Ref. Ares(2017)1248292 - 09/03/2017
Minutes of the plenary meeting of the Cloud-Select Industry Group (C-SIG)
27 June 2016, Brussels, Belgium
SUMMARY
The European Commission presented an overview of the recently adopted Communications relevant
for cloud computing under the Digital Single Market Strategy (Communication on Digitising
European Industry: Reaping the full benefits of a Digital Single Market, Communication on a
European Cloud Initiative, Communication on an EU e-Government Action Plan 2016-2020,
Communication on Priorities of ICT Standardisation for the Digital Single Market) and also provided
more details on the forthcoming free flow of data initiative.
The latest developments and progress of the draft Code of Conduct on Personal Data Protection for
Cloud Service Providers were also presented and discussed in further detail with the participants as
regards current challenges and further steps to be taken.
The specifics of a Code of Conduct for Cloud Infrastructure Service Providers, coordinated by the
recently established Cloud Infrastructure Service Providers in Europe (CISPE), were introduced and
this initiated a discussion on the integration of these codes of conduct and also approaches to
integrate future codes of conduct for cloud service providers as regards protection of personal data.
Representatives from Deloitte presented the study "Measuring the Economic Impact of Cloud
Computing in Europe" and led a discussion on the potential economic impact of a removal of data
location restrictions. It is clear that contractual and jurisdictional issues are major reasons for the lack
of uptake of cross-border cloud computing services, alongside issues of latency and
redundancy. The impacts on important stakeholders led to a lively debate on the business benefits
for SMEs vs. large companies.
The European Commission proposed future activities in the policy area of cloud computing and, in
particular, the future role of the C-SIG in the context of recommended work streams. It is clear that
future activities should take into account key relevant initiatives of the European Commission, such
as the General Data Protection Regulation (GDPR), the European Cloud Initiative (ECI), the Priorities for ICT
Standardisation, and the Network & Information Systems Security (NIS) Directive.
1. WELCOME AND INTRODUCTORY SESSION
Pearse O'Donohue (DG CONNECT, Head of Unit "Cloud & Software" - POD) welcomed the
participants and gave a brief overview of the meeting agenda. He gave a short outline of the
Digital Single Market Strategy (DSM) and its objectives; notably increasing economic growth &
jobs, improving cross-border opportunities, tackling fragmentation and keeping the European
Union (EU) on equal footing with other major economies worldwide. The Commission (EC) is
focusing on a limited number of coherent and high-impact initiatives, for example the Digitising
European Industry initiative (DEI), Online Platforms initiative and the Free Flow of Data initiative.
The Communication on DEI, adopted on 19 April 2016, is linked to three further Communications:
on a European Cloud Initiative, on an EU e-Government Action Plan 2016-2020, and on Priorities of
ICT Standardisation. This package supports the digitisation of new industries, i.e. every sector of
the economy should be able to benefit from the advantages offered by data technologies and
services. A number of accompanying documents have also been adopted, including a Staff
Working Document on the Internet of Things.
POD elaborated further on the European Cloud Initiative (ECI), which will facilitate the
exploitation and value of Big Data, ensure connectivity, and increase processing and computing
power in Europe. One of the major challenges has been the fragmentation of research facilities and
of data sharing in research communities. These have not been able to maximise their combined
potential, possibly due to technical obstacles or as a result of research communities' reluctance to
combine resources. ECI is intended to create the underlying conditions necessary to bring
Europe together into a leading cloud economy. POD stressed that C-SIG and other stakeholders
(providers, users, and their exchange of views) play a crucial role in the process of implementing
these strategies to contribute to the DSM.
Open data is part of the EC's Big Data policy and part of the internal market vision. The EC has
identified several national, sectoral and other restrictions on the movement of data. This is not
only a European but a global issue. The Free Flow of Data initiative (FFD) is expected in November
2016, including a legislative initiative on data location restrictions. There are also a number of
emerging issues which will be taken into account in the policy-making process: (1) ownership of and
access to data, (2) interoperability and portability, (3) liability. The impact assessment analysis will
provide some guidance as to which approach should be taken in order to remove the restrictions and
barriers imposed by the Member States (MS).
On the issue of building trust, POD reiterated that EC will promote the use of existing relevant
certifications and standards. The lack of confidence and certainty is one of the key barriers to
users embracing new technologies, such as cloud computing and data services. The ECI envisions
– where appropriate – the creation of European-level certification and labelling, in particular to
support public procurement of cloud services.
In response to questions from participants on certification and trust solutions, POD responded
that DSM's objective is to remove fragmentation. Certification can be bottom-up, however it must
not create a new silo culture. Certification systems should be able to operate in harmony and not
contradict each other. This is also crucial for building trust; such systems assure average users the
service has been independently verified. Ensuring network security was also recognized as a key
component; EC is very active in ensuring cyber security (e.g. the new cPPP).
