Cigref
Created 50 years ago, Cigref is an association that today brings together 150 major French public and private organizations, which are exclusively users of digital services and which together account for 1,700 billion euros in cumulative turnover and 50 billion euros in overall IT budgets.
ID: 252197741755-66
Lobbying Activity
Meeting with Benjamin Boegel (Cabinet of Executive Vice-President Henna Virkkunen), Silvia Bartolini (Cabinet of Executive Vice-President Henna Virkkunen), Xavier Coget (Cabinet of Executive Vice-President Henna Virkkunen)
6 Nov 2025 · Cybersecurity Framework
Meeting with Michele Piergiovanni (Cabinet of President Ursula von der Leyen)
6 Nov 2025 · To discuss European technological autonomy
Response to Digital package – digital omnibus
14 Oct 2025
Cigref, representing a network of 150 leading French companies and public administrations, welcomes the Digital Package and Omnibus initiative. As major users of digital technologies, our members face the daily operational and strategic consequences of fragmented, overlapping, and sometimes inconsistent EU digital regulations. We first wish to re-emphasise our support for robust EU tech rules as a mean of shielding European businesses from unfair practices by actors from third countries. At the same time, we recognise that the lack of clarity in the digital regulatory framework may inadvertently serve their interests. Therefore, we believe the priority should be to remove overlaps and contradictions that generate legal uncertainty and administrative burdens, ultimately weakening business competitiveness. We outline below several concrete examples and offer recommendations to ensure the Digital Omnibus answer these concerns.
Read full responseResponse to Review of the Digital Markets Act
23 Sept 2025
Why the DMA must capture cloud services now ? Cigrefs response to the European Commissions DMA Review Consultation While the DMA effectively targets consumer platforms such as search engines and app stores, it overlooks the most concentrated and strategic market: cloud servicesespecially those serving business users. This gap not only undermines the DMAs core objectives of fairness and contestability, but also imposes a growing cost on Europes digital sovereignty. As the European Commission assesses the DMAs impact, one adjustment is paramount: extending gatekeeper status to dominant cloud providers. The urgency is clear, and the price of inaction rises each year. This omission becomes even more critical as AI shifts from potential to realityevery AI service relies entirely on cloud infrastructure, with every AI service depending entirely on cloud infrastructure.
Read full responseResponse to European Data Union Strategy
18 Jul 2025
Europes digital future depends on our collective ability to secure access to high-quality data, foster responsible AI development, and manage cross-border data flows with sovereignty and trust. As a network representing major French companies, Cigref welcomes the opportunity to contribute to the consultation on the EU Data Strategy. Our response is informed by the diversity of our members' data practices, concerns around legal clarity, and strong expectations for strategic coherence and enhanced protection for sensitive data. Our members share the vision that digital development would support the burden reduction and automate compliance processes. We encourage EU institutions to promote such initiatives. Likewise, no data strategy would deliver its full potential without concrete actions to invest in skills and digital infrastructures (e.g., secure cloud platforms, 5G, High Performance Computing, data centers). The Data Governance Act (DGA) and Free Flow of Non-Personal Data Regulation (FFDR) have laid foundational principles. Yet, awareness and operationalization among companies remain uneven. The enforcement of the Data Act is seen as critical. 1. One objective: the free circulation of data The free, secure circulation of data, with traceability of exchanges, is essential to the creation of value. This is why the Gaia-X governance, legal and technical framework, with its federated, decentralized and trusted ecosystem, is so necessary. Companies are currently implementing projects within data spaces. Several hundred are underway, and some are already operational. For example, in the mobility and tourism sector, Eona-X has already deployed several use cases for the Paris 2024 Olympics. Data space stakeholders want to be able to compare suppliers' service offerings. This requires a harmonized description of services, based on clearly defined, shared, verifiable and standardized criteria. This enables data producers, consumers and users to make the most of their data by retaining control over data usage and the underlying technology, with verifiable rules for accessing and using data. Companies are looking to create new sources of value by developing sector-specific AI solutions or agentic AI. These approaches rely not only on trust in the cloud infrastructure hosting the models and learning data, but also on the origin of the data and respect for the consent given for their use. The description of the chain of consent must therefore comply with standards that ensure that it has been given for the intended use. That's why organizations developing or customizing AI models need to think carefully and in a structured way about the data they use and the various cloud services available to them. Gaia-X is the answer. A very short position paper explains the value of Gaia-X in the development of the European economy using generative AI here. 2. Data access and reuse: from volume to value The feedback we collected among our members is that data scarcity is not the main issue, data quality is. Our members report that identifying, qualifying, and standardizing data remains resource-intensive and complex, requiring considerable investments in time, skills, and governance. We welcome any initiative which aims at fostering pseudonymization, semantic alignment, or other technical processing, necessary for data exploitation or reuse, while keeping the highest standards in terms of traceability. We strongly support the objectives of the Data Act, as we believe it will enhance legal certainty when it comes to data sharing. However, additional guidance would be welcome to better clarify data ownership and rights, particularly in AI development. 3. A major concern: extra-territorial data flows & laws In an increasingly unstable geopolitical environment, European companies face mounting risks related to data use and international data transfers. The growing complexity of extra-EU data transfers has become one of our members
Read full responseResponse to Cloud and AI Development Act
2 Jul 2025
Cigref welcomes the opportunity to provide input on the European Commissions Call for Evidence on the new Cloud and Ai Act and the linked open consultation. The assocation represents approximately 160 French companies and public organizations that use digital technologies and cloud services. As though, it represents developers and suppliers of AI systems as well as users of cloud/edge services/AI systems. Through the consultation, the European Commission has taken up the issue of technological dependence. Cigref and its members share the European Commission's analysis to facilitate the installation of Datacenters in Europe and the greening of compute infrastructures and data centers for cloud and AI. But the heart of our response addresses the technological dependence of European companies on the cloud and its implications for the protection of sensitive data.
Read full responseMeeting with Roberto Viola (Director-General Communications Networks, Content and Technology) and
24 Jun 2025 · Digital Policies in Europe
Response to Digital services for simplifying business operations and reducing administrative costs – the business wallet
12 Jun 2025
Cigref Position on the European Business Wallet Initiative Cigref is a network of 160 major French companies and public administrations dedicated to enhancing our members digital capabilities. As representatives of significant users of digital solutions and services, we offer the following first thoughts on the European Business Wallet. Supporting the European Business Wallet initiative Cigref strongly endorses the European Commissions European Business Wallet initiative for its potential to transform business operations across the EU. As recognized in the Competitiveness Compass, this initiative will serve as a cornerstone for streamlined, digital business activities within the Union by: Providing a unique, legally compliant, and globally interoperable digital identity for businesses Significantly reducing administrative inefficiencies and regulatory burdens Creating a secure environment for businesses to verify counterparties and conduct transactions The Business Wallet will be a key horizontal enabler for the Commissions simplification agenda, allowing businesses to manage national and cross-border regulatory requirements, notifications, and compliance processes in one place. It will dramatically reduce manual processing, leading to efficiency gains and reduced administrative costs. Technical foundations A unique, legally compliant and worldwide interoperable digital identity for business will serve several use cases, especially for financial services, where Know Your Customer (KYC) requirements play a key role but also in the fight against money laundering. The EU Business Wallet should be built on the eIDAS components and rely on qualified trust services. The Commissions analysis rightly identifies key challenges driving the need for the European Business Wallet, including system fragmentation across Member States, complex compliance procedures, and resource-intensive administrative processes. Therefore, we believe that this EUBW should focus on trusted interactions and be built as a tool for businesses to verify their counterparties, thereby mitigating operational risks and reinforcing the integrity of digital transactions across the EU. It would be necessary to introduce control in the process to ensure that credentials remain valid over time. We invite the EC not to be too prescriptive in the standard used, interoperability by design should be a critical dimension. Cigref strongly shares the Commission's emphasis on trustworthiness and reliability within the Business Wallet framework. We will closely monitor the evolution of this regulation and remain actively engaged in discussions to ensure its effectiveness and successful implementation for businesses and innovation across Europe. Digital Identity is a sovereign capability of Member States with significant strategic stakes. Given its importance and the sensitive nature of the information it handles, it would be difficult to justify a EU business wallet built on non-sovereign technology. To ensure trust, security, and autonomy, the technological foundation of the wallet must itself be sovereign, aligning with Europe's broader objectives of digital independence and data protection.
