Brussels, 27 September 2012
Unleashing the Potential of Cloud Computing in Europe - What is it and what does it mean for me?
See also IP/12/1025
What is Cloud Computing?
‘Cloud computing’ is the storing, processing and use of data on remotely located computers accessed over the internet. Many people use the cloud today without even realising that they do so. Services such as web-based e-mail or social networks may be based on cloud technology. For professional IT users cloud computing means a high degree of flexibility as to the amount of computing power needed. For example, if a service sees increased use, it is very simple to add more capacity to it – something that would take much more time if a company had to install a new physical machine in its own data centre.
How does cloud computing work?
The user connects his/her computer to the cloud platform through dedicated software. In the cloud, the processing power is provided by big data centres with hundreds of servers and data storage systems that are able to handle practically any computer software (from data processing to video games) that clients might need to use. Sometimes the services are offered free (for example webmail offerings), but most clients can pay flexibly on a pay-per-use basis or by a single monthly fee.
Where is my data being stored when I use the cloud?
In a data centre somewhere on the planet. If the physical location is important, users can make sure this is specified in their cloud computing contracts. With regard to others' personal data, the Data Protection Directive requires data to either be stored in the European Economic Area (EEA) or in a territory that has equivalent privacy laws.
What are the main advantages of cloud computing for users?
Users do not have to buy software or buy and maintain expensive servers and data storage. This saves on money, office space and in-house IT support staff. Users also have near total flexibility about the storage space and tools they use.
Why do we need an EU strategy to unleash the potential of cloud computing?
The economic benefits are much bigger - €160 billion per year, or around €300 per person per year - through pan-European action. Today the patchwork of different rules at Member State level increases companies' uncertainty about their legal obligations, thus delaying the adoption of cloud computing. While cloud initiatives in the Member States are welcome, such as Andromède in France, G-Cloud in the UK and Trusted Cloud in Germany, this is not enough and not the most efficient way to grow the market for everybody's benefit.
What are the economic and job gains from a European cloud strategy?
New estimates indicate that cloud computing revenues in the EU could rise to nearly €80 billion by 2020 if policy intervention is successful (more than doubling the growth of the sector). So this strategy is about building a new industry, and better competing against the United States in particular.
More broadly, we expect a net annual gain of €160 billion to EU GDP by 2020 (or a total gain of nearly €600 billion between 2015 and 2020) if the full EU cloud strategy is in place. Without that, economic gains would be two-thirds less.
These benefits largely come from businesses being able to either save money or get access to technology that makes them more productive.
In terms of overall job numbers, we expect to see 3.8 million jobs generated following full implementation of the strategy, against 1.3 million if the regulatory and other policy barriers are not tackled.[1]
What is the timeline of the actions? How long will it take for concrete change?
The Commission will deliver on the key actions identified in the Communication in 2013, notably in respect of actions on standardisation and certification for cloud computing, the development of safe and fair contract terms and conditions and the European Cloud Partnership. A progress report by the end of 2013 will show whether further policy and legislative initiatives are needed.
Who can benefit from cloud computing?
All internet users can benefit and cloud computing could revolutionise many fields.
Surveys show that 80% of businesses already using the cloud reported 10%-20% lower IT costs, while 20% of them reported savings rising to 30% or above.
Many consumers already use basic cloud computing (e.g. Internet-based e-mail accounts). A large storage capacity at no or minimal cost, convenient and ubiquitous access, reduction of expenditures – these are some of the advantages offered by the Cloud.
Cloud computing could bring large gains to the public sector, by making it easier to provide services that are integrated, effective and at lower cost.
Cloud computing could also boost research, as research institutions could complement their in-house dedicated computing infrastructures with those of cloud providers, thus being able to maintain huge amounts of data and process these much faster. It could also boost innovation, as it becomes much easier and cheaper to try out new ideas for IT products or services.
How can cloud computing help protect the environment?
