SWIPO: Failure to regulate the European cloud market

25 November 2019 | Cigref in English

#SWIPO – Cigref and its members cannot recognise the legitimacy of the documents (Codes of Conduct, description of the future legal entity for the governance of these codes) which should be submitted, on November 26th 2019, in Helsinki, to the ministers of the Finnish Presidency of the Council of Ministers of the European Union.

Cigref can only acknowledge the failure of the self-regulation process of the cloud market in Europe. This failure is essentially the result of a systemic asymmetry of skills, resources and objectives between, on the one hand, some of the world’s leading cloud service providers, who defend the core of their business and their ability to lock in their customers, and, on the other hand, users for whom lobbying in this area is not their business. None of the proposals made by Cigref members to improve the SaaS code of conduct and the subsequent governance of codes of conduct by the legal entity have been taken into account, in defiance of the SWIPO Working Group’s governance rules.

Cigref Press release

November 25th 2019 – French version

The context

The Cloud has become an essential element of the IT technical architectures of major European companies. The market is currently very largely dominated by a few American players who are using their position to impose conditions on their customers that are incompatible with the principles of free and fair competition.

Regulation 2018/1807 of the European Parliament and of the European Council, published on November 14th 2018, aims to promote the free movement of non-personal data in Europe. Article 6 states that the Commission shall encourage and facilitate the development of codes of conduct by self-regulation of the cloud market in Europe.

The main objective of the Regulation is to promote mechanisms for the free circulation of non-personal data:

  • by opening the market to small suppliers;
  • by limiting the concentration of actors;
  • by improving users’ freedom of choice;
  • by removing proprietary locking devices;
  • by promoting software interoperability and software license portability in the cloud through the adoption of common standards.

To this end, a working group called “SWIPO”, for SWItching cloud and POrting data, was set up by the European Commission in April 2018. This working group was supposed to be representative of the main players in the European cloud: cloud service providers and users. In fact, while the main world-class suppliers were present throughout this work, the way it was carried out made it more difficult for users, who do not have dedicated resources representative of their diversity, to be involved over time.

The objective of this SWIPO Working Group was to develop two codes of conduct, one for the IaaS (Infrastructure as a Service) market and the other for the SaaS (Software as a Service) market, as well as the documents defining the legal entity that is to implement and monitor the evolution of these codes of conduct.

European Regulation 2018/1807 set the end of the SWIPO Working Group’s work at November 29th 2019.

The codes of conduct drawn up for the IaaS and SaaS markets, as well as the documents defining the legal entity for the governance of the codes of conduct, are expected to be formally submitted to the Finnish Presidency of the Council of the European Union on Tuesday 26 November 2019 in Helsinki by the co-chairs of the SWIPO Working Group and the European Commission.

The observation

At the end of the work of the SWIPO Working Group, the Cigref is led to make the following observations:

  • the IaaS code of conduct appears satisfactory;
  • contrary to the statements made by some of its co-chairs and the European Commission, the SWIPO Working Group did not reach a consensus on the SaaS code of conduct and the documents defining the legal entity. Cigref therefore wishes to deny any statement to the contrary;
  • none of the proposals made by Cigref members to improve the SaaS code of conduct and the subsequent governance of codes of conduct by the legal entity were taken into account, in defiance of the SWIPO Working Group’s governance rules.

Cigref therefore notes the dysfunction of the SWIPO Working Group and the refusal of the main suppliers to take into consideration the amendment proposals made by users to integrate their expectations in terms of cloud regulation, particularly in terms of software interoperability and software license portability. These expectations were formalized in a consensus motion presented by a dozen users, which the working group did not wish to include within the time frame set.

Cigref can therefore only acknowledge, at this stage, the failure of the self-regulation process of the cloud market in Europe.

Cigref believes that this failure is essentially the result of a systemic asymmetry of skills, resources and objectives between, on the one hand, some of the world’s leading cloud service providers, who defend the core of their business and their ability to lock in their customers, and, on the other hand, users for whom lobbying in this area is not their business.

Cigref’s proposