StartMag

Cloud, policy advice for the Draghi government. I-Com report

The conclusions of the report "A cloud strategy for a more competitive and secure Italy" by I-Com

The context surrounding the adoption and full exploitation of cloud technologies is quite varied and includes aspects that have often been considered in a slightly distorted or not completely responsive way with respect to real market conditions, the correct deployment of innovation and the actual management of relations between the Government, the Public Administration, businesses and citizens in the international context.

In this concluding section, the main findings that emerged are systematized to provide a set of recommendations useful for the Government's action in this field, aimed at optimizing the relationship between the regulation of the various areas connected to the transition to the new cloud computing paradigm and the maximization of the positive impact on the country system as a whole.

To this end, the policy proposals have been divided according to three main strands: economic impact and market opening; user safety and protection, understood as public bodies and private companies; and overall system resilience.

Furthermore, with respect to these three areas, the policies have been classified according to four different domains: infrastructures and services; skills; standards; management principles and operating practices.

4.1 ECONOMIC IMPACT AND MARKET OPENING

The first and main theme is related to the economic impact that can be released in Italy thanks to a full use of cloud technologies. In this regard, the analysis showed how such a diffusion could lead to up to over 1 billion savings per year for the Public Administration and an additional turnover of over 600 billion for businesses, in particular by acting as an enabling platform for all benefits associated with a full digital transformation.

To achieve this result, it appears necessary, first of all, to complete the high-speed access network distributed throughout the national territory, both through the Bul Plan, which is currently being reviewed, and by encouraging investments by operators, also by stimulating demand for services (the effects of the 1st phase of the voucher plan are expected to do so), as well as through the spread of 5G antennas and related services by mobile operators.

Secondly, there is an opportunity to incentivize the development and adoption of interoperable cloud solutions that favor participation and integration, in order to increase the level of innovation in the country, rather than constraining the supply of technologies to a limited number of suppliers. In this regard, it was noted that a reduction in the freedom of choice would deprive Italian and European public administrations, businesses and citizens of potentially important technological and digital innovations, resulting in a significantly reduced range of services (sometimes built ad hoc on individual needs), and this would lead to an environment with less competition and significantly less access to innovation.

At the same time, it is important to guarantee full control over data through localization methods aligned with European and market standards. In this context, Italy's participation in the Gaia-X project, as a federated and transversal data infrastructure in the EU, capable of guaranteeing certain standards of privacy and security and, at the same time, of making the most of the economic opportunities resulting from the data market, seems highly desirable. In particular, it is important to create a common framework capable of promoting a level playing field for all those who accept common principles, and of preventing the possible negative effects deriving from protectionism, the raising of market barriers and geographical discrimination, allowing access also to non-European companies that decide to subscribe to the standards and values of the EU.

Still on the subject of enabling characteristics, a mention and operational planning must necessarily refer to the field of digital skills. Italy, as is well known, ranks at the rear in Europe according to the Desi index in this area and cannot ignore the commitment to create an integrated plan for the development of 360° digital skills, to support both public and private actors. As for the former, it appears necessary to map the skills of managers and employees of the PA, in order to prepare an adequate training plan to fill any gaps that may emerge from the census. In relation to the private sector, specific initiatives should be aimed at students (through the strengthening of Higher Technical Institutes and encouraging the increase of STEM – Science, Technology, Engineering and Mathematics – graduates), workers (updating and retraining of skills and Lifelong Learning) and citizens (training for access at least to basic services, in particular for the less digitalised categories).

As regards the possible policies aimed at optimizing the economic impact and the opening of the market, these can be identified in 7 actions:

– ensure high competitiveness of the cloud market with the participation of all national and international cloud service providers, in order to encourage greater investments, Italian and foreign, in innovation, infrastructures and technologies on the national territory and raise the level of development and of internal knowledge, promoting a collaboration based on common values and principles, without geographical discrimination. In this regard, it is noted that political decision-makers are called upon to adopt great caution in making certain choices regarding technological sovereignty, since these could have negative consequences for the competitiveness of the country – which suffers an undeniable technological disadvantage towards the most advanced – risking to end up widening the investment and productivity gaps it suffers from and leaving it with less competition, less choice and less access to innovation;

– it seems appropriate to encourage greater investments, Italian and foreign, in innovation and technologies on the national territory, in order to raise the level of development and internal knowledge relating to these areas;

– encourage the interoperability of services and the portability of data and applications, the use of open standards, favoring participation, integration and flexibility, in order to increase the level of innovation in the country and the sharing of technologies and best practices capable of improving the overall level of innovation of the system;

– continue and intensify the national programs (in particular the Transition Plan 4.0, the evolution of Impresa 4.0) and the incentives for accelerating the digital transformation of SMEs through cloud computing.

