The CISO Perspective on Digital Sovereignty
At a Glance
The battle for digital sovereignty is well underway, with organizations both large and small now working to adapt their technologies and strategies accordingly — especially for those processes that rely on data processing. In this article, EDF Group’s Chief Information Security Officer, Olivier Ligneul, provides his perspective on what this has meant for his organization and how organizations can collaborate effectively to expand digital autonomy in the future.
EDF Group’s Chief Information Security Officer, Olivier Ligneul, offers his perspective on how organizations are responding to the “battle for digital sovereignty” and adapting their technologies and strategies to ensure sovereignty and trust are maintained.
As far as our company (Électricité de France) is concerned, the battle for our digital sovereignty is well underway and campaigns are being conducted internally. We have taken digital sovereignty into account and adapted our technologies and strategies accordingly — especially for our business processes that rely on data processing. These are the cornerstone upon which the concepts of sovereignty and trust are built.
Our goals, as an energy producer, are to secure electricity production and to develop new production sites. In addition, we are also committed to keeping our high service levels to customers, contributing to energy savings, protecting the rights of citizens and the confidentiality of consumer information, and securing our end-to-end supply chain in order to protect our strategic company assets.
Digital independence is essential for us to stay in control of our destiny. We must maintain our ability to choose our technologies, and independently evolve our sovereignty activities over the long term to protect our company, our customers’ interests, and our future.
Cybersecurity itself must be protected to develop a self-defense capability
To reach an adequate protection level, we must be free to choose our strategies for countering attackers and therefore to choose the best protection for our critical assets and any trade secrets.
We must preserve and control our freedom of choice, as well as guarantee that our infrastructures are shielded from outside threats. Technological independence can also be a challenge for companies, which is why reversibility processes are necessary, even mandatory, to guarantee the continuity of our services.
To further illustrate, here are some examples of sovereignty issues:
1. Digital twins (like a digital copy of a site plan, an event simulator, or modeling tools for nuclear power plants) use sensors to provide a link between the real world and the digital world. The integrity of the data generated by those assets is essential, as they contribute to the business’s decision-making processes and strategies.
2. Artificial intelligence (AI) can mimic the problem-solving and decision-making capabilities of the human mind, but how can you guarantee the integrity of algorithms and their outcomes? Can you secure the decision cycle based on the intent of the designer? In short, we must be able to verify that algorithms serve the original intent of the designer and haven’t been compromised.
3. Similar questions exist about blockchain, which ensures the integrity, traceability and enforceability of transactions by using a shared, immutable ledger to provide a secure, immediate exchange of data or documents between multiple parties.
How can we guarantee the integrity of the ledgers and thus the validity of the data or document? Protecting them against intrusion is key, as compromised data or falsified documents can have real strategic and business impacts and lead to a financial loss for the organization. However, sovereignty and autonomy are not just about security, technology, or the economy. They also encompass human factors.
There is a growing need for skills in the cybersecurity fields, which is why our organization has implemented training pathways to create career opportunities in cybersecurity. Furthermore, we also conduct cyberthreat awareness campaigns for everyone from end users to decision makers.
Cybersecurity initiatives to expand digital autonomy
To expand our digital autonomy strategy in the EU cybersecurity market, our Group is one of the founders and key partners of Gaia-X. Gaia-X is a European initiative that is developing a software control and governance framework and implementing a common set of policies and rules that can be applied to any existing cloud or technology stack.
The Gaia-X framework is meant to be deployed on top of any existing cloud platform that chooses to adopt the Gaia-X standard. The main objectives are to enable transparency, controllability, portability and interoperability across data and services — along with protecting European sovereignty.
The objective of Gaia-X is to define what sovereignty means and how it will be applied in our data market by ensuring controllable services and verifiable independence from legislation or influence by non-European actors. This initiative has been publicly supported by many public institutions as an important evolution in supporting the advancement of European sovereignty. European users will require Gaia-X compliant services, and non-European players will be free to adopt this sovereignty framework in order to operate in Europe.
Martine Gouriet, EDF’s Director of Digital Uses, is leading the work related to Gaia-X labeling, and we recently launched a survey of all Gaia-X members to establish the rules and criteria for three different types of labels.
The Gaia-X framework will define common service descriptors, compliance verifiers and registers — which will be accessible to all for inspection. Gaia-X labels will be assigned only to services (not operators) verified to be compliant with the labeling framework. Non-European players will be able to offer services labeled as level 1 and level 2. However, the criteria require that non-European players cannot be the main providers of level 3 services, although they can cooperate with the main service provider.
In the spirit of autonomy and independence, other initiatives are also underway, such as our active participation in ECSO, the European Cybersecurity Organization.
The main goal of ECSO is to coordinate the development of the European cybersecurity ecosystem and support the protection of the European Digital Single Market, ultimately contributing to the advancement of Europe’s digital sovereignty and strategic autonomy. ECSO also contributes to the establishment and development of a network with our peers.
Our participation in the Brienne fund and our internal discussions on trusted cloud also contribute to our digital autonomy.