EU Cloud Contracts: Is Standardisation the Answer?

By Allan Watton on

EU cloud contracts, is standardisation the answer?

Though envisioned in the late 1960s, ‘cloud computing’ – the centralisation of programs and data delivered via the Web for businesses at any location where they have access to the internet – is, in practical terms, just a little over 15 years old. For all of this time we have been sold on the cost-saving, convenience and backup benefits of relinquishing our server-taxing software in favour of their remotely supplied and managed versions. So with these benefits clearly aligned with public sector needs in the UK today, why has cloud computing not been adopted across every local authority and public sector institution?

The answer is, in general terms, a lack of understanding and a fear of change in many cases.

However, this seems to be a perfectly natural reaction to a sector that has, until recently, been completely unregulated. With each supplier creating its own cloud contracts and service level agreements (SLAs), not only can the plethora of choice become a little confusing but there has been no measure of standardisation to help compare what one supplier offers against another. As a reaction to this, in June 2014, the European Commission introduced its first tentative changes, publishing the industry’s first standardised guidelines on the terms cloud-computing supplier SLAs should contain. A good step forward, but with serious limitations that will need to be both discussed and addressed.

EC guidelines – a step in the right direction

There is no doubt that anything that improves efficiency should be being given serious consideration by a government institution. The public sector has a duty of care to spend our tax money wisely and make it go further even if we weren’t in an economic situation that necessitates a thrifty approach to local government, and hadn’t elected a government that has such a course woven into the very fabric of its manifesto. Cloud computing offers many of these benefits and should, therefore be a serious consideration. Unfortunately it is not being adopted as universally as it might if the process of selecting the right supplier for the job was made easier.

To these ends the Commission’s guidelines focus on certain service level objectives (SLOs):

  • Performance. The capacity of the supplier across a range of deliverables and their limitations.

  • Security. The measures taken to ensure the safety of data and the security of personal information in the cloud.

  • Data Management. How data will be handled and how this specifically related to EU data laws.

And, while we acknowledge that the European Commission’s standardisation guidelines are an excellent step in the right direction there are a number of serious limitations that make me question whether any genuine improvements will be seen as a result of them.

Limitations of the EC guidelines

Every journey of a thousand miles starts with a single step, as they say, and while the step the European Commission has made should be commended as recognising the problem and initiating discussion to create change there are four issues with the current status quo:

1. Voluntary. The fact that these guidelines are voluntary will inevitably result in a low take-up by suppliers. After all, if you were a supplier with cloud contracts that maybe favour your priorities, or, in the odd case, that constructively confuse your clients into not quite understanding the detail of what they are paying for, what would be your motivation for changing this situation? Of course you could argue that with greater clarity and client confidence will come greater business prospects, but that’s a speculative argument set against the reality of risking today’s profitable strategy.

2. Global standard. Many businesses today conduct their activities internationally, across countries and continents. Therefore, for these guidelines to have the desired impact they should be extended globally to become international standards, which they have not been as yet.

3. Lack of clarity. The guidelines themselves are reported as having a number of ambiguities, and for guidelines to truly guide they need to be crystal clear at all times. It would therefore certainly be beneficial for them to be reviewed on a regular basis to ensure that any issues with clarity can be addressed.

4. Objectives. While the standardisation of quality levels and expectations is good to a certain degree, offering smaller and medium sized businesses an element of protection from the potential of unscrupulous supplier agreement wording, we need to remember that these agreements should to be outcome-led. Standardisation has a darker side, one where innovation is stifled and a one-size-fits-all approach is adopted that does not necessarily suit the needs of an outsourced relationship.

Is standardisation the way forward?

The question I’m asking myself is, does standardisation limit the capability of my supplier to achieve the outcomes I’m shooting for? And I worry that it might.

While quality standards in service areas can start from a standard minimum requirement position it’s important to appreciate that each relationship is different, each project has its own unique nuances – from the personalities involved to the capacities of the parties, the client’s expectations and the outcomes you hope to achieve. Essentially, every outsourced relationship is different and to effectively deliver the outcomes expected of them, suppliers need to word their agreements to reflect the unique elements of the project, and clients need to ensure that they do.


To win greater confidence from the public sector the cloud-computing world needs to ensure that they have a standard set of quality assurance rules that they adhere to. But they also need to be flexible to the changes their clients should wish them to make in order to personalise their agreements to achieve the outcomes they are shooting for and to encourage innovation wherever possible.

The European Commission’s cloud-computing standardisation guidelines are currently going through a process of review by a working group at the International Organisation for Standardisation (ISO). We will therefore, have to watch this space to see how these guidelines evolve, and whether any amendments focus more on the practical needs of public sector outsourced relationships.

Your experience

The above examples are from our own experience of what we have found works. Please share examples for the benefit of the wider audience in our comments section below of what you find has worked for you in the past – or new things you are trying yourselves and might be still waiting the results on.


Free Ebook Download: Problematic IT Project