Monaco's sensitive data replicated in Luxembourg
Following an agreement signed between Monaco and Luxembourg, Monaco's sensitive data is now being hosted in the Grand Duchy, where it is protected against security breaches and data loss...
In Monaco, as indeed in many other countries, the priority is to ensure that public services and the economy continue to run smoothly in case of cyberattacks or severe flooding. The sovereign cloud, which stores the Principality's sensitive data, is to be afforded an additional layer of security, with the creation of a “backup datacentre.” This important step is now complete... in Luxembourg: a highly secure datacentre - managed by a body under the control of the Grand Duchy of Luxembourg - has recently been created and should, by the end of 2023, allow all of the Principality's institutions and critical operators to protect their data against “potential breaches, damages, destruction, and partial or total loss, resulting among others from natural disasters or unlawful acts”.
According to applicable safety standards, a recommended relative geographic distance of at least 150km between storage sites should be observed between the primary datacentre and its “recovery site”. And so, the Principality of Monaco and the Grand Duchy of Luxembourg entered into a bilateral agreement in 2021, which was ratified when the National Assembly approved it last April. “It provides and improved safety margin, since the data and systems are located exactly 1,034 km from Monaco”, explains Pierre Dartout, Minister of State.
A hosting solution adopted by NATO and Estonia
The idea of hosting data in Luxembourg is not a new one, and has already been implemented by NATO, the EU, and Estonia. “It should be possible to resume the Principality's essential activities from Luxembourg, by isolating and recovering the systems under attack, if such events were to occur” one can read in the laws of Monaco that enshrine its agreement with the Grand Duchy. This bilateral agreement is founded on privilege and immunity guarantees set forth in the Vianna Convention governing diplomatic relations. Thus, rented secure facilities “cannot be searched, requisitioned, seized, or subjected to law enforcement measures. No person, regardless of their administrative, legal, military, or law enforcement duties within a national or local entity of the Grand Duchy of Luxembourg, or abroad, will be allowed to enter the facilities without prior authorisation by the Principality of Monaco.”
In furtherance of this agreement, Monaco's datacentre in Luxembourg has been afforded additional legal protections in the case of a cyberattack: Monaco's legal bodies will be allowed to prosecute, charge, and sentence, in Monaco, foreign nationals located outside of Monaco's borders who attack one of its datacentres abroad.