Digital sovereignty: A CISO’s perspective
As far as our company (Électricité de France) is concerned, the battle for our digital sovereignty is well underway and campaigns are being conducted internally. We have taken digital sovereignty into account and adapted our technologies and strategies accordingly — especially for our business processes that rely on data processing. These are the cornerstone upon which the concepts of sovereignty and trust are built.
As an energy producer, our goals are to secure electricity production and to develop new production sites. In addition, we must also keep our service commitments to customers, contribute to energy savings, protect the rights of citizens and the confidentiality of consumer information, and secure our end-to-end supply chain to protect our strategic company assets.
Digital independence is essential for us to stay in control of our destiny. We must maintain our ability to choose our technologies, and independently evolve our sovereignty activities over the long term to protect our company, our customers’ interests, and our future.
Cybersecurity itself must be protected to develop a self-defense capability
To reach an adequate protection level, we must be free to choose our strategies for countering attackers and therefore to choose the best protection for our critical assets and any trade secrets.
We must preserve and control our freedom of choice while guaranteeing that our infrastructures are shielded from outside threats. Technological independence can also be a challenge for companies, which is why reversibility processes are necessary, even mandatory, to guarantee the continuity of our services.
To further illustrate, here are some examples of sovereignty issues:
Similar questions exist about Blockchain, which ensures the integrity, traceability and enforceability of transactions by using a shared, immutable ledger to provide a secure, immediate exchange of data or documents between multiple parties. How can we guarantee the integrity of the ledgers and thus the validity of the data or document? Protecting them against intrusion is key, as compromised data or falsified documents can have real strategic and business impacts and lead to a financial loss for the organization. However, sovereignty and autonomy are not just about security, technology or the economy. They also encompass human factors. There is a growing need for skills in the cybersecurity fields, which is why our organisation has implemented training pathways to create career opportunities in cybersecurity. Furthermore, we also conduct cyberthreat awareness campaigns for everyone from end users to decision makers.
Cybersecurity initiatives to expand digital autonomy
To expand our digital autonomy strategy in the EU cybersecurity market, our Group is one of the founders and key partners of Gaia-X. Gaia-X is a European initiative that is developing a software control and governance framework, and implementing a common set of policies and rules that can be applied to any existing cloud or technology stack. The Gaia-X framework is meant to be deployed on top of any existing cloud platform that chooses to adopt the Gaia-X standard. The main objectives are to enable transparency, controllability, portability and interoperability across data and services — along with protecting European sovereignty.
The objective of Gaia-X is to define what sovereignty means and how it will be applied in our data market by ensuring controllable services and verifiable independence from legislation or influence by non-European actors. This initiative has been publicly supported by many public institutions as an important evolution in supporting the advancement of European sovereignty. European users will require Gaia-X compliant services, and non-European players will be free to adopt this sovereignty framework in order to operate in Europe.
Martine Gouriet, EDF’s Director of Digital Uses, is leading the work related to Gaia-X labeling, and we recently launched a survey of all Gaia-X members to establish the rules and criteria for three different types of labels.
The Gaia-X framework will define common service descriptors, compliance verifiers and registers — which will be accessible to all for inspection. Gaia-X labels will be assigned only to services (not operators) verified to be compliant with the labeling framework. Non-European players will be able to offer services labeled as level 1 and level 2. However, the criteria require that non-European players cannot be the main providers of level 3 services, although they can cooperate with the main service provider.
In the spirit of autonomy and independence, other initiatives are also underway, such as our active participation in ECSO, the European Cyber Security Organisation. The main goal of ECSO is to coordinate the development of the European cybersecurity ecosystem and support the protection of the European Digital Single Market, ultimately contributing to the advancement of Europe’s digital sovereignty and strategic autonomy. ECSO also contributes to the establishment and development of a network with our peers.
Our participation in the Brienne fund and our internal discussions on trusted cloud also contribute to our digital autonomy.
Finally, for a global organisation such as ours, digital sovereignty contributes in a positive way to the implementation of remote working. Along with other initiatives, it also helps our global organisation share business and technical expertise across the Group and within our extended enterprise.
About the author
Chief Information Security Officer, EDF Group
A 1994 graduate of ESIEA with a master’s degree in engineering, Olivier Ligneul began his career in the telecom sector before moving into more generalist information systems environments.
After working in the AT&T architecture teams and managing the technical hosting department of Colt Telecom, he held the position of DSI (CIO) of an international group from 2005 to 2009. He joined the French national cybersecurity agency (ANSSI) when it was created, heading its advisory activities, which focused mainly on supporting projects led by ministries and critical infrastructure operators. He actively participated in the publication and promotion of the EBIOS method, the preparation of European Union, NATO and European programmes, and the redesign of CISO and ISD training programmes.
In 2012, he joined the CIO office of the economic and financial ministries and took charge of the technical and security dimensions of their information systems. His team focused in particular on conducting structuring projects for the ministry, defining the technology roadmap and associated standards, and pooling expertise between departments in order to support the deployment of digital transformation programmes.
In early 2015, Olivier Ligneul joined the EDF Group and became Group CISO. He is also a forensic legal expert attached to the Court of Appeal of Versailles, President of Club EBIOS, and a member of the Board of Directors of CESIN and of the European Cyber Security Organisation (ECSO).