The long-awaited EU strategy goes heavy on standards and clearer contracts as a way to help major companies like Intel, Microsoft and Amazon do cloud business across the region - and boost employment and economies.
"Cloud computing is a game-changer for our economy," digital agenda commissioner Neelie Kroes said in a statement. "Without EU action, we will stay stuck in national fortresses and miss out on billions in economic gains. We must achieve critical mass and a single set of rules across Europe. We must tackle the perceived risks of cloud computing head on."
Key changes for industry include the need to agree fairer and clearer terms for service-level agreements, as well as a data-protection code of conduct. The Commission is also pushing for standards around security, interoperability, data portability and the environmental impact of cloud computing.
The long-awaited cloud strategy is intended to boost the EU's annual GDP by €160bn (£127bn) by 2020, an increase of one percent. The Commission said in its statement that it will lead to a net gain of 2.5 million jobs. However, it said in its main strategy document that 3.8 million jobs will be created, so 1.3 million jobs associated with in-house IT would presumably be destroyed by the massive shift to the cloud.
The Commission provided a lengthy list of hardware and software companies and cloud service providers it reckons will be affected by the new strategy. These include Intel, ARM, IBM, Google, Oracle, Amazon, Apple, Cisco, Microsoft, Dell, SAP, Software AG, Dassault Systems, Spotify and Facebook.
"We must achieve critical mass and a single set of rules across Europe" — Neelie Kroes, EU
HP, a major manufacturer of the equipment needed for cloud-computing datacentres, as well as a significant software provider for such systems, was quick to welcome the EU plans.
"HP supports the vision outlined by Neelie Kroes today in Brussels regarding a unified and consistent cloud-computing strategy across Europe," Ian Brooks, HP's European head of innovation and sustainable computing, said in a statement. "A legal environment that is friendly to cloud innovation is essential for Europe's economic growth, which includes the potential for two million new jobs by 2015."
Brooks said security, compliance and "transformation" concerns were major barriers to the adoption of cloud services, so HP supported the Commission's plans to "move the issue forward".
Work already underway
Some elements of the strategy are already being worked on, such as the European Cloud Partnership that will define common standards for public-sector cloud procurement.
The Commission has already put forward a Regulation on a Common European Sales Law to cover some of the contractual and legislative problems, and justice commissioner Viviane Reding's revised Data Protection Directive is largely intended to create more cross-border harmony when it comes to cloud-related legislation.
The cloud strategy also backs an opinion given by the Article 29 working group (a body composed of EU data protection regulators) in July. That opinion contained several recommendations for safeguarding EU citizens' data when stored in the cloud, principally the use of so-called 'model contracts' for service providers outside the union.
However, the strategy contains many new elements. On the standards side, the Commission wants to task the European Telecommunications Standards Institute (ETSI) with co-ordinating stakeholders so that a "detailed map of the necessary standards (inter alia for security, interoperability, data portability and reversibility)" can be set up by 2013.
As for security, technical specifications for the protection of personal information are to be recognised at the EU level, in order to bolster trust in cloud services. The Commission plans to work with the European Network Information Security Agency (ENISA) and others to develop EU-wide voluntary certification schemes for data protection, with a list of these schemes to be published by 2014.
It is also looking to set up harmonised standards to tackle the environmental impact of cloud usage, covering energy consumption, water consumption and carbon emissions. Again, these metrics will need to be put in place by 2014.
The Commission's problem with current cloud service contracts is that they tend to be both complex and of a 'take it or leave it' nature.
"Such contracts may also impose the choice of applicable law or inhibit data recovery. Even larger companies have little negotiation power, and contracts often do not provide for liability for data integrity, confidentiality or service continuity," the strategy notes.
By next year, the Commission intends to develop "model terms" for cloud-computing service-level agreements (SLAs) struck between providers and large businesses.
The existing Common European Sales Law proposal will also inspire model contract terms and conditions for services provided to consumers and small businesses. An expert group including industry representatives will be set up to nail down these "safe and fair" terms and conditions by the end of 2013, the Commission said.
It also plans to review the standard contractual clauses governing the transfer of personal data to third countries. National data protection authorities will need to approve 'binding corporate rules' for cloud providers for this, and the industry will also be asked to agree a data-protection code of conduct.
The US-based Software & Information Industry Association called the strategy "a major step forward by policymakers in coming to grips with the policy thinking needed to foster this new development". However, the trade group also sounded a note of caution.
"In places, the communication treats cloud computing as a discrete entity that is potentially subject to specific government regulation," Mark McCarthy, head of public policy at SIIA. "In reality, cloud computing is a variety of evolving business and technical developments that share only a rough similarity."
BEUC, the Brussels-based umbrella organisation for consumer groups across Europe, criticised the Commission's plans for a lack of ambition in tackling copyright, data protection and contract conditions.
"As the EU helps to push more content towards the cloud, we cannot lessen consumer protections even further from those we have on the ground," Monique Goyens, the director general of BEUC, said in a statement.
"Allowing businesses themselves to choose whether to safeguard consumer rights, as has been proposed here by 'optional regulation', is extremely risky and leaves consumers vulnerable to unfair contract terms. Rules should not be made to be chosen," she added.