1 | ARTHUR COX Group Briefing December 2014 TECHNOLOGY & INNOVATION EU Guidelines on Cloud Computing Service Agreements - What You Need To Know KEY CONTACTS INTRODUCTION For further information please speak to your usual Arthur Cox contact or one of the following: On 26 June 2014, the European Commission (“Commission”) published standardised guidelines (“Guidelines”) on cloud computing service level agreements (“SLAs”).1 The Guidelines outline essential terms that should be included in SLAs concluded in the European Union (“EU”). An SLA details the nature and level of services provided by cloud service providers to customers. PEARSE RYAN PARTNER, TECHNOLOGY & INNOVATION +353 1 618 0518 [email protected] NIALL DONNELLY TRAINEE, ARTHUR COX [email protected] The Guidelines were developed by a sub-group of the Cloud Select Industry Group (“CSIG”) which comprised of representatives from expert groups such as the European Union Agency for Network and Information Security (“ENISA”)2 and industry experts such as Amazon, Google, IBM, Microsoft, SAP and Salesforce.3 The Commission will now trial the Guidelines with cloud service users, specifically targeting Small and Medium Enterprises (“SMEs”), to see if amendments are necessary. 1 See full text of the Guidelines available here: http:// ec.europa.eu/digital-agenda/en/news/cloud-service-levelagreement-standardisation-guidelines . See also related Press Release: http://europa.eu/rapid/press-release_IP-14743_en.htm This document contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate. 2 ENISA - the European Union Agency for Network and Information Security “working for the EU Institutions and Member States. ENISA is the EU’s response to these cyber security issues of the European Union. As such, it is the ‘pace-setter’ for Information Security in Europe, and a centre of expertise” – see: http://www.enisa.europa.eu/ 3 For more information on CSIG see: http://ec.europa.eu/ digital-agenda/en/cloud-computing-expert-group-research If successful, the Guidelines could enhance the popularity of cloud computing in Europe, as well as contribute to the formulation of international standards for SLAs. In parallel, the International Organisation for Standardisation (“ISO”) is currently developing such standards. In October 2014, the Guidelines were passed to the ISO Working Group on Cloud Computing for comment and amendments.4 The Commission is currently considering any amendments and feedback from the trials with the CSIG. We are seeing the beginnings of national attempts at standard setting. For example, in Ireland the National Standard Authority of Ireland (“NSAI”) has issued a SWiFT document (a form of document being a “rapidly developed recommendatory document based on the consensus of the participants of an NSAI workshop”) dealing with enterprise adoption of the cloud.5 Currently, both industry and national initiatives are largely uncoordinated and of varying degrees of thoroughness, with some way 4 http://ec.europa.eu/digital-agenda/en/news/standardisedcloud-service-contracts-step-closer 5 See ‘Adopting the Cloud – Decision Support for Cloud Computing’, available at http://www.iia.ie/resources/resource/531/ working-groups/552/cloud-computing-working-group/. The document follows on from dialogue between the Irish Internet Association Cloud Computing Working Group, on which Pearse Ryan sits, and NSAI 2 | ARTHUR COX TECHNOLOGY & INNOVATION EU GUIDELINES ON CLOUD COMPUTING SERVICE AGREEMENTS - WHAT YOU NEED TO KNOW to go before truly international norms are likely to apply. The EU is taking its first tentative steps with the Guidelines. This Briefing Note highlights the background to the introduction of the Guidelines and provides a summary of some of its key provisions. BACKGROUND Cloud computing has developed in an unregulated manner in Europe. For example, there are no standard contractual templates for cloud computing services, which has resulted in supplier-drafted cloud service contracts varying in their approach to common issues, with service level commitments being an example. This lack of uniformity, especially in circumstances where broadly similar service offerings are being compared, poses difficulties for cloud service customers and advising lawyers. This Briefing Note will not discuss the essential features of cloud computing from a legal perspective, which is a contentious area, with service providers keen to avoid comparison with the established IT managed service sector. However, it is true to say that unlike the managed service sector, the cloud service sector is almost exclusively characterised by supplier-drafted T&Cs, SLAs and commercial offerings. This is especially true of the large multinational suppliers. Hence, the introduction of the Guidelines looks to be beneficial to customers. It is fair to ask how many of the Guidelines’ terms are currently addressed in supplier-drafted SLAs and how likely they are to be adopted and how soon. The Guidelines are not mandatory which will be a factor in their adoption, especially by suppliers. In 2012, the Commission published a cloud computing strategy, which outlined three objectives to encourage the use of cloud services.6 One objective was the development of standard contractual terms for SLAs. The Commission believes that standard 6 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM: 2012:0529:FIN:EN:PDF contractual terms will promote growth and trust in the cloud computer industry in Europe. They will also contribute towards safe cloud service contracts and allow customers to accurately compare different services offered. minimisation, the use, retention