Like aviation, the rapid growth of computing means it is one of the fastest growing sources of carbon emissions. At the same time, cloud computing is the best way to increase the carbon efficiency of computing use. This is because large cloud-related investments can be planned with low-energy servers and green sources of energy, much more easily than ensuring hundreds of millions of computer users make green choices. In addition, hardware use can be optimised, reducing the number of physical machines needed to perform a given set of tasks.
The European Commission is funding a research project – the Eurocloud server project – whose first results show that it could be possible to cut cloud data centre energy use by 90%, this coming on top of the efficiencies already achieved by switching from desktop and server solutions to cloud solutions.
How could cloud computing affect the ICT sector?
If barriers to cloud computing were removed, a study of 1000 European companies shows that:
Details regarding the European Cloud Partnership (ECP)
What is the European Cloud Partnership and what will it do?
The European Cloud Partnership (ECP) will consist of high-level procurement officers from European public bodies and key players from the IT and telecom industry. The ECP will, under the guidance of a Steering Board, bring together public procurement authorities and industry consortia to implement pre-commercial procurement actions. This will allow them to identify public sector cloud computing requirements, to develop specifications for IT procurement, and to procure reference implementations. Thereby it will help advance towards common and even joint procurement of cloud computing services by public bodies on the basis of common user requirements. The ECP does not aim at creating a physical cloud computing infrastructure. Rather, via procurement requirements that will be promoted by participating Member States and public authorities for use throughout the EU, its aim is to ensure that the commercial offer of cloud computing in Europe, both of the public and of the private sector, is adapted to European needs.
How will the European Cloud Partnership (ECP) operate?
A Steering Board will advise on strategic orientations, in particular with regard to public sector adoption of cloud computing services in a way that shapes the market to the benefit of all potential cloud users.
The other key component of the ECP is the implementation level: an initial budget of €10 million has been earmarked for a pre-commercial procurement project in the ICT theme of the FP7 Research Programme.[2] This project will require close coordination and a joining of forces between different public sector actors across several Member States in order to consolidate public sector requirements for procurement and use of cloud computing services.
What is the main mission of the Steering Board of the European Cloud Partnership (ECP)?
The main mission of the Steering Board includes:
What are the operational arrangements of the Steering Board of the ECP?
The members of the Steering Board and its Chairperson will be appointed by the Commissioner responsible for the Digital Agenda, and will act in their personal capacities. The Board will meet two or three times per year. The Steering Board may consult with industrial, academic and governmental bodies and experts.
The inaugural meeting of the Steering Board is planned to take place in the last quarter of 2012.
Data protection, security, privacy and user rights
How will the strategy help me enforce my rights as a user of cloud services?
One of the key actions of the Strategy is to develop model contract terms and conditions to address issues not covered by the Common European Sales Law such as: data preservation after termination of the contract, data disclosure and integrity, data location and transfer, ownership of the data or direct and indirect liability. Identifying and developing consistent solutions in the area of contract terms and conditions is a way of encouraging wide take up of cloud computing services by increasing consumer trust.
How does this strategy relate to the Commission's proposals on data protection?
The concerns of cloud computing providers and users were carefully considered during the preparatory work for the Data Protection Regulation proposed by the Commission in January 2012. The proposed Regulation constitutes a good general basis for the future development of cloud computing.
Given that data protection concerns were identified as one of the most serious barriers to cloud computing take-up, it is all the more important that the Council of Ministers and the European Parliament work swiftly towards the adoption of the proposed Regulation as soon as possible in 2013.
Once the proposed Regulation is adopted, the Commission will make use of the new mechanisms to provide any necessary additional guidance on the application of European data protection law in respect of cloud computing services.
What is being done concretely at global level to ensure consistent regulation?
Cloud computing is a global business that demands reinforced international dialogue on safe and seamless cross-border use.
The European Commission is working, through international dialogues on trade, law enforcement, security and cybercrime, to fully reflect the new challenges raised by cloud computing.
These dialogues are pursued in multilateral fora such as the WTO and the OECD to advance common objectives for cloud computing services, and bilaterally with the USA, Japan and other countries.
