Ref. Ares(2017)1248292 - 09/03/2017
Establishing a Trusted Cloud Europe
A policy vision document by the Steering Board of the European Cloud Partnership
FINAL REPORT
Prepared for the European Commission
DG Communications Networks, Content & Technology
Digital Agenda for Europe
Internal identification
Contract number: 30-CE-0578903/00-87
LEGAL NOTICE
By the Commission of the European Union, Communications Networks, Content & Technology Directorate-General,
Software & Services, Cloud Computing Unit
Neither the European Commission nor any person acting on its behalf is responsible for the use which might be made
of the information contained in the present publication.
The European Commission is not responsible for the external web sites referred to in the present publication.
The views expressed in this publication are those of the authors and do not necessarily reflect the official European
Commission view on the subject.
ISBN 978-92-79-36734-2
doi:10.2759/44445
© European Union, 2014 – All rights reserved. Certain parts are licensed under conditions to the EU.
Reproduction is authorised provided the source is acknowledged.
This report was prepared for the European Commission by
The European Cloud Partnership Steering Board
In accordance with the European Commission’s communication on "Unleashing the Potential
of Cloud Computing in Europe", Brussels, 27.9.2012, COM(2012) 529 final
Drafted by Hans Graux, Rapporteur/Facilitator to the Steering Board, and adopted
by the following Members of the Steering Board:
Organisation: Representative
President of Estonia and Chair of the Steering Board: Toomas Hendrik Ilves
Accenture: Pierre Nanterme
Amazon: Werner Vogels
ATOS: Thierry Breton
Austria: Reinhard Posch
The German Federal Office for Information Security (BSI): Michael Hange
Dassault: Bernard Charlès
Ericsson: Hans Vestberg
EuroCIO and Daimler: Michael Gorriz
F-Secure Corporation: Christian Fredrikson
France: Cécile Dubarry
Memset: Kate Craig-Wood
The Netherlands: Dion Kotteman
Norway: Katarina de Brisis
Poland: Andrzej Ręgowski
SAP: Jim Hagemann-Snabe
Software AG: Karl-Heinz Streibich
Spain: Aitor Cubo Contreras
Telefonica Digital: Stephen Shurrock
Léo Apotheker
Preface
The European Union, like most of the world, faces economically challenging times.
In such times, it becomes all the more important to recognise and seize new and
unique opportunities to drive growth, stimulate innovation, and to provide
benefits to citizens, businesses and public administrations.
One of these opportunities is cloud computing. Its direct economic value to the
European Union is already substantial, but the impact on innovation and social
developments is even bigger, as it enables a transformation to a more connected
and more efficient on-line society.
The European Cloud Computing Strategy[1] aims to ensure that this potential is
captured in Europe. Gaining and maintaining a leadership position in this market
requires quick, coordinated and effective action, so that trust in the cloud would
increase.
This document represents an important step in the execution of the Cloud Computing Strategy. It is the result of a
collaborative process in which participants of public administrations, cloud businesses, and data protection
advocates have joined forces through the European Cloud Partnership, and have worked together to establish a
roadmap for European leadership in the cloud.
The adoption of this document, however, does not signal a conclusion of our work. A sense of urgency remains:
cloud computing is not a technology of the future, it is the technology of today. This document hopes to set the
stage for rapid follow-up action. European businesses and administrations need to become cloud leaders in the
global market. This is how we can maintain a strong and competitive position in a challenging environment.
Ultimately, that is the goal of the European Cloud Partnership and of this document.
Toomas Hendrik Ilves
President of Estonia
Chair of the Steering Board
of the European Cloud Partnership
[1] See the European Commission’s communication on "Unleashing the Potential of Cloud Computing in Europe", Brussels, 27.9.2012,
COM(2012) 529 final; http://ec.europa.eu/digital-agenda/en/european-cloud-computing-strategy
Executive summary
Cloud computing has the potential to bring significant advantages to European citizens, businesses and public
administrations, in terms of cost savings, efficiency boosts, user-friendliness, better security, and accelerated
innovation. However, access to cloud services in Europe is currently hampered by a number of uncertainties and
challenges, which vary from use case to use case. Depending on the type of data, type of service, and need for
enforcement, adoption of the cloud may be impeded by legal, technical, operational or economic barriers, as
shown through the examples in this document.
The Steering Board of the European Cloud Partnership recognises the need to address these uncertainties and
challenges through specific and targeted actions, so that Europe can reap the benefits from the shift to cloud
computing. Industry, public administrations and cloud users should work on the basis of common templates for
similar use cases, which can be adopted step by step in order to improve the functioning of the digital single
market for cloud services, and to avoid needless duplication of effort and market fragmentation.
This paper presents two groups of actions in order to reach this objective:
• Firstly, a flexible common framework of best practices needs to be created, at the legal, technical and
operational level. This common framework, consisting of legal and operational guidelines as well as
technical standards, can be voluntarily adopted by cloud providers to show that their offering is in
compliance with the common framework, and can be used by buyers of cloud services (in the public or
private sector) in order to determine more easily whether a cloud service complies with the requirements
of their use case.
• Secondly, systematic consensus building is required, through public consultations, workshops,
coordination groups etc., targeting all stakeholders, including citizens, public administrations, the cloud
industry and cloud users. This would result in a common understanding on issues such as risk
management, security requirements, privacy needs, enforcement methods, procurement practices, and
any need for legislative reform, all of which can differ from use case to use case.
Jointly, these actions will ensure that similar use cases for cloud computing – both in the public and private sector
– can be accommodated by a wide range of cloud service providers, offering equivalent and appropriate
assurances to their customers. Similarly, this approach will allow cloud providers to provide services offering
baseline common and rationally justified expectations, while also facilitating differentiation and innovation.
The challenge is then to achieve a common understanding of these best practices and their role in enabling cloud
use cases. The European Cloud Partnership has drafted this paper, containing its own analysis of the current state
of play, and its signposts for a strategy that would maximise the benefits offered by cloud computing in Europe.
The Steering Board of the ECP expresses its desire to set up a broader consultation around its observations,
involving cloud users and cloud providers, in order to seek a broader consensus on the correct actions for the
future as set out in this document.
To address this, this paper proposes the concept of the Trusted Cloud Europe: a framework to support the
definition of common cloud best practices, linking them to use cases, and applying them in practice.
Trusted Cloud Europe framework
With the support of the Trusted Cloud Europe framework, the European single cloud market can be stimulated,
creating new prosperity and a position of digital leadership for citizens, businesses and public administrations.
The potential of the cloud in Europe
Cloud computing is a key enabler for growth, productivity and job creation, capable of generating benefits for
citizens, businesses and public administrations. Allowing easy on-demand access to information technology
services, cloud computing can significantly reduce capital expenditure, as cloud users only pay for what they
actually use. Cloud computing fosters innovative business models and services across all industries, generating
new advantages for customers and companies alike. European businesses and public administrations can obtain
significant efficiency gains from wide-scale adoption of cloud computing. Small businesses (SMEs) in particular
can benefit from the cloud, as they can get access to high-performance IT solutions, which will help them to adapt
quickly to new market developments and to innovate and grow their businesses faster.
The expected cumulative economic effect of cloud computing between 2010 and 2015 in the five largest
European economies alone is around € 763 Bn.[2] The cloud economy is growing by more than 20%[3] and could
generate nearly € 1 trillion in GDP and 4 million jobs by 2020 in Europe[4], with the support of the right policy
framework.
Europe is, however, lagging behind other regions in the take-up of cloud computing.[5] Recent revelations about
intelligence services' surveillance of data have the potential to harm trust in cloud-based solutions. Moreover, due
to a lack of regulatory consistency and due to policies which are technologically conservative, cloud computing in
Europe remains fragmented, at times making it difficult for European citizens and businesses to reap the full
benefits that the cloud undeniably offers.
Without ambitious and decisive actions to counter these trends, the competitiveness of the European economy
will be adversely impacted, as the scale and network effects, which are characteristic of cloud computing, will not
be widely available to support European growth.
[2] Centre for economics and business research (2010): The cloud dividend report
[3] IDC Worldwide Cloud Black Book, 4Q 2012 update, April 2013
[4] IDC (2012): Quantitative estimates on the demand for cloud computing in Europe and the likely barriers to take up.
[5] Europe trails North America by a factor of 2.4 in the public cloud market. Sources: IDC Worldwide Cloud Black Book, 4Q 2012 update,
April 2013; Gartner: Public Cloud Services, worldwide, 2011-2017, 1Q 2013, March 2013.
Therefore, the Steering Board of the European Cloud Partnership has developed this joint statement which
proposes a set of coordinated measures by political leaders and industry to enable Europe to rapidly assume a
leading role in Cloud Computing. The guiding principle of this statement is the need to support an efficient EU
wide single market for cloud services, based on best practices, a common understanding of regulatory
requirements and the most effective way of meeting the needs of specific cloud use cases.
Achieving this goal requires actions from a variety of stakeholders, including the elimination of regulatory and
market access barriers at both national and EU level, but also the identification and promotion of best practices
by industry in respect of applicable laws, technical standardization and operational assurances. In this way, a
single market for cloud services will be supported, generating benefits for all European stakeholders:
• On the demand side, European cloud users (citizens, businesses – including SMEs – and public
administrations) will be able to choose and use cloud services with confidence, knowing that they adhere
to European legal norms and international standards, and that data in such clouds is secure;
• On the supply side, cloud providers will be able to provide their cloud services to European customers,
without hindrance from national regulatory barriers.
This vision document sets out how this goal can be achieved, by establishing a shared understanding of regulatory
and legal norms, and security and trust, common to cloud users and to cloud service providers, and how these
can be tied to specific use cases. These solutions should be based on best practices, favouring internationally
recognized norms and standards wherever possible to ensure a global perspective that cloud computing
inherently requires.