Read full responseMeeting with Ioan-Dragos Tudorache (Cabinet of Executive Vice-President Stéphane Séjourné)
11 Jun 2025 · Exchange of views on tech sovereignty of the internal digital market.
Meeting with Denis Redonnet (Deputy Director-General Trade)
11 Jun 2025 · Discussion on EU dependency in the fields of cloud and software
Response to International Digital Strategy
21 May 2025
In a changing world, security and defence issues are becoming more pressing. In this unstable world, the EU must be more assertive and give itself the means to achieve strategic independence. To achieve this, the role of digital technology is key. This is why Cigref, which represents the major organisations that use digital solutions, supports the EU's approach. It is essential for the EU to define its strategic priorities so that it is less dependent on critical technologies supplied by non-European players (cloud, AI, semi-conductors, cybersecurity). This will require massive investment and support for the players involved (public procurement with a European preference) if it is to be in a position in the future to offer made in Europe digital solutions to its partners in third countries. The EU should develop European alternatives to the dominant American and Chinese platforms, but it must also stand firm on its positions and resist pressure from outside Europe. This means, among other things, not lowering the requirements of the DMA/DSA but turning them into real levers for action, by clearly including cloud services in the DMA. Independent critical infrastructures are one of the conditions for digital autonomy. To achieve this, investment, standards and norms are needed to support European players - Reconcile green and digital ambitions (e.g. green data centres) - Argue for the EU to be a standards-setter, not a follower: cybersecurity, AI Act, DSA/DMA, etc. Data security, which is the subject of the draft EUCS certification scheme, is a sine qua non for the EU's independence. The data security addressed by the draft EUCS certification scheme, which incorporates immunity criteria to extraterritorial laws, is a sine qua non condition of the EU's independence.
Read full responseResponse to How to master Europe’s digital infrastructure needs?
24 Jun 2024
How to master Europes digital infrastructure needs? A contribution of Cigref to the European Commissions White Paper Cigref welcomes the White paper How to master Europes digital infrastructure needs and the call to raise the resilience of Europes digital and telecom networks. The focus on industrial digital resilience resonates with key elements gathered in our Manifesto A Perspective on tomorrows digital world prepared ahead of the new legislative term. As Thierry Breton rightly said, digital network infrastructures are key for a competitive and resilient Europe. We understand that the future Digital Networks Act will focus on three pillars: investment, regulatory framework, and security, which are critical to achieve Europes digital ambitions. The White Paper analyses the main trends and challenges in the digital infrastructure sector and provides an overview of the current situation and future needs of the EU in terms of high-performance, secure, and sustainable digital networks and services, as well as the obstacles and risks that may hamper the achievement of the EUs digital objectives. This document opens a timely debate as the amount of data we generate is skyrocketing, which requires strategic thinking to ensure Europes independence. We share the vision that digital infrastructures are a key enabler of economic development, and the need to further secure and to invest in these technologies. We fully support the key message that the EU should assess and mitigate the risk of dependency on non-EU suppliers. Like the White paper, we would like to emphasize the critical importance of developing a robust, secure, and autonomous digital infrastructure to ensure Europe's competitiveness in the global digital economy. Digital Industrial policy Developing a strong industrial policy for digital is a key success factor for Europe to master its digital infrastructure needs. It requires three components: governance, investments and industrial targets. This industrial policy is critical to maintain/restore the competitiveness of our industries in the world. We need to re-think the innovation environment in Europe. As a share of GDP, European firms spend about half as much as their US peers on research and innovation, leading to an investment gap of around 270 billion a year. We need European Digital Champions to increase Europe's strategic independence in the digital realm. While respecting the multilateralism rules in the WTO, Europe should better defend its companies, especially the scale-up or innovative start-ups, able to develop innovative technologies and services. This industrial policy should aim at ensuring that European players, rather than hyperscalers, benefit from the growing digital internal market. Around 70% of foundational artificial intelligence models are being developed in the US and just three US companies account for 65% of the global cloud computing market. Strong policy actions are necessary to start closing the gap. This can be achieved through targeted investment programs and the development of European standards that prioritize the interests of European businesses and citizens. This perspective would also complement the work started with the Digital Markets Act which raised high expectations to really change the situation. Lock-in effects are still very strong and prevent European companies to really benefit from a more vivid market with European providers able to compete with third countries providers with top innovations and solutions.
