EU Cloud Standardisation Guidelines

In January 2013 I wrote about the EU’s cunning plan to “unleash the potential of cloud computing in Europe” by regulating it.

One of the first tangible steps in that process has just been unveiled to a waiting world. The Cloud Select Industry Group set up by the European Commission has published its Cloud Service Level Agreement Standardisation Guidelines.

One of the Commission’s key actions in its 2012 Communication was to promote safe and fair cloud contracts. The Commission believes that the development of model terms and service levels in the cloud sector is an important issue affecting the future growth of the cloud industry in Europe.

The new guidelines are intended to help business-to-business users of cloud solutions to ensure that key elements are included in plain language in contracts they make with cloud providers. The recommendations seek to have the cloud industry standardise aspects of SLA offerings.

At one level, the Standardisation Guidelines will be useful for cloud users because they provide a standardised vocabulary and terminology by which the metrics that underpin cloud services are described.  The guidelines set out a series of service level objectives covering aspects of: performance; security; data management; and personal data protection.

If a business is looking to understand and implement the key objectives typically required from a relationship with a cloud services provider, the standardisation guidelines provide a helpful starting point, although the guidelines don’t indicate the level at which specific metrics should be measured and they stop short of clear thresholds.  So, for example, the guidelines describe an approach to defining availability/uptime – but there is no stated thresholds as to what level of availability ought to be good, bad or indifferent in the cloud market.

Also, the key variable in measuring uptime is the inclusion or exclusion of maintenance, especially scheduled maintenance; but the guidelines merely observe this issue – there’s no recommended or mandated position as to whether maintenance should be in or out of the availability metric.

There must be an open question whether the cloud industry will pay attention to these non-mandatory guidelines, or whether the guidelines represent an attempt to set a baseline when the industry itself is already much further advanced than the baseline in the development of established approaches and has no interest or relevance to the guidelines.

One problem, of course, is that the guidelines are only recommendations from the European Union. As the EU itself is quick to recognise, the initiative of which the guidelines are a part will only have a deeper impact if standardisation is done at an international level across all the key jurisdictions – and this really means by international standards such as ISO/IEC 19086.

Adoption more broadly will depend either on the guidelines imposed “top-down” by the ISO as a standard that becomes broadly accepted in the market; or broad adoption could occur “bottom-up” if the key cloud providers move to embed these guidelines into their international cloud offerings. Or, of course, the ideal answer would be a combination of both top-down and bottom-up. But much depends on the appetite of the cloud industry to adopt and apply these guidelines – without industry buy-in, the guidelines may have little practical effect.