The Cloud : Standards


Migration to the cloud heralds a host of opportunities for business, but without joined-up thinking regarding the infrastructure, legislation and standards the hoped-for benefits might not be realized. Best Execution spoke to Ken Ducatel, of DG CONNECT* about the strategy decisions being hammered out in the EU to put Europe at the forefront of cloud adoption.

What are the key drivers in developing a single policy area for cloud computing (with particular emphasis on the financial markets)?

Our main goal is to increase the competitiveness of the European economy, to facilitate growth and the creation of jobs in Europe. Today, this is not possible for the European cloud computing market. The EU’s cloud market is fragmented, as different rules apply in different member states.

This patchwork of different rules causes uncertainty, as businesses and individual users are not sure about their legal obligations (for example they don’t know where legal disputes will be resolved or how to make sure that it will be easy to move data and software between different cloud providers). They are not sure what standards and certificates they should look for to meet their requirements and legal obligations, for example to ensure that their own or their customers’ data is safe or that applications are interoperable. It is only natural that this uncertainty leads them to postpone the decision to adopt cloud solutions.

The new cloud computing strategy** will help Europe make the most of the enormous potential offered by the cloud. According to new estimates, cloud computing revenues in the EU could rise to nearly €80 billion by 2020, if policy intervention is successful (more than doubling the growth of the sector). So this strategy is about building a new industry, and better competing in the global cloud market. More broadly, we expect a net annual gain of €160 billion to EU GDP by 2020 (or a total gain of nearly €600 billion between 2015 and 2020) if the full EU cloud strategy is in place. Without that, economic gains would be two-thirds less.

These benefits largely come from businesses being able to either save money or get access to technology that makes them more productive. In terms of overall job numbers, we expect to see 3.8 million jobs generated following full implementation of the strategy, against 1.3 million if the regulatory and other policy barriers are not removed.

In terms of policy, what kind of framework do you envisage for the European cloud computing strategy?

We want a business framework that will speed up the take-up of cloud computing across the EU economy. To do this, we need to make Europe not just cloud-friendly, but also cloud-active. And this can be achieved by means of three key actions:

We plan to cut through the jungle of technical standards. Standards are emerging, but at the moment there is no common agreement as to which standards would guarantee the required interoperability, data portability and reversibility. That is why we want to identify coherent sets of useful standards to make it easier for the demand and supply sides to organise themselves.

We want Safe and Fair Contract Terms and Conditions to address issues not covered by the Common European Sales Law such as: data preservation after termination of the contract, data disclosure and integrity, data location and transfer, ownership of the data or direct and indirect liability. Identifying and developing consistent solutions in the area of contract terms and conditions is a way of encouraging wide take up of cloud computing services by increasing trust by consumers.

We are promoting common public sector leadership through a European Cloud Partnership (ECP). This Partnership will bring together public procurement authorities and industry consortia to implement pre-commercial procurement actions. This will allow them to identify public sector cloud computing requirements, to develop specifications for IT procurement, and to procure reference implementations. They will thus be able to advance towards common and even joint procurement of cloud computing services by public bodies on the basis of common user requirements.

Are security and privacy the main challenges, and if so what can be done to allay the fears?

Security is one of the main challenges of cloud computing – though we should bear in mind that risks in the cloud do not necessarily differ much technically from already known risks. However, in the cloud, these risks can amplify quickly and easily, and this increases the effects on multiple clients simultaneously. Cloud-specific security risks relate to the multi-tenancy and shared resources character of cloud computing. They are related, for example, to access control, data storage, data protection, data portability, data integrity and virtualisation. In the cloud, the user cedes control of the security to the service provider; it is thus more difficult for the user and the provider to agree on sufficient assurance levels for the service. This is probably why the cloud is perceived to be less secure.

Privacy risks also relate to the perceived lack of control and to unclear roles of different actors in the cloud service provision chain. In the cloud, personal and other sensitive data can be stored and processed anywhere – also outside the European Union. This in turn creates confusion about the applicable data protection rules.

What we are doing about this is work very actively to increase the security of IT systems. The European Commission is collaborating with industry and with the European Telecommunications Standards Institute (ETSI) to identify a detailed map of the necessary standards and to work with the support of the Network and Information Security Agency (ENISA) to assist the development of EU-wide voluntary certification schemes in the area of cloud computing. The Commission is also preparing a European Strategy on Cyber Security that will also encompass cloud security. In the field of data protection, we already have proposed a new Regulation which aims to ensure the high level of data protection and addresses issues raised by the advent of cloud computing.

Would simplifying the legislative minefield help?

We are in the course of assessing whether current security legislation needs some streamlining as regards cloud providers. For example, their obligation to notify severe security breaches is being assessed. But amending legislation is not always the best course to follow. For example, standards are voluntary; therefore it is up to market players whether they will endorse them or not. In cases such as this, creating trustworthy certification schemes is a faster and more effective way to increase security of cloud services than legislation.

What are the challenges to delivering a co-ordinated cloud infrastructure in Europe?

The cloud computing strategy does not foresee the building of a dedicated hardware infrastructure to provide generic cloud computing services to public sector users across Europe. We simply want to see publicly available offerings of cloud-based services that meet European standards not only in regulatory terms, but also in terms of being competitive, open and secure.

This does not preclude public authorities from setting up dedicated private clouds, but in general even cloud services used by the public sector should – as far as feasible – be subject to competition on the market to ensure best value for money, while conforming to regulatory obligations or wider public-policy objectives in respect of key operating criteria, such as security and protection of sensitive data.

What role do funding, research and innovation play?

We want European companies to remain at the cutting edge of technological development and innovation. That is why we have established a vast portfolio of research activities on cloud computing, alongside policy actions. Our budgetary commitment to cloud computing-related research is currently around €400 million and it’s funded through European research programmes.

Moreover, we will try to make full use of other available research and development instruments offered by Horizon 2020*** to tackle long-term challenges specific to cloud computing.

Why does Europe lag behind the US? Is it because there are varying local accounting methods and business practices and the absence of harmonised rules for the technology?

In Europe our biggest potential weapon for increasing competitiveness is the single market, and if we could get to a vibrant Digital Single Market then I believe Europe would be able to lead the world in technology and services. Too often businesses are stopped at borders which in the online world don’t make sense any more. Many of the actions announced in the Digital Agenda are addressing these problems in respect of Digital Content, e-Commerce or Data Protection and in order to promote cloud in Europe we need to reinforce our efforts in these fields.

What does it mean to be cloud active?

Being cloud-active means creating the conditions that will allow us to make the most of the potential offered by cloud computing. It means we are not standing still, waiting in the shadows for others to lead the way. It means taking initiatives that will open new paths in cloud use in business, research, education, and culture.

That is what we want to achieve with this strategy. We know that in Europe we have the talent it takes to be world leader. We want to allow this talent to flourish. We want it to bring growth and jobs in Europe for us and for the generations to come.


*Ken Ducatel is Head of Unit for Software & Services, Cloud Computing, for DG CONNECT. As of 1st July 2012, the Digital Agenda of the EU is managed by the European Commission Directorate General for Communications Networks, Content and Technology, or DG Connect.
DG Connect – “The name represents the range of topics where we are active, and our structure aligns the work of the DG with key EU policies for the coming decade: ensuring that digital technologies can help deliver the growth which the EU needs. We work for the Vice President of the European Commission responsible for the Digital Agenda, Neelie Kroes.”
**This document can be downloaded from:
***Link to:


