CEO minutes – March 2024
This week was very interesting for me. Right on Monday, I attended the Cloudfest event in Rust, Germany. Like every year, representatives from nearly all the significant cloud and hosting service providers from around the world gathered at the Europa Park amusement park. There were technologies on display from small providers, starting “hipster” companies, to the well-known names in the industry. The air was filled with excitement, new technologies were on display, and the feeling of excitement for the future was even better, given that the main partner this year was the Czech company Wedos. That made me happy.
On Tuesday, I had the opportunity to attend the Prague Cyber Security event organized by the National Cyber and Information Security Agency, where, in contrast, the regulation of cloud services EUCS was discussed, not only about the regulation of AI but also about how we will fare in the “age of quantum.”
On Wednesday, I then participated in a discussion on Czech Radio about how important it is for the state to have the option of an emergency brake in the form of restrictions on the use of technologies and suppliers in critical infrastructure, with the “elephant in the room” in the Czech Republic being mainly the company Huawei, because operators use their products to operate their networks and provide services not only to citizens but also to the state. It was once again a unique opportunity to see the third perspective of the problem.
This week, I therefore had the opportunity to perceive perspectives from three sources:
- Public cloud providers
- The viewpoint of problems from the position of EU state representatives
- Large telecommunications companies
What a week it was. Food for thought. I’m still processing it.
This all led me to reflect – Is regulation appropriate? If so, when and how. What should motivate states to introduce regulation and why.
The result of the mental exercise, which I took away from my experience this week and more or less motivated me to write my first article ever, is roughly as follows:
- The EU has a tendency to overregulate itself, which can lead to our own long-term technological non-competitiveness. Technological companies that will be “nurtured” by EU states or can have global success don’t even exist yet (especially in AI). We all keep asking ourselves whether Europe has a chance to raise its own giants. Founders will be around 15 years old today, and all the regulations that will come into effect during their productive lives will only discourage them from entrepreneurship. The barrier to entry will be too high.
- Regulations will lead to software tool authors, application and platform developers being forced to operate their services with large multinational corporations (Google, Microsoft, AWS, etc.). This will harm them as well as smaller hosting companies or cloud providers and ultimately also users, because the “subscription” to products will be higher (generally, costs at hyper-scale providers are always higher than at smaller cloud providers).
- States should define cyberspace in the same way as they do state borders, legislatively. If I have data stored in Germany, German laws apply to that data. If I have it stored in the Czech Republic, Czech laws apply to the data. In our case. Define clear rules for everyone. This would, after all, also help mobile operators or the energy industry. Within the EU, there should, of course, be an effort by every state to harmonize legislation.
- People should be able to directly find out in applications in which state (even within the EU), their data is stored.
- States and the EU should not define regulations based on “fear” or “concerns,” but rather on the basis of specific knowledge or the current geopolitical situation (this is what the National Cyber and Information Security Agency is striving for, and that is the right approach). Only this way can the form of laws remain timeless. We definitely should not venture into regulating something that does not yet exist on the market (quantum computers) or about which we do not know how it will develop in the future (AI).
- GOV data should always and under all circumstances remain within the infrastructure operated by the state. There are tendencies to classify data as essential and less essential, but thanks to artificial intelligence and rapid analysis, even seemingly insignificant data can be quite useful “for the wrong hands.”
However, it’s most likely that nothing will change in the approach of the EU states. EUCS, NIS2 are coming into effect just as GDPR did before them. This could lead to situation where:
- Cloud services in the EU, and thus applications operated on them, can only be offered to customers if you have data with large providers (because for smaller cloud companies, the costs associated with compliance will become more and more unsustainable…). Just the SOC2 certification costs a company about 50 000 USD in direct expenses.
- AI regulation will lead to the throttling of innovative companies in the EU.
- State organizations will continue to store data in hyperscale cloud services and will always make them “readable” for the states from which these companies originate. Thus, it will lead to what many states do not want in the EU suppliers from China or Russia, but just from the opposite spectrum. Data and information will continue to be handed over to somebody and therefore will be potentially readable for someone.
- Ordinary people will continue to be unable to find out how their Whatsapp, Facebook, LinkedIn, or TikTok actually physically stores data. And if so, with difficulty. Not in the settings of their own profile – directly in the app.
I might be wrong, and maybe it is so, but are we proceeding correctly? I ask myself. Both as someone who stands behind our own cloud products that we sell worldwide and as someone who has been dealing with cybersecurity for the last 7 years. But primarily, I ask myself as a citizen of the Czech Republic and thus the EU.
In the eyes of EU legislation experts, I would be categorized as a “protectionist.”
One thing is certain, though. Our data will mean absolutely everything in the future.