Dutch central government in the cloud

Report | 15-01-2025

Working in the cloud can increase government efficiency and improve service delivery. The audit found that the government is making avid use of the cloud. All Dutch ministries are working with it. However, they do not know what type of cloud they are using in more than a quarter (26%) of the 1,588 cloud services they reported for the audit. This is a matter of concern: the type of cloud is of fundamental importance.

It is not known whether a quarter of the cloud services reported by the ministries are public, private or hybrid

Risks often not assessed, difficult management

As part of the audit, the Court of Audit investigated the most important cloud services government organisations use to perform their primary tasks. The services related to office automation at ministries, weather data at the Royal Netherlands Meteorological Institute and customer care data. More than half of these important public cloud services are procured from the American companies Amazon, Microsoft and Google. Their use is not without risk to the government itself and to citizens and businesses. For instance, foreign governments can request data from the cloud service provider or the provider could collapse or be hacked.

Ministries must understand how they use the cloud and make risk assessments before they decide to use it. The Court of Audit found that they did not make sufficient strategic risk assessments before using a public cloud. Risk assessments were not made of 84 (67%) of the 126 material public cloud services. As a result, there is a risk that data are poorly protected and services can be disrupted without notice. Furthermore, it is difficult for the State Secretary for Digitalisation to manage overarching cloud-related risks.
 

Central government has not assessed the risks of two-thirds of its most important public cloud services

Policy differs from one ministry to another

Cloud strategies and policies differ from one ministry to another. The diversity makes it difficult for all stakeholders (ministries themselves, central government data centres, cloud providers) to make consistent agreements. The Court of Audit’s main recommendation to the government is therefore that it should present itself to the major cloud providers as a single, unified organisation. By setting frameworks, enforcing rules and controlling risks as a unified organisation, it would strengthen its position in relation to cloud suppliers and other users. The government must consider the opportunities, risks and alternatives far more effectively.

Audit approach

For this audit, we asked all the ministries to provide us with overviews detailing their cloud use. We also interviewed staff at the ministries and external experts. We audited three major cloud contracts to determine whether safeguards were in place to protect digital sovereignty, business continuity and data integrity. 

Response of the state secretary and the Court of Audit’s afterword

The State Secretary for Kingdom Relations and Digitalisation responded to the conclusions and recommendations. He shared our main conclusion that central government’s use of the cloud was a matter of concern and improvements were needed. He accepted that better management and supervision were needed on his part. We presented and provided further information on the audit in a briefing to the House of Representatives on 15 January 2025.

Do you have any feedback on this audit?

We welcome all feedback on our audits and investigations. What do you think about our report? If you have any questions or need further information, mail us at feedback@rekenkamer.nl. We read all emails carefully and treat them in confidence.