Action 121: Follow up of the European Cloud Computing Strategy

The European Commission published a Cloud computing strategy in September 2012.

In September 2012, the Commission published a Cloud computing strategy. The Commission is now implementing the key actions of the strategy. It is also looking into how to enhance the strategy further. This action is complemented by Action 122.

What is the problem?

The advantages of cloud computing are numerous and there is no doubt that cloud is bound to play a major role in tomorrow's economy. The benefits of cloud services for the economy are illustrated in a study contracted by the Commission. It is in fact estimated that cloud can contribute up to €250 billion to the EU GDP in 2020 – that could reach a total cumulative gain of €940 billion for the period 2015-2020 [1]. The EU needs to ensure that challenges linked to the use of cloud are transformed into opportunities for European companies in order to fully exploit the possibilities that cloud is offering and mitigate the risks.

Why is EU action required?

EU action is required to speed up and increase the use of cloud to the benefit of users and services providers alike.

What has the Commission done so far?

In September 2012, the Commission adopted a Cloud Communication [2], which aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy, which can cut ICT costs and, when combined with new digital business practices [3], can boost productivity, growth and jobs. The Communication consists of three key actions: 1) standards and certification, 2) model contract terms and 3) the European Cloud Partnership (ECP).

The Commission has tasked ETSI with coordinating, in an open and transparent way, the identification by 2013 of a detailed map of necessary standards, inter alia for security, interoperability, data portability and reversibility. The Cloud Standards Coordination (CSC) process started in December 2012 with a kick-off meeting in Cannes and aimed to produce a draft report on existing cloud standards, including their relevance to different standardisation needs (SLAs, interoperability, and security and privacy) in defined use cases and with respect to different stakeholders and their roles in the service provisioning. With stakeholders' participation, ETSI completed its Cloud Standards Coordination (CSC) initiative in December 2013 and delivered a mapping of existing cloud computing standards.

Moreover, the Commission has been working with the European Union Network and Information Security Agency (ENISA) and other relevant bodies to assist in the identification of EU-wide voluntary certification schemes for cloud computing (including data protection) and establish a list of such schemes in 2014.

Cooperation with industry and ENISA resulted in the publication of a validated list of cloud computing relevant network and information security certification schemes in February 2014. Certification schemes are the requirements, procedures and means available for obtaining a certificate; certification can be used to provide assurance that a business complies with a certain standard. On-going work with the support of ENISA will further enhance the usability of this list of certification schemes by the end of 2014. New certification schemes will be added to the list and ENISA will enhance the functionality that will allow cloud computing customers to compare certification schemes and cloud computing services offerings.

As regards the second key action of the Communication, the Commission has started to work with stakeholders to develop model contract terms and conditions for Service Level Agreements with the aim of facilitating cross-border transactions in the Single Market. In February 2013 a subgroup on Service Level Agreements was established within the C-SIG. The C-SIG Service Level Agreements Subgroup decided to start drafting guidelines defining standard options for service level agreements (expected before the summer of 2014).

The Commission also set up in June 2013 a group of experts who work on safe and fair conditions for cloud computing contracts in order to facilitate the improvement of contractual arrangements between cloud computing service providers and consumers and small firms. The Expert Group should help identify best practices relating to cloud computing contracts and work towards ensuring that terms and conditions in cloud computing contracts are safe and fair. The final results are expected by the end of summer 2014.

Moreover, a subgroup on the code of conduct was established within the C-SIG, with representatives from a number of cloud suppliers and other industry stakeholders. The C-SIG Code of Conduct Subgroup is working on the data protection code of conduct for cloud service providers to support a uniform application of data protection rules and to build trust and confidence in the field of cloud computing. The code of conduct for cloud providers was sent to the Article 29 Working Party for a positive opinion in February and was received with a positive attitude. The final approval, through a positive opinion issued by the Article 29 Working Party, and the delivery of the code of conduct to the Commission are expected by the end of 2014.

The European Cloud Partnership (ECP) is the third key action of the Cloud Computing Communication, aiming at bringing together industry experts and public sector users to work on common procurement requirements for cloud computing. A steering board with high-level members from Member States and cloud service providers was also established to provide the Commission with advice on cloud-related subjects.

The European Cloud Partnership published on March 21st its Trusted Cloud Europe vision document, which includes recommendations to establish a common understanding of cloud computing best practices in Europe, such as on data protection, security and certification. A public survey on Trusted Cloud Europe was open until May 2nd.

What will the Commission do next?

The Commission will deliver on the key actions identified in this Communication, notably in respect of the actions on standardisation, code of conduct and certification for cloud computing, the development of safe and fair contract terms and conditions and the European Cloud Partnership.

The Commission will also report on the progress on the full set of actions described in the Communication and present further policy and legislative proposal initiatives as needed.

Progress Report
Status: On track
Ken DUCATEL