Cloud challenges in Europe and the need for quick action
The European cloud market is currently confronted with a significant number of regulatory and market access
barriers that impede both development and commercial exploitation by cloud providers and adoption by cloud
users, especially for cross border use cases. Some of these regulatory and market access barriers are linked to
legal issues, whereas others are principally tied to trust concerns, technical control, or operational requirements.
To understand some of these barriers and challenges, the European Cloud Partnership has studied several cross border
use cases from both the public and private sector.[6]
Use case: health care in the cloud
The exchange of health information between hospitals or doctors can be done more cost
efficiently and securely through the cloud. However, data protection and privacy concerns
impede such projects. User rights (access-edit-delete health data) must be carefully
managed across authorized users. End-to-end encryption and anonymisation can provide
workarounds, but also severely restrict use cases.
Privileged information can be protected by legal frameworks that stop cloud adoption or
limit use cases. Significant benefits could be realised through trusted cloud solutions.
Use case: personal data in cross border clouds
Storing personal data in public clouds is problematic when data is legally considered as
sensitive. In such cases, cloud usage is difficult due to varying national legal requirements
(e.g. supervision of the infrastructure by health care practitioners for health data).
Similarly, national laws can differ on information security requirements, such as the need
to have a data protection officer or to audit all data centres, which are legal requirements
in some Member States, but not in others.
The lack of full EU harmonisation of data protection rules is a recurring legal barrier.
[6] See the more detailed information in sections 1 and 2 of the working document prepared by the working groups of the ECP. Note that the
inputs in this working document represent the positions of individual contributing members of the working groups, and do not
indicate any consensus from the ECP as a whole.
Use case: financial services in the cloud
Banks and financial institutions process vast amounts of personal data in the operation of
their business. Their activities are subject to national supervisory bodies, which can define
rules and requirements for the IT systems that process this data. In some Member States
(such as Luxembourg), these guidelines require infrastructure to be established within
national borders to facilitate direct inspection by the supervisory bodies.
Even outside of formal laws, norms may exist (issued by supervisors, regulators, sector
organisations etc.) which stop or discourage the use of cloud services outside national
borders.
Use case: IP-intensive sectors and cloud services
Entrusting information protected by intellectual property (IP) rights to cloud services can be challenging,
due to the legal and business need to control data. In the media business, cloud based
media dissemination may conflict with legacy rules that focus on obtaining
national/regional licenses or authorisations. Other IP intensive industries (such as the
automotive industry or the chemical/pharmaceutical sectors) prefer private clouds over
public clouds in order to keep full control over their infrastructure.
Cloud adoption barriers can vary from sector to sector. Legacy legal frameworks that are
not adapted to the global market can cause legal challenges, and operational/business
concerns may lead to a strong preference for private clouds.
Use case: science data in the cloud
The scientific community has a clear need for powerful, high capacity and dependable
infrastructure that can be used to advance their research without exposing it to data loss,
corruption or intrusion. Secure scientific clouds can meet these requirements, and several
projects within the EU have been set up to satisfy this demand, including the Helix Nebula
project and through GEANT. However, further work is needed to integrate existing science
clouds, to promote their adoption, and to enhance their usability.
Secure clouds for science applications offer clear benefits in terms of scale,
integrity and confidentiality. Further EU work is urgently needed to achieve this goal.
Use case: national archives
Archiving laws in Spain require any documents generated and stored by the public sector
to be retained, and prohibit moving them from their original archives without a prior
Ministerial Order. This can be interpreted as a restriction on moving data to a location
outside the country (including cloud services with international data centres) without such
an order.
In many cases, there is ambiguity in the law on what is legally possible. In such cases,
uncertainty often leads to negative decisions on new technologies, even if there is no
overriding justification for this.
While based on a limited set of use cases, the examples above illustrate that barriers vary from use case to use
case, and include legal issues, operational concerns, and technological challenges. A recurring concern is the
perceived vulnerability of data in the cloud to seizure by authorized public authorities, and more broadly to
questions of general jurisdiction and applicable law. Current EU legislation generally favours policies where
service providers are subject to the laws of their country of establishment[7]. While this rule is sound in principle, it
raises the challenge of making cloud users’ data subject to foreign law, and typically also foreign jurisdiction. This
may not be palatable or viable for certain cloud users, including in the public sector.
The requirements of each cloud use case differ, and are jointly defined by their data type (e.g. health data being
particularly sensitive), by data usage (e.g. IP protected data requiring licenses for each use) and by the need for
enforcement (e.g. financial data requiring very strict controls). Cloud services that are able to satisfy all three
categories of requirements for a use case can be considered fit for purpose. This requires appropriate risk
management practices, in which the risks inherent to each use case are correctly understood, and in which the
resulting requirements can be rationally identified.
