52014SC0214

1. Introduction

In September 2012 the European Commission adopted the Communication entitled 'Unleashing the Potential of Cloud Computing in Europe'[1] with the objective to stimulate the use and adoption of cloud computing across all sectors of the European economy.

The Communication highlights the potential benefits of cloud computing for the European economy and includes actions that will eventually deliver a net gain of 2.5 million new European jobs and a boost of EUR 160 billion to the European Union GDP in 2020.

Cloud computing is an important enabler for development for citizens, businesses and public administrations in all sectors of the European economy, including the data value chain. The transfer, processing and storage of data, including the analysis of large data sets for big data applications, require interoperable services, platforms and infrastructures that are widely accessible, that can be provisioned rapidly and that are scalable. Cloud computing can provide these benefits and the further use and adoption of cloud computing in Europe supports a data-driven economy.

The European Council recognised the interplay between cloud computing and big data by calling for EU action to provide the right framework conditions for a single market for Big Data and Cloud Computing in its conclusions of October 2013. In particular, the European Council noted the need for promoting high standards for secure, high-quality and reliable cloud services.[2]

The Communication on 'Unleashing the Potential of cloud computing in Europe' complements several on-going actions of the Commission under the Digital Agenda for Europe as regards the achievement of a single market, such as related to cybersecurity and data protection. In addition, it contains three key actions in respect of standards and certification; development of safe and fair contract terms and conditions; and the launch of the European Cloud Partnership with the aim to bring together the public and the private sector. Additional policy recommendations on e-skills and engagement in international dialogue with third countries are included as well.

The Communication commits the Commission to report on the progress on the full set of actions, present further policy options and, if necessary, legislative proposals. This staff working document is used to report on the results of and state of play as regards on-going actions and the foundation for further follow-up actions in the field of cloud computing.

2. Progress on activities targeted at the digital single market

The Communication recognises the fragmentation of the digital single market as a key area where actions are needed to support the use and adoption of cloud computing in Europe. In particular the EU’s data protection reform package that has the objective to build a single, modern, strong, consistent and comprehensive data protection framework for the European Union is recognised as an important factor to address data protection issues that are raised by cloud computing.

Copyright aspects of cloud computing are considered as a very important issue for building the digital single market in Europe. Published in January 2013, Mr Vitorino’s recommendations[3] for the review of the private copy levies focused on trying to fix the existing system and included suggestions to improve it. The report recognised that cloud-based online content services provide unique opportunities to be remunerated on the basis of direct licensing deals, rather than indirect compensation mechanisms on devices, such as private copying levies. Also, paragraph 30 of the European Parliament resolution of 27 February 2014 on private copying levies calls on the Commission to assess the impact on the private copying system of the use of cloud computing technology for the private recording and storage of protected works, so as to determine whether these private copies of protected works should be taken into account by the private copying compensation mechanisms and, if so, how this should be done.[4] The Commission will consider follow-up actions for the specific recommendations in the context of the on-going review of the EU copyright rules. Patent and trademark aspects related to cloud services were identified as potential areas for the further work.

As regards security, the European Strategy for Cyber Security was adopted and published by the Commission in February 2013. A Public-Private Platform on Network and Information Security was set up in order to identify risk management and information sharing/incident notification best practices and incentives to adopt them. The first output of the Platform will bring guidance on risk management and information sharing practices, and will be issued in spring 2014.

In order to address environmental challenges, the Commission is working with industry to adopt a common methodological framework for measuring the energy and carbon footprint of the ICT sector (including data centres and clouds).

Concerning e-skills, the Commission launched 'The Grand Coalition for Digital Jobs' – an initiative aimed at increasing the overall supply of digitally skilled professionals and to better match supply and demand of digital skills. The goal is to increase the supply of ICT practitioners by 2015, so as to ensure a sufficient number of them in Europe by 2020. The Commission is taking further action, in particular regarding the development of an EU reference framework for digital competences for learners and has addressed didactic digital competencies in its Opening up Education initiative.

