The public cloud market has seen huge developments over the past decade, with the Covid pandemic being an important accelerator. Cloud services have become more reliable, and are currently used by large numbers of citizens and businesses. The security of public cloud services has increased, and the large-scale deployment of updates and patches makes it far easier than before to fix errors in software. For these reasons, it was high time to revise the National Cloud Policy 2011.
The new policy allows Dutch government departments to use public cloud services. “Public cloud services offer an appealing perspective for the development of a more innovative, transparent, flexible and efficient digital government,” State secretary for digitisation Alexandra van Huffelen wrote to the Dutch Lower House. “Low initial costs and pay-per-use make the public cloud a transparent solution.
“Moreover, the risks are now more manageable than before, due to large investments by public cloud providers in securing their services. This is much more than the government is willing or able to invest in information security itself.”
Hence, the road to public clouds is finally free for Dutch public services, albeit under strict conditions.
The conditions for use cover, for example, the processing of personal data. Public clouds may not be used for basic registry, nor for the storage and processing of special personal data. All storage and processing of personal data has to comply with the General Data Protection Regulation.
Furthermore, civil servants are not allowed to store state secrets in any public cloud. Neither are they supposed to use cloud services from countries with “an active cyber programme that is aimed against Dutch interests”. Every Dutch government department is itself responsible for assessing and monitoring any relevant risk of using a public cloud service. The Dutch Ministry of Defence remains excluded from the new policy, and will not be allowed to use public cloud services.
Even though Van Huffelen is rather positive regarding the new national cloud policy, she is aware that risks remain – even indirectly. For example, should a US cloud services provider be acquired by a Chinese state-owned enterprise, the use of that particular public cloud would no longer be permitted by Dutch public services.
All departments formulate their own cloud policy and strategy, based on the new National Cloud Policy. Those bodies of the government that do not form part of the civil service are requested to follow this advice. In addition, departments are required to incorporate an “exit strategy” in their contracts with public cloud providers to make sure that, in case of the acquisition example above, they are assured of immediate cancellation of the service. This exit strategy should also indicate how the data will be returned and destroyed on the side of the provider.
“The digital world is not without risks,” said Van Huffelen. “Not even if we had a fully self-managed cloud.”
According to the Dutch Central Bureau of Statistics, in 2020, 53% of Dutch businesses used the cloud, of which 39% used a public cloud.
Van Huffelen wrote in her letter that those businesses are also demanding a high degree of security and privacy. The Dutch central bank (DNB) has been a pioneer in managing cloud risks in the financial sector.
Today, 49% of Dutch banks use the cloud, of which 38% use a public cloud. Almost 60% of healthcare organisations in the Netherlands use a private cloud, and 43% of them also use a public cloud.
Moreover, research shows that over 50% of government organisations worldwide use office applications from the cloud. These numbers were an important driver for revising the Dutch National Cloud Policy of 2011.
Van Huffelen plans to start evaluating the new Cloud Policy from 2023.