and disclosure limitations of data, openness, transparency, description of the providers data breach policy (accountability) and geographical location of cloud service customer data. SERVICE LEVEL OBJECTIVES DEFINITIONS AND PRINCIPLES The terms that should be included in SLAs are outlined in a set of specific service level objectives (“SLOs”). The SLO provisions seek to address the main legal, contractual and compliance issues related to SLAs. These provisions will contribute to the service providers’ and customers’ greater understanding of cloud service activities and their respective responsibilities. The following areas are addressed: The Guidelines aim to ensure that SLAs are clear and both parties understand the agreed terms. As a result, the Guidelines set out standard definitions of the legal and technical terms commonly used in SLAs. In addition, the Guidelines also provide a set of principles to assist organisations in developing standard agreements. Some of these principles include technical neutrality, business model neutrality, and the standards and guidelines applicable to different types of customers. These measures will assist in improving the clarity and understanding of SLAs among cloud service users. »» Performance: The SLOs provide information on the availability and provision of cloud services, response times, the number of connections that can be made to the service at any one time (capacity), customer support hours/responsiveness and the reversibility and termination processes. »» Security: The Guidelines set out provisions on service reliability in situations when the service has a fault. It also outlines authentication and authorisation measures, cryptography, security incident management and reporting of events that could compromise business operations and threaten information security. Moreover, logging and monitoring of data related to the use of the cloud service, audit rights, vulnerability management and governance, are all covered in the Guidelines. »» Data Management: The data management SLOs deals with the various aspects of the data life cycle. In particular, it sets out information related to data classification, data mirroring, backup and restore, data lifecycles and data portability. Measures to ensure compliance with EU data protection laws are also included. »» Personal Data Protection: Information is provided on codes of conduct on data privacy compliance, data IMPACT Despite initial optimism, the Guidelines’ impact may be reduced for a number of reasons. Firstly, and most importantly, they are voluntary guidelines. This lack of mandatory application may be a fundamental weakness. Secondly, similar standards need to be developed at an international level to ensure the Guidelines are effective across multiple jurisdictions. As noted earlier, the Guidelines could be a precursor to ISO efforts to establish international standards on SLAs. Finally, some aspects of the Guidelines need further clarification. For example, information is provided that describes an approach to defining availability and provision of cloud services, but there is no indication as to what is the appropriate level. Availability is ultimately a matter of percentage achievement against a target. CONCLUSION The Guidelines represent the first time that cloud service suppliers have agreed on common guidelines for SLAs. This will undoubtedly benefit cloud service customers, particularly SMEs, but TECHNOLOGY & INNOVATION 3 | ARTHUR COX EU GUIDELINES ON CLOUD COMPUTING SERVICE AGREEMENTS - WHAT YOU NEED TO KNOW also MLEs, as they will have a better understanding of services offered by providers and a comparator against which to rate supplier offerings. The main test of the Guidelines will be when they are trialled by cloud users. If successful, the Guidelines could contribute towards the development of international standards both within and beyond the EU, assisting in increasing the growth of the cloud computing industry. Speaking as lawyers active in the cloud computing world, the authors are of the view that current norms in the cloud industry are some way off the recommendations in the Guidelines and some fairly large shifts in emphasis and detail will be required to align supplier offerings with the Guidelines. Despite the cloud industry being well developed it has not been as successful as was originally envisaged in selling particularly to MLEs together with the public sector. Cloud industry adoption of the Guidelines in their service offerings should go some way towards dealing with areas of concern to those potential customers previously reluctant to engage with cloud offerings at the enterprise level. The Guidelines are a welcome addition to the jigsaw puzzle that is cloud computing and may reduce the number of multiple different types of bricks within that puzzle. If so, they will be a useful addition to the evolution of cloud computing for suppliers and users alike. However, their non-mandatory nature and ambiguity in some fundamental service delivery management areas allows for a degree of scepticism as to how much of an impact they may have in practice. The Guidelines are certainly a welcome step forward in the establishment of norms and standards in this fast evolving area of economic activity. The Guidelines are not an end point, but they are a useful EU milestone in the evolution of cloud computing. arthurcox.com Dublin +353 1 618 0000 [email protected] London +44 207 823 0200 [email protected] Belfast +44 28 9023 0007 [email protected] New York +1 212 782 3294 [email protected] Silicon Valley +1 650 943 2330 [email protected]
© Copyright 2024