Ref. Ares(2017)1248292 - 09/03/2017
Report from the European Cloud Partnership Steering Board
meeting of 4 July 2013 in Tallinn
On 27 September 2012 the Commission adopted the European Cloud Strategy in the form of a
Communication entitled "Unleashing the Potential of Cloud Computing in Europe", in which it
announced the intention to set up a European Cloud Partnership (ECP).
Under the guidance of the Steering Board, the ECP brings together public authorities and industry
consortia to advance the objectives of the Strategy towards a digital single market for cloud
On the 4th of July 2013, the ECP organised its second full Steering Board meeting in Tallinn.
2. Meeting report
Introduction and state of play on EU initiatives
President Toomas Hendrik Ilves provided the introduction to the session, reminding the ECP that
recent events surrounding PRISM have brought into daylight both risk and opportunity. They have
forced us to move more quickly towards secure and lawful cloud computing in the European Union.
President Neelie Kroes welcomed the ECP members and sherpas, agreeing that recent events
have provided a wakeup call. It is up to the ECP to use this opportunity to build buy-in and support
from businesses and politicians. There is a need to work rapidly: we need to deliver a strategy and
concrete inputs before the October 2013 Council meeting, in the form of an EU cloud approach that
gets rid of fragmentation in the cloud market and helps build the Single Digital Market.
The state of play surrounding the key actions of the European Cloud Strategy was presented by Ken
Ducatel. The planning and timing of each of the three key action points (standards mapping -
standard contractual work, including SLAs - European Cloud Partnership) was discussed, noting that
most key deliverables are scheduled after the Council meeting.
It was clarified that the standards work aims to provide a mapping, not new standardisation. Good
progress was noted, and there was strong support for progress on security issues. The Board stated
a need for progressing this area as fast as possible, especially in the context of the recent PRISM
revelations. In other (non-security) areas of standards, there was less buy-in, and there was a strong
call for the voices of users of cloud services to be factored in at an early stage. The work should
consider the views of public CIOs and private CIOs, and should bring these two streams of work
together in a comprehensive mapping. Open questions were the testing of the mapping and periodic
revision; this is still to be addressed. Ms. Craig-Wood questioned whether it is possible or desirable
to standardise cloud services beyond working on security requirements based on ISO27001.
Efforts are also underway to compile a cloud Code of Conduct, to be endorsed by the Article 29
Working Party. The adoption of such a Code of Conduct that cloud providers could choose to adopt
voluntarily is envisaged to act as a confidence builder for businesses and citizens. The work is
planned to complete by April 2014, due to the need to liaise with the Article 29 Working Party and
due to the influence of the proposed General Data Protection Regulation.
The Cloud for Europe project was presented by M. Michael Hange (BSI) and M. Reinhard Posch
(Austria). The key security challenge is the lack of transparency on security. This is separate from data
protection compliance: while security is a necessary part of data protection compliance, we also
need more transparency on standards, on the processes behind their use and implementation, on
the requirements for service providers, and on the underlying guarantees for cloud users so that they
have confidence that their prerequisites have been met.
The Cloud for Europe project leverages public-private cooperation through pre-commercial
procurement with the objective of implementing a safe and compliant cloud for the public sector.
The project will address technical, legal and operational security requirements, and will officially
launch in Berlin on 14-15 November. It is an FP7 project, containing 24 partners across 11 countries.
M. Jim Hagemann-Snabe (SAP) presented the work around Cloud Certification Schemes
that cloud computing is crucial to support the future European economy and competitiveness in
general, and not just to create new services. Could we define high levels of quality – e.g. bronze-
silver-gold levels of security - and let consumers and businesses choose in a free market model? This
approach might have sufficient commercial appeal to generate business in the EU.
The debates following this presentation brought forth notably the following points:
Data protection was a major concern. Compliance is too hard, both for providers and users;
To mitigate data protection challenges, data is frequently required to stay in European data
centres (European clouds). Doing so may be economically viable: European clouds would not
be the cheapest, but the added cost can be offset by a data protection/security benefit;
The ECP members acknowledged the need for legal change, but revising legislation takes too
long. Compliance guidance is therefore the most appropriate road forward in the short term.
M. Thierry Breton (ATOS) presented the activities around model terms and conditions
incidents have caused concern in the market. Given the need for quick action, it may be advisable to
prioritise European clouds over transatlantic partnerships. SLAs are a key tool for this, as they can
provide transparency, assurances and therefore trust. The activities revolve around three key
deliverables, building on a unified contractual vocabulary: template SLAs with terms and conditions,
a cloud decision flowchart, and a cloud checklist. A recurring concern is controlling data flows: there
is a strong demand in the market for ensuring that cloud data flows can be contained to Europe; data
should not flow through territories that don't respect EU legislation and EU policy principles.