The challenge is then to achieve a common understanding of these requirements and their role in enabling cloud
use cases. To address this issue, this paper proposes the concept of the Trusted Cloud Europe: a framework for
defining best practice and cloud requirements, linking them to use cases, and applying them in practice.
[7] This is e.g. also enshrined in the European eCommerce Directive’s country of origin rule, albeit with exceptions in relation to data
protection and consumer protection.
As shown above, the requirements and related barriers differ strongly from use case to use case:
[Table: requirements per sector / use case. Requirements (columns): Data protection; Intellectual property rights; Confidential information; Outdated legacy laws; Information security concerns; Supervision and inspection; National sovereignty; National security; Jurisdiction / enforceability; Procurement rules. Sectors / use cases (rows): Public sector in general; Taxation and social security; Health care and legal services; Media and entertainment; Financial services; National archiving; Manufacturing/consumer.]
- Summary of known requirements across various sectors, ‘√’ indicates a known priority issue -
Based on this limited exercise, the table above would suggest that the most ubiquitous requirements (spanning
the most sectors) are data protection compliance, information security, and jurisdiction/enforcement. When
applicable requirements cannot be met in cross border public clouds, there is a strong tendency to use only
private clouds, or at least only cloud solutions within national borders. As a solution for some use cases, this may
be acceptable. For the EU cloud market as a whole however, this is a problem that needs to be resolved.
While more systematic fact finding is desirable to obtain a comprehensive overview of requirements across
sectors, these initial inputs show that a set of measures are needed to overcome the current fragmentation in
European cloud markets, addressing requirements in relation to data types, data usage and enforcement, through
the Trusted Cloud Europe framework.
Supporting the digital single market through Trusted Cloud Europe
The sections above have described some of the challenges currently experienced in the European cloud market by
stakeholders, including citizens, businesses and public administrations. The global goal is to achieve a European
single market for cloud computing.
This can be achieved by building a set of best practices and common understanding of the requirements that
should be met for each specific use case. This is beneficial to both cloud providers and cloud users: cloud
providers can more easily ensure that their cloud services meet the requirements of specific use cases, and cloud
users can more easily choose cloud services that are suited for their use case. The Trusted Cloud Europe is a
framework for establishing these best practices, linking them to use cases, and applying them in practice.
The TCE framework is a non-legislative and voluntary initiative: it relies on voluntary adherence and participation
from cloud providers and cloud users that see a benefit in participating in it, in order to support the development
and uptake of the cloud and unlocking the accompanying benefits.
In this section, we will explore how a single market for cloud services can be formed. This requires two groups of
action:
• Firstly, a flexible common framework of best practices needs to be created, at the legal, technical and
operational level. This common framework, consisting of legal and operational guidelines as well as
technical standards, can be voluntarily used by cloud providers to show that their offering is in
accordance with the state of the art, and can be used by buyers of cloud services (in the public or private
sector) in order to determine more easily whether a cloud service meets the needs of their use case.
• Secondly, systematic consensus building is required, through public consultations, workshops,
coordination groups etc., targeting all stakeholders, including citizens, public administrations, the cloud
industry and cloud users. This would result in a common understanding on issues such as risk
management, security requirements, privacy needs, enforcement methods, procurement practices, and
any need for legislative reform, all of which can differ from use case to use case.
These two pillars together – building best practices and building consensus on their use
in practice – collectively make up the Trusted Cloud Europe framework.
Action 1: Building best practices and promoting their cross border mutual recognition
When addressing questions of adherence to legal norms, data control, security certification and accountability, it
is important to recognise the impact of existing achievements and ongoing work. These offer some of the quickest
solutions, and have often already been implemented and tried and tested through existing cloud services. Others
still require some finalisation, or are not well-known or correctly understood by aspiring cloud customers.
The following actions can be recommended to address this goal:
1. Identify best practices, in terms of technical, legal and operational assurances commonly offered by
leading cloud service providers and measures generally available to cloud customers, and promote
these more systematically. In many cases depending on the type of cloud computing, existing inputs are
suitable, including security certification against existing and often global standards8, data protection
compliance against the EU Standard Contractual Clauses9, or existing outsourcing techniques based on
Hierarchical Storage Management (HSM), Information Lifecycle Management (ILM), automatic replication
facilities, and media migration and validation practices. Best practices may also relate to appropriate
technological security and access control solutions, including - where proportionate - strong encryption
technologies, systematic logging, time stamping, and automated breach detection measures. The key
ambition is to establish a coherent toolbox of best practices, thus empowering cloud users to choose the
practices which are most appropriate to their use case.
