1 Introduction and summary

Future growth and welfare in Norway are contingent on continued increase in productivity.¹ Two key factors for growth are innovation and new business development. In order to meet future requirements for public services, we need to make better use of technology. The private sector, particularly service industries, needs to improve at adopting new technology to ensure continued increase in productivity.

Public sector enterprises vary widely in terms of needs, risk profiles, financing and available expertise. One thing they have in common is a responsibility to choose the most appropriate and cost-effective ICT solutions that meet their needs. It goes without saying that the same applies to business and industry.

The public sector has a duty to operate as cost-effectively as possible, but it also has a responsibility to properly safeguard citizens’ personal data and to protect their interests. It is therefore important that all available solutions be assessed – including cloud computing – when deciding which ICT solutions to procure. Services from the public cloud will suit some enterprises, but not all. The best solution is often a combination of delivery models.

When enterprises are asked about their motivation for considering cloud computing, the usual answers are reduced costs and increased flexibility, but a third answer we are hearing more often is: “This is how solutions are being supplied now. If we are to have the latest version of the systems we want to use, then we have to choose cloud services.” Cloud computing can reduce the need for investment and thus reduce the risks associated with establishing a new business or developing new services.

However, many enterprises – both public and private – find it difficult to know whether cloud computing is legally permitted and sufficiently secure. And is it really acceptable to store personal data abroad? The Government’s aim for this strategy is to clarify questions like these.

Strategy objectives

The main objective of the Cloud Computing Strategy for Norway is to provide public and private enterprises with more room for manoeuvre when deciding which ICT solutions to use. Provided that other important considerations are not compromised, enterprises should be able to use cloud services wherever they promise the best result and the most cost-effective solution.

The strategy should facilitate:

  • more cost-effective ICT solutions
  • increased focus on core activities
  • greater flexibility
  • greater security through more professional and standardised ICT
  • lower threshold for innovation and startups
  • reduced carbon footprint from ICT operations

Target group for the strategy

This strategy is aimed at all enterprises, both public and private. Much of the strategy is directly aimed at the public sector, but these parts will also have transfer value for business and industry. Not least, it will be important for those segments of the private sector delivering ICT solutions to the public sector to know what principles public sector enterprises must follow when procuring new ICT services.

The strategy is not aimed particularly at consumers. While there are several interesting issues related to cloud services for consumers, they are not within the scope of this strategy. Such issues fall under the mandate of the Norwegian Ministry of Children and Equality and the Norwegian Consumer Council.

Summary

The strategy is structured in such a way that the general sections – those addressing both the public and the private sectors – are presented first.

Chapter 2 discusses important features, benefits and challenges of cloud computing. This chapter also discusses some important general considerations that must be taken into account when procuring cloud services.

One important part of the work done on this strategy has been to review Norwegian legislation to identify any obstacles to the use of cloud services, and to assess whether something should be done about them. It is also important to look at areas where legislation is complicated or vague and assess whether laws and regulations relating to cloud computing can be clarified.

The legal review has resulted in some important measures:

  • Revision of the Regulations pursuant to the Public Archives Act and, where appropriate, sections of the Public Archives Act to better adapt archiving regulations to digitisation. One point to be considered is the need for amendments to allow public bodies to use cloud services with servers located outside Norway for archiving purposes.
  • Assessment of the possibilities for expanding the number of countries where bookkeeping data can be stored legally. Important measures in this area are already under way in the European Union (EU), and Norway will monitor developments closely.
  • Efforts to harmonise supervisory practices as far as possible, so that enterprises do not encounter conflicting requirements issued by different supervisory authorities.
  • Input to the EU’s work on establishing common criteria (standards, certification schemes, etc.) for cloud services.

The legal challenges are discussed in more detail in chapter three.

The Government has already implemented one key measure addressing cloud services. The Circular on digitisation for 2016, which was issued to all public agencies, included the principle for using cloud computing:

  • Cloud computing shall be assessed on the same basis as other solutions when considering major changes or reorganisation of ICT systems or operations:
    • when procuring new systems or performing major upgrades
    • when undertaking extensive replacements of hardware
    • when existing operating agreements expire
  • When they offer the most appropriate and cost-effective solution and when no particular obstacles stand in the way of using them, cloud services should be chosen.
  • The chosen solution must satisfy the agency’s requirements for information security. This means that enterprises must know the value of their own systems and data, and perform a risk assessment of the chosen solution.

The principle for using cloud computing is discussed in more detail in chapter 4 Conditions for using cloud computing in the public sector.

Chapter 4 also discusses control issues relevant to the public sector, as well as what control mechanisms exist for cloud computing. We also present measures that will make it easier for public sector enterprises to assess cloud services:

  • Resources to support enterprises in assessing and procuring cloud services.
  • A project to identify and evaluate different models for a potential marketplace and/or procurement framework for cloud computing services aimed at the public sector.
  • The Government also wants to facilitate better utilisation of existing public data centre resources, in particular for agencies with such security requirements that they are considering buying high-security data centre services or establishing their own data centres in Norway. In such cases, agencies must assess the possibility of utilising free capacity from – or cooperating with – other agencies with similar needs.


Footnotes

1. NOU 2015:1 Produktivitet – grunnlag for vekst og velferd [Productivity – Underpinning Growth and Welfare]. First report of the Productivity Commission.