{"id":92385,"date":"2023-06-06T05:00:00","date_gmt":"2023-06-06T05:00:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=92385"},"modified":"2023-06-06T05:00:00","modified_gmt":"2023-06-06T05:00:00","slug":"netherlands-makes-case-for-harmonisation-of-cloud-security-standards","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92385","title":{"rendered":"Netherlands makes case for harmonisation of cloud security standards"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/06\/netherlands-makes-case-for-harmonisation-of-cloud-security-standards.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Late in 2022, an update of the Dutch Corporate Governance Code was released to include a section on governance of IT. The code prescribes rules of conduct for directors of listed companies to protect the interests of shareholders, employees and other stakeholders.&nbsp;&nbsp;<\/p>\n<p>The revision means that listed companies will be required to explain in their annual reports for 2023 how they ensure that crucial IT systems continue to run smoothly and securely.&nbsp;To make this insightful, the Dutch professional association of auditors, Norea, has developed a digital financial statement: the \u201cIT in control\u201d statement.&nbsp;&nbsp;<\/p>\n<p>Michiel&nbsp;Steltman&nbsp;is a core team member of the Dutch Online Trust Coalition (OTC), an alliance of more than 20 organisations from business, science, and government committed to a trustworthy cloud. 
According to&nbsp;Steltman, this digital equivalence of the annual financial report is a step in the right direction, but there is still a lot of work to be done.&nbsp;&nbsp;<\/p>\n<p>\u201cFor example, there\u2019s a need for better cooperation among regulators to ensure that companies do not need to meet dozens of different lists with security requirements and have 10 different auditors checking almost all the same things,\u201d he said.&nbsp;<\/p>\n<p>\u201cIt is complicated for customers and other stakeholders such as consumers, shareholders, citizens, financiers, as well as auditors and regulators, to get assurance on the reliability of cloud services.<\/p>\n<p>\u201cThere may often be a proprietary statement on a provider\u2019s website that you just have to rely on. Or maybe there are reports available, but these can only be accessed by auditors,\u201d he said, adding that this makes it difficult to assess how a cloud provider has its security in place.&nbsp;&nbsp;<\/p>\n<p>For providers, on the other hand, the difficulty is that stakeholders often all demand&nbsp;additional&nbsp;evidence to prove that all legal reliability requirements are met.<\/p>\n<p>\u201cEspecially for the smaller players, and we have many of them in the Netherlands, this is&nbsp;impossible,\u201d said Steltman. \u201cEvery audit or certification costs time and money. If we&nbsp;remain impassive&nbsp;about this in the Netherlands, we run the risk that soon only the big&nbsp;tech&nbsp;will remain,&nbsp;and we as consumers will lose our freedom of choice.\u201d<\/p>\n<p>To arrive at a situation where both providers can demonstrate what they have done to ensure security and stakeholders can reliably understand this, the OTC has identified three pillars. The first is to work towards standardised and harmonised&nbsp;security and IT governance&nbsp;frameworks. Second is that audits and inspections should also be standardised and meet set requirements. 
Third, there should be reports that are accessible and usable by all stakeholders.<\/p>\n<p>\u201cAt the moment, the second and third pillars are still hardly happening,&nbsp;and this creates problems and a jungle of labels and certifications.&nbsp;If any of these three pillars&nbsp;are missing,&nbsp;the&nbsp;necessary&nbsp;trust and assurance&nbsp;will not occur,\u201d said Steltman.<\/p>\n<p>At the European level, work on the European Union Cybersecurity Certification Scheme on Cloud Services (EUCS) directive, which is being developed by ENISA, has been going on for some time.<\/p>\n<p>\u201cInitially, this was a French-German marriage, where they wanted to cast the German C5 [Cloud Computing Compliance Controls Catalogue] together with the French&nbsp;SecNumCloud&nbsp;into a new seal of approval,\u201d said&nbsp;Steltman.<\/p>\n<p>\u201cAs the Online Trust Coalition, we were able to add some important principles from the Dutch hallmark Zeker&nbsp;Online. Our ideas around auditing and reporting ended up in the EUCS. We are quite proud of that.\u201d<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Reuse and cooperation crucial\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Reuse and cooperation crucial&nbsp;<\/h3>\n<p>The next step envisioned by the OTC is the reuse of declarations and statements. \u201cOur concern is that despite the EU\u2019s good intentions to harmonise, regulators will still come up with their own lists and compliance checks again,\u201d said&nbsp;Steltman. That\u2019s where Norea\u2019s \u201cIT in control\u201d statement comes in.&nbsp;<\/p>\n<p>\u201cThis way, companies can show that they are in control with respect to their IT and security, which can include the use of suppliers that use the EUCS. 
That may be a strict inspection with a long list of requirements, but such a yearly audit should then suffice for many purposes,\u201d said Steltman.<\/p>\n<p>The crux lies in the fact that buyers must accept that this is the standard by which organisations prove that their affairs are in order. \u201cCurrently, we\u2019re still in a situation where everyone draws up their own security requirements and wants to request proof of this in their own way.\u201d<\/p>\n<p>Steltman&nbsp;is convinced that cloud providers want to prove that they have their security under control: \u201cBut it is impossible to have to do that tailor-made for every customer. That\u2019s where the regulatory burden lies in practice, not in taking the security measures themselves. And this is exactly why it is vital that we work towards standardisation and harmonisation.\u201d<\/p>\n<p>The Netherlands has a large, broad digital sector with many SME players. To keep the market healthy, it is crucial that they can continue to compete and not get bogged down in regulation, hallmarks, and labels.<\/p>\n<p>\u201cOtherwise, the same will happen as happened in the telecoms market \u2013 only the big companies will remain. In doing so, you play right into the hands of the tech giants of this world and at the same time limit customers\u2019 freedom of choice,\u201d said&nbsp;Steltman.&nbsp;<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Great need for EUCS\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Great need for EUCS&nbsp;<\/h3>\n<p>The European Union is also striving for harmonisation, but this has not yet been achieved in practice. Therefore,&nbsp;it\u2019s necessary for&nbsp;the Netherlands&nbsp;to&nbsp;start taking steps&nbsp;themselves,&nbsp;Steltman&nbsp;believes.<\/p>\n<p>\u201cRegulators have to start relying more on the judgement of each other,\u201d he said. 
\u201cThat is still a big challenge, although&nbsp;some of the Dutch regulators&nbsp;have now realised that they have to start working together because&nbsp;they all are already swamped.\u201d<\/p>\n<p>Meanwhile, the EUCS has been&nbsp;sitting&nbsp;on&nbsp;a&nbsp;shelf for two years&nbsp;already&nbsp;due to a conflict with France,&nbsp;much to&nbsp;Steltman\u2019s frustration. The French government wants to exclude non-European cloud vendors from the highest level of cyber security assurance.&nbsp;To&nbsp;qualify for that level, applicants must prove that no non-European actors have access to the data \u2013 or, in other words, only work with and according to EU legislation.&nbsp;<\/p>\n<p>According to&nbsp;Steltman, these are political influences that have no place in the development of EUCS: \u201cThere is a huge need for this scheme at&nbsp;the&nbsp;European level, which is why it should be released as soon as possible, free of political influences. After that, we can talk further about sovereignty.\u201d&nbsp;<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Late in 2022, an update of the Dutch Corporate Governance Code was released to include a section on governance of IT. 
The code prescribes rules of conduct for directors of listed companies to protect the interests of shareholders, employees and other stakeholders.&nbsp;&nbsp; The revision means that listed in their annual reports for 2023 companies will [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92386,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-92385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92385"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92385\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92386"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}