Mr. Fredrikson (F-Secure) presented the activities on SME, cloud security and software
knowhow and resources are generally limited in SMEs, and they are becoming increasingly aware of
this. This is one of the strengths of cloud computing: the cloud allows users to integrate security into
infrastructure at a much higher quality level than with the non-cloud outsourced services that SMEs
would typically use. This represents a huge opportunity. The main outputs of these activities were (1)
the Cloud security guide, i.e. a set of Q&As for SMEs along with their contractual/SLA implications;
and (2) the Cloud software guide, i.e. guidelines for SMEs, insights and experiences that help them to
adopt the cloud. Debates showed that the ECP members saw a convergence: lighthouse activities
could result in a homogeneous package of guidelines, standards, best practices and standard terms.
The SB members in general supported the current approach, consisting of the identification of best
practices (with respect to security, standards, contractual terms and guidance) coupled with an
opt-in voluntary approach to adoption.
Recommendations and advice from the Steering Board
After a discussion on public sector clouds, led by a presentation of the French situation by M.
Jacques Marzin (France), the following conclusions emerged:
Cost savings can be realised relatively easily through data centre consolidation; support from
data protection authorities (the CNIL in France) is important to build trust;
Due to data protection concerns, public data without privacy implications can be entrusted
to public cloud services in France, but private data must be limited to private/hybrid clouds;
Major challenges are the interoperability between clouds (given the separation between
public/private clouds) and vendor lock-in; this is always difficult for mixed models.
President Ilves noted that the main rule that enabled trust for Estonian citizens is data ownership:
the citizen is the legal owner of his/her data and has control over who can access them. The Board
supported this lesson, and also highlighted the importance of technical solutions (including
encryption) to support security: the goal is ensuring security, not keeping data within the borders of
states (as currently valid laws require). President Ilves noted that Estonia and Finland intend to work
together to build mutually interoperable e-service systems. This might eventually allow both
countries to move backups of data to data centres established outside of their borders to support
redundancy – but to achieve that, we will need to deal with the legal aspects of data storage abroad.
In a summing up debate initiated by M. Dev (Telefonica), the following conclusions emerged:
An approach based on certification against two or three security levels seems very useful.
There is a need to identify minimal standards, based on existing best practices. These
should focus on public sector needs, but the private sector is free to adopt these if it sees a
benefit to doing so. Past experiences with the GSM standards are recalled, where a strong
and forced EU level standardisation push made the EU a global leader in mobile technology.
With a single standard the EU cloud sector could lead the world market for cloud services.
All of these needs could be met through a charter based on the work done within the ECP.
The following action points were broadly supported:
Drafting of a charter, lightweight and based on existing practices and lessons, that private
companies can opt into. This needs to be in place before the October Council meeting;
Validation of the charter with 9 Member States to be selected, with a view of possible
Inventorisation of lessons learned across a number of Member States to avoid effort/error
duplication through a survey.
Vice President Kroes concluded that we are focusing on strengthening competitiveness and tackling
the problem that we still have 28+ markets, causing unreasonable costs. We will make a proposal to
tackle that problem for the Digital Single Market in general. This proposal will also tackle cloud
computing, so this is a great opportunity for the ECP. However, we need to deliver inputs before
August. President Ilves concurs, and adds that the ECP’s position needs to be communicated to the
President of the European Council M. Van Rompuy, by President Ilves, Vice President Kroes, a major
cloud provider and a major Member State. A deliverable should be provided in July to this end.
Candidate pilot projects
The following pilot projects were briefly presented and discussed:
Academy Cube, presented by M. Hagemann-Snabe, aims to build a cloud ICT learning
platform. The project is live, and now offers 12 courses with the support of 16 partners.
There are 250 learners, but it can scale to 100.000 learners.
Helix Nebula, presented by M. Breton. The project has created a science cloud, providing
models for security, trust and privacy. It has three flagship users: CERN, EMBL, and ESA. The
project is very data protection aware due to the security/confidentiality needs of its users.
X-Trans, presented by M. Karl-Heinz Streibich (Software AG), which facilitates the
administration of oversized transports across the Alps. It enables a much faster and
streamlined process, where the administration is updated as the transport moves.
Conclusions and next steps
After discussions, M. Hagemann-Snabe notes that a core team has been assembled, consisting of
SAP, ATOS, F-Secure, EuroCIO and Estonia, to draft up a charter. A first version is to be prepared in
the week after this meeting, and finalised in July. This draft aims to present core issues and solutions
to the Council, and it is clear that updates of the deliverable will still be needed. A country level
security survey is also on-going, and currently looking for local cloud expertise; suggestions on this
point would be useful. Results are to be presented and discussed in Brussels in September 2013.
With regard to the pilots, it is decided that work on all three will continue. The ECP will support
them and look for expansion opportunities.
The next meeting is scheduled for 14-15 November in Berlin, aligned with the launch event for the
Cloud for Europe project.