In particular, it is considered useful to encourage the adoption of cloud solutions by Italian small and medium-sized enterprises, with particular attention to strategic functions and services with high added value. It is also important to promote the transition to the cloud as a reference element in the choices of SMEs who want to access the resources of the Transition Plan 4.0, aimed at encouraging and supporting the competitiveness of our companies and enhancing Made in Italy;

– promote the diffusion of the cloud in the PA by accelerating the roadmap on the cloud-first policy envisaged by the Three-Year Plan for public ICT since 2018, according to a hybrid cloud model, with the aim of migrating the thousands of data centers that are currently inadequate and inefficient and fail to guarantee adequate security standards. In particular, defining a Public Administration Migration Plan on the cloud with a three-year horizon, accelerating the consolidation of existing IT infrastructures also in hybrid mode and leveraging the market platforms offered by all cloud service providers certified by AgID, could allow a decisive simplification in the activities of the Italian PA, increasing its effectiveness in providing services to citizens and businesses, as well as allowing significant savings. The challenge for the PA is to be able to create a future-proof cloud infrastructure (flexible, to be able to adapt to changes in the context, and open), to be able to incorporate the innovations that may come from the market;

– promote the use of funds with which to enhance the experiences and skills present in the Public Administration, avoiding centralization on a single private market operator for the partnership management of the NSPs (National Strategic Poles) but strengthening the existing public infrastructure in order to use it for applications that cannot be migrated to the market cloud;

– favor the accompaniment of new technologies and the modernization of applications through forms of incentives that reward the adoption of synergistic migration paths and the choice of operators who make sustainability a concrete commitment;

– as part of the coordination actions to be undertaken at an international level, provide for sector harmonization for the main data spaces and business ecosystems, in the wake of the Gaia-X project, and ensure harmonization with other legal and regulatory systems (including in light of the Recommendations of the European Data Protection Board following the Schrems II judgment).

Still on the subject of harmonization, in relation to the management principles and operating practices, we suggest the opportunity to define methods for managing cross-border transfers and the related protection methods.

On this point, in evaluating and orienting EU-US relations, it is essential that the debate currently underway in the European Union and at national level is correctly reformulated and focused on the observation that the disclosure obligations attributed by it, albeit extensive, are subject to a series of important procedural limitations and guarantees that provide for the intervention of the judicial authorities, require a careful balancing of the interests involved and give the recipients of disclosure orders specific powers of opposition to protect the interests of States and individuals.

This debate comes at a very delicate moment, in which the European Union is facing great complexity linked to the fact that, as is well known, the recent Schrems II ruling declared the adequacy decision of the Privacy Shield invalid, creating a regulatory gap as large as it is serious.

To address this condition of uncertainty, the European Data Protection Board (EDPB) has formulated a specific strategy to be followed to achieve compliance and enforcement, while the European Data Protection Board has provided a series of important recommendations that give indications about the procedural steps to be followed in making data transfers and also set out the possible measures to be taken, among which cryptography takes on a leading role. These are particularly important initiatives which, on the one hand, have the merit of pursuing objectives of clarity and, on the other, as highlighted in the course of the analysis, leave some issues unresolved that require rapid clarification. At the same time they raise many questions about the proportionality of the proposed measures with respect to the objectives pursued, making it evident, and urgent, that reflection and discussion with stakeholders be deepened in order to ensure a fair balance of all the interests involved.

4.2 SECURITY, USER PROTECTION AND RESILIENCE

A second fundamental issue, indicated in the operational diagram, concerns data security and user protection, understood both as a public entity and as a private entity. In this regard, the first and fundamental aspect is constituted by the infrastructures, with respect to which it is considered important to make available forms of data localization and related management processes in the European Union, as well as advanced methods of segregation of information:

– the segregation of data, in particular, concerns the various security methods and systems offered to users, both public and private, to guarantee access to data only for the latter. In fact, the data segregation procedures include forms of encryption, access regulation and identity control;

– this type of technology is also particularly important because it protects public and private users even in the event of any requests for access to data made to international providers by non-European countries, since encryption guarantees that the data cannot be used by anyone who does not have the key, including the suppliers themselves.

