Policy and legislation
Policy objectives
Establishing a coherent framework and conditions for cloud computing was one of the key priorities of the digital agenda for Europe. The digital single market strategy confirmed the importance of cloud computing, which is driving a paradigm shift in the delivery of digital technologies, enhancing innovation, the digital single market and access to content.
EC perspective and progress report
The key role of cloud computing is established through the European Cloud Initiative and through the initiative on Building a European Data Economy. Cloud computing is developing fast. Estimates indicate that these developments could lead to the growth of the European cloud market from €9.5bn in 2013 to €44.8bn by 2020, i.e. almost five times the market size in 2013. The latest Eurostat data available (end of 2018) shows the current state of play in the European Union regarding the use of cloud computing by enterprises. The main findings are summarised below:
- 26 % of EU enterprises used cloud computing in 2018, mostly for hosting their e-mail systems and storing files in electronic form.
- 55 % of those firms used advanced cloud services relating to financial and accounting software applications, customer relationship management or to the use of computing power to run business applications.
- In 2018, many more firms used public cloud servers (18 %) than private cloud servers (11 %), i.e. infrastructure for their exclusive use.
- Compared with 2014, the use of cloud computing increased particularly in large enterprises (+21 percentage points).
The development of the cloud computing market and the efficient delivery of cloud services particularly depend on the ability to build economies of scale. The establishment of a Digital Single Market will unlock the scale necessary for cloud computing to reach its full potential in Europe.
In 2012, the Article 29 data protection working party issued an opinion on cloud computing. This opinion outlined how the wide-scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed.
The proposed actions follow the direction as outlined in the EU Communication on ICT standardisation priorities which identified cloud as a key priority for Europe. The actions include a follow-up of cloud standards coordination started in 2012/2013 when the Commission asked ETSI to coordinate stakeholders to produce a detailed map of the necessary standards (e.g. for security, interoperability, data portability and reversibility).
The Cloud Select Industry Group (C-SIG) has been open to all organisations, groups and individuals that have a professional interest in cloud computing matters and are active in the European cloud market. The Communication "Unleashing the Potential of Cloud Computing in Europe" (2012) identified key actions to be supported by Cloud Select Industry Groups. See section C1 below.
The Commission is also pursuing international cooperation in the field of cloud computing, and a number of policy and joint research initiatives have been put in place with Japan, Brazil and South Korea and are ongoing with the USA.
The Commission has also funded the CloudWatch2 project which, among other things, reported on the status of interoperability and security standards, developed a catalogue of cloud services and mapped EU cloud services and providers.
When it comes to certification and ways for customers to know and be assured that their data is equally safe no matter where they are located or who provides the service, the Commission launched the study Certification Schemes for Cloud Computing (SMART 2016/0029) and a public consultation which ended in October 2017.
With a view to facilitating a fair market for consumers, the Commission also launched a study on Switching cloud providers (SMART 2016/0032) to collect evidence on legal, economic, and technical issues when switching providers.
In April 2018 the Commission launched two DSM (Digital Single Market) Cloud Stakeholder groups (https://ec.europa.eu/digital-single-market/en/news/cloud-stakeholder-working-groups-start-their-work-cloud-switching-and-cloud-security). The DSM Working Group on Cloud Certification Scheme will begin exploring an EU certification scheme on cloud security. The Group consists of national cyber security authorities, cloud service providers, cloud service customers as well as auditing entities.
The European Security Certification Framework (EU-SEC) strives to address the security, privacy and transparency challenges associated with the greater externalisation of IT to Cloud services. EU-SEC will create a certification framework under which existing certification and assurance schemes can co-exist. EU-SEC is funded by Horizon 2020 and publishes its results at www.sec-cert.eu.
The other DSM Cloud Stakeholder group (working group on cloud switching/porting data, SWIPO) will define self-regulatory codes of conduct to facilitate data portability and cloud switching. These portability codes are intended to support article 6 of the proposed free-flow of non-personal data regulation due to be completed by the end of 2018. The objective of SWIPO is to reduce the risk of 'vendor lock-in', as it will be easier to switch providers when it is clear which processes, technical requirements, timeframes and charges apply in case a professional user wants to switch to another provider or port data back to its own IT systems.
The JRC published a study on the relationship of open source software and standards setting at the end of 2019 (https://ec.europa.eu/jrc/en/publication/eur-scientific-and-technical-research-reports/relationship-between-open-source-software-and-standard-setting). The objective of the study was to identify possible commonalities and barriers for interaction between standardisation and open source (OSS) processes and in particular the interplay between OSS and FRAND licensing in standardisation.