8 See https://resilience.enisa.europa.eu/cloud-computing-certification and
http://www.etsi.org/images/files/Events/2013/2013_CSC_Delivery_WS/CSC-Final_report-013-CSC_Final_report_v1_0_PDF_format-.PDF
9 See http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm
2. Establishing new best practices and guidelines to steer the market towards customer friendly practices.
Key ongoing actions include the standardization of SLAs, the Safe and Fair Cloud Contract initiative, the
drafting of a data protection Code of Conduct10, which should be endorsed by the Article 29 Working
Party in order to ensure its legal authority, and the development of a Meta-framework of security
certification schemes that can be used to compare and assess cloud computing security certification
offerings.11 Such best practices and similar security/privacy cloud-specific international standards should
form a basis for adherence with EU security and privacy legal norms.
3. Facilitating the cross-border recognition of these best practices. Adherence to these best practices
should be verifiable and auditable without extensive case-by-case checks, since ad-hoc checks are not
always financially or operationally viable, especially for citizens or SMEs that lack the know-how and
economic resources to conduct such checks. Therefore, the use of self-declaration, third party audits and
one-stop-shop certification/trust marking schemes should be supported where appropriate as a tool to
make adherence to the aforementioned best practices accessible to as broad a market as
possible. Any endorsed certification/trust marking practices should be industry driven and customer
centric, voluntary, lean and affordable, technology neutral and based on global standards wherever
possible, in order to avoid needlessly increasing costs, especially for SMEs.
It is clear that the economic potential of European cloud services depends on the ability to avoid any semblance
of a ‘Fortress Europe’ model where access to the European cloud market is de facto restricted to providers
established in the EU. Non-European cloud providers should be able to access the European cloud market on
equal terms, and offer services that adhere to the best practices proposed as a part of the Trusted Cloud Europe
framework, i.e. functional requirements in relation to data type, data usage and enforceability of European laws
and fundamental principles.
The Steering Board of the European Cloud Partnership encourages Member States, cloud users and the cloud
industry to contribute to the identification and completion of best practices, and to support their use wherever
appropriate. All stakeholders should seek to educate users on the meaning and impact of these best practices,
and their suitability for particular use cases.
10 See https://ec.europa.eu/digital-agenda/en/cloud-select-industry-group-code-conduct for an overview of the Code of Conduct activities.
11 See https://resilience.enisa.europa.eu/cloud-computing-certification/certification-in-the-eu-cloud-strategy and
https://ec.europa.eu/digital-agenda/en/cloud-select-industry-group-certification-schemes
The Steering Board furthermore encourages the EU, Member States and cloud industry to seek out opportunities
to support adherence to best practices (including both self-declarations of compliance and third party
certification), and to promote the use and value of appropriate certification schemes. A flexible and innovation
friendly approach will be crucial during these efforts, as the risk of elevating existing practices to the status of
obligations – thus creating future legacy problems and disrupting the potential for new innovations – must be
avoided.
The definition of best practices and the facilitation of compliance assessment are two key pillars of the Trusted
Cloud Europe framework, allowing the TCE to become a recognizable brand and a mark of quality for cloud
vendors, thus creating an additional selling proposition on the global market for cloud services.
Action 2 – Building consensus on the needs of specific use cases and on appropriate solutions.
As shown in the examples above, several challenges still exist that disrupt the cross border offering of cloud
services across the internal market. A one-size-fits-all solution to cloud computing does not seem credible or
viable, as the needs for specific data or service types may vary quite widely. Personal data may require a higher
level of protection than other types of data, and within the broad spectrum of personal data certain categories of
information (e.g. health information or financial data) may be more sensitive. Rational risk management practices
will therefore be key to ensuring that the needs of individual use cases can be correctly understood and
addressed. This is of particular importance for public sector cloud users, who have clear needs that are directly
connected to their public interest function.
This can be challenging for cloud providers who may be confronted by different requirements from Member State
to Member State, but also for cloud users who may see their cloud ambitions blocked by obstacles that may not
be justified. In order to reduce geographic fragmentation, it would be beneficial to build a consensus on how the
needs of specific use cases can be satisfied by particular best practices. This can be done through public
consultations, workshops, setting up coordination groups etc., targeting all stakeholders. Specifically:
• Consultations and workshops need to target non-legislative regulators, supervisory bodies, professional
bodies and trade associations. This stakeholder group is just as influential as formal legislators in allowing
or disallowing cloud services. These bodies should be encouraged to ensure that their guidelines and
policies are at least cloud neutral (i.e. enable cloud services) wherever this is compatible with their goals.
Furthermore, national and sector-specific bodies should create coordination groups to align their rules
and exchange best practices. In this way, geographic fragmentation could be avoided. They should be
encouraged to educate their members on permissible and proper cloud adoption.
• Consultations and workshops similarly need to target cloud users, including citizens, SMEs and larger
businesses, either directly or via representative bodies such as consumer protection organisations, data
protection/privacy protection associations, or NGOs, since their data may be entrusted to the cloud.
