond the traditional technological safeguards of the cloud, cognitive security based on AI holds the promise of a more proactive approach to cybersecurity threats. By modeling attack patterns and anticipating their future developments, these cognitive systems aim to protect organizations upstream, rather than merely reacting.
Several cloud solution providers, including IBM, are incorporating elements of behavioral AI to detect anomalies and early indicators of phishing campaigns or advanced intrusions. Machine learning also allows for adapting the level of monitoring to risk profiles and context for a better cost-effectiveness ratio.
In the long run, cognitive security technologies applied to the cloud could enable dynamic access segmentation or automatic quarantine of threats. By endowing Security Operations Centers (SOCs) with anticipatory capabilities, these technologies will mark a decisive step forward in corporate cybersecurity against adversaries increasingly adept at nonlinear strategies.
Edge computing, the asset of IoT and connected healthcare
Edge computing, which involves bringing computing and storage resources closer to devices, is experiencing significant growth in the Internet of Things (IoT) landscape. By processing a portion of the data at the network’s edge before transferring it to the central cloud, Edge computing offers several competitive advantages:
- Time savings: By bringing processing capabilities closer to the data collection point, Edge computing reduces latency and optimizes response times for IoT applications and e-health.
- Resilience reinforcement: By reducing dependence on the central cloud, it ensures the continuity of critical processing even if the network connection to the distant data center is disrupted.
These advantages make Edge computing a future-oriented technology for connected healthcare devices, including pacemakers, insulin pumps, or vital signs monitoring systems. By accelerating diagnostics and interventions while limiting cyber risks, Edge computing paves the way for a more responsive, reliable, and secure e-health ecosystem.
Conclusion
In the end, the year 2024 will mark a decisive turning point for the establishment of a trusted French cloud. Through the combined efforts of public authorities and private stakeholders, the technological and regulatory foundations for a resilient, reversible, and sovereign cloud are on the verge of being laid.
The implementation of foundational texts at the European level, the intensification of strategic projects in key sectors such as health or defense, and the ongoing innovation of offerings to enhance the native security of the cloud form a virtuous circle. This circle places trust and the protection of strategic data at the core of digital transformation.
Furthermore, this quest for digital trust embodies profound challenges of technological independence and freedom of choice in a globalized economy. In this regard, cloud computing solutions may be just the beginning of a broader political ambition to reshape a European digital third way that is both innovative and protective.
With Oodrive, choose today a trusted cloud, ensuring the sustainability of your information system! As a strategic partner, we assist you in the custom design of your sovereign cloud infrastructure. Our highly secure private cloud architectures, certified with the SecNumCloud label, address the specific challenges of protecting your critical data.