References
- COM(2016)176 "ICT Standardisation priorities for the digital single market"
- COM(2016)178 "European cloud initiative — building a competitive data and knowledge economy in Europe" (Along with SWD(2016)106 and SWD(2016)107)
- COM(2012)529 "Unleashing the potential of cloud computing in Europe"
- COM(2015)192 "A digital single market strategy for Europe"
- Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Directive).
'The new cloud computing action programme comprises four fields of activity: harnessing innovation and eIDAS market potential (research programme for secure Internet services, cloud computing for small and medium-sized enterprises and the public sector — trusted cloud); creating a pro-innovative framework (security and legal framework, standards, certification); co-shaping international developments; providing informational guidance'.
Requested actions
The Communication on ICT Standardisation Priorities for the digital single market proposes priority actions in the domain of Cloud. Actions mentioned below reflect some of them.
Action 1: Identify needs for ICT standards and open source technologies to further improve the interoperability, data protection and portability of cloud services and continue or start respective development activities. This should also take into account available open source technologies and their role for interoperability, data protection and management of multiple clouds.
Action 2: Promote the use of the ICT standards needed to further improve the interoperability, data protection and portability of cloud services as well as multi-cloud management.
Action 3: Further strengthen the interlock between standardisation and open source in the area of Cloud and establish and support bilateral actions for close collaboration of open source and standardisation.
Action 4: Promote international standards on service level agreements (SLAs) and usage of the cloud code of conduct (CoC).
Action 5: ESOs are asked to update the mapping of cloud standards and guidelines for end-users (especially SMEs and the public sector), in collaboration with international SDOs, cloud providers and end users. This action could also draw on the material developed, e.g. to update the standards mapping carried out by cloud standards coordination phases 1 & 2.
Action 6: Promote the use of the ISO/IEC JTC 1 reference cloud architecture and define generic cloud architecture building blocks. Map available standards to the generic cloud architecture building blocks. Define privacy, security and test standards for each building block. This will also help determine which standards can be used for open cloud platforms and architectures taking into account the key role of open source for cloud infrastructure design and implementations.
Activities and additional information
Related standardisation activities
CEN-CENELEC
When it comes to Cloud Security, CEN-CLC/JTC 13 'Cybersecurity and Data protection' mirrors the activities of ISO/IEC JTC 1 SC 38 'Cloud Computing and distributed platforms', and considers in this respect the potential adoption of International Standards as European Standards, where market relevant. CEN-CLC/JTC 13's scope covers the development of standards for cybersecurity and data protection covering all aspects of the evolving information society. This includes notably: Management systems, frameworks, methodologies; Data protection and privacy; Services and products evaluation standards suitable for security assessment for large companies and small and medium enterprises (SMEs); Competence requirements for cybersecurity and data protection; Security requirements, services, techniques and guidelines for ICT systems, services, networks and devices, including smart objects and distributed computing devices.
ETSI
In January 2016, the (now closed) ETSI Cloud Standards Coordination (CSC) Task Force produced four reports on user's needs, on standards and open source, on interoperability and security, and on standards maturity assessment, available under http://csc.etsi.org/.
Network Functions Virtualisation (NFV) adapts standard IT virtualisation technologies, consolidating heterogeneous network infrastructures based on disparate, ad hoc equipment types onto industry standard servers, switches and storage. This sees network functions running as software on a homogeneous ‘off the shelf’ infrastructure that can be introduced to various network locations as needed.
ETSI’s NFV Industry Specification Group (ISG) is developing enhancements of the NFV architecture for providing “PaaS”-type capabilities and supporting virtualised network functions (VNFs) which follow “cloud-native” design principles. It is also developing a specification of criteria to help characterize cloud-native VNFs.
Multi-access Edge Computing (MEC) provides IT and cloud computing capabilities within the access segments of network infrastructure, in close proximity to network users. ETSI’s ISG on MEC is developing a set of standardized Application Programming Interfaces (APIs) to enable MEC services. To application developers and content providers, the access network offers a service environment with ultra-low latency and high bandwidth and direct access to real-time network information that can be used by applications and services to offer context-related services.
ETSI ISG NGP is investigating communications and networking protocols to provide the scale, security, mobility and ease of deployment required for a connected society. The industry has reached a point where forward leaps in the technology of the local access networks (such as LTE-A, G.FAST, DOCSIS 3.1 and 5G) will not deliver their full potential unless, in parallel, the entire infoComms protocol stacks evolve more holistically. The driving vision is a considerably more efficient Internet that is far more attentive to user demand and responsiveness — whether “the user” is human or millions of things. Therefore, the ISG will stimulate closer cooperation over standardisation efforts for generational changes in communications and networking technology.