Education and awareness raising will be key to ensure that cloud users are able to ask the right questions
– where are my data hosted, how are they secured, what are my rights and how can I exercise them –
which can only be meaningfully raised and understood with sufficient understanding of the cloud
computing paradigm. In addition, these consultations should examine how enforcement can be made
more accessible. Given that particularly citizens and SMEs have limited resources for engaging in legal
proceedings, enforceability depends on the establishment of a credible and accessible dispute resolution
mechanism. This does not imply that the most stringent enforcement is necessary for any cloud service,
irrespective of its scope or intended use, but rather that cloud users must have access to credible and
understandable options for recourse in case of incidents.
• Finally, consultations and workshops need to target Member States, in order to determine which
barriers (if any) they encounter in adopting cloud computing, and in order to share best practices where
available. Alignment, reform and harmonization of legal frameworks and policies may be appropriate in
some cases where legislation creates unnecessary barriers to the internal market. Several ongoing
actions already support this goal. The ongoing harmonization of EU Data Protection Rules is a key
example: national legal divergences are a challenge for vendors, which smaller providers sometimes
struggle to manage. Inversely, cloud users (including public administrations and business users) hesitate
to entrust their data to clouds, for fear of compliance issues and liability. The Steering Board welcomes
the harmonization efforts, and stresses the importance of a common interpretation of data protection
rules in Europe, as foreseen within the ongoing negotiations on an EU Data Protection Regulation, as an
essential condition for a single market for cloud computing.
Collectively, these consultations and workshops should help citizens, businesses and Member States to build a
consensus on their challenges, as dictated by their individual interests and backgrounds, and to seek common
solutions, building on best practices in the cloud market. Examples of the latter are cloud-active procurement
policies which have been adopted by some Member States. While details vary from country to country, such
policies generally require administrations to at least consider cloud technologies (including both public and
private clouds) for their IT procurements, and to ensure that their requirements do not needlessly exclude cloud
technologies12. The objective of such policies is to change the mindset of procurers, to stimulate cloud adoption,
and to ensure that the benefits of the cloud can be maximized by re-using successful services whenever possible.
Such policies and practices allow laws, policies, and all related requirements to converge step by step around the
needs of specific use cases, thus facilitating access to the internal cloud market for cloud providers which adhere
to these requirements.
This gradual approach appears most viable to address concerns that are felt in particular by the public sector.
Most Member States are presently exploring their options for the use of cloud technology (e.g. by deploying
virtualization techniques and application stores within their own private IT infrastructures), preparing for the
moment that public cloud services can be verified to be reliable and secure, and that privacy protection can be
guaranteed. Member States will be empowered in making the choice between replacing or amending their own
internal infrastructure by rented infrastructure from an external cloud provider.
Examples of expected convergences and alignment opportunities include notably the following:
• Alignment of procurement rules and practices: Procurement rules in some Member States can make it
difficult to sell cloud solutions to the public sector. This is burdensome to public administrations, which
can be barred from technologically and economically advantageous solutions, but also for cloud
providers, who are faced with different requirements from country to country. By sharing best practices,
Member States can ensure that their procurement legislation and policies will become cloud enabled.
Furthermore, they could work towards developing common approaches to public procurement of cloud
computing, or towards the mutual recognition of any existing national accreditation schemes, so that
providers do not need to seek different certifications, accreditations or approvals in different Member
States. Similarly, Member States can share effective national budgeting policies to ensure that
pay-as-you go models (moving from capex to opex) can be enabled.
• Reduction of data location restrictions: Member State practices and in some instances national laws
restrict the possibility of storage and processing of certain data (especially public sector data) outside
their territory. If common requirements can be found for similar use cases, Member States can choose to
gradually phase out data location restrictions when they are deemed unnecessary. This does not imply
that data controls should be abandoned; it is often possible and advisable to replace formal legal
requirements (such as geographic location of the data) by the corresponding functional requirements
(such as ensuring the accessibility and security of the data). State-of-the-art security technologies could
be regarded for some use cases as an alternative to data location restrictions. This goal oriented approach
is technologically neutral, conducive to supporting innovation and new technologies, and enables public
policy objectives to be more effectively reached.
12 In some cases, Member States have opted for ‘cloud first’ policies, which sometimes include stronger support for cloud technologies, e.g.
by requiring procurers to prioritize cloud computing purchases where possible, or to justify any decision not to use cloud computing
when a suitable cloud solution was available.
• Establishment of common templates to address jurisdiction and enforcement concerns. Some of these
concerns (notably on surveillance by national security bodies) can only be addressed in the longer term
and exceed the remit of the European Cloud Partnership. However, practical solutions may develop as a
result of consultations with Member States, the cloud industry and cloud users, which are able to address
some of these concerns. For instance, Member States could voluntarily establish and accede to
multilateral cooperation agreements, to clarify under which conditions they (or their authorized public
sector bodies) will access data hosted by cloud providers established in their country. Such opt-in
agreements may also include rules with respect to cooperation obligations by cloud providers, or on the
enforcement of foreign legal decisions. Such agreements would be aligned with applicable EU and
national laws and jurisprudence, notably EU data protection law and especially the envisaged cooperation
between national data protection authorities under the new EU Data Protection Regulation.
