Radboud University regularly receives messages expressing concerns about its reliance on Big Tech, such as Microsoft 365. The University shares these concerns and is working on a new strategy in which digital sovereignty plays a key role, as apparent from their response to an open letter signed by over 600 researchers.
These concerns about Big Tech stem partly from current geopolitical developments, which also raise concerns around information security and safety. How are specific ICT solutions actually chosen? When making a decision regarding ICT, Radboud University considers three levels of risk:
Level 1
The issue at this level is security: can the supplier adequately protect our data? In this context, the University makes an estimate based on the reputation of and the risk of damage for the supplier. In this respect, the University considers Big Tech to be highly secure: customer trust in security is central to their operations and information security and its management form the foundation of their business model.
Level 2
This level is about trust: can the supplier itself be trusted with our data? SURF, the partnership of education and research institutions in which we actively take part, has established a framework agreement with Microsoft. The contracts that SURF enters into for participants from the sector safeguard key issues for our sector, such as the terms of the General Data Protection Regulation GDPR and storage of our data in the European Economic Area.
The risks that arise when one of these countries undergoes a change in administration that calls into question or even changes previously made agreements represent a new development. This could potentially have a huge impact that goes beyond the University's data alone, and could also affect the availability of crucial software and the safeguarding of our public values therein.
Level 3
This level assesses risks related to state control: is the supplier under the control of a state actor or could this happen (including as a result of a corporate takeover), and can such a state actor then be trusted? For a long time, risks at this level were assessed as low, which is why the University opted for Big Tech solutions. However, those risks now turn out to be higher than initially estimated.
At European level, for example, repeated attempts were made to reach agreements with the United States to reduce such risks. This was not particularly successful, and it turns out that such agreements stand or fall with the party in power. Since there is no controlling power or state actor that the University can turn to, and no third party that can make a fair binding ruling in case of conflict, the conclusion is that we can only parry these risks by becoming digitally sovereign.
New strategy
“We feel this urgency to make choices, among other things in response to news concerning the restriction of access to academic data in the United States on certain research topics,” says the Executive Board of Radboud University. “We are currently working on a new I-strategy in which we are exploring how to be less dependent on Big Tech and in which digital sovereignty will be a major theme. In shaping this strategy, we are working together with the faculties, divisions and the SURF nexus.”