The cloud security workshop was facilitated by the European Commission and focused on the issues shown in this agenda. In each session throughout the day, panels of experts in cloud computing drew on their own experience to convey their perspectives on these issues. Participants actively discussed their own experience of these issues and together prioritised mechanisms to address them.

Cloud Security Workshop: Building Trust in Cloud Services – Certification and Beyond

The workshop was streamed live online and a recording is available on our website.


You can view and download a copy of the agenda here.

Registration and coffee

Cloud Security in the context of European Commission initiatives
Pearse O'DONOHUE, Head of Unit
DG CNECT Software & Services, Cloud

Network & Information Security Directive and Cloud Computing Services
Pierre CHASTANET, Deputy Head of Unit
DG CNECT Trust & Security

Best Practice: Risk Management of cloud computing services
Facilitator: Aristotelis TZAFALIAS, DG CNECT Trust & Security, European Commission
Panel: Mikk Lellsaar (RISO, Estonia), Marnix DEKKER (IT Security Directorate, European Commission), Gilles Chekroun (VMware, EMEA), Elena ALAMPI-DAS NEVES MOREIRA (eIDAS Task Force, European Commission)

Which service management elements, such as business continuity or incident management, help to measure the risk of cloud services and meet the obligations of risk management in Art.15a(1) in the NIS Directive?  What is the role of eIdentification, authentication and trust services under the eIDAS Regulation for accessing and provisioning cloud services?   How do cloud service customers decide between Public vs Private Cloud services?  What approaches could improve transparency of risk management for cloud-based services, including the use of risk-transfer mechanisms, such as insurance?


Mikk Lellsaar (RISO, Estonia) about Estonian Government cloud

Marnix Dekker (IT Security directorate, European Commission) about the EC as cloud customer

Gilles Chekroun (Network and Security Business Unit, VMware)

Elena Alampi (DG CNECT, European Commission) about eIDAS Regulation (EU) 910/2014


Coffee break

Transparency: Incident Notification and Information Sharing for cloud computing services
Facilitator: Aristotelis TZAFALIAS, DG CNECT Trust & Security
Panel: Mario Maawad Marcos (CaixaBank, Spain), Craig Balding (Barclays, UK), Jonathan Sage (IBM, UK)

How can we make the best of incident notification and what will it take in terms of impact parameters, formats and procedures?  How can suppliers demonstrate compliance throughout the supply chain?  How could we strengthen cooperation between industry and the public sector to build trust in cloud-based services?


Mario Maawad Marcos (CaixaBank, Spain) about Incident Notification and Information Sharing



Recognition: Cloud Certification Schemes & Assurance Levels
Presentation: "C5" the Cloud Computing Compliance Controls Catalogue, Patrick Grete (BSI, Germany)
Facilitator: Pearse O'DONOHUE, DG CNECT Software & Services, Cloud
Panel: Antonio Ramos (Leet Security, Spain), Dimitra Liveri (ENISA)

How could we raise awareness of cloud security that already meets the highest requirements in terms of cyber security?  Is certification the right option or do certified cloud services attract cyber-attacks?  Does certification replace risk management or would extra guidance and best practices complement certification?  Should cloud certification be more aligned to the needs of users and cover additional aspects not already endorsed by certification schemes, such as data protection?  How can certification be made accessible for all cloud service providers, including SMEs?  What could be the most effective method to enable standardisation agreements or mutual recognition of distinct or national cloud certification schemes across the Digital Single Market?


Patrick Grete (Federal Office for Information Security (BSI), Germany) about the BSI 'C5'

Antonio Ramos (Leet Security, Spain)

Dimitra Liveri (NIS Expert, ENISA) about next steps in Cloud Certification


Coffee break

Impact Factors: Service Authentication, Law Enforcement Access, and Export Controls on cloud services
Facilitator: Mark SMITHAM, DG CNECT Software & Services, Cloud
Panel: Jan Neutze (Microsoft, EMEA), Helmut Fallmann (Fabasoft, Austria), Filippo SEVINI via video (JRC, European Commission)

What approaches are necessary for cloud computing services to support the Digital Single Market in relation to service authentication, encryption, law enforcement access, or export controls?  What service authentication possibilities are made available and recognised across borders by cloud service providers to ensure a secure way of processing data?  Are these issues common for users and cloud service providers?  Are there other, more significant aspects of cloud security that would have sufficient impact to drive the uptake of cloud services?


Jan Neutze (Microsoft) about Law Enforcement Access

Helmut Fallmann (Fabasoft, Austria)

Filippo Sevini (JRC, European Commission) about Export Controls on cloud services and Cybersurveillance


Rapporteur: Professor David Wallom
e-Research Centre, University of Oxford

Pearse O'DONOHUE, Head of Unit
DG CNECT Software & Services, Cloud