ISO/IEC
ISO/IEC JTC 1/SC 38 Cloud computing and distributed platforms:
A full suite of standards is available and in progress in ISO/IEC JTC 1 SC 38 on cloud computing technologies including, most notably, the ISO Cloud Reference Architecture but also work on vocabulary, SLAs, etc. This is complemented by work in ISO/IEC JTC 1 SC 27 on cybersecurity and by more specific work, such as on virtualisation. Below is a non-exhaustive list of relevant ISO standards.
http://www.iso.org/iso/jtc1_sc38_home
ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018 — Code of practice for personally identifiable information (PII) protection in public cloud acting as PII processors
ISO/IEC 27036-4 — Information security for supplier relationships — Part 4: Guidelines for security of cloud services
ISO/IEC 19086-1 — Cloud computing — service level agreement (SLA) framework — Part 1: Overview and concepts
ISO/IEC 19086-2 — Cloud computing — Service level agreement (SLA) framework — Part 2: Metric model
ISO/IEC 19086-3 — Cloud computing — Service level agreement (SLA) framework — Part 3: Core conformance requirements
ISO/IEC 19086-4 — Cloud computing — Service level agreement (SLA) framework — Part 4: Components of security and of protection of PII
ISO/IEC 19941 — Cloud Computing — Interoperability and portability
ISO/IEC 19944 — Cloud Computing — Cloud services and devices: data flow, data categories and data use
ISO/IEC TR 22678 — Cloud Computing — Guidance for Policy Development
ISO/IEC TR 23186 — Cloud computing — Framework of trust for processing of multi-sourced data
ISO/IEC NP TR 23187 — Cloud computing — Interacting with cloud service partners (CSNs) (work in progress)
ISO/IEC PDTR 23613 — Cloud service metering and billing elements (work in progress)
ISO/IEC AWI 23751 — Cloud computing and distributed platforms — Data sharing agreement (DSA) framework (work in progress)
ISO/IEC TR 23951 — Cloud computing — Best practices for cloud SLA metrics (work in progress)
ISO/IEC 22624 — Cloud Computing — Taxonomy based data handling for cloud services (final stages of approval)
ISO/IEC CD 22123 — Cloud Computing — Concepts and terminology (work in progress)
ISO/IEC TS 23167 — Cloud Computing — Common Technologies and Techniques (work in progress)
ISO/IEC TR 23188 — Cloud computing — Edge computing landscape (work in progress)
ITU
ITU-T SG13 leads ITU's work on standards for future networks and 5G and is the primary SG working on cloud computing. To this end, it approved 20 Recommendations covering different aspects of cloud computing from terminology and overview to reference architecture and functional requirements for technologies supporting XaaS and inter-cloud computing and distributed cloud.
Y.Sup49 to the ITU-T Y.3500-series, the cloud computing standardisation roadmap, contains a matrix showing the deliverables of different SDOs/ITU against the different cloud-related categories and sub-related technologies: https://www.itu.int/rec/T-REC-Y.Sup49/en (11/2018)
Also, SG13 is progressing the work on management of distributed cloud, risk management, cloud service brokerage, data storage federation, containers and micro-services requirements for physical machinery, requirements for cloud service development and operation management, inter-cloud data management and inter-cloud trust management.
In the domain of Big Data, ITU-T generated standards and supplementary material (since 2013) have been captured in the flipbook “Big Data – Concept and application for telecommunications” (https://www.itu.int/en/publications/Documents/tsb/2019-Big-data/index.html#p=166) (July 2019). This publication covers the overview, requirements, capabilities, BDaaS category, data exchange, data provenance, security aspects of big data described in 13 Recommendations and two Supplements. One of the latter is Supplement 40 to Y.3600: Big data standardisation roadmap (07/2016). It has an ongoing analogue, SG13 draft Supplement on Big Data roadmap, TD425/WP2/13. Both editions of the roadmap represent the description of concept and collection of the approved and ongoing work (of ITU and other SDOs) on big data along with the mapping matrix of each SDO work to the big data related technology domains.
The cloud computing roadmap, maintained by SG13, lists and points to cloud computing standardisation efforts deliverables across telco/IT industry: https://extranet.itu.int/sites/itu-t/Roadmaps/SitePages/JCA-Cloud-Standard.aspx
Current work on big data in SG13 is focussed on big data driven networking approach, conceptual model of metadata, data integration and data preservation.