Read full responseResponse to Report on the application of the General Data Protection Regulation
7 Feb 2024
The document enclosed is a summary of the main points underlined by business users of digital services regaring the zpplication of the GDPR. If GDPR led to a higher awareness for data protection, there are several challenges that businesses must deal with and that raised legal uncertainties : Reporting obligations are burdensome. Application of the GDPR in non-EU States. Unbalanced responsibility of the data holder. Unclear provisions leading to interpretation. Application of the GDPR and the different legislatives texts. These topics are further developped in the document.
Read full response15 Sept 2023
Cigref supports the Commission and the Council in their approach to digital regulation, particularly in the field of cybersecurity. As part of the review of its mandate and operations, we believe it is very important for ENISA to consult more widely with all cybersecurity stakeholders so that they can participate in the early stages of the review and development of cybersecurity regulations. This is why we are asking that the associations representing professional users of digital products and services, such as Cigref in France, Voice in Germany, Beltug in Belgium and CIO Platform Nederland, be involved in the work of the European Commission and ENISA from the outset. As the main beneficiaries of digital security, both for their own activities and for those of their customers, they are in a position to contribute to the debate at both strategic and operational levels, with concrete input. As with all of the European Commission's work, and in particular in steering the work of ENISA, Cigref attaches great importance to the notion of strategic autonomy. Indeed, if Europe does not manage to organise itself to establish its sovereignty, particularly in the cloud market, and if the steps it has taken in terms of legislation and investment do not produce the expected effects in the short term, its economy and therefore its businesses and public administrations will be faced with three systemic risks that our technological dependencies are constantly reinforcing: the geostrategic risk, the economic risk and the legislative risk. And the 3 pillars of data security - availability, confidentiality and integrity - are directly affected by these 3 risks. - Geostrategic risk to our economy from non-European digital solutions. The threat of a foreign power closing the digital energy tap must be considered as a strategic risk. - Economic risk. Businesses and public authorities need to preserve their autonomy of assessment, decision and action, particularly in relation to their cloud service providers. For users, this means controlling their dependence on the strategies of cloud providers who are hegemonic in the European cloud market. A supplier whose solution is taking on an increasingly dominant role in its customer's business may demand that its business model be modified. - Risk relating to non-European legislation with extraterritorial scope. It is necessary to protect the sensitive personal and non-personal information assets of companies and public administrations from legal access by non-European legislation with extraterritorial scope. For sensitive non-personal data, it is particularly important to guard against the risks posed by foreign laws authorising the plundering of data, under the heading of economic interest intelligence activities, such as section 702 of the US Foreign Intelligence and Surveillance Act or the Chinese National Intelligence Law of 28 June 2017, and in particular articles 7 and 10. In this case, the scope of section 702 of the FISA should encourage the European States to develop regulatory provisions to protect the sensitive data of the European economy confronted with the economic interest intelligence activity of the American intelligence agencies, a substantial part of their missions, for the benefit of their national industries and services. To reduce the latter risk, users are eagerly awaiting the EUCS certification scheme, which will provide significant protection against non-European legislation with extraterritorial scope. An urgent decision is essential, because time is against European interests: companies and public administrations are currently in the process of determining their cloud strategy, if it is not already being deployed. Finally, users are calling for the various security regulations (NIS2, Cyber Resilience Act, EUCS, etc.) to be brought into line with each other.
Read full responseResponse to Virtual worlds, such as metaverse
28 Apr 2023
Le Cigref accueille favorablement cette initiative de lUE sur les mondes virtuels. Nous soutenons la nécessité dinvestir dans des acteurs européens pour le développement de métavers interopérables, respectueux de lenvironnement et éthiquement conforme aux valeurs européennes. Il est important de se saisir de ce sujet dès à présent pour éviter quun petit nombre de grands acteurs deviennent les futurs contrôleurs daccès aux mondes virtuels, laissant les entreprises européennes dans un rôle de simples consommatrices de technologies dominées par des pays tiers. En tant quassociation professionnelle qui représente les grandes entreprises et administrations françaises utilisatrices de solutions et services numériques, le Cigref a animé le travail exploratoire de ses membres sur les métavers et sur les principaux enjeux à prendre en compte au sein dune organisation dans lexpérimentation des dispositifs immersifs. Ce sont les principales conclusions de ce travail exploratoire que nous partageons avec la Commission dans le document joint.
Read full responseResponse to Cyber Resilience Act
20 Jan 2023
Effective cybersecurity regulation is crucial to enabling digital transformation of European companies. Beltug, Cigref, CIO Platform Nederland and Voice-e.v. welcome the Commissions ambition to improve the cybersecurity of products with digital elements to enable businesses to use products with digital elements securely in its Cyber Resilience Act (CRA). We support the focus on ensuring software security and the risk based approach as core principles. Together we represent the communities of Chief Information Officers (CIOs) and other senior leaders that are responsible for digital technologies and digital transformations within private or public organisations. All our members are European business users of digital technologies; they acquire, implement, and use digital technologies in practise. Thanks to our expertise, we recommend the EU co-legislators to focus on the objectives below to ensure a balanced and effective Cyber Resilience Act: I. Adopt a coherent approach with other EU legal instruments on cybersecurity II. Design a meaningful and practicable conformity assessment on the vulnerabilities III. Introduce the poluter pays for the damage principle in software IV. Mitigate the risk of disclosure of the vulnerabilities V. Strengthen the provisions regarding software and open-source elements VI. Include cloud orchestration as critical products VII. Definition and practical implementation of appropriate measures (art. 10.12) The attached document sets out these proposals in more detail.
Read full responseResponse to Evaluation of the procedural rules for the implementation of Articles 101 and 102 TFEU
6 Oct 2022
Créé il y a plus de 50 ans, le Cigref est une association financièrement indépendante, qui regroupe aujourd'hui +150 grands organismes français, publics et privés, exclusivement utilisateurs de services numériques, et qui représentent ensemble 1 700 milliards d'euros de chiffre d'affaires cumulé et 50 milliards d'euros de budget informatique global. Par la qualité de sa réflexion et la représentativité de ses membres, le Cigref est une composante fédératrice et un acteur important de la société numérique en France.
Nous appelons le législateur et les autorités de régulation à s’inspirer de la Loi sur les marchés numériques (Digital Markets Act) afin de réviser les règles du droit européen de la concurrence pour l’adapter à l’ère numérique.
1) Les obligations et les interdictions inscrites dans le DMA pourraient être élargies à d’autres acteurs que les seuls « contrôleurs d’accès ». En effet, le cadre temporel du droit de la concurrence est inadapté au secteur du numérique, pour agir efficacement contre les pratiques contractuelles et commerciales déloyales. Or le DMA ne s’applique qu’à une poignée d’acteurs (les plus gros) bien que des situations de domination de marché et de dépendance des clients s’observent dans des marchés de niche et/ou concernant des acteurs de taille plus modeste.
2) Régulation ex ante, le DMA pourrait inspirer une rénovation du droit de la concurrence européen qui s’applique aux fournisseurs de services numériques critiques pour l’activité des entreprises et des organisations publiques, leur permettant de réagir avec plus d’agilité face à des pratiques déloyales. La vocation du droit de la concurrence est d’assurer un level playing field avec une égalité des chances grâce à l’application homogène des règles de la concurrence à tous les acteurs. La situation de marché de certains acteurs et la difficulté à qualifier les marchés pertinents sur des domaines technologiques complexes et évolutifs, rend très ardu (ou trop tardif) le recours au droit de la concurrence. De plus, le droit de la concurrence devrait prendre en compte les situations de dépendance et de verrouillage, et les comportements anticoncurrentiels qu’elles induisent chez les fournisseurs, après la signature du premier contrat.
3) Le rétablissement de pratiques de marché et de relations commerciales équilibrées nécessitent des sanctions efficaces et davantage de coopération entre et avec les autorités des marchés et de la concurrence locale, qui sont plusieurs à mener des enquêtes sectorielles sur les acteurs du cloud et leurs pratiques.
Ressources :
- Le document de consultation publique (rapport intermédiaire de juillet 2022) de l’autorité de la concurrence française qui s’est auto-saisit d’une enquête sectorielle sur le cloud : https://www.autoritedelaconcurrence.fr/sites/default/files/Consultation-publique-cloud.pdf
- Le rapport final de l’autorité des marchés et de la concurrence des Pays-Bas qui a investigué sur les pratiques des acteurs dans le cloud ainsi que ses propositions d’amendements au Data Act dérivant des conclusions dudit rapport :
o Market Study Cloud Services (septembre 2022) : https://www.acm.nl/en/publications/market-study-cloud-services
o ACM amendments to Data Act necessary for promoting competition among cloud providers : https://www.acm.nl/en/publications/acm-amendments-data-act-necessary-promoting-competition-among-cloud-providers
- La dernière publication du Cigref et de ses partenaires associatifs européens allemand, belge et néerlandais « 11 Fair Principles » : https://www.cigref.fr/a-balanced-cloud-market-11-fair-principles-to-unleash-europes-digital-potential
- Enfin, en PJ : un document interne élaboré par le Cigref à l’usage de ses membres, reprenant les différentes observations tirées des groupes de travail sur les grands éditeurs de logiciels et fournisseurs cloud (AWS, Google Cloud, IBM, Microsoft, Oracle, Salesforce, SAP).
Read full responseMeeting with Alin Mituța (Member of the European Parliament, Shadow rapporteur) and Banco Santander, S.A. and
20 Sept 2022 · Data Act
Response to Cyber Resilience Act
25 May 2022
Le Cigref accueille positivement la démarche de la Commission Européenne sur la mise en place d’une régulation sur la cyber-résilience. Nous soutenons la nécessité d'imposer des exigences en matière de cybersécurité sur tous les produits et services numériques dans l’ensemble de l’Union Européenne telles qu’envisagées par le Cyber Resilience Act.
En tant qu’association professionnelle qui représente les grandes entreprises et administrations françaises utilisatrices de solutions et services numériques, le Cigref a formulé une doctrine écosystémique de la sécurité numérique, impliquant les utilisateurs, les fournisseurs de produits et services numériques ainsi que le régulateur. Au niveau européen, le Cigref appelle alors à une réglementation en faveur de la sécurité par conception et de la sécurité d’exploitation des produits et services numériques sur tout leur cycle de vie.
