Standards and standardisation activities for cloud services

The Standardisation Forum advises on the obligatory or voluntary adoption of open ICT standards in the public sector. To be able to advise the government on standardisation in relation to the cloud, the Standardisation Forum’s aim is to get an idea of the standards that are important for government policy on the use of cloud services. To this end, the Standardisation Forum Office commissioned the independent consultancy firm, E-Space, to conduct research.

An important starting point for the research was the letter from State Secretary van Huffelen dated 29 August 2022, in which she announced a change in the central government’s policy on the use of cloud services. The new policy sets frameworks for the central government’s use of commercial public cloud services and updates the former policy dating back to 2011, which focused mainly on keeping cloud services under the government’s own management.

Government policy on cloud services raises questions about digital sovereignty, vendor independence and information security. Open standards for data portability, cloud interoperability and information security can help to support these standards. The main objective of the research was therefore to provide an overview of European, international and national standards, and the standardisation activities that are relevant to cloud platforms, systems and services. Trends and risks were also identified.

The Standardisation Forum formulated the following questions for this research:

1. What European, international and national standards are there in relation to the cloud, in particular in terms of cloud interoperability, data portability, information security and orchestration?

2. Which European, international and national cloud standards are still under development or planned?

3. Are there any existing gaps? In other words, cloud technologies or applications that require open standards but do not yet exist and are not yet under development.

4. Which cloud standardisation activities, including in Europe and internationally, should the government or the private sector in the Netherlands be able to influence? For instance, because they are moving in a direction that is not in line with government values, including openness, inclusion, information security, privacy, digital sovereignty and a balanced market. And to what extent is it possible to influence these standardisation activities?

The research was conducted between September and December 2023. Sources were analysed for the research (see Appendix 9) and interviews were held with 27 experts, including from the Netherlands Standardisation Institute, the Netherlands Organisation for Applied Scientific Research, the Association of Netherlands Municipalities, the ICTU, the Netherlands Authority for Consumers & Markets, the Ministry of the Interior and Kingdom Relations, the Ministry of Justice and Security, the National Cyber Security Centre, the Cloud Security Alliance, Microsoft and IBM. (See Appendix 10 for the full list of experts interviewed.)

Additionally, meetings on the subject of cloud and standards were attended. These meetings were the iBestuur conference held on 13 September 2023, the Haven community day held on 31 October 2023 and the ECP Annual Festival held on 16 November 2023.

This report is structured like a pyramid as much as possible, starting with the conclusions (Section 2) and recommendations to the government (Section 3), followed by the substantiation (Section 4).

The methodology, scope and basic assumptions and the results of the desk research are included in the appendices. Appendix 5 bgives an explanation of the cloud and cloud services, types of deployment of cloud services and a list of major cloud service providers worldwide, in Europe and in the Netherlands.Appendix 6 sets out the scope and basic assumptions of the research, including a summary of the renewed Government Cloud Policy of August 2022. Appendix 7 bcomprises an overview of global trends, European developments and initiatives from the Dutch government regarding cloud policy.

Major cloud service providers are prepared to some extent to collaborate on standards that facilitate interoperability and data portability. At the same time, dependence on these providers is growing. This tendency is clearly evident in the market study carried out in 2022 by the Netherlands Authority for Consumers & Markets (only available in Dutch)

A 'winner takes all ' market dynamic is emerging for cloud services, which means that the market share of the largest hyperscalers keeps on growing at the expense of smaller market players. Interweaving cloud services with proprietary AI is exacerbating this development. Smaller market players lack the knowledge and computing power required for large-scale AI, which in turn strengthens the position of the major hyperscalers. The Data Act is a step in the right direction and will bring more equilibrium to the market, but it will have to be implemented, inter alia by developing open standards and making them obligatory. Initiative and control are required for this.

Advice to the government: exercise greater control over the cloud services market, both at a national and European level. Cloud service providers are prepared to go along with this, but are asking for clarity about the standards to be implemented. Open standards at a European level are needed to reduce dependence on hyperscalers and other providers. There are none as yet; the government must work towards this in a European context. In addition, the government and the European Commission are in a position to put pressure on cloud providers to make their proprietary standards public so that third parties can use them.

“The cloud is a network market that does not observe the rules of traditional markets. Open standards are necessary to keep this market healthy”

Rudi Bekkers, Professor of Standardisation and Intellectual Property at the Eindhoven University of Technology.

Knowledge and expertise of public cloud services is scarce and scattered across the government. This is in contrast to on-premise cloud environments, where much more knowledge and experience is available. Several respondents indicated that there is little coordination in the government for all the measures and actions that need to be taken to keep up with and manage the rapid development in cloud services. Without its own aggregated expertise, the government is also growing more dependent on market players in terms of knowledge, and in particular the major cloud service providers based abroad.