More info: https://www.itu.int/en/ITU-T/studygroups/2017-2020/13
This work is complemented by ITU-T SG11 for cloud computing conformance and interoperability testing and SG17 for cloud computing security. SG11 approved/agreed:
- Supplement 65 on “Cloud computing interoperability activities”,
- Recommendation ITU-T Q.4040 on “The framework and overview of Cloud Computing interoperability testing”,
- Recommendation ITU-T Q.4041.1 on “Cloud computing infrastructure capabilities interoperability testing - part 1: Interoperability testing between the CSC and CSP”,
- Recommendation ITU-T Q.4042.1 on “Cloud interoperability testing for web applications - part 1: Interoperability testing between the CSC and CSP”,
- Recommendation ITU-T Q.4043 on “Interoperability testing requirements for virtual switches”.
More info: https://itu.int/go/tsg13
ITU-T SG17 on “Security” has approved one Recommendation on “Data security requirements for the monitoring service of cloud computing” (ITU-T X.1603) and is in the process of approving Recommendation ITU-T X.1605 “Security requirements of public infrastructure as a service (IaaS) in cloud computing” and Recommendation ITU-T X.1604 on “Security requirements of network as a service (NaaS) in cloud computing”. SG17 has also commenced work on “Security guidelines for container in cloud computing environment” (X.sgcc), “Security guidelines for distributed cloud” (X.sgdc), “Security guidelines for multi-cloud” (X.sgmc), “Security requirements of cloud-based platform under low latency and high reliability application scenarios” (X.sr-cphr) and “Requirements of network security situational awareness platform for cloud computing” (X.nssa-cc).
More details here: https://www.itu.int/en/ITU-T/studygroups/2017-2020/17
IEEE
In addition to continuing work on cloud computing standards projects, IEEE has new standards projects on edge and fog computing, which further distribute and disperse computing assets. <https://ieeesa.io/rp-cloudcomputing>
IETF
The IETF has multiple groups working on standards for virtualization techniques, including techniques used in cloud computing and datacenters.
The Layer 2 Virtual Private Networks (L2VPN) Working Group produced specifications defining and specifying solutions for supporting provider-provisioned Layer-2 Virtual Private Networks (L2VPNs). They also addressed requirements driven by cloud computing services and data centers as they apply to Layer-2 VPN services. The L2VPN Service Model (L2SM) Working Group is tasked with creating a data model that describes an L2VPN service.
The Layer 3 Virtual Private Networks (L3VPN) Working Group was responsible for defining, specifying and extending solutions for supporting provider-provisioned Layer-3 (routed) Virtual Private Networks (L3VPNs). These solutions provide IPv4, IPv6, and MPLS services including multicast.
The Layer Three Virtual Private Network Service Model (L3SM) Working Group was tasked to create a YANG data model that describes an L3VPN service (an L3VPN service model) that can be used for communication between customers and network operators, and to provide input to automated control and configuration applications.
The Network Virtualization Overlays (NVO3) Working Group develops a set of protocols and extensions that enable network virtualization within a datacenter environment that assumes an IP-based underlay. An NVO3 solution provides layer 2 and/or layer 3 services for virtual networks enabling multi-tenancy and workload mobility, addressing management and security issues.
The System for Cross-domain Identity Management (SCIM) Working Group worked on standardising methods for creating, reading, searching, modifying, and deleting user identities and identity-related objects across administrative domains, with the goal of simplifying common tasks related to user identity management in services and applications. https://trac.ietf.org/trac/iab/wiki/Multi-Stake-Holder-Platform#Cloud.
OGF
Open Grid Forum (OGF) is a leading standards development organisation operating in the areas of grid, cloud and related forms of advanced distributed computing. The OGF community pursues these topics through an open process for development, creation and promotion of relevant specifications and use-cases. http://www.ogf.org/
OMG
Object Management Group (OMG): the OMG's focus is always on modelling, and the first specific cloud-related specification efforts have only just begun, focusing on modelling deployment of applications & services on the clouds for portability, interoperability & reuse. http://www.omg.org/
Hosted by the OMG is the Cloud Standards Customer Council, which has produced a series of customer-oriented white papers on diverse topics related to cloud computing, all of which are publicly accessible at: http://www.cloud-council.org/resource-hub.htm
OneM2M
The oneM2M specifications foresee distributed computing capabilities and data management and storage. The oneM2M system itself acts as a cloud when the data are centralized. At the same time, cloud services may be used to support the storage capabilities of oneM2M as an alternative to the direct integration of dedicated databases. Guidelines for this case are provided in ETSI TR 103 527 V1.1.1 (2018-07) SmartM2M; Virtualized IoT Architectures with Cloud Back-ends.