Par le Cyber Resilience Act, le Cigref invite la Commission européenne à formuler des exigences de cybersécurité obligatoires pour les fournisseurs de services et produits numériques qui ont une activité en Europe pour améliorer la sécurité globale des systèmes d’information des entreprises et des administrations européennes.
Dans cette perspective, l’industrie du numérique devrait faire l’objet de normes minimales de sécurité, telles qu’elles existent dans d’autres industries.
Dans cette même logique, les fournisseurs devraient être soumis à une obligation d’information et d’action concernant les failles découvertes dans leurs produits et services.
Dans le même temps, la sécurité des produits et services numériques devrait être pensée sur l’ensemble du cycle de vie, de la conception à l’intégration, en passant par l’architecture, la configuration et l’administration.
Dans l’établissement de sa feuille de route, la Commission européenne peut s’appuyer et valoriser des cadres de travail préexistants sur la sécurité numérique par conception, notamment le rapport de l’OCDE, "Enhancing the digital security of products”, publié en février 2021, ou encore le rapport issu du groupe de travail 6 de l’Appel de Paris qui formule des recommandations pour la sécurisation de la chaîne d’approvisionnement des TIC.
De plus, la Commission européenne peut s’inspirer de la norme ISO 5055:2021 qui a été créée pour compléter la norme ISO 25023 relative à la qualité des applications sur 4 axes : Robustesse, Efficience de la performance, Maintenabilité et Sécurité des applications.
Le document joint expose plus en détails ces propositions.
Read full responseResponse to Data Act (including the review of the Directive 96/9/EC on the legal protection of databases)
13 May 2022
Beltug, Cigref, CIO Platform Nederland and Voice-e.v. jointly support the Commission’s ambition to ensure fairness in how the value of data is allocated among actors who are active on different levels of the data value chain. Data is not only a core component of the digital economy, but also a strategic asset of business users, in all sectors. All organisations within our associations have many years of experience with digital transformation and the processing of data. Therefore, our members have high expectations regarding the Data Act proposal. Indeed, clear rules across the single market are essential to foster innovation, growth, and trust. In that purpose, our associations have also endorsed the work led by Cigref with its members for three years on trusted cloud. Trust is the cornerstone to free data circulation, and it is based on 3 pillars: cybersecurity, mastered dependency from IT vendors, protection against third-States legislations. Data Act must deploy the appropriate legal framework to guarantee these pillars.
The Data Act is largely welcomed by our four associations and their professional IT user organisations, with a very positive stance on chapter VI article 23 (Switching between data processing services), chapter VII article 27 (International contexts non-personal data safeguards) and chapter VIII article 28 and 30 (Interoperability). The provisions are well in line with calls made by our associations for years. It will be critical to ensure that the unfair and prejudicial contractual, technical and commercial practices of supplier relations are well encompassed by the legal formulations of the text, in coherence with the DMA.
Nonetheless, several provisions would require clarifications, especially considering that many businesses are both users of digital solutions and data producers. Balancing trade secrets or confidentiality to protect companies' assets with open access and fostering innovation is a complex mechanism. In the attached document, our associations highlight some of the questions that were raised by their members during a dedicated discussion on the Data Act. We understand that some of our concerns could be lifted thanks to an open dialogue with the European institutions and we are open for further discussion.
Our attached contribution is organised in 7 points:
1. Our understanding of the Data Act and preliminary open questions
2. Switching between data processing services, a long-awaited ambition
3. Unfair contractual terms, a reality also for large businesses
4. A necessary complement to the GDPR on data portability
5. Clarity on the scope of obligations on data holders, a requisite for concrete implementation
6. Interoperability standards, a question of credibility
7. Clear rules for international data transfers, a matter of sovereignty
In addition, few examples of use cases in appendice.