Advice to the government: focus on training, knowledge building and knowledge retention, and on collaboration between government organisations. In this respect, align with national and international organisations, such as the Netherlands Standardisation Institute and the Cloud Security Alliance. Consider making a public-sector organisation responsible for this, so that coordination is organised centrally. This could be the National Academy for Digitalisation and Computerisation of the Government (RADIO). And attract more experts to work in the civil service.

A great deal is being done regarding standards and norms frameworks for information security and privacy. Some developments overlap, and this can result in ambiguity. It came to light during the research that government organisations working on security controls are not always aligned with international standards or organisations. This is despite the fact that international collaboration can strengthen the government’s position. The Ministry of the Interior and Kingdom Relations, for instance, is working on a control baseline based on Secure Cloud Business Applications (SCuBA).

Advice to the government: conduct in-depth research into the cohesion and overlap between national, European and international standards frameworks. After that, choose a clear line, make decisions and align with European and international organisations and developments. Make sure that they are transposed into standards so that organisations are obliged to observe them.

As it stands now, the Standardisation Forum is focusing solely on standards for data exchange between organisations. This renders it difficult to mandate standards such as IMAP, which are crucial for data portability and vendor independence, but are generally not used for data exchange standards between organisations.

Advice to the Standardisation Forum: investigate whether the scope of the ‘comply or explain’ list can be broadened as part of their existing mandate to include standards that promote vendor independence and digital sovereignty, even if these standards are not predominantly applied to data exchange between organisations.

There are still few open standards that support data portability. ISO 8000 provides guidelines for effective and efficient data exchange between different systems, organisations and technologies. This involves the standardisation of formats and terminology to avoid misunderstandings and errors. That said, there is no set standard for exchanging data included in databases.

Advice to the government: set up a working group to identify open standards for data portability and submit these standards for inclusion on the Standardisation Forum’s ‘comply or explain’ list to make them mandatory. This could involve standards that are still under development or are yet to be developed. In the latter case, the working group could indicate who should develop these standards, preferably in a European context. Make practical decisions for the period of time during which these standards are not yet available. Opt for instance for the Amazon Simple Storage Service (S3) API specification for file sharing until an open standard is developed for this. Draw up a list of open-source database formats that have to be supported as a minimum requirement for cloud providers to implement, and those formats such as Postgres, Mysql and Mongo, which are used by government agencies.

For the purposes of promoting interoperability between cloud services from different providers, this study identified several standards that are not yet on the Standardisation Forum’s list of open standards, but may have to be made mandatory.

Advice to the government: carry out further research to determine which of these standards are eligible for inclusion on the Standardisation Forum’s ‘comply or explain’ list. In the process, align with the standards mandated pursuant to the Data Act, and put pressure on providers to implement them. This research can be conducted by the same working group mentioned in the advice given in Section 3.6.

As far as standards for system and application portability in the cloud are concerned, Haven (an initiative of the Association of Netherlands Municipalities) has laid a good foundation for uniform use of Kubernetes. Commercial hyperscalers endorse and support Haven and there are already various kinds of cloud deployments at municipalities. This development contributes significantly to the improvement of interoperability.

Advice to the government: submit the Haven standard for inclusion on the Standardisation Forum’s ‘comply or explain’ list. Help to fortify Haven’s development by ensuring wider application and sound funding. Strengthen Haven by lending support to a wider range of features, which will continue to develop the standard to become a replacement for proprietary services.

The list of the Standardisation Forum’s recommended standards ncludes standards that support data portability at the level of files and should be made obligatory for cloud providers. The concerns, for instance, open standards such as IMAP, which can be used to transfer email messages from one cloud provider to another. WebDAV wis another example; it can be used to manage standard interfaces. By putting these standards on the ‘comply or explain’ list, governments will have to insist on them in their tenders for cloud services, and suppliers will therefore have to offer them.

Advice to the government: submit the recommended standards that are relevant for data portability for inclusion on the Standardisation Forum’s ‘comply or explain’ list. Put pressure on cloud suppliers to implement open standards based on the government’s strategic vendor management software (VMS). Even better would be to put pressure in alliance with like-minded Member States at European level.

Standards and frameworks for standards are crucial, but sharing knowledge and experience on their application is also important.

Advice to the government: also establish best practices for deploying cloud services using frameworks for norms and standards, just like ISO 27002 is a kind of best practices elaboration of ISO 27001. This provides more practical points of reference to government authorities that have to request the standards and apply frameworks for standards.

The research used the three service models for cloud services, namelyInfrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), as defined by NIST SP 800-145. Appendix 5 explains these three service models in greater detail. Government organisations procure all these service models from suppliers.

The three service models for cloud computing require a range of standards to promote interoperability, information security, privacy and portability:

1. Security and privacy standards: Implementing security standards contributes to mitigating the risk of unauthorised access to information that could affect the information security of the owners and users of that information. The standards cover aspects such as data encryption, authentication, authorisation and audit logging.

   Privacy standards focus on the reliable handling and maintaining the confidentiality of personal data stored in the cloud and/or processed there. Examples of this include the standards for data masking, anonymisation and pseudonymisation.

2. Portability standards These standards make it easier to move applications and data from one cloud environment to another. Here we have in mind the standards for containerization and orchestration. They can help to avoid vendor lock-ins and support multi-cloud strategies.

3. Interoperability standards: These standards ensure that the various cloud services and components can communicate and exchange data with each other in a standardised way. They can also help to avoid vendor lock-ins and support multi-cloud strategies.

4. Other standards: These are standards that cannot be classified as above but are relevant to cloud and cloud services and should therefore be noted.

The underlying report covers the following aspects for each type of standard:

• Norms.

• Existing standards included on the Standardisation Forum’s list of open standards.

• Existing standards and standard technology not yet included on the Standardisation Forum’s list of open standards.

• Standards that are under development.

• Missing standards, ‘existing gaps’.

When differentiating between standards and norms, the research used the following definitions: a standard is a generally accepted specification or best practice guideline, whereas a norm is an officially established requirement that products, services or processes must meet.

This document uses the word ‘standard’ in the broad sense. This includes open standards and vendor-dependent (‘proprietary’) standards, as well as technology that can be construed as de facto standards.

Privacy and security are key focus areas for users of cloud services. Cloud facilities have to meet all privacy and security requirements, just as they currently apply to on-premise facilities.

Security and privacy standards can be viewed as belonging to several levels, namely strategic, tactical and operational. The interviews with experts revealed that there are various and partly overlapping certification schemes at the tactical level, partly overlapping auditing frameworks at the operational level, as well as several cloud security frameworks and guidelines.

In the context of the cloud, it is essential that personal data is stored and processed securely. For this, there are three types that fall within the framework of European legislation. Personal data is:

• stored and processed in the EU;

• processed and stored in countries subject to an adequacy decision; or

• processed and stored in a country where there are safeguards in place for those processing operations that demonstrate that personal data has the same protection as if the processing were performed in the EU.

Currently, it is not always clear to users where the cloud facility is physically located and who has access to it. Also, thus far managing cloud facilities in countries that do not have the same rules regarding the protection of personal data is quite common. Cloud providers are working hard to create cloud facilities that comply with one of the three aforementioned types.

Portability standards are guidelines and specifications designed to facilitate the portability of data, software, the systems between the various platforms, and systems and devices. In the context of cloud standards, portability standards are essential for transferring applications, systems and data from one cloud environment to another.

We differentiate between two types of portability standards:

1. Standards for system and application portability: This concerns the ability of software to function on different hardware or operating systems without significant changes. These standards help to reduce the dependencies of specific platforms.

2. Standards for data portability: This refers to the ability to move data easily from one system or platform to another. Data portability is essential in the digital age, in which information often has to be transferred between various applications, databases or storage systems. Data portability standards ensure that the transfer of data goes smoothly, while at the same time maintaining the integrity and the usability of the data.

Interoperability standards for cloud computing are crucial for ensuring seamless and effective interaction between different cloud systems and services from various providers. In this way, interoperability promotes a more open, flexible and scalable cloud environment, where users have the freedom to choose and combine services from different providers based on their specific needs.

Portability and interoperability standards in cloud computing are closely connected, but they serve different purposes. Portability standards are used to facilitate the transfer of applications, data and services between different cloud environments, without significant changes or loss of functionality. Interoperability standards focus on safeguarding the compatibility between different cloud systems and services, so that they can together work seamlessly. Interoperability is essential for the creation of a coherent cloud environment with many functions, where different cloud services and components provided by the various providers can integrate and work together effectively.

Even though both areas of consideration for the standards have a different purpose, they are complementary. Good portability facilitates interoperability, because systems that can be moved easily from one platform to another usually also work better with the systems on those platforms. There is, however, overlap between both types of standards. Overlapping standards are included in Section 4.3 (Portability standards).

Although the research focused on standards for security and privacy, portability and interoperability related to cloud computing, several related standards and norms also came up for discussion. This concerns the following standards, norms and frameworks:

1. NIST SP 500-292: The NIST’s Cloud Computing Reference Architecture is a generic high-level conceptual model that serves as a user-oriented reference point.

1. ISO/IEC 22123-1:  Information technology – Cloud computing – Part 1: Vocabulary

   Gives definitions for terms used in the context of the cloud, such as: IaaS, PaaS and SaaS. Overlaps with NIST SP 500-292

2. ISO/IEC 22123-2:  Information technology — Cloud computing — Part 2: Concepts

   The intention of this standard, entitled ‘Part 2: Concepts’, is to define and specify concepts used in cloud computing. It serves as an extension of the cloud computing vocabulary originally defined in ISO/IEC 22123-1. By elaborating on these concepts in greater detail, ISO/IEC 22123-2:2023 is laying a foundation that supports other documents and standards associated with cloud computing.