At a regulatory level, also in light of the provisions set out in the law on the cyber security perimeter, the importance of the following actions is emphasized:

– carry out a classification of strategic data and assets to assess which ones need a particular level of protection, with criteria that guarantee the best trade-off between security and market competitiveness. In this regard, the case of the United Kingdom, which is the country most active in Europe in the field of digitization and the economy of data in terms of investments, value, and training, is of great interest to the other Member States of the Union. With the Data Classification Strategy, in fact, a classification system was introduced that takes into account both the digital and uniform management of PA information and data, and the actual degree of sensitive information within them, identifying those worthy of maximum protection measures. The British case therefore shows the opportunity to classify data in order to distinguish them by level of risk and consequently by level of protection;

– characterize the cloud infrastructure as a "critical infrastructure extended" to different operational contexts within which it is useful or necessary to define shared operational baselines that can allow the management of an ecosystem, without prejudice to the regulatory provisions on the Cyber Security Perimeter and the related definition of critical infrastructures;

– guarantee full control over data – through governance methods – aligned with European and market standards and the dissemination of Codes of Conduct – such as that of CISPE (Cloud Infrastructure Services Providers in Europe) – which help public and private individuals to ensure that their cloud infrastructure provider uses appropriate data protection standards that comply with the General Data Protection Regulation (GDPR);

– define and disclose any cross-border data transfer obligations.

As regards the harmonization of management principles and operating practices, it is suggested to evaluate the possibility of:

– establish transparent and defined procedures for the migration to the cloud, in order to guarantee and reassure in particular public administrations and SMEs on the operations to be carried out;

– carry out systematic checks and rigorous security procedures to prevent unauthorized access and manipulation of data, applications and algorithms, as well as to define the areas and methods of access allowed to law enforcement agencies.

Finally, to ensure complete protection, an aspect that should not be underestimated also concerns the human factor. In this regard, it seems appropriate to promote ad hoc programs for training in IT security for employees of the PA and SMEs, relating in particular to knowledge and practices aimed at significantly reducing the level of risk that often derives from incorrect and poorly informed practices.

As regards the issue of resilience, the importance of which was also highlighted by the renewed awareness of the need to strengthen the system to prevent or deal with any crisis situations:

– the opportunity of moving to the cloud is further observed, compared to the current management of hundreds of data centers, in particular as regards local PAs;

– furthermore, it appears a priority to ensure the continuity of cloud services at the infrastructural level, in particular through redundancy of solutions, portability and interoperability, tracing and recoverability of data. This, as is evident, is directly linked to the possibility for the local PAs themselves, as well as the central ones and the companies themselves, to access the widest range of solutions, without any limitations, in particular relating to the best and most technologically advanced solutions available on the international market.

Support and promotion of resilient infrastructures and technologies are also desirable through regulatory interventions. In this regard:

– provisions such as those contained in the Curaitalia dl, aimed at simplifying the purchase of cloud solutions by the PA and countering the emergency situation caused by the spread of Covid19 by favoring agile work, are viewed favorably;

– the opportunity is highlighted to further support the diffusion of enabling technologies that are flexible and capable of organizing solutions also suitable for emergency contexts.

At the level of management principles and operating practices, it seems appropriate to prepare formalized procedures for the restart of operations, data recovery and the reporting and analysis of security incidents, in agreement with the authorities in charge and in the wake of the law on cyber security perimeter and related implementing decrees currently being drawn up.

A final mention is related to digital skills designed to promote the resilience of the system. In this regard, it is considered appropriate:

– promote forms of computer literacy aimed at the use of flexible applications adaptable to different work contexts, together with the adhesion and consolidation of smart working practices;

– involve the hi-tech companies themselves, both Italian and international, in training, with a view to systematizing the best practices available and educating the workers of PA and companies to the use of cloud solutions that can guarantee, at the same time, greater security, flexibility and maximum deployment of the potential that a full digital transformation brings with it.

Finally, in order to synthesize in an organic way the ideas and proposals that emerged from the analysis of the multiple facets relating to the relationship between digital sovereignty and cloud computing, the main themes have been summarized in Fig. 4.1.

In particular, the figure has a vertical dimension, which encompasses the areas that act as enablers, such as infrastructures, services and skills, and those that operate as harmonizers, in particular regulations, management principles and operational practices; and a horizontal dimension, which identifies the level of competitiveness and innovation, insisting on the main issues to think about in terms of policies, such as economic impact and market opening, user safety and protection and resilience.

The diagram thus constituted is aimed at the dual objective of detailing, on the one hand, the different fields in which to direct the discussion and, on the other, to provide an overview aimed at optimizing the search for the best trade-off between the regulation of various areas connected to the cloud and the overall impact on the country system.


This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/cloud-consigli-di-policy-per-il-governo-draghi-report-icom/ on Sun, 25 Apr 2021 06:18:33 +0000.