• Setting up public sector pilot cloud services at EU level: the public sector faces specific challenges and
needs which are linked to their public policy objectives. This also implies that cloud solutions need to be
tailored towards these unique needs. As a natural step in the alignment process, Member States could
pilot public sector cloud applications with EU assistance, with a view to creating common building
blocks and ensuring that fragmented national approaches and duplication of efforts are avoided. Within
the ECP, representatives of the Member States were polled on suggestions for pilot cases, with the
following policy areas suggested as being particularly conducive to cloud pilots13:
• Public sector document management and communication. This would e.g. include national archives,
library management, e-mail/e-delivery of documents towards the public sector, or public sector
information (PSI) portals. Such use cases focus on the public sector need for confidentiality,
trustworthy storage, and redundant capacity that would benefit from a distributed (cloud based)
solution.
• Scientific research and data analysis, in the form of a science cloud which could support the
European research community through significant virtualized storage and processing power,
supporting ‘big data’ analysis, data mining, advanced analytics and science grids in a secure and
trustworthy manner.
13 For more details, see the working document, section 3.
is technologically neutral, conducive to supporting innovation and new technologies, and enables public
Inputs for such pilots are already available, including via projects such as Helix Nebula and GÉANT
policy objectives to be more effectively reached.
(science clouds), Hermes Preservation Services (digital archiving), CloudForEurope (cloud computing for
the public sector in general), the technical solutions created by various large scale pilots (such as STORK,
•
Establishment of common templates to address jurisdiction and enforcement concerns. Some of these
PEPPOL, SPOCS and epSOS14), the secure communications network S-TESTA, and a legal framework that
concerns (notably on surveillance by national security bodies) can only be addressed in the longer term
would underpin the sustainability of some of the required services (electronic identification, signing, time
and exceed the remit of the European Cloud Partnership. However, practical solutions may develop as a
stamping, delivery, etc.) through the proposal for a Regulation on Electronic Identification and Trust
result of consultations with Member States, the cloud industry and cloud users, which are able to address
Services15. The main goal would therefore be to bring the existing building blocks together, to identify and
some of these concerns. For instance, Member States could voluntarily
establish and accede to
address any remaining gaps, and to bring them to an operational stage.
multilateral cooperation agreements, to clarify under which conditions they (or their authorized public
sector bodies) wil access data hosted by cloud providers established in their country. Such opt-in
The primary challenge for these pilots is funding, with many Member States noting that new pilots are
agreements may also include rules with respect to cooperation obligations by cloud providers, or on the
unlikely to be viable without EU level funding. Funding may be found under a future grant agreement as
enforcement of foreign legal decisions. Such agreements would be aligned with applicable EU and
part of Pre-Commercial Procurement (PCP) or Public Procurement of Innovation (PPI), e.g. as part of
national laws and jurisprudence, notably EU data protection law and especially the envisaged cooperation
Specific Challenges from Horizon 2020 work programme16. The execution of these pilots would also
between national data protection authorities under the new EU Data Protection Regulation.
support and expand research and development efforts around cloud computing in Europe, contributing to
the development of a strong and innovative European cloud industry offering.
•
Setting up public sector pilot cloud services at EU level: the public sector faces specific challenges and
needs which are linked to their public policy objectives. This also implies that cloud solutions need to be
tailored towards these unique needs. As a natural step in the alignment process, Member States could
pilot public sector cloud applications with EU assistance, with a view to creating common building
The Steering Board of the European Cloud Partnership
requests the Commission to assist in setting up and
blocks and ensuring that fragmented national approaches and duplication of efforts are avoided. Within
executing the aforementioned consultations with cloud users, the cloud industry and public administrations, in
the ECP, representatives of the Member States were polled on suggestions for pilot cases, with the
order to build a consensus on the proper application of best practices to meet the needs of specific use cases.
following policy areas suggested as being particularly conducive to cloud pilots13:
The EU, Member States and industry bodies should be
encouraged to seek cross border alignment of their rules,
policies and practices, in order to ensure that the internal market for cloud services operates effectively.
•
Public sector document management and communication. This would e.g. include national archives,
library management, e-mail/e-delivery of documents towards the public sector, or public sector
information (PSI) portals. Such use cases focus on the public sector need for confidentiality,
trustworthy storage, and redundant capacity that would benefit from a distributed (cloud based)
solution.
•
Scientific research and data analysis, in the form of a
science cloud which could support the
European research community through significant virtualized storage and processing power,
supporting ‘big data’ analysis, data mining, advanced analytics and science grids in a secure and
trustworthy manner.
13 For more details, see the working document, section 3.
14 See http://ec.europa.eu/digital-agenda/en/egovernment for details on these large scale pilots.
15 See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0238:FIN:en:PDF for the proposed Regulation.
16 The aforementioned CloudForEurope initiative has been funded following a successful response to a Call for Proposals under the FP7 work programme.