In the field of taxation, the Commission tasked a High Level Expert Group on Taxation of the Digital Economy to examine the best ways of taxing the digital economy in the EU, weighing up the benefits and risks of various approaches. The Commission has also launched a study on issues on taxation in relation to cloud computing services.

3. Progress on key actions on cloud computing

For the implementation of the three key actions on cloud computing in respect of standards and certification, safe and fair contract terms and conditions and the launch of the European Cloud Partnership, a collaborative approach with relevant stakeholders was taken to allow the various activities to benefit from specific expertise in the field of cloud computing. In particular, a Cloud Select Industry Group with industry representatives was established to support the Commission in the implementation of the actions of the European Cloud Computing Strategy.

3.1. Standards and certification

With stakeholders' participation, the European Telecommunications Standards Institute (ETSI) completed its Cloud Standards Coordination (CSC) initiative in December 2013. ETSI delivered a comprehensive mapping of existing cloud computing standards, such as in the field of interoperability and network and information security, thereby providing more transparency in the market for cloud computing customers.[5]

In the field of cloud computing certification, the collaboration with the Cloud Select Industry Group[6] and the European Union Network and Information Security Agency (ENISA) resulted in the publication of a validated list of cloud computing relevant network and information security certification schemes in February 2014.[7] On-going work with the support of ENISA will further enhance the usability of this list of certification schemes by the end of 2014, which will also provide greater transparency in the market for cloud computing customers.[8]

Where relevant, this work will be informed by Regulation (EC) No. 765/2008 on setting out the requirements for accreditation and market surveillance relating to the marketing of products.[9]

3.2. Contract terms and conditions

As regards the safe and fair model contract terms, an expert group on model contract terms and conditions for cloud services for consumers and small firms and a working group with industry stakeholders on service level agreements for professional users were established in order to identify and disseminate best practices in respect of model contract terms for cloud services and to increase trust of prospective customers.[10] Deliverables from this working group will be published by the end of 2014.

Moreover, the collaboration with the Cloud Select Industry Group resulted in the establishment of a working group on service level agreement (SLAs). The industry group is working with the aim to deliver guidelines that define standard options for SLAs and contracts. These guidelines that are to be published by the summer of 2014[11]  will provide the basis for further concrete European contributions to standards development on cloud computing SLA standards in the ISO/IEC SC38.

Considering cloud contract-related aspects, insurance for cloud services and possible sectorial approach (e.g. for the financial sector) were identified as one of the areas for further work.

Also in the context of the Cloud Select Industry Group, another working group with was established with the objective to deliver a Data Protection Code of Conduct for cloud service providers to support a uniform application of data protection rules and to build trust and confidence in the field of cloud computing.[12] In February 2014, the Code of Conduct was submitted to the Article 29 Working Party for its opinion in order to ensure legal certainty and coherence between the Code of Conduct and EU law. The opinion from the Article 29 Working Party as well as the establishment of a governance framework for the Code is expected by September 2014.

3.3. European Cloud Partnership

The Steering Board of the European Cloud Partnership (ECP), which was set up as an advisory body to the Commission, presented its vision for a 'Trusted Cloud Europe' in March 2014.[13] Trusted Cloud Europe is a framework to support the definition of common cloud computing best practices, linking them to use cases, and applying them in practice.

The Trusted Cloud Europe framework aims to support a single market for cloud computing in Europe based on best practices and on a common understanding of these best practices, which will enable Europe to become a leader in trustworthy cloud computing provision and cloud computing adoption. Specific recommendations directed towards different stakeholders, including the Commission, Member States and industry of the ECP steering board include 1) the creation of a common framework of legal, operational and technical best practices, 2) a review of formal data location requirements (that currently still divide cloud architectures up by national jurisdiction) with the aim to replace them by functional requirements to ensure the same accessibility and security of the data, and 3) to promote an active consideration of cloud computing when procuring IT systems for public bodies.

The Trusted Cloud Europe Report has been consulted widely in the form of a public survey and questionnaire. Although not yet a formal consultation, the results of the survey and questionnaire are an important indication for further steps of the European Commission as regards the field of cloud computing. As such, the results of the survey indicate a wide support for the further development of a digital single market for cloud computing in Europe and to reinforce Europe as a region for world class cloud computing. For example, the majority of participants agree with important issues such as the need for a rapid political agreement on a fully harmonised EU data protection regulation and the need for clearer rules to resolve contractual or services disputes in the context of existing legislative instruments relevant to cloud computing, in particular for SMEs.

A clear majority of participants of the survey also underlines the need for a move from formal to functional requirements as regards data location, in order to support cross-border data flows and the development of the cloud computing market in Europe. Participants also see a role for Member States, suppliers and industry bodies to be engaged in the development of a robust framework of best practices that better facilitate the adoption of cloud computing in Europe. The survey results furthermore show support for greater consistency and clarity in procurement processes of Member States for cloud computing services, which is recognised as an important driver for the adoption of cloud computing.

Finally, respondents also expressed concerns on data sovereignty and some suggested that cloud service provider access to the market should be limited only to those established in the EU and the adequacy of the current legal framework to protect sensitive information was questioned by some. The use of appropriate security measures was found to be an important topic for almost all respondents and was linked to the implementation of the European Cybersecurity Strategy and issues like identity and access management, certification, research and innovation and the appropriateness for SMEs.

The Commission intends to respond to the Trusted Cloud Europe report and survey by consulting on a package of policy measures that include regulatory as well as market-led and co-regulatory options by 2015.

As part of the European Cloud Partnership, the pre-commercial procurement project Cloud for Europe was launched in June 2013 by a consortium of 25 partners from the public sector (EU Member States and third countries), with the aim to develop common procurement requirements for cloud computing services for the public sector in Europe.[14]

3.4. Supporting actions

The European Cloud Computing Strategy includes a number of flanking actions to support the implementation of the key actions on cloud computing. As part of those flanking actions, cloud computing is included as a priority area for research, development and innovation in the first Work Programme of the Horizon 2020 Programme.[15]

The Commission has also built on its on-going international dialogues with third countries on key themes in relation to cloud computing, notably with the United States, Japan, Korea, Brazil and with a Latin American multilateral forum (ECLAC). Concrete results of these dialogues provide a foundation for Europe to benefit from a broader cloud computing market beyond the European Union.

[1]       Communication on 'Unleashing the potential of cloud computing in Europe'. COM(2012), 529.

[2]       Conclusions of the European Council (24/35 October 2013), EUCO 169/13.

[3]       http://ec.europa.eu/internal_market/copyright/docs/levy_reform/130131_levies-vitorino-recommendations_en.pdf

[4]       http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0179

[5]       ETSI, 'Cloud Standards Coordination - Final Report', November 2013, available at http://csc.etsi.org/website/home.aspx

[6]       http://ec.europa.eu/digital-agenda/en/cloud-select-industry-group-certification-schemes

[7]       https://resilience.enisa.europa.eu/cloud-computing-certification

[8]       https://resilience.enisa.europa.eu/cloud-computing-certification/certification-in-the-eu-cloud-strategy

[9]       Regulation (EC) No. 765/2008 of the European Parliament and of the Council of 9 July 2008 on Setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93.

[10]     Commission Decision of 18 June 2013 on "setting up the Commission expert group on cloud computing contracts" (2013/C 174/04), available at http://ec.europa.eu/justice/contract/cloud-computing/expert-group/index_en.htm

[11]     http://ec.europa.eu/digital-agenda/en/cloud-computing-strategy-working-groups

[12]     http://ec.europa.eu/digital-agenda/en/cloud-computing-strategy-working-groups

[13]     European Cloud Partnership, 'Establishing a Trusted Cloud Europe: A policy vision document by the Steering Board of the European Cloud Partnership', March 2014, available at http://ec.europa.eu/digital-agenda/en/news/trusted-cloud-europe

[14]     http://www.cloudforeurope.eu/

[15]     http://ec.europa.eu/programmes/horizon2020/en/h2020-section/information-and-communication-technologies