How do I know if my data is stored in Europe or elsewhere?
The contract terms and conditions should address the issue of data location. However, the "take-it-or-leave-it" standard contracts used by many cloud providers today may not include such information. The strategy underlines the need to develop model contract terms and conditions to address issues not covered by the Common European Sales Law such as, inter alia, data location.
What happens to my data if the cloud company I use shuts down?
This will normally be covered by the contract terms and conditions. The need for clearer protection is why the Commission will develop model contract terms and conditions to address issues not covered by the Common European Sales Law.
Standards, certification and contracts
Why can't you write the necessary standards yourself, why do you rely on the industry to make this happen?
Standardisation works best as an industry-led process. The industry is already putting a lot of effort into creating standards that increase interoperability of the clouds.
Standards are emerging but at the moment there is no common agreement as to which standards would guarantee the required interoperability, data portability and reversibility. The Commission wants to identify coherent sets of useful standards to make it easier for the demand and supply sides to organise themselves.
When do you hope to launch the certification scheme?
The Commission will work with the support of ENISA and other relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing (including data protection) and establish a list of such schemes by 2014.
If it is voluntary, what will you do if companies simply decide not to join?
We will keep working with companies to increase the attractiveness of the scheme. Citizens tell us they want such information, and it should be remembered that certification is not a punishment for companies. It simply gives them a tool to signal their quality and compliance to prospective customers.
Does the Cloud Computing Strategy foresee the building of a "European Super-Cloud"?
No, the strategy is not about creating physical infrastructures. But we want to see publicly available cloud offerings that meet European standards not only in regulatory terms, but in terms of being competitive, open and secure.
What about the security in the cloud?
Cloud-specific security risks relate to the multi-tenancy and shared-resource character of cloud computing (that is, the same physical infrastructure will often serve many different customers of a cloud provider). In the cloud, the client cedes control of security to some extent to the service provider, making it important to be able to assess whether the cloud service provider complies with the security requirements. This shows why certification schemes will play an important role: they help providers signal compliance to prospective users in a reliable way. On the other hand, for non-IT security experts, leaving security issues in the hands of IT professionals working for the cloud service provider could in fact increase security.
Are clouds interoperable? Is it possible to easily change your cloud service provider?
At the moment different cloud offerings are not as interoperable as they could be. Cloud providers might use different operating systems or application interfaces which are not interoperable, meaning that software developed to work with one cloud provider cannot easily be made to work with another. This could lead to dependency on one service provider, since it is not necessarily easy to move data from one cloud to another ("lock-in").
Does the cloud computing strategy address the wider security issues?
The strategy does not address the security issues related to the internet and online environment as such. The Commission will in the coming months address general cyber security challenges in its Strategy for Cyber Security. This forthcoming strategy will address all information society providers, including cloud computing service providers. It will, inter alia, indicate appropriate technical and organisational measures that should be taken to manage security risks. It will also establish reporting obligations to competent authorities of significant incidents.
Does the cloud computing strategy intend to impede the activities of international cloud providers in Europe?
No. The strategy aims at facilitating Europe's participation in the global growth of cloud computing by: reviewing standard contractual clauses applicable to transfer of personal data to third countries and adapting them, as needed, to cloud services; and by calling upon national data protection authorities to approve Binding Corporate Rules for cloud providers.[3] Furthermore, the Commission will also build on its on-going international dialogues with the USA, Japan and other countries, as regards key cloud themes.
[1] See: IDC, "Quantitative Estimates of the demand for cloud Computing in Europe and the likely barriers to take-up", February 2012.
[2] See Objective 11.3 of http://cordis.europa.eu/fp7/ict/docs/ict-wp2013-10-7-2013.pdf
[3] The relevant opinions of the Article 29 Working Party (See: WP 195 and WP 153) will serve as a basis for a Commission draft. Binding Corporate Rules are one means to allow for legal international data transfers: they govern in an enforceable manner how the different parts of a corporation, regardless of their international location, deal with personal data.