Late in 2022, an update of the Dutch Corporate Governance Code was released to include a section on governance of IT. The code prescribes rules of conduct for directors of listed companies to protect the interests of shareholders, employees and other stakeholders.
The revision means that, in their annual reports for 2023, listed companies will be required to explain how they ensure that crucial IT systems continue to run smoothly and securely. To make this transparent, the Dutch professional association of IT auditors, Norea, has developed a digital counterpart to the financial statement: the “IT in control” statement.
Michiel Steltman is a core team member of the Dutch Online Trust Coalition (OTC), an alliance of more than 20 organisations from business, science and government committed to a trustworthy cloud. According to Steltman, this digital equivalent of the annual financial report is a step in the right direction, but there is still a lot of work to be done.
“For example, there’s a need for better cooperation among regulators to ensure that companies do not need to meet dozens of different lists with security requirements and have 10 different auditors checking almost all the same things,” he said.
“It is complicated for customers and other stakeholders such as consumers, shareholders, citizens, financiers, as well as auditors and regulators, to get assurance on the reliability of cloud services.
“There may often be a proprietary statement on a provider’s website that you just have to rely on. Or maybe there are reports available, but these can only be accessed by auditors,” he said, adding that this makes it difficult to assess how a cloud provider has its security in place.
For providers, on the other hand, the difficulty is that stakeholders often all demand additional evidence to prove that all legal reliability requirements are met.
“Especially for the smaller players, and we have many of them in the Netherlands, this is impossible,” said Steltman. “Every audit or certification costs time and money. If we remain impassive about this in the Netherlands, we run the risk that soon only the big tech will remain, and we as consumers will lose our freedom of choice.”
To arrive at a situation where providers can demonstrate what they have done to ensure security and stakeholders can reliably understand that evidence, the OTC has identified three pillars. The first is to work towards standardised and harmonised security and IT governance frameworks. The second is that audits and inspections should also be standardised and meet set requirements. The third is that there should be reports that are accessible and usable by all stakeholders.
“At the moment, the second and third pillars are still hardly happening, and this creates problems and a jungle of labels and certifications. If any of these three pillars are missing, the necessary trust and assurance will not occur,” said Steltman.
At the European level, work on the European Union Cybersecurity Certification Scheme on Cloud Services (EUCS) directive, which is being developed by ENISA, has been going on for some time.
“Initially, this was a French-German marriage, where they wanted to cast the German C5 [Cloud Computing Compliance Controls Catalogue] together with the French SecNumCloud into a new seal of approval,” said Steltman.
“As the Online Trust Coalition, we were able to add some important principles from the Dutch hallmark Zeker Online. Our ideas around auditing and reporting ended up in the EUCS. We are quite proud of that.”
Reuse and cooperation crucial
The next step envisioned by the OTC is the reuse of declarations and statements. “Our concern is that despite the EU’s good intentions to harmonise, regulators will still come up with their own lists and compliance checks again,” said Steltman. That’s where Norea’s “IT in control” statement comes in.
“This way, companies can show that they are in control with respect to their IT and security, which can include the use of suppliers that use the EUCS. That may be a strict inspection with a long list of requirements, but such a yearly audit should then suffice for many purposes,” said Steltman.
The crux lies in the fact that buyers must accept that this is the standard by which organisations prove that their affairs are in order. “Currently, we’re still in a situation where everyone draws up their own security requirements and wants to request proof of this in their own way.”
Steltman is convinced that cloud providers want to prove that they have their security under control: “But it is impossible to have to do that tailor-made for every customer. That’s where the regulatory burden lies in practice, not in taking the security measures themselves. And this is exactly why it is vital that we work towards standardisation and harmonisation.”
The Netherlands has a large, broad digital sector with many SME players. To keep the market healthy, it is crucial that they can continue to compete and not get bogged down in regulation, hallmarks, and labels.
“Otherwise, the same will happen as happened in the telecoms market – only the big companies will remain. In doing so, you play right into the hands of the tech giants of this world and at the same time limit customers’ freedom of choice,” said Steltman.
Great need for EUCS
The European Union is also striving for harmonisation, but this has not yet been achieved in practice. Therefore, it is necessary for the Netherlands to start taking steps itself, Steltman believes.
“Regulators have to start relying more on the judgement of each other,” he said. “That is still a big challenge, although some of the Dutch regulators have now realised that they have to start working together because they all are already swamped.”
Meanwhile, the EUCS has been sitting on a shelf for two years already due to a conflict with France, much to Steltman’s frustration. The French government wants to exclude non-European cloud vendors from the highest level of cyber security assurance. To qualify for that level, applicants must prove that no non-European actors have access to the data – or, in other words, only work with and according to EU legislation.
According to Steltman, these are political influences that have no place in the development of EUCS: “There is a huge need for this scheme at the European level, which is why it should be released as soon as possible, free of political influences. After that, we can talk further about sovereignty.”