On the issue of procurement demands (national certification system requirements) he suggested
the system of mutual recognition as a possible solution.
Mark Smitham (DG CONNECT) added that a workshop on cloud security was held in March 2016,
and one of its major highlights was an appeal for sharing best practices. So far, the question of
whether this should be an EC initiative or industry-led remains open.
2. CODE OF CONDUCT FOR CLOUD SERVICE PROVIDERS
POD thanked the drafting group for their work on the Code so far. It was recognised as a crucial
element both in the development of the cloud industry as well as creating the environment for a
single market for cloud computing services.
Hans Graux (Time.Lex - HG) initially introduced the less difficult points of contention: the draft
establishes the primacy of law, and specifies that it does not offer protection from competent
authorities' scrutiny. Overall compliance, including standard terminology, with the General Data
Protection Regulation (GDPR) has been agreed, and further updates related to this commitment
are still needed. Clearer terminology with regard to trust-making mechanisms has been adopted.
Data portability as a right of end users has also been added to the Code.
More problematic issues include liability and applicability of national laws; it has been agreed that
in relation to data protection issues, the legislation of at least one MS should apply. The Article 29
Working Party (WP29) had suggested more transparency on data location information, including
exact physical addresses being publicly available. However it was decided not to include this for
privacy and security reasons. Data Protection Authorities (DPAs) could have problems with this so
a compromise has been reached – such lists will only be available to DPAs and not to customers. A
list of data processing locations – without actual addresses – should be available for customers.
These lists must be accurate, kept up-to-date and made available to the customers at all times. In
relation to audit rights, the need of customers to be able to assess compliance of cloud providers
has been recognized. Nonetheless, physical audits (visits to data storage locations) are held not to
be the only way, as there exist alternative ways of providing appropriate levels of inspection, such
as availability of documents, access to information, etc.
On the issue of international transfers of data, several inconsistencies have been removed in the
latest draft. References to GDPR on law enforcement requests have been added, as well as a
detailed description of security measures. On governance, the bodies remain the same (general
assembly, steering board, secretariat, monitoring body), and some of their roles have been
aligned with the GDPR. The Steering board now also has an appeals role, which should improve
overall appeals procedures. Following some criticism on possible conflicts of interest, additional
measures have been taken in order to prevent such conflicts.
HG concluded with some open points that need to be addressed, such as certification schemes,
where gaps are always to be expected and existing instruments must be used to mitigate
them. Different levels of compliance, from self-attestation to full independent audit
(green, bronze, silver and gold), are described in the mapping matrix. A possibly lower level of
assurance for end users was recognised as one of the shortcomings of allowing self-declarations,
which should be taken into account when deciding whether long-term support for self-declarations will
be provided. Another topic to be addressed is the processing of sensitive data and other special
categories of data.
Since it is not feasible to address the various specific scenarios in a single document, individual
guidelines for specific scenarios have been considered, e.g. by data type, by sector, by role, etc.
These could impose stricter obligations where appropriate for targeting specific needs.
Lastly, HG stressed the need for a strategic decision on next steps: whether to resubmit the latest
draft to WP29 and request feedback, perhaps approaching national DPAs for their opinion, or to
enter the market directly with the final version of the Code.
In the ensuing discussion with participants, it was emphasised that compliance with the Code
does not assure the safety of the cloud in general; admittedly, this is implied, but it should be
clear that it is not within the scope of the initiative. HG also emphasized that partial compliance
with the code is not possible, with the exception of opting only for specific services.
Following the discussion, POD concluded that the substance of the C-SIG Code was agreed, and
that final details of the governance structure needed to be completed, upon which the Code
would be finalised. This would constitute a "release 1.0" of the Code, to which several C-SIG
members were committed to subscribing. As for the WP29, informal contacts were the best
solution, and a more formal submission could be considered when we had some experience with
the Code and the governance structure was fully operational.
3. CODE OF CONDUCT FOR INFRASTRUCTURE
Alban Schmutz (OVH – AS) gave an overview on the development of a separate Code of Conduct
for Infrastructure Service Providers, a project from the new Cloud Infrastructure Service Providers
in Europe (CISPE), a group of IaaS providers in Europe. The current version of the CISPE code is to
be made available to all C-SIG participants. AS emphasized that services from cloud IaaS providers
differ considerably from SaaS, therefore some key points of the CISPE code are distinct (e.g.
terminology, transparency regarding data locations). WP29's comments on the C-SIG Code and
the GDPR have been taken into account, and the draft is at an advanced stage. For the moment, it
is only applicable to providers that restrict data transfers to within the EU. In terms of
governance, SMEs have been given significant influence. The CISPE code should be an appropriate
and efficient instrument for the specifics of the cloud infrastructure sector.