OASIS
OASIS hosts multiple standardisation projects for cloud computing management, interoperability and functionality, including:
- Cloud Application Management for Platforms (CAMP): https://www.oasis-open.org/committees/camp
- Cloud Authorisation project, the OASIS Identity in the Cloud project: https://www.oasis-open.org/committees/id-cloud
- OASIS Open Data Protocol (OData): https://www.oasis-open.org/committees/odata
- Topology and Orchestration Specification for Cloud Applications (TOSCA): https://www.oasis-open.org/committees/tosca
The OASIS TOSCA TC and ETSI NFV ISG are cooperating to provide comments on each other's specifications, and sharing content, so as to align their Network Functions Virtualisation (NFV) service models and specifications.
https://www.oasis-open.org/committees/tc_cat.php?cat=cloud
OFE
Recently Open Forum Europe (OFE) carried out a study on behalf of the European Commission, entitled “Standards and Open Source: bringing them together”. The aim of this study was to analyse and make practical progress on the collaboration models between SDOs and cloud open source software development initiatives, and to develop a roadmap of actions to improve the integration of open source communities in the standard setting process. https://ec.europa.eu/digital-single-market/en/news/standards-and-open-source-bringing-them-together
Other activities related to standardisation
BSI
Cloud Computing Compliance Controls Catalogue (C5)
The C5 defines a baseline for cloud security, divided into thematic sections (e.g. organisation of information security, physical security), using mostly recognised security standards. C5 outlines prerequisites for a conformity assessment using international standards (ISAE 3000, ISAE 3402), adding cloud specific requirements, especially for transparency.
C-SIGs
The Cloud Select Industry Groups are a contribution from Europe to the global cloud standardisation community.
- Cloud Select Industry Group on Code of Conduct: the European Commission has been working with industry to finalise a code of conduct for cloud computing providers. The code of conduct supports a uniform application of data protection rules by cloud service providers. The Code of Conduct for Protection of Personal Data in cloud services was published in June 2016. It has a strong relationship with the ISO/IEC 27018 standard.
- Cloud Select Industry Group on Service Level Agreements: the goal of this subgroup is to work towards the development of standardisation guidelines for SLAs for cloud services. Work was submitted to the ISO/IEC SC38 committee as input to the work on the 19086 standards.
- Cloud Select Industry Group on Certification Schemes: the Digital Single Market Strategy 2015 (DSM) committed the European Commission to delivering a European Cloud Initiative, including certification.
GICTF
Global Inter-Cloud Technology Forum (GICTF) is promoting standardisation of network protocols and the interfaces through which cloud systems inter-work with each other, to promote international interworking of cloud systems, to enable global provision of highly reliable, secure and high-quality cloud services, and to contribute to the development of Japan’s ICT industry and to the strengthening of its international competitiveness. http://www.gictf.jp/index_e.html.
OCC
The Open Cloud Consortium (OCC) supports the development of standards for cloud computing and frameworks for interoperating between clouds; develops benchmarks for cloud computing; and supports reference implementations for cloud computing, preferably open source reference implementations. The OCC has a particular focus in large data clouds. It has developed the MalStone Benchmark for large data clouds and is working on a reference model for large data clouds. https://www.occ-data.org/
TM Forum
TM Forum: The primary objective of TM Forum’s Cloud Services Initiative is to help the industry overcome these barriers and assist in the growth of a vibrant commercial marketplace for cloud-based services. The centrepiece of this initiative is an ecosystem of major buyers and sellers who will collaborate to define a range of common approaches, processes, metrics and other key service enablers. https://www.tmforum.org/ioe/
SNIA
Storage Networking Industry Association (SNIA): The Cloud Work Group exists to create a common understanding among buyers and suppliers of how enterprises of all sizes and scales of operation can include cloud computing technology in a safe and secure way in their architectures to realise its significant cost, scalability and agility benefits. It includes some of the industry’s leading cloud providers and end-user organisations, collaborating on standard models and frameworks aimed at eliminating vendor lock-in for enterprises looking to benefit from cloud products and services. http://www.snia.org/cloud
Additional information
Open source projects address particular aspects of cloud computing (e.g. OpenStack (IaaS), the Open Networking Foundation (ONF), Cloud Foundry (PaaS), Docker (container technology) and Kubernetes) and as such, open source communities should be encouraged to collaborate with standardisation and submit their APIs for standardisation.