3. ISO/IEC 22123-3:  Information technology — Cloud computing — Part 3: Reference architecture.

   This standard, entitled ‘Part 3: Reference architecture’, specifies the reference architecture for cloud computing (CCRA). This document is important because it establishes guidelines and standards related to the structure and organisation of systems and services in the cloud computing environment. The reference architecture described in this document offers a structured and detailed blueprint for setting up and managing cloud-based systems, making it an essential resource for professionals in the field of cloud computing.

4. NIST SP 800-154: This is a list of the National Institute of Standards and Technology’s definitions of cloud computing, which provides a clear and concise framework for understanding cloud technology.

5. ETSI cloud standards: The European Telecommunications Standards Institute applies various standards and specifications for cloud services, and focuses on interoperability, security and SLA's

6. ENISA Cloud Computing Risk Assessment: The cloud computing risk assessment, developed by ENISA (the European Union Agency for Cybersecurity), is a detailed document that assesses potential risks associated with the adoption of cloud computing services.

7. ISO/IEC 38500: ISO/IEC 38500 is an international standard that provides guidelines for effective corporate governance of information and communication technology (ICT).

8. FinOps-framework: The FinOps framework is a set of principles designed to help organisations manage and optimise their cloud costs more effectively.

9. ISO/IEC 19086: ISO/IEC 19086 is an international standard that provides guidelines and best practices for service level agreements (SLAs) for the cloud. These standards help to define, document and agree to service level objectives, measurements and responsibilities between cloud service providers and their customers.

10. ISO/IEC 19944: ISO/IEC 19944 (Parts 1 and 2) is an international standard for cloud computing and distributed platforms, with a special focus on establishing a framework for data flow and data categories in the cloud. This standard sets out guidelines for classifying data, including its origin, movement and use within cloud and distributed computing environments. It helps organisations to identify the various types of data processed in the cloud, such as user data, operational data and metadata. It also provides recommendations for managing and handling this data, taking into account issues such as privacy, security and compliance.

As a reference model for the definitions of cloud computing, we use the The NIST Definition of Cloud Computing in this report. This reference distinguishes five essential features of cloud services:

1. On-Demand Self-Service: Purchasers of cloud services can unilaterally obtain computing capabilities as required, such as server time and network storage. This can be done automatically, without human interaction with cloud service providers.

2. Broad Network Access: Using standard mechanisms, functionalities are available across networks to different types of clients, such as mobile phones, tablets, laptops and workstations.

3. Resource Pooling: The provider’s computing resources (such as storage, processing, memory and network bandwidth) can be shared to serve several customers using a multi-tenant model, where resources are dynamically allocated based on customer demand. It gives a sense of location independence in that the purchaser generally does not have any control or knowledge of the exact location of the resources provided, but may be able to specify the location at a higher level of abstraction, for instance the country, state or data centre.

4. Rapid Elasticity: Computing resources can be provided and released ‘elastically’, in some cases automatically, to be able to up- and downscale quickly. It often seems to purchasers as though the available computing resources are unlimited and can be appropriated in any quantity, and at any time

5. Measured Service: This involves cloud systems measuring and optimising the use of computing resources automatically. This is done at a set level of abstraction, for instance, storage, processing, memory and network bandwidth. The use of computing resources can be monitored, managed and reported, which provides transparency for the provider as well as consumers of the service used.

NIST distinguishes between three service models for cloud services. Government organisations purchase these different types of service models. The three main types of cloud services are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

1. Infrastructure as a Service (IaaS): IaaS gives users access to essential infrastructure, such as physical machines, virtual machines, network, storage and other fundamentals, without users having to own or maintain the actual hardware. For the Dutch government, this could reduce the demand for large data centres or server farms, because these resources can be obtained on demand from the cloud.

2. Platform as a Service (PaaS): PaaS takes it a step further by not only providing the basic infrastructure but also a platform on which applications can be developed, run and managed. Examples of this are operating systems, databases, web servers, development tools, access management, identity management, portal functionalities and integration facilities. For government agencies looking to build unique applications for their services, PaaS can be a valuable tool because it streamlines the development process without having to worry about the underlying system management.

3. Software as a Service (SaaS): This is probably the best-known model; it involves users accessing software applications via the web. Here we have in mind, for instance, email services, CRM systems or collaboration tools, such as office applications (for instance Microsoft365), client management (CRM, for instance Salesforce), and software development (for instance GitHub). For the Dutch government, this means that the various departments and agencies can have access to the latest software without having to worry about installations, updates or compatibility issues.

Comment: in the forthcoming EUCS (as well as ISO 22123) the term ‘as a service’ will be replaced by ‘cloud capability types', i.e. ‘infrastructure capability', ‘platform capability’ and ‘application capability’. In this report, we use the terminology used at the time of writing.

For the government, this means that the three models can help to deliver services more efficiently and to respond to changing technological needs while reducing overheads. By choosing the right mix of IaaS, PaaS and SaaS, the Dutch government can create a technological infrastructure for primary processes, one that is simultaneously flexible and robust and is in line with frameworks standards.

