Would you prefer to see any changes to the present proposals before they’re gets passed into laws? “In the intervening time, they’ve these 4 different risk levels, and probably the most critical one — No. 4 — is one where they accept only open source and European solutions. That is the best risk level, but this is barely for 1% of the market. I hope that it’s higher understood that greater than 1% should care about this more.
“If you could have something which is totally not critical, possibly doesn’t possess any personal data in any respect — sure, it’s totally advantageous [to use non-EU suppliers]. But when you could have GDPR requirements, espionage protection, no vendor lock-in, and so forth, then there ought to be more of that [the highest requirement level].”
US firms have attempted to deal with European customers’ concerns in alternative ways, with sovereign marketed cloud services and joint ventures with European providers. Microsoft 365 Local is designed to run on premise. Where do you draw the road between what’s actually a sovereign solution and what some call ‘sovereignty washing? “Sovereignty has different dimensions, in fact. But for those who have a look at the issue of the CLOUD Act alone, which supplies foreign agencies full access to the information here, then the entire concept that it’s enough to have European data centers — that’s not enough. It’s clearly written within the CLOUD Act, that even with [European] data centers, or subsidiaries, it still applies.