POD inquired how cloud providers that offer a combination of infrastructure and software
services are able to adhere or comply with the CISPE code, and also what aspects of the C-SIG
code were not applicable. AS clarified that service providers are able to declare different services
for both Codes of Conduct and could comply with both, depending on the service.
C-SIG members raised a concern on the proliferation of codes and certification marks, and
proposed an eventual convergence of the two codes. AS assured the meeting that a consolidation
with the C-SIG Code is envisaged for the future as their objective is the same, namely GDPR
compliance.
HG reiterated the need for a dialogue for identifying interconnections between the two codes.
4. PRESENTATION OF THE RESULTS OF THE STUDY "MEASURING THE ECONOMIC IMPACT OF CLOUD
COMPUTING IN EUROPE" – DELOITTE
Sebastiaan Van der Peijl (Deloitte - SVP) presented an overview of the study, including key trends
and barriers, policy measures for discussion and the cost benefit analysis of cloud computing in
Europe.
The objectives of the study were to analyse the cloud computing market in the EU, and provide
quantitative estimates on the impact of cloud computing in the EU. This encompasses a cost-
benefit analysis and the development of different policy options scenarios. The study was
executed in the context of the DSM strategy (e.g. Free Flow of Data initiative, European Cloud
Computing Strategy, Integrated Standardisation plan) as well as additional measures and focused
on professional users of cloud services (e.g. Code of Conduct, SLAs etc.).
The results of the study show that cloud computing technology has become increasingly
widespread, that adoption has grown steadily, and that growth is expected to be sustained over the next 10
years. According to SVP, cloud computing constitutes an important driver for the EU, bringing
major benefits and significant macroeconomic impact, and will lead to benefits for professional users
of such cloud services. However, in order to unleash the potential of cloud computing, the issue
of limited take-up, which varies strongly across MS, must be addressed.
The key barriers identified by the study can be classified as high-, medium- and low-
impact barriers with different effects, such as lower adoption and/or higher costs or lower
sales/turnover. For both users and providers, data location restrictions represent the
strongest high-impact barrier and are still widespread in Europe, with differing motivations behind them.
SVP then turned to policy measures for removing data location restrictions related to the Free Flow
of Data initiative. This requires an assessment of the current rationale and justification for such
barriers, and of how to overcome them in terms of the appropriate legislative response. Empirical
analysis of the link between the regulation of data services and domestic downstream economic
performance at industry level showed that regulatory restrictions tend to reduce productivity
and economic output in those industries that are relatively dependent on data services.
Graham Taylor (Open Forum Europe – GT) opened the panel discussion on the impacts of data
location restrictions for the various stakeholders and potential legislative action. He pointed out
that there will be a major difference between personal and non-personal data and that not only
the availability of data is at stake, but also the data services built on top of the data. Furthermore,
it was emphasised that cloud services comprise various types of services and that data location
restrictions have in fact already affected the cloud market. GT highlighted that cloud should be
seen as an exemplar for the wider free flow of data.
HG identified security requirements, the availability of data for different purposes and the
expertise needed to understand and comply with such requirements as some of the most
common reasons for imposing restrictions on SMEs. However, HG pointed out that, particularly from a
security and privacy perspective, data location restrictions might lead to more exposure
to risk rather than less. Furthermore, from a technical standpoint, data location
restrictions are not feasible, impede efficiency and prevent the roll-out of innovative
technologies. According to HG, the resulting higher burden on SMEs disrupts competition.
Sebastiano Toffaletti (Digital SME Alliance - ST) acknowledged the accuracy and added value of
the study. However, ST emphasized that addressing other issues would contribute more
efficiently to the competitiveness of EU providers. For ST the key issue is not data location
restrictions, but rather jurisdictional problems stemming from contracts and the complexity of the
VAT system, which impose a significant burden on SMEs. Furthermore, tax avoidance by global
players and a lack of comparability between services also affect fair and effective competition
heavily. Such issues require prioritized attention in order to enable EU companies to grow and
establish themselves at EU and international level instead of facilitating oligopolies by removing
barriers.
Carlo Daffara (Cloudweavers Ltd - CD) pointed out that Europe is at the very beginning of the
uptake of the cloud and that by the time legislation takes effect the cloud market will have
already changed considerably. The removal of data location restrictions could save service
providers 5-10% which is a substantial improvement. The actual economic impact for individual
users is relatively small, since restrictions are applicable only to specific types of data (small
share). However, other issues such as jurisdictional and contractual uncertainties and a lack of
knowledge constitute a stronger disincentive for cloud users. The removal of data location
restrictions will have a positive impact on users, a slightly negative effect on SMEs while
advantaging large companies. Accordingly, short term actions of a complementary nature
addressing other issues are needed.