Read full responseResponse to Data Act (including the review of the Directive 96/9/EC on the legal protection of databases)
25 Jun 2021
Cigref welcomes the Commission’s objective to ensuring fairness in how the value from using data is shared among businesses, consumers, and accountable public bodies. We welcome a harmonized European approach with effectiveness, fairness, proportionality as guiding principles. This data strategy is also an opportunity to foster the international competitiveness of the EU market.
Through the Data Act, Cigref invites the Commission to provide a clear framework allowing the European Union to regain control over the players in the cloud market, by deciding on the rules that apply to data sharing, rules that need to be fair, equitable and loyal.
In this perspective, it is decisive to guarantee that data owners retain full control over whether they can share or transfer data, to whom, and on what terms. The evolution of digital services within companies transformed the concept of data use, storage, ownership, and control. The digitization of the economy led to creating business solutions where data is jointly owned by the digital service providers, in particular software publishers and cloud computing service providers, and its business customers. Commercially overly sensitive datasets should be protected, in particular when considering the overall shift of IT solutions to cloud-based services, most of them being gatekeepers.
Business data are from now on, a sensitive and very valuable assets for organizations, that the future “Data Act” should protect from the exposure of extra European laws as well as any undesirable access and use, especially from external parties. In this regards, Cigref believes it is essential that the future Data Act should be an instrument for the protection of sensitive corporate data, with a scope at least equivalent to that of "business secrecy", in order to protect them against, in particular, non-European legislation in the same way as personal data, as recalled by the CJEU in its ruling of 16 July 2020 on the invalidation of the Privacy Shield.
Therefore, Cigref would also welcome provisions to end unfair practices by IT suppliers which absorb with unilateral contracts, data from their business clients. Failure to consider these risks can be detrimental for European economy. Corporate data is particularly exposed in Software as a Service, exponentially growing cloud market. Indeed, Cigref members report that, while SaaS solution providers declare they manage personal data very well (in accordance with the laws in force), the preservation of and respect for the confidentiality of their customers' data are much less clear and very poorly regulated. For example, some online service providers contractually grant themselves the right to analyse their customers' data for market research purposes and, in addition, grant themselves ownership of the analysis results. In many cases, these clauses cannot (or only with great difficulty) be changed or removed, and the anonymisation of the data cannot be checked by the customer. This data can be sensitive for the company and give the supplier a strategic advantage.
Moreover, Cigref supports the ambition to improve portability for business users of cloud services. Evidence showed that self-regulatory (‘SWIPO’) codes of conduct did not achieved its objectives, according the user organizations Cigref represents, due to the structural unbalance of means between users and providers of digital services. Self-regulation failed to efficiently mitigate unfair practices. A clear European framework with clear prohibitions would be key to foster Europe’s competitiveness and innovation. To prevent vendor lock-in, business users need to easily switch cloud providers with their data and applications. To move from concept to reality, true portability is the cornerstone of any regulation on data.
Cigref is looking forward to contributing to the upcoming consultation and strongly encourages that any legislative initiative would be aligned with the P2B and the DMA.
Read full response15 Apr 2021
BELTUG, CIGREF, CIO PLATFORM NEDERLAND and VOICE represent business users of digital technologies in Belgium, France, the Netherlands and Germany. We form communities of Chief Information Officers (CIOs) and other senior leaders who are responsible for digital technologies and digital transformation within private or public organisations.
Please find attached the Joint opinion and Recommendations of our associations with regard to the DMA, divided in 3 parts:
1. The definition of gatekeepers: a too restrictive view of platforms,
2. The proposed remedies: high expectations and potentialities on blacklisted practices,
3. The ex-ante approach in a fast-evolving market: an imperative need for an evolutive regulation.
Contact: Danielle Jacobs, CEO of Beltug
Email: danielle.jacobs@beltug.be
BELTUG vzw/asbl: 488493238396-32
Read full response