The subject is tricky, but Oracle has decided to launch an offering called the EU Sovereign Cloud.

It claims to comply with current European requirements but is incompatible with the ANSSI’s SecNumCloud label. In the background, this initiative shows the battle being waged in the corridors of Brussels for EUCS certification.

Balancing act is the sport that Oracle has engaged in to present its EU Sovereign Cloud offering. It should be noted immediately that the term “sovereignty” is misused in view of the details of the offer. It offers a large part of the American company’s catalog, at the same price, on two data centers located in Spain (Madrid with Digital Realty) and Germany (Frankfurt with Equinix). The goal is to have the same functionalities as OCI but on separate infrastructures.

To operate this cloud, Oracle has created “two independent legal entities” in each of the countries, with European staff. But there’s a catch. These entities are entirely owned by Oracle, so they remain subject to the arsenal of US extraterritorial laws like the Cloud Act, the Patriot Act, or the FISA Act. It’s difficult, therefore, to offer this type of service to the public sector in France, which relies on the ANSSI’s SecNumCloud certification. The ANSSI has revised its framework to ensure immunity to extraterritorial laws, particularly by ensuring that the capital of operating companies is 61% European.

A partnership with Thales and a debate on European certification.

During a press conference, Richard Smith, Executive Vice President of Cloud and Technology Solutions at Oracle for the EMEA region, did not rule out the idea of forming partnerships in the future. However, for now, it’s out of the question to follow in the footsteps of Bleu or SENS. A collaboration with Thales has been announced for the encryption part. Customers can use the French company’s KMS to manage their encryption keys themselves. It should be noted that Oracle’s offering is available today for all EU and EEA (European Economic Area) countries and is targeting the public sector, as well as telecommunications and finance. While the entire portfolio is available, it will take a little longer to benefit from the Fusion Cloud Applications suite. This puts it alongside other cloud providers, Microsoft, Google, and AWS, with this type of offering.

With this initiative, Oracle plays on the ambiguity of the European regulations under discussion regarding certification levels or EUCS (European Cybersecurity Certification Scheme for Cloud Services). Today, the debate is intense between the camp supported by the French, who wish for the adopted standard to be as close as possible to SecNumCloud with strong requirements for immunity to extraterritorial laws. On the other hand, the camp promoted by the Netherlands, Ireland, and Sweden believes that this level of certification will exclude several players (including those with data centers on their territories). This is a battle not to be underestimated, as recently stated by Jean-Noël Barrot, Minister Delegate in charge of Digital Transformation during a hearing in the Senate on the Digital Space Regulation Bill: “SecNumCloud could be considered illegal if the level of certification chosen was not that one.” A door open for cloud providers’ marketing teams.

Jacques Cheminat, 2023 June 20th
lemondeinformatique.fr