Maurice Van der Woude (BPdelivery B.V. - MVW) referred to an internal survey of end users of
cloud computing, which has shown that high cost and the lack of information on cloud prevent
most users from migrating to the cloud. This illustrates the potential to be unleashed.
Freddy Van den Wyngaert (Chairman Euro-CIO, and CIO Agfa-Gevaert NV – FVW) identified
costs and pricing models, trust issues and the comparability issue as the main reasons for the
low uptake. Jonathan Sage (IBM – JS), Mark Lange (Microsoft – ML) and Stephane Ducable
(AWS – SD) made clear that mostly the user community and demand dictate investments in new
data centres. But, redundancy, latency and in some situations regulatory restrictions also
constitute critical criteria. Therefore influencing demand would require action at the European
level. Helmut Fallmann (Fabasoft – HF) identified jurisdiction and latency to be the most
important criteria. Mark Smitham (DG CNECT) confirmed the jurisdictional problem in reference
to the English and Welsh legal system vs the Scottish legal system in the UK. HG acknowledged
that the importance of jurisdiction was underestimated and pointed at better and more
accessible online dispute resolution mechanisms as a possible answer to that problem.
Joe Alhadeff (Oracle – JA) added that data localisation must be understood in its global remit and
that, beyond SMEs, the ecosystem as a whole must be scrutinised.
POD concluded that market sentiment obviously plays an important role, which must be overcome through
education and through clarification of actual restrictions vs. presumed restrictions. Further,
POD recognized that SMEs in the cloud market are important, but obviously SMEs in all sectors
who can benefit from cheaper cloud services are a higher priority to the EC.
5. FURTHER ACTIONS AND FUTURE ROLE OF THE C-SIG
Finally, POD elaborated on the future role of the C-SIG in light of the cloud computing actions. He
recalled the cloud computing strategy and its key actions. The principal issues currently
influencing cloud policy are the GDPR, the ECI, the priorities for ICT Standardisation, and the NIS Directive,
and some key actions and work streams have been set up in order to address these challenges;
these are described in detail in individual papers distributed among the participants.
Cloud certification schemes need further attention, and C-SIG's role is crucial in reaching the
objectives. The public sector should be encouraged to choose cloud services, and the system
needs to correspond to procurement needs. A need for a C-SIG group on certification was
recognised, which would hold a different mandate from the existing C-SIG certification working group, in
order to cooperate with the EC to reach and realise the ECI's objectives. Supporting the
implementation of the NIS Directive would also be one of the purposes of this group.
In relation to ICT standardisation, a C-SIG working group on cloud standards should be
established.
With regard to Service Level Agreements, further collaboration with DG Justice is required.
Standard contract clauses will be considered for the future.
Main stakeholder groups for the identified work streams include Users, Public Sector Users,
ENISA, ESOs, Certification Bodies and Providers. A wider membership of the C-SIG could also be
considered.
POD invited the participants to discuss the challenges facing the industry and whether the
suggested work streams are appropriate for addressing them.
Joe Alhadeff (ORACLE - JA) raised a concern over the lack of cooperation and coordination
between the different work streams, which should be able to collaborate towards the same end. POD
acknowledged an overlap on certification and agreed that lessons should be learned from past experience.
Substantial global developments in the field of ICT standardisation were recognised, and it was
suggested that these be taken on board and that the C-SIG engage further in this process.
Mark Smitham (DG CNECT) called on participants to reflect on the previously distributed paper on
C-SIG ICT standardisation proposed actions and work streams. It was pointed out that
information sharing between companies or groups of companies on standardisation
activities should be encouraged.
Freddy Van den Wyngaert (EuroCIO) emphasised the benefits to users resulting from these
efforts. However, business cases still need to mature and improve. JA agreed, but also stressed
that flexibility within economic models should remain guaranteed. In response to previous
appeals to improve or expand the scope of activities, he noted that the C-SIG Code should be the
priority, with additional or new directions being taken upon completion of this document.
POD highlighted the lack of SME involvement in this process due to their limited capacity, and the
need to include them through cooperation with intermediaries and associations. One other
weakness is the failure to include users and to give them an equal voice in the policy-making process.
C-SIG members enquired whether EC could coordinate an intersection between industry,
governments and CIOs. POD remarked that DG DIGIT is already coordinating this, but further
exploration of possibilities could be considered. He also stressed the importance of identifying
areas where user groups are able and willing to participate.
POD concluded the session by emphasizing that the C-SIG Code is a current priority, thanked all
the participants for their cooperation and closed the plenary meeting.