Concluding remarks
As this paper has shown, there is a need for action to support the development and adoption of cloud computing
in Europe. A single digital market, free of needless barriers or restrictions should be the ultimate objective, in
which all cloud users have access to high quality, secure and trustworthy cloud services. This goal can be achieved
by relying on the identification and consistent application and promotion of best practices, and by building a
consensus between citizens, businesses and administrations on how these should be applied, consistent with
legal norms and policies.
Collectively, these actions should ensure that the potential benefits of cloud services can be unlocked to as wide
an audience as possible, without unique dependence on potentially lengthy legislative reform. Voluntary
certification by third parties or self-declaration against identified best practices could act as a mark of quality for
cloud vendors, and thus create an additional selling proposition on the global market. This will also make it easier
for aspiring cloud users to choose a high quality partner that adheres to European best practices and
expectations.
The European Cloud Partnership calls upon policy makers at the European and national level, and upon cloud
providers and cloud users, to support this approach and to implement the proposed actions towards
establishing the Trusted Cloud Europe framework, and thus enabling a single digital market for cloud services in
Europe.
Furthermore, the Steering Board of the ECP is conscious of the importance of establishing a broad consensus on
the appropriate road forward. Therefore, the Board expresses its desire to set up a broader consultation around
its observations, involving cloud users and cloud providers, in order to identify the right actions for the future.
The building of a single market for cloud computing is an urgent objective. Cloud computing is not a technology of
the future, it’s the technology of today. The actions aim to ensure that results can be provided that cloud vendors
and cloud users can adopt right away, and that will help grow the market and drive new innovations. This requires
voluntarism, and the genuine desire from Member States and cloud businesses to drive progress through all of
the actions described above.
The European Cloud Partnership thus recognizes that timing is of the essence, and emphasizes that the proposed
actions must be initiated as soon as practicable. Provisionally, the following time table can be presented:
| Action | Owner | Deadline |
|---|---|---|
| Finalisation of a model Code of Conduct, and obtaining its endorsement by the Article 29 Working Party | Industry and users | Ongoing. Finalisation by end 2014 |
| Finalisation of SLA guidelines and the Safe and Fair Cloud Contract initiative guidance at the EU level (including issues of reversibility/interoperability) | Industry and users | Ongoing. Finalisation by end 2014 |
| Finalisation of ongoing data protection harmonization efforts in Europe, as foreseen within the ongoing negotiations on a EU Data Protection Regulation | EU, MS, Industry and cloud users | Ongoing. Finalisation in 2014-2015 |
| Organising consultations with cloud users (citizens, business and public administrations) to ensure acceptance of the Code, SLA guidelines and Cloud Contract initiatives | EU, MS, Industry and cloud users | Finalisation by end 2014 |
| Implementing and supporting certification mechanisms (in the broad sense, i.e. including self-declaration, third party audits and one-stop-shop certification/trust marking schemes) against best practices, including in relation to security, Code of Conduct about Security and against the CoC and SLA / Fair Contract | EU, MS and Industry | Finalisation by mid-2015 |
| Uptake of the CoC, SLA/Fair Contract and security certification by Industry (if finalised successfully) | Industry | Finalisation by mid-2015 |
| Consensus building through public consultations, workshops, setting up coordination groups etc., targeting professional bodies and trade associations at the EU level to ensure that their (non-legislative) guidelines and policies are cloud neutral | EU and Industry | Initiation by early 2015 |
| Consensus building through public consultations, workshops, setting up coordination groups etc., targeting cloud users (citizens, businesses and public administrations) to ensure that they are transparently informed and to find effective enforcement mechanisms. | EU, MS, Industry and users | Initiation by early 2015 |
| Consensus building through public consultations, workshops, setting up coordination groups etc., targeting Member States to identify any explicit and implicit legal roadblocks to cloud computing in key cloud use cases. | EU, MS, Industry and users | Initiation by early 2015 |
| Study on data categorisation from the perspective of MS, in order to identify required assurances from a legal and technological perspective (including enforcement) | EU, MS and users | Initiation by early 2015 |
| Selection and initiation of selected cloud pilots | EU, MS and Industry | Initiation by end of 2015 |
Ultimately, all of Europe needs to form a single market for cloud computing based on best practices and a
common understanding of these best practices and their role in enabling cloud computing, in order to become a
leader in trustworthy cloud provision and cloud adoption in the global market. This is the only way to maintain a
strong and competitive economy in a challenging environment.
European Commission
Establishing a Trusted Cloud Europe – A policy vision document by the Steering Board of the European Cloud Partnership
Luxembourg, Publications Office of the European Union
2014 – A4 – 28 pages
ISBN 978-92-79-36734-2
doi:10.2759/44445
KK-01-14-281-EN-N
For further information
European Commission
Directorate-General for Communications Networks, Content & Technology
Directorate Net Futures
Software & Services, Cloud
B-1049 Brussels
xxxxxxxx@xx.xxxxxx.xx