European cloud standardisation guidelines: what's it about?

Patrick Van Eecke and Antoon Dierick, of law firm DLA Piper, explain what the European Commission is doing to help firms standardise on cloud contracts

It is no secret that the European Commission wishes to boost the offering and the uptake of Europe-based cloud computing services. At the end of 2012, in its communication on the "Unleashing the Potential of Cloud Computing in Europe", the Commission announced that it will take the necessary steps to undertake three key action points that should, according to the communication, result in several billions of euros income by 2020 as well as a substantial amount of job creation.

Cutting through the jungle of standards is the first Commission action point, which aims at establishing common standards to increase the level of interoperability, data portability and reversibility. Proposing safe and fair contract terms and conditions is a second key action point, of which the below discussed guidelines form a part. Lastly, a European Cloud Partnership has been set up with the intent of bringing together the cloud industry and the public sector, the EU's largest buyer of IT services, and this aimed at working on common procurement requirements for cloud computing.

For each of these actions points, the Commission has set up different expert working groups, which must pave the way to concrete initiatives in order to achieve certain goals. It is in that framework that the Cloud Select Industry Group (so-called "C-SIG") on Service Level Agreements (SLA) has recently made public its "Cloud Service Level Agreement Standardisation Guidelines" (hereinafter referred to as the guidelines).

First things first: the C-SIG on SLA was established under the second key action (safe and fair contract terms and conditions) and had its first meeting in February 2013. This C-SIG is composed of industry representatives, both from the customer and provider side, and other specialists on cloud computing, such as DLA Piper. The aim of this C-SIG is to explore opportunities for setting out model terms for cloud computing service level agreements, which can be used between cloud providers and their professional users. The C-SIG therefore focuses on a B2B environment.

Now what are these above-mentioned guidelines about and what do they stipulate? According to the document, the guidelines aim to "provide a set of SLA standardisation guidelines for cloud service providers and professional cloud service customers, while ensuring the specific needs of the European cloud market and industry are taken into account". Next to providing a clear list of definitions in relation to key elements of service level agreements, the guidelines set out several service level objectives (SLO) that could be stipulated in a typical B2B cloud computing SLA. These SLO are sub-divided into four main categories: performance, security, data management and personal data protection.

Each of those main categories is further sub-divided into typical service levels that can be found in service level agreements. Examples of performance sub-categories are service levels on availability (the service's property of being accessible and usable upon demand by the user) and response time (the time lapse between a customer-initiated event and the provider-initiated response to that event).

For the security category, examples are service reliability levels (the performance of the cloud service without failure) and authentication and authorisation (authentication being the verification of the claimed identity of a user and authorisation being the process of verifying that a user has permission to access and use the service).

The document goes further in identifying per each of those individual service levels, why a service level objective could be useful, and which SLO could be relevant in the context of that particular service level. The document does not set out individual and concrete service levels; however, one can hardly see how it could do given the diverse nature of cloud computing and taking into account the cloud provider's discretion to determine service levels.

What the guidelines do provide, are descriptions of technical, operational and/or legal concepts that can generally be found in service level agreements. They explain in clear and plain language what these concepts mean and how they can impact the service.

As a result, this will be important for the cloud user, in order to fully understand to which service levels his service adheres. According to the press release on the guidelines, issued on 26 June, these guidelines will help professional users to ensure that essential elements are included in plain language in the contract with the cloud provider. Both Commissioners Neelie Kroes and Viviane Reding welcomed the guidelines and pointed out that they are likely to increase trust towards cloud offerings, especially from smaller firms. And more trust could signify greater uptake that in turn could be a driving force for innovation and development. In other words, one step closer to the objectives set out in the Cloud Communication.

Patrick Van Eecke is a Partner and Antoon Dierick an Associate at law firm DLA Piper