The public cloud market has seen huge growth over the past decade, with the Covid pandemic being a key accelerator. Cloud services have become more reliable and are currently used by a large number of citizens and businesses. Public cloud services have increased security, and the large-scale deployment of updates and patches makes it easier than ever to fix software bugs. For this reason, it was time to amend the National Cloud Policy 2011.
The new policy allows Dutch government departments to use public cloud services, Secretary of State for Digitization Alexandra Van Hafelen wrote in a letter to the Dutch Lower House. “Low upfront costs and pay-per-use make public cloud a transparent solution.
“Furthermore, the risks are now more manageable than ever due to the large investment public cloud providers have made to secure their services. That’s far more than governments themselves are willing or able to invest in data security.”
Hence, the road to the public cloud is finally free for Dutch public services, albeit under strict conditions.
Furthermore, government employees are not allowed to store state secrets in any public cloud. They are also not supposed to use cloud services from countries with “an active cyber program aimed against Dutch interests.” Each Dutch government department is itself responsible for assessing and monitoring the relevant risks of using a public cloud service. The Dutch Ministry of Defense is still excluded from the new policy and will not be allowed to use public cloud services.
Although Van Hafelen is rather positive about the new national cloud policy, she is aware that risks remain – even indirectly. For example, if a US cloud service provider is acquired by a Chinese state-owned enterprise, use of that particular public cloud will no longer be permitted by Dutch public services.
All departments develop their own cloud policies and strategies based on the new national cloud policy. Government agencies which are not part of the civil service are requested to follow this advice. Additionally, departments should include an “exit strategy” in their contracts with public cloud providers to ensure that, in the case of the acquisition example above, they are assured of immediate termination of service. This exit strategy will also dictate how the data will be returned and destroyed on the provider side.
“The digital world is not without risk,” Van Hafelen said. “We didn’t have a fully self-managed cloud though.”
According to the Dutch Central Bureau of Statistics, in 2020, 53% of Dutch businesses used the cloud, of which 39% used the public cloud.
Van Hafelen wrote in her letter that those businesses are also demanding higher levels of security and privacy. The Dutch central bank (DNB) has pioneered cloud risk management in the financial sector.
Today, 49% of Dutch banks use the cloud, of which 38% use the public cloud. About 60% of healthcare organizations in the Netherlands use a private cloud and 43% of them use a public cloud.
Moreover, research shows that more than 50% of government organizations worldwide use Office applications from the cloud. These numbers were an important catalyst for revising the 2011 Dutch national cloud policy.
Van Hafelen plans to start evaluating the new cloud policy from 2023.