1 | ARTHUR COX
Group Briefing
December 2014
TECHNOLOGY & INNOVATION

EU Guidelines on Cloud Computing Service Agreements - What You Need To Know

KEY CONTACTS

For further information please speak to your usual Arthur Cox contact or one of the following:

PEARSE RYAN
PARTNER, TECHNOLOGY & INNOVATION
+353 1 618 0518
[email protected]

NIALL DONNELLY
TRAINEE, ARTHUR COX
[email protected]

This document contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.

INTRODUCTION

On 26 June 2014, the European Commission (“Commission”) published standardised guidelines (“Guidelines”) on cloud computing service level agreements (“SLAs”).1 The Guidelines outline essential terms that should be included in SLAs concluded in the European Union (“EU”). An SLA details the nature and level of services provided by cloud service providers to customers.

The Guidelines were developed by a sub-group of the Cloud Select Industry Group (“CSIG”) which comprised representatives from expert groups such as the European Union Agency for Network and Information Security (“ENISA”)2 and industry experts such as Amazon, Google, IBM, Microsoft, SAP and Salesforce.3 The Commission will now trial the Guidelines with cloud service users, specifically targeting Small and Medium Enterprises (“SMEs”), to see if amendments are necessary.

If successful, the Guidelines could enhance the popularity of cloud computing in Europe, as well as contribute to the formulation of international standards for SLAs. In parallel, the International Organisation for Standardisation (“ISO”) is currently developing such standards. In October 2014, the Guidelines were passed to the ISO Working Group on Cloud Computing for comment and amendments.4 The Commission is currently considering any amendments and feedback from the trials with the CSIG.

We are seeing the beginnings of national attempts at standard setting. For example, in Ireland the National Standards Authority of Ireland (“NSAI”) has issued a SWiFT document (a form of document being a “rapidly developed recommendatory document based on the consensus of the participants of an NSAI workshop”) dealing with enterprise adoption of the cloud.5 Currently, both industry and national initiatives are largely uncoordinated and of varying degrees of thoroughness, with some way to go before truly international norms are likely to apply. The EU is taking its first tentative steps with the Guidelines.

This Briefing Note highlights the background to the introduction of the Guidelines and provides a summary of some of their key provisions.

1 See the full text of the Guidelines at http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines. See also the related press release: http://europa.eu/rapid/press-release_IP-14-743_en.htm
2 ENISA - the European Union Agency for Network and Information Security, “working for the EU Institutions and Member States. ENISA is the EU’s response to these cyber security issues of the European Union. As such, it is the ‘pace-setter’ for Information Security in Europe, and a centre of expertise” – see: http://www.enisa.europa.eu/
3 For more information on CSIG see: http://ec.europa.eu/digital-agenda/en/cloud-computing-expert-group-research
4 http://ec.europa.eu/digital-agenda/en/news/standardised-cloud-service-contracts-step-closer
5 See ‘Adopting the Cloud – Decision Support for Cloud Computing’, available at http://www.iia.ie/resources/resource/531/working-groups/552/cloud-computing-working-group/. The document follows on from dialogue between the Irish Internet Association Cloud Computing Working Group, on which Pearse Ryan sits, and NSAI.
BACKGROUND

Cloud computing has developed in an unregulated manner in Europe. For example, there are no standard contractual templates for cloud computing services, which has resulted in supplier-drafted cloud service contracts varying in their approach to common issues, with service level commitments being an example. This lack of uniformity, especially in circumstances where broadly similar service offerings are being compared, poses difficulties for cloud service customers and advising lawyers.

This Briefing Note will not discuss the essential features of cloud computing from a legal perspective, which is a contentious area, with service providers keen to avoid comparison with the established IT managed service sector. However, it is true to say that unlike the managed service sector, the cloud service sector is almost exclusively characterised by supplier-drafted T&Cs, SLAs and commercial offerings. This is especially true of the large multinational suppliers. Hence, the introduction of the Guidelines looks to be beneficial to customers. It is fair to ask how many of the Guidelines’ terms are currently addressed in supplier-drafted SLAs, how likely they are to be adopted and how soon. The Guidelines are not mandatory, which will be a factor in their adoption, especially by suppliers.

In 2012, the Commission published a cloud computing strategy, which outlined three objectives to encourage the use of cloud services.6 One objective was the development of standard contractual terms for SLAs. The Commission believes that standard contractual terms will promote growth and trust in the cloud computing industry in Europe. They will also contribute towards safe cloud service contracts and allow customers to accurately compare different services offered.

6 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF
DEFINITIONS AND PRINCIPLES

The Guidelines aim to ensure that SLAs are clear and both parties understand the agreed terms. As a result, the Guidelines set out standard definitions of the legal and technical terms commonly used in SLAs. In addition, the Guidelines also provide a set of principles to assist organisations in developing standard agreements. Some of these principles include technical neutrality, business model neutrality, and the standards and guidelines applicable to different types of customers. These measures will assist in improving the clarity and understanding of SLAs among cloud service users.

SERVICE LEVEL OBJECTIVES

The terms that should be included in SLAs are outlined in a set of specific service level objectives (“SLOs”). The SLO provisions seek to address the main legal, contractual and compliance issues related to SLAs. These provisions will contribute to the service providers’ and customers’ greater understanding of cloud service activities and their respective responsibilities. The following areas are addressed:

»» Performance: The SLOs provide information on the availability and provision of cloud services, response times, the number of connections that can be made to the service at any one time (capacity), customer support hours/responsiveness and the reversibility and termination processes.

»» Security: The Guidelines set out provisions on service reliability in situations when the service has a fault. They also outline authentication and authorisation measures, cryptography, security incident management and reporting of events that could compromise business operations and threaten information security. Moreover, logging and monitoring of data related to the use of the cloud service, audit rights, vulnerability management and governance are all covered in the Guidelines.

»» Data Management: The data management SLOs deal with the various aspects of the data life cycle. In particular, they set out information related to data classification, data mirroring, backup and restore, data lifecycles and data portability. Measures to ensure compliance with EU data protection laws are also included.

»» Personal Data Protection: Information is provided on codes of conduct on data privacy compliance, data minimisation, the use, retention and disclosure limitations of data, openness, transparency, description of the provider’s data breach policy (accountability) and geographical location of cloud service customer data.
IMPACT

Despite initial optimism, the Guidelines’ impact may be reduced for a number of reasons. Firstly, and most importantly, they are voluntary guidelines. This lack of mandatory application may be a fundamental weakness. Secondly, similar standards need to be developed at an international level to ensure the Guidelines are effective across multiple jurisdictions. As noted earlier, the Guidelines could be a precursor to ISO efforts to establish international standards on SLAs. Finally, some aspects of the Guidelines need further clarification. For example, information is provided that describes an approach to defining availability and provision of cloud services, but there is no indication as to what the appropriate level is. Availability is ultimately a matter of percentage achievement against a target.
CONCLUSION

The Guidelines represent the first time that cloud service suppliers have agreed on common guidelines for SLAs. This will undoubtedly benefit cloud service customers, particularly SMEs, but also MLEs, as they will have a better understanding of services offered by providers and a comparator against which to rate supplier offerings. The main test of the Guidelines will be when they are trialled by cloud users. If successful, the Guidelines could contribute towards the development of international standards both within and beyond the EU, assisting in increasing the growth of the cloud computing industry. Speaking as lawyers active in the cloud computing world, the authors are of the view that current norms in the cloud industry are some way off the recommendations in the Guidelines and some fairly large shifts in emphasis and detail will be required to align supplier offerings with the Guidelines.

Despite the cloud industry being well developed, it has not been as successful as was originally envisaged in selling, particularly to MLEs together with the public sector. Cloud industry adoption of the Guidelines in their service offerings should go some way towards dealing with areas of concern to those potential customers previously reluctant to engage with cloud offerings at the enterprise level.

The Guidelines are a welcome addition to the jigsaw puzzle that is cloud computing and may reduce the number of different types of bricks within that puzzle. If so, they will be a useful addition to the evolution of cloud computing for suppliers and users alike. However, their non-mandatory nature and ambiguity in some fundamental service delivery management areas allow for a degree of scepticism as to how much of an impact they may have in practice. The Guidelines are certainly a welcome step forward in the establishment of norms and standards in this fast evolving area of economic activity. The Guidelines are not an end point, but they are a useful EU milestone in the evolution of cloud computing.
arthurcox.com
Dublin: +353 1 618 0000, [email protected]
London: +44 207 823 0200, [email protected]
Belfast: +44 28 9023 0007, [email protected]
New York: +1 212 782 3294, [email protected]
Silicon Valley: +1 650 943 2330, [email protected]