In recent years the ICT market has evolved toward a cloud-based approach. This shift together with the rapidly changing legal and regulatory landscape has heavily impacted security assurance, governance and compliance. The information security market players have tried to provide suitable solutions to cope with issues such as i) lack of means to provide higher level of assurance (e.g continuous monitoring and auditing), ii) privacy not adequately taken into account, iii) limited transparency and iv) lack of means to streamline risk management and compliance. In the certification space this has resulted in the creation of several schemas creating an additional problem, i.e. the proliferation of certification scheme. The project EU-SEC will improve the effectiveness and efficiency of existing approaches for assurance and compliance. The EU-SEC aims to create a framework under which existing, certification and assurance approaches can co-exist. The three core ideas behind the EU-SEC project are that an effective and efficient approach to trust, assurance and compliance has to: (1) balance the need of nations and business sectors to develop their specific certification schemas with the need of CSPs to reduce compliance costs (2) avoid that humans (auditors) do activities that can be performed by machines (e.g. collecting data) (3) make sure that accurate and reliable evidences/information are provided to relevant people, in a timely fashion, leveraging as much as possible automatic means. The EU-SEC framework will equip stakeholders in the ICT security ecosystem with a validated governance structure, a reference architecture, and the corresponding set of tools to improve the efficiency and effectiveness of their current approach to security governance, risks management, assurance and compliance. The EU-SEC aims to enhancing trustworthiness and transparency in the ICT supply chain through business cases developed and piloted by industrial partners.

Today, whilst many organisations are reliant on cloud resources, contracts for cloud services often contain Service Level Agreements (SLAs) with technical & legal provisions that are inappropriate, difficult to understand &/or illegal. Similarly, the application of established data protection concepts can be problematic, with uncertainties as to what is regulated, who is responsible & which laws apply. Building on the work conducted by EC SIG SLA, Certification & Code of Conduct, ETSI CSC, CSA WGs, ECP Steering Board, NIST, Gartner, SLA-Ready, delivers a reference model for Cloud SLAs & a set of best-practices & services to support cloud customers in the use of cloud SLAs through their life cycle. The latter will improve the uptake of cloud computing by private sector, while procuring services across the cloud market. Other Outputs: • support cloud customers via a dedicated, social repository of Cloud SLAs and supporting services to ensure the acquisition, operation and termination of cloud services fulfilling specified requirements; • provide an active contribution to relevant SDOs like: ISO/IEC 19086. • engage & ensure coordinated, global collaborations with e.g., NIST RATAX and the CSA SLA WG for a collaborative, international approach; • Provide 4 engaging practical user friendly tutorials to end-users, • Showcase real efforts of the common reference model implementation in Europe. The consortium is lean, complementary & strong: TRUST-IT, a prime mover in cloud computing landscape ensures effective coordination, digital marketing & SDO liaisons; CSA a leading, global player in the arena of cloud security; TUDA, brings direct expertise on techniques & frameworks to operate with cloud SLAs; Arthur’s Legal represents IT, ISP, software, CSP, IoT & IT service vendors, end-users in their legal life cycle. Numergy offers cloud services to public & private organizations. SLA-READY has a pragmatic & actionable Advisory Board (AB) made up of key opinion leaders.

CloudWATCH2 supports EU R&D on cloud computing, software, services across the full innovation lifecycle & the move to market, promoting technology advancements, supporting OS software re-usability through clustering, championing standards for interoperability & security, providing a roadmap on the cloud market structure to encourage transparent pricing & offering educational services on risk management & legal issues to lower adoption barriers for SMEs & public administration. CloudWATCH2 focuses on the cloud ecosystem emerging from EU research & innovation projects, where technology & pricing are an equally important part of market equation. It takes a pragmatic approach to market uptake & sustainable competitiveness by clustering projects around common themes & challenges, with deep dive training for wider uptake & commercial exploitation. It analyses the fast evolving standards landscape, new implementations, extensions & protocols focusing on the value creation of interoperable and secure services, identifying gaps & making recommendations to address them. It brings interoperability testing to the forefront supporting Cloud Interoperability Plugfests. It supports market-oriented approaches to new products, services & solutions, including OS developments, where “free” & “profitability” are not mutually exclusive. It introduces a novel activity around cloud pricing analysis, strengthens support of sustainability, to encourage faster time-to-value & commercialisation of innovative products & services. On the demand side, it supports key stakeholders in the EU digital market by providing training on legal aspects addressing increasingly common consumer concerns. Consortium: TRUST-IT, coordination, outreach, a renowned international network & SDO liaisons; CSA a leading, global player in cloud security; UOXF OeRC part of UK eScience programme; StrategicBlue cloud billing & price risk management experts. ICT Legal, represents IT, ISP, SW, CSP, IoT & IT service vendors