The Dutch government will be allowed to store sensitive data in commercial public cloud environments. Government entities will also be allowed to use cloud-based services provided by major providers. Alexandra van Huffelen, State Secretary for Digitalization, shared the news in a letter to the House of Representatives.

According to Van Huffelen, public cloud apps have become standard in business. The national government has delayed adoption for security and privacy reasons, but will soon start catching up.

Van Huffelen notes that the benefits now outweigh the risks. According to the state secretary, it’s time for a new cloud strategy for the central government. Public cloud services can be used at relatively low costs. Risks are increasingly manageable.

Van Huffelen says that large cloud providers invest great funds and expertise in securing services. Resultingly, the state secretary believes public cloud services are an attractive prospect for developing an innovative, transparent, flexible and efficient national government.

Conditions

However, the use of public cloud services is subject to conditions. For instance, commercial cloud services are not allowed for storing or processing confidential information. No services may be purchased from suppliers in countries with an active cyber program targeting the Netherlands. Furthermore, the Ministry of Defense falls outside the scope of the new policy.

In addition, all ministries must draw up a risk analysis before using public cloud services. This risk analysis must comply with a guideline to be presented by the government’s Chief Information Officer (CIO Rijk) before the end of the year. The CIO Rijk will also monitor the application of the policy.

Furthermore, all ministries must set up an exit strategy for their public cloud services. In principle, they can’t use public cloud services for storing and processing special personal data and the basic registration of personal data. All personal data storage and processing should take place in a responsible manner, in line with applicable privacy requirements.

The Dutch Data Protection Authority will be responsible for supervising the use of commercial public cloud services by the national government.

New strategy replaces old

The national government’s new cloud strategy corresponds with daily practice. Ministries have been using Microsoft’s systems for years, including Office and MS Teams. Through the new strategy, ministries and related government services can also use the public cloud environments and services of other providers, such as AWS and Google Cloud.

The latter was impossible in the former strategy, which took shape in 2011. The strategy focused on private cloud environments instead of public cloud environments. Both will be permitted in the near future.

Tip: Privacy authority bans Google Workspace in Danish municipalities