EU Guidelines on Cloud Computing Service Agreements

December 31, 2014

On 26 June 2014, the European Commission published standardised guidelines on cloud computing service level agreements.[1] The Guidelines outline essential terms that should be included in SLAs concluded in the EU. An SLA details the nature and level of services provided by cloud service providers to customers.

The Guidelines were developed by a sub-group of the Cloud Select Industry Group (CSIG), which was composed of representatives from expert groups such as the European Union Agency for Network and Information Security (ENISA)[2] and industry experts such as Amazon, Google, IBM, Microsoft, SAP and Salesforce.[3]

The Commission will now trial the Guidelines with cloud service users, specifically targeting Small and Medium Enterprises (SMEs), to see if amendments are necessary. If successful, the Guidelines could enhance the popularity of cloud computing in Europe, as well as contribute to the formulation of international standards for SLAs. In parallel, the International Organisation for Standardisation is currently developing such standards. In October 2014, the Guidelines were passed to the ISO Working Group on Cloud Computing for comment and amendments.[4] The Commission is currently considering any amendments and feedback from the trials with the CSIG.

We are seeing the beginnings of national attempts at standard setting. For example, in Ireland the National Standards Authority of Ireland (NSAI) has issued a SWiFT document (a form of document that is a rapidly developed, recommendatory document based on the consensus of the participants of an NSAI workshop) dealing with enterprise adoption of the cloud.[5] Currently, both industry and national initiatives are largely uncoordinated and of varying degrees of thoroughness, with some way to go before truly international norms are likely to apply. The EU is taking its first tentative steps with the Guidelines.

This article highlights the background to the introduction of the Guidelines and provides a summary of some of their key provisions.

Background

Cloud computing has developed in an unregulated manner in Europe. For example, there are no standard contractual templates for cloud computing services, which has resulted in supplier-drafted cloud services contracts varying in their approach to common issues, service level commitments being one example. This lack of uniformity, especially where broadly similar service offerings are being compared, poses difficulties for cloud service customers and their advising lawyers.

This article will not discuss the essential features of cloud computing from a legal perspective, which is a contentious area, with service providers keen to avoid comparison with the established IT managed service sector. However, it is true to say that, unlike the managed service sector, the cloud service sector is almost exclusively characterised by supplier-drafted T&Cs, SLAs and commercial offerings. This is especially true of the large multinational suppliers. Hence, the introduction of the Guidelines looks to be beneficial to customers. It is fair to ask how many of the Guidelines' terms are currently addressed in supplier-drafted SLAs, how likely they are to be adopted and how soon. The Guidelines are not mandatory, which will be a factor in their adoption – especially by suppliers.

In 2012, the Commission published a cloud computing strategy, which outlined three objectives to encourage the use of cloud services.[6] One objective was the development of standard contractual terms for SLAs. The Commission believes that standard contractual terms will promote growth and trust in the cloud computing industry in Europe. They will also contribute towards safe cloud service contracts and allow customers to compare the different services offered accurately.

Service Level Objectives

The terms that should be included in SLAs are outlined in a set of specific service level objectives (SLOs). The SLO provisions seek to address the main legal, contractual and compliance issues related to SLAs. These provisions will contribute to the service providers’ and customers’ greater understanding of cloud service activities and their respective responsibilities. The following areas are addressed:

· Performance: The SLOs provide information on the availability and provision of cloud services, response times, the number of connections that can be made to the service at any one time (capacity), customer support hours and responsiveness, and the reversibility and termination processes.

· Security: The Guidelines set out provisions on service reliability where the service has a fault. They also outline authentication and authorisation measures, cryptography, security incident management and the reporting of events that could compromise business operations and threaten information security. Moreover, logging and monitoring of data related to the use of the cloud service, audit rights, vulnerability management and governance are all covered in the Guidelines.

· Data Management: The data management SLOs deal with the various aspects of the data life-cycle. In particular, they set out information related to data classification, data mirroring, back-up and restore, data life-cycles and data portability. Measures to ensure compliance with EU data protection laws are also included.

· Personal Data Protection: Information is provided on codes of conduct on data privacy compliance, data minimisation, the use, retention and disclosure limitations of data, openness, transparency, a description of the provider's data breach policy (accountability) and the geographical location of cloud service customer data.

Definitions and Principles

The Guidelines aim to ensure that SLAs are clear and both parties understand the agreed terms. As a result, the Guidelines set out standard definitions of the legal and technical terms commonly used in SLAs. In addition, the Guidelines also provide a set of principles to assist organisations in developing standard agreements. Some of these principles include technical neutrality, business model neutrality, and the standards and guidelines applicable to different types of customers. These measures will assist in improving the clarity and understanding of SLAs among cloud service users.

Impact

Despite initial optimism, the Guidelines' impact may be reduced for a number of reasons. Firstly, and most importantly, they are voluntary guidelines. This lack of mandatory application may be a fundamental weakness. Secondly, similar standards need to be developed at an international level to ensure the Guidelines are effective across multiple jurisdictions. As noted earlier, the Guidelines could be a precursor to ISO efforts to establish international standards on SLAs. Finally, some aspects of the Guidelines need further clarification. For example, information is provided that describes an approach to defining the availability and provision of cloud services, but there is no indication as to what the appropriate level is. Availability is ultimately a matter of percentage achievement against a target.

Conclusion

The Guidelines represent the first time that cloud service suppliers have agreed on common guidelines for SLAs. This will undoubtedly benefit cloud service customers, particularly SMEs, but also medium to large enterprises (MLEs), as they will have a better understanding of services offered by providers and a comparator against which to rate supplier offerings. The main test of the Guidelines will be when they are trialled by cloud users. If successful, the Guidelines could contribute towards the development of international standards both within and beyond the EU, assisting in increasing the growth of the cloud computing industry. Speaking as lawyers active in the cloud computing world, the authors are of the view that current norms in the cloud industry are some way off the recommendations in the Guidelines and some fairly large shifts in emphasis and detail will be required to align supplier offerings with the Guidelines.

Despite the cloud industry being well developed, it has not been as successful as was originally envisaged in selling, particularly to MLEs and the public sector. Cloud industry adoption of the Guidelines in their service offerings should go some way towards dealing with the areas of concern to those potential customers previously reluctant to engage with cloud offerings at the enterprise level.

The Guidelines are a welcome addition to the jigsaw puzzle that is cloud computing and may reduce the number of different types of bricks within that puzzle. If so, they will be a useful addition to the evolution of cloud computing for suppliers and users alike. However, their non-mandatory nature and ambiguity in some fundamental service delivery management areas allow for a degree of scepticism as to how much of an impact they may have in practice. The Guidelines are certainly a welcome step forward in the establishment of norms and standards in this fast-evolving area of economic activity. They are not an end point, but they are a useful EU milestone in the evolution of cloud computing.

Pearse Ryan is Partner, Technology & Innovation Group, Arthur Cox, Dublin.

Niall Donnelly is a Trainee at Arthur Cox, Dublin.

[1] See the full text of the Guidelines, available here: http://ec.europa.eu/digital-agenda/en/news/cloud-service-level-agreement-standardisation-guidelines. See also the related Press Release: http://europa.eu/rapid/press-release_IP-14-743_en.htm

[2] ENISA – the European Union Agency for Network and Information Security, ‘working for the EU Institutions and Member States. ENISA is the EU’s response to these cyber security issues of the European Union. As such, it is the ‘pace-setter’ for Information Security in Europe, and a centre of expertise’ – see: http://www.enisa.europa.eu/

[3] For more information on CSIG see: http://ec.europa.eu/digital-agenda/en/cloud-computing-expert-group-research

[4] http://ec.europa.eu/digital-agenda/en/news/standardised-cloud-service-contracts-step-closer

[5] See ‘Adopting the Cloud – Decision Support for Cloud Computing’, available at http://www.iia.ie/resources/resource/531/working-groups/552/cloud-computing-working-group/. The document follows on from dialogue between the Irish Internet Association Cloud Computing Working Group, on which Pearse Ryan sits, and NSAI.

[6] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF