First Safe Harbor, now Privacy Shield – the European Court of Justice (ECJ) has overturned the agreement on data protection between the United States and Europe. A ruling with far-reaching consequences, because now companies must take a very close look when choosing their cloud provider. Anyone processing personal data with an overseas provider can no longer rely on the Privacy Shield, which was designed to ensure compliance with European data protection standards outside the EU.

However, correctly assessing the compliance standards of cloud providers is often a real challenge for companies. The C5 criteria catalogue of the German Federal Office for Information Security (BSI), for example, provides orientation. The catalogue lists criteria that cloud providers should fulfill to enable secure data processing in compliance with the GDPR. According to the current version, BSI C5:2020, cloud providers must also demonstrate that they meet two new areas of security criteria. The "Product Safety and Security" section, derived from the EU Cybersecurity Act, which came into force in 2019, takes into account requirements for how users use cloud services instead of only considering the security of the cloud platforms themselves, as it was previously the case.

In addition, with the introduction of the "Dealing with Investigation Requests from Government Agencies" section, cloud providers must now provide transparent proof of how they deal with government requests for the release of data. This is a criterion that US providers are currently unable to meet after the ECJ ruling because they are bound by US law regardless of the location of their data centers.

The Open Telekom Cloud, Telekom's public cloud offering, is subject exclusively to German law. Companies can therefore process data in the Open Telekom Cloud knowing they are in full compliance with GDPR. 

But what exactly does the BSI C5 catalogue achieve? With the test catalogue, the BSI wants to offer companies an orientation in the jungle of certificates. "There are currently more than 400 certificates, attestations and auditor reports on the market," says Daniel Fussy, security & privacy consultant at T-Systems. "In order to create a uniform test language in Europe, the BSI has officially defined a minimum standard for Germany in the BSI C5 criteria catalogue. When it comes to invitations to tender, officials, public agencies, their partners and suppliers are now required to select a provider that has tested its cloud services according to the criteria of the BSI C5 criteria catalog.

Since 2018, the Open Telekom Cloud has received certification every year that it provides the highest level of security and the best possible conditions for GDPR-compliant data processing. "The current discussions about the Privacy Shield as well as the handling of sensitive data, such as with the Corona-Warn-App, underline the importance of the topic of data protection and data security for cloud services, especially in the European environment," says Daniel Fussy. 

For the comprehensive test by an independent auditor, the Open Telekom Cloud is put to the test every year in a 10-month test phase. In addition, the extended criteria based on the SOC 2 Type 2 test protocol are now also being tested. "Providers such as the Open Telekom Cloud, which have been tested according to BSI C5 based on SOC 2 Type 2, offer even more comprehensive proof of the data security and data protection standard," says Daniel Fussy.

In addition, the BSI is working on a new legally compliant data protection certification for defined cloud services. This is a further development of the existing "Trusted Cloud Data Protection Profile" (TCDP) certification, which the Open Telekom Cloud received as early as 2017, making it one of the first cloud providers in Germany to do so. The new security standard is expected to be available as an accredited "Auditor" certificate towards the end of the year. Daniel Fussy: "The Open Telekom Cloud is one of the largest cloud solutions in Europe based on the OpenStack open source technology. With the proof that we regularly audit our cloud service according to the criteria of BSI C5 on the basis of SOC 2 Type 2, we once again can show that our cloud service is among the most secure in the world." European companies thus have an independent and secure alternative to US providers.

The Open Telekom Cloud IaaS offering is already being used by countless institutions and corporate customers due to the multiple-certified, highly secure data centers in Germany – from start-ups, SMES and big corporations to the CERN nuclear research institute and as the basis for the German government's Corona-Warn-App.