This article was written by Luc Hendrikx, CEO of CIONET International. It is based on a discussion during a exclusive round table event with Belgian Digital Leaders on June 3^rd 2021. This event was organised by CIONET with the support of IBM.

The benefits of Public Cloud are commonly know. However, cloud solutions also have clear boundaries. Despite the constraints and limitations imposed on them, regulated industries also need to improve their customer experience and modernise their core applications. In order to transform and innovate faster, they also need to be able to integrate with third-party providers and require the agility and on-demand provisioning that public cloud offers.

The term "Public Cloud" is badly chosen. It suggests that access to applications and data in this cloud is available to the public, ie to everyone. Obviously this is not the case. However traditionally general believe was that you have less control over your data and security in the Cloud than on premise. This has led most organisations to conduct classification exercises on their data, applications and business processes on which they build their cloud migration strategy. Many organisations exclude migrating to Public Cloud for major parts of their landscape for regulatory reasons. Although Cyber Security specialists are gradually convinced that security and control in the Public Cloud is better than on premise when done right, many misconceptions still exist amongst risk management, regulatory and legal professionals. 

Some organisations have moved on and pivoted away from this approach. They reached a clear tipping point. If part of their business requires the benefits of the Public Cloud, they decide to go to Public Cloud despite the regulatory challenges. They start working with their technology partners, regulatory experts, risk managers, legal teams and their regulators to overcome these challenges. They start from the conviction that solutions exist! The major challenge is to select the right cloud service that matches the requirements of your use case. New techniques like Hyperprotect and Confidential Computing are maturing rapidly and create new opportunities. Be aware however that they also have a significant cost impact and can fundamentally change the business case.

If you want to move beyond the low hanging fruit and start leveraging Cloud for core processes in your regulated business, the panel recommends the following:

• Start with a smaller but critical application and proof that you can overcome the challenges. A bank in Luxembourg managed to move their SWIFTnet gateway in the public cloud in a compliant way.
• Analyse the rules and regulations in all relevant jurisdictions and build a controls framework that allows you to address the regulatory challenges in a structured way. This will help you to understand which type of data and processes require which type of Cloud Services. Not all clouds are the same.
• Engage in workshops with your regulators from the very start of the project. They won't approve your approach, but they will point out all the challenges. The process will allow them to gain confidence and build trust.  
• Most regulated organisations prepared their move to Public Cloud thoroughly. Several delegates stated that the preparation phase can take up to two years. This includes building up new capabilities and skills as well as redesigning existing practices such as cost allocation mechanisms.

Finally, the panellists also discussed the fact that the hyperscale cloud providers are gradually becoming more powerful and systemically important than nations, multi-national clients and regulators. If their importance continues to grow, regulators might end up with only one option: make data centers a public good. The panellists strongly recommend the hyperscale cloud providers to take this into consideration and to work with them to properly address all local regulatory concerns.

I would like to thank our panellists for the constructive discussion, their insights and the great learnings. During this executive lunch, our panel consisted of:

• Uwe Klatt, Managing Director, Geva
• Vincent Stas, Director Infrastructure and Security, Telenet
• Brecht Stubbe, Chief Information Officer, RIZIV
• Guy Wuyts, ICT Director Business Solutions, Argenta
• Philippe Gericke, IT Director for Quality, Manufacturing sites (Non-Be) and CIO office, GSK Vaccines
• Zakaria Jdaoudi, IT Manager, Euroclear
• Johan Kestens, MD/CIO, Bank of New York Mellon European Bank
• Michel Desfawes, ICT Manager, Eurogentec
• Dirk Claus, Manager Business Intelligence, Mutualités Libres / Onafhankelijke Ziekenfondsen
• Ann Webers, ICT Manager , AHOVOKS Vlaamse Overheid
• Alain De Maght, Chief Information Security Officer (CISO) & Data Protection Officer (DPO), Hôpitaux Iris Sud
• Didier van Riel, Cloud and AI specialist, IBM
• Peter Neirynck, IBM Cloud Platform Sales, IBM
• Wouter Denayer, CTO BeLux, IBM