During the survey, respondents mentioned that, in practice, there is actually no clear separation between IaaS and PaaS. The three hyperscalers (Google, Microsoft and AWS) and other cloud providers deliver a mix of these two services. Generally speaking, a range of additional services are provided through app stores in an IaaS environment, such as database access, AI capability and authentication and authorisation services.

NIST distinguishes between four types of cloud services deployment at a cloud provider:

1. Public: The software and data are then entirely on the cloud provider’s servers and generic functionality (which is the same for all customers) is provided.

2. Gemeenschappelijk: The cloud facility is accessible to a limited group of customers who trust each other enough to share this facility.

3. Privaat: Work is done on a (virtual) private ICT infrastructure. In this cloud, the user has full control over data, security and the quality of service. Applications made available via the private cloud use shared infrastructure components that are used for one organisation only.

4. Hybride: This type of cloud is a combination of the above types of cloud deployment.

The Enisa’s Cloud Cybersecurity Market Analysis and other background documents also mention another type of deployment, which is similar to the one mentioned by respondents: the multi-cloud.. Using the multi-cloud is a type of deployment that, like the hybrid variant, combines several deployment variants, combining deployment from different providers.

Cloud computing provides numerous benefits for both individuals and organisations. Below we list a few of the most prominent advantages:

1. Cost savings: By using the cloud, customers can save on the costs of purchasing and maintaining hardware. They often only pay for what they actually use. The Netherlands Authority for Consumers & Markets’ market study into cloud services bconfirms this impression, because large data centres clearly offer economies of scale and they can therefore offer cheaper services than small data centres can.

2. Scalability and flexibility: One of the biggest advantages of cloud services is their ability to easily and quickly scale up as an organisation’s demand for digital applications to work optimally rises in terms of volume, without the need for major investments in physical hardware. And the hyperscalers of major Cloud providers can support applications that require tremendous computing power.An example of this is artificial intelligence (AI), with its best-known application, ChatGPT.

3. Accessibility and mobility: Data and applications in the cloud can be accessed from any location that has access to the internet. This facilitates teleworking and access while on the move. Moreover, it also makes it possible to collaborate better, such as when working together on a document.

4. Security and compliance: Although security in the cloud is a much-discussed topic, many cloud providers provide advanced security features, which companies may not be able to implement themselves because they lack the knowledge or other resources. Reputable cloud providers offer advanced security features and can assist with complying with strict regulatory standards.

In many ways, the cloud computing market in the Netherlands is a reflection of the wider European and global market, but it also has its own unique characteristics. Here is an overview of cloud providers in the Netherlands:

The top three hyperscalers vtogether have the lion’s share of cloud services. The following hyperscalers operate for the Dutch government:

1. Amazon Web Services (AWS

2. Microsoft

3. Google Cloud

Besides these hyperscalers, the following companies are active in the Dutch cloud market:

1. IBM Cloud

2. Oracle Cloud

3. VMWare

4. Red Hat

5. OVHcloud

Alongside these global players, there are a few Dutch companies that operate in the cloud:

1. KPN Cloud

2. TransIP

3. LeaseWeb

4. Interxion

It is worth mentioning that the major cloud providers operating internationally are virtually all American with branches in Europe; OVHcloud is the only European player. Now that government organisations are permitted to use the public cloud (subject to certain conditions), the market share of these hyperscalers in government is growing. The threat of a limited spread across the market and the origin of major suppliers outside Europe calls for regulation through (European) legislation and underlying norms and standards.

Key points of the cloud policy as defined in the letter from the State Secretary:

1. Public services are permitted to use public cloud services, subject to certain conditions and exceptions. Parts of the government that are not part of the civil service are advised to follow this government policy.

2. Processing personal data in public cloud services requires an approved pre-scan data protection impact assessment. If it concerns a high-risk case, a comprehensive data protection impact assessment (DPIA) is required.

3. Each departement is responsible for having insight into the risks of the using public cloud applications.

4. ‘Implementation guidelines on cloud risk assessment’ will be compiled before the end of 2022. This document has since been compiled, and is an implementation framework as opposed to guidelines

5. Exceptions:Using public cloud services for information classified as state secrets is not permitted. The Ministry of Defence does not fall within the scope of this policy.

6. Conditions:

   • Departments have to formulate their own cloud policy

   • A relevant risk assessment is required.

   • An annual report on the use of public cloud services has to be submitted to the State Committee on Integrity in the Civil Service.

   • An ‘exit strategy’ has to be laid down in contracts with cloud providers.

   • The provision of cloud services must meet existing ICT conditions.

   • Cybersecurity is essential, particularly when it concerns data processing in other countries. For this reason, the government also applies the C2000 criteria for cloud usage, which excludes suppliers or services from countries with an active cyber programme that targets the interests of the Netherlands.

   • The decision-making process has to be public, in accordance with the Dutch Open Government Act Wet open overheid.

   • The storage and processing of personal data has to be in line with the GDPR.

   • Extra protection is required for special personal data

   • If it concerns the storage and processing of a key register, or a source of a key register, public cloud facilities cannot in principle be used.

The letter stresses the importance of a balanced approach, taking advantage of the benefits of public cloud services while managing the risks.

The Standardisation Forum formulated the research question. The Standardisation Forum advises the public sector about the use of open standards. In the process, the Forum applies various objectives and points of departure. These objectives and points of departure are the basis of the research:

1. Open standards:The forum promotes the use of open standards. An open standard is a specification that is available and using it is not restricted by patents or licence rights.

2. Level playing field: Using open standards creates a level playing field for providers of ICT products and services. It encourages innovation and prevents government organisations from becoming dependent on one supplier.

3. Interoperabiliteit: One of the Forum’s key objectives is to safeguard interoperability. This means that different services from various cloud providers can communicate and exchange data with one another without problems.

Cloud computing needs a range of standards to promote interoperability, security, privacy and portability. The research differentiates between the various types of cloud standards:

1. Security and privacy standards: Security standards ensure that there is a secure environment, which unauthorised persons cannot access. The standards cover aspects such as data encryption, authentication, authorisation and audit logging. Privacy standards focus on protecting personal data stored or processed in the cloud. Examples of this include the standards related to data masking, anonymisation and pseudonymisation

2. Portability standards: These standards make it easier to move applications and data from one cloud environment to another. This includes, for instance, standards for containerization.

3. Interoperability standards: These standards ensure that the various cloud services and components can communicate and exchange data with each other in a standardised way. They can help to avoid vendor lock-ins and support multi-cloud strategies.

4. Other standards: These are standards that are not covered by the classification outlined above but are nevertheless relevant and therefore deserve to be mentioned.

In addition to standards, we also identify in the research norms and technologies that apply as the de facto standard:

• Standards: These are technical specifications or other precise criteria used as rules or guidelines to safeguard consistency and interoperability. They may be drawn up by official standards organisations or by sector organisations, or may even become de facto standards through widespread use.

• Norms: In the context of technology and IT, standards are often official documents that set out best practices, methodologies, processes or specifications that are widely accepted. Official standards organisation usually issue norms.

• Technologies that can be considered to be de facto standards. This does not refer to technical specifications. Instead, it concerns working technical solutions that are so widely used in the market that they can be construed as a standard.

Section 4 lists existing technologies or standards being developed for each type of cloud standard. ‘Existing gaps’ are described where possible.

Below is an overview of the most important global trends in cloud computing:

1. Hybrid and multi-cloud strategies:Companies and organisations are more and more inclined to opt for a hybrid cloud approach, which involves combining private as well as public cloud resources. At the same time, they are adopting multi-cloud strategies, using services from several cloud providers, to increase flexibility and reduce risk.

2. Serverless architectures: Serverless computing, often referred to as ‘function as a service’ (FaaS), enables developers to build and run applications without worrying about the underlying infrastructure and required services. Cloud providers offer this underlying infrastructure and the required services, which accelerates development and can reduce costs.

3. AI and machine learning integration: Cloud providers are expanding their services with tools and platforms that integrate AI and machine learning. This makes it possible for organisations to perform powerful data analytics and add intelligence to their applications without having to make major investments in advance. All the hyperscalers are busy doing this, and there are great expectations in this regard, given the investments that these organisations are currently making.

4. Improved security measures: With cybersecurity concerns on the rise, cloud providers are investing in advanced security technologies, such as AI-driven security analyses, encryption and zero-trust security models.

5. Containers and orchestration: Development based on containers, such a Docker, and orchestration tools, such as Kubernetes, have grown in popularity because they help developers to build applications that can be easily scaled and moved across various cloud environments, which in turn enhances portability.

6. Sustainability: Based on growing concerns about climate change, businesses and consumers are more and more inclined to examine the environmental impact of technology. Cloud providers are responding to this by building more sustainable data centres and using green energy.

7. Data sovereignty and local regulations: With stricter data protection laws in a range of countries and regions, cloud providers are busy working on regional data centres and offering specific solutions to comply with regulations.

Global trends in cloud computing are a reflection of a rapidly changing technological landscape and the needs of organisations and individuals. Even though cloud computing continues to evolve, the fundamental principles of flexibility, scalability and on-demand access will continue to be the driving forces behind this transformation.

WAs mentioned earlier, the cloud provides numerous benefits. It is essential that appropriate measures are taken to ensure that developments are controlled in line with the norms and values prevailing in European society. These measures are intended to lead to appropriate laws and regulations that refer to the obligation that cloud providers have to adopt open standards.

The EU views legislation and standardisation as strategic instruments to make cloud services healthier and more secure. Actions for cloud computing in the 2023 Rolling Plan:

“Action 1 - Identify needs for ICT standards and open source technologies to further improve the interoperability, data protection and portability of cloud services and continue or start respective development activities…

Action 2 - Promote the use of the ICT standards needed to further improve the interoperability, data protection and portability of cloud services as well as multi-cloud management.”

Below is a list of interesting European developments that affect the way data is stored, processed and shared at a European level, and developments that influence the design of cloud services:

1. Data Governance Act: The Data Governance Act came into force on 24 September 2023. The regulation creates a new European way of data governance based on increasing trust in data sharing. Its aim is to create a secure environment for sharing data across sectors and Member States for the benefit of society and the economy. This strategy has direct implications for cloud computing because it is intended to develop sector-specific, shared European data systems. For the Netherlands, this means that government systems have to be compatible and in line with these European initiatives.

2. Data Act: This European regulation requires cloud service providers to make it possible for users to switch to another provider easily, without losing data and functionality (i.e. portability). The regulation does not prescribe specific standards that providers must use for this purpose; however, it does define several functional requirements that they must meet. Besides the obligation to facilitate portability, cloud service providers also have to enable interoperability. That is to say, users must be able to choose to use two or more cloud service providers in parallel without encountering problems. Pursuant to its findings from market study into cloud services, the Netherlands Authority for Consumers & Markets (ACM) has also insisted on the latter point. Even though the Data Act does not prescribe specific standards for portability and interoperability, it does offer the European Commission the opportunity to draft these standards in the future in the form of delegated legislation. The European Parliament and the European Council have since adopted the Data Act. The Data Act can now be published. It will then take another twenty months from the time of publication for the Data Act to come into force, in other words in the autumn of 2025. A European focus group will assess which frameworks and provisions need to be developed to support Member States in implementing the Data Act. The group will be focusing inter alia on open standards and data spaces.

3. GAIA-X: This initiative, driven mainly by Germany and France, aims or aimed at establishing a competitive, secure and reliable range of cloud services for Europe. The objective of GAIA-X is to safeguard European values and regulations with respect to data. GAIA-X seems to have shifted its objective of achieving a competitive range of cloud services to jointly developing a digital governance layer that enables organisations and government agencies to keep control of public cloud facilities, making it simpler to interact between cloud facilities and migrate from one cloud platform to another. ‘Control’ in this context also means complying with all sorts of security standards. Various experts have been critical of the results achieved by GAIA-X thus far. Given the potential implications for interoperability and data sovereignty, the Dutch government will have to closely follow developments concerning GAIA-X.

4. Digitale Soevereiniteit: The EU has expressed its ambition to enhance the digital sovereignty of its Member States. This concerns Europe’s capacity to develop independent digital solutions, including cloud infrastructures. This may have consequences for where and how government information is stored.

5. Reinforcing the GDPR: DThe General Data Protection Regulation continues to develop with the inclusion of additional guidelines and interpretations. It is crucial for the Dutch government to adapt to these evolving standards, especially in the context of cloud services.

6. EU Cloud Code of Conduct:This code of conduct, approved by the European Data Protection Authority, provides guidance for cloud service providers on how to integrate the GDPR into their services. It ensures that there is a uniform interpretation of the GDPR in the cloud sector, which is relevant for the Dutch government when selecting cloud partners.

7. The European Cybersecurity Act:: Implemented in 2019, this Act introduced an EU-wide framework for cybersecurity certification. It is a framework with verifiable criteria. Various organisations have been mandated to certify themselves. There are various levels of this certification. NIS2, the successor of NIS1, is part of the European Cybersecurity Act. Just like the European GDPR for privacy legislation, the European NIS2 will also become mandatory legislation. The ‘Algemene verordening gegevensbescherming’ is the Dutch name for the GDPR. NIS2 also has a Dutch name, ‘Netwerk- en Informatiebeveiligingsrichtlijn’. It has to be implemented as Dutch legislation by the second half (September) of 2024 (21 months after adoption). Incidentally, the same applies to all 27 European Member States. The NIS2 is intended to strengthen cyber resilience by raising security levels and enforcing the adoption of ‘basic measures’ to prevent cyberattacks and reduce their impact. If the Dutch government uses cloud services, it is important to ensure that these services comply with European cybersecurity standards and the Dutch version of the NIS2

8. European cloud rulebook: To protect European businesses and public organisations, which are increasingly dependent on cloud technologies, it is important that cloud and edge services offered in Europe comply fully with relevant general and sectoral laws, as well as with key European self-regulatory norms and standards relating to security, energy efficiency, data protection, interoperability and fair competition. In recent years, stakeholders from the industry in Europe have been working together to develop these kinds of self-regulating norms and standards. The forthcoming EU Cloud Rulebook will offer an extensive catalogue of these regulations and it will set out the mechanisms that can be used to demonstrate regulatory compliance.

9. Simpl-project: The Smart Middleware Platform (Simpl) makes it possible for EU stakeholders to pool resources to create more business value and enhance resource efficiency, reduce costs and avoid duplication. This middleware enables connectivity between isolated data centres and EU operators, allowing them to leverage underutilised infrastructure. It will also open up data sources to public institutions, SMEs, organisations and industry to improve services in the public interest. This middleware can be used to achieve the commission’s ambition to create an open marketplace for EU resources, which in turn will lead to efficient reuse of the efforts of other EU organisations. In line with the European Green Deal, the Smart Middleware Platform will be based on energy-efficient software. The services also focus on optimising energy consumption in all sectors.

10. DOME-marketplace: DOME is an ecosystem that unites all cloud and edge service stakeholders, including infrastructure and platform providers, service integrators, certification agencies and customers from every industry. The aim is to simplify current practices and offer a continuum of bundled services that go beyond national borders.

The developments and challenges in the field of cloud computing are significant. They are too big for a country like the Netherlands to tackle on its own. It is therefore essential for the Dutch government to stay informed and contribute to developments at a European level. By being proactive and pursuing a well-considered approach to cloud adoption, and acting jointly at a European level, the Netherlands can contribute to a secure, efficient and compliant cloud infrastructure for its citizens and institutions.

The cloud transition is in full swing across the world, with the Netherlands being no exception. The Dutch government realises that, when setting conditions for the use of the cloud, it needs to join forces with its European allies under the umbrella of the European Union.

The Netherlands provides the necessary expertise and input in the various European developments noted previously. In addition to this contribution in Europe, the Dutch government has developed various cloud initiatives. Below is an overview of key cloud developments in the Dutch government:

1. Use of the public cloud subject to certain conditions: AGiven the many advantages of the cloud and the need for computing power for AI, the Dutch government has permitted the use of the public cloud under strict conditions. The 2022 government-wide cloud policy, set out in the letter to Parliament from State Secretary van Huffelen, sets out the conditions and is a prelude to the controlled use of public cloud facilities.

2. Guidelines on the application of risk management in public cloud services: The cloud policy and the ‘Implementation framework for risk assessment of cloud use’ were adopted in 2022. The policy and framework lay down the frameworks for public and hybrid cloud usage. These guidelines are intended for specialists in project teams, clients (CIOs) and specific officials (CISOs and CPOs) who work on a programme in which public cloud usage plays a role. In addition to this, clients get better insight into the management of risks in public cloud usage. The cloud policy and the implementation framework are obligatory for the civil service when it concerns material use of the public cloud.

3. Strategic vendor management (SVM): The Strategic Vendor Management group of the Netherlands government has been responsible since 2014 for negotiating agreements on the procurement and contracting of Cloud services and software from Microsoft, Google and Amazon.The tasks include: Advising government institutions on the procurement of software and cloud products and services. Assessing the risks associated with cloud products and services for compliance with privacy legislation (GDPR). Organising national and international networks of purchasers and contract managers of cloud products and services. Entering into contracts on behalf of the Dutch government between the central government and hyperscalers to arrive at appropriate conditions, such as GDPR compliance and compliance with the government information security baseline. 

4. Common ground – Haven: Each municipality organises its IT infrastructure in a different way. For instance, one municipality may be running its operations locally, while another may be using the cloud more. Applications have to be adjusted in line with the infrastructure on which they operate. This is what makes it difficult for municipalities to develop applications together and to deploy them quickly across all municipalities. Haven is a standard for platform-independent cloud hosting. Municipalities can use Haven to host applications anywhere without having to adapt their IT infrastructure. This creates uniformity, lowers costs and reduces dependence on suppliers, among other things. Haven prescribes a specific configuration of Kubernetes that has to be implemented on existing technical infrastructure, for instance, on a cloud or on-premise platform. The prescribed configuration ensures that every Haven environment of any random cloud provider that has implemented the standard is functionally equal, irrespective of the underlying technical infrastructure. Think of it as a layer of abstraction that provides a common starting point. If offers several advantages: uniformity in the technical infrastructure, interchangeability of applications, vendor independence, platform independence and cost reduction. Haven has its own compliance facility.

5. Baseline Microsoft 365: More and more government organisations are using cloud services. A well-known example of a cloud service is Microsoft Office 365. The use of the service is increasing at the government too. Departmental confidential information at the level of BBN2 may only go to the cloud if more stringent requirements and measures have been met, such as encryption. For instance, compliance with the GDPR, the Civil Service Data Security – Special Information and various norms and standards, such as the government information security baseline, is obligatory. Because of growing use of the Office 365 cloud service, the Dutch government and Microsoft are working together on a baseline for the Microsoft suite.

Finally, the Dutch Government Reference Architecture organisation has a decision tree for risk assessment of cloud servicesas part of the government information security baseline theme for cloud services. In addition, this organisation has a Wiki site for cloud computingFor the time being, this wiki site contains older articles about the cloud, and the Dutch Government Reference Architecture organisation is still looking for an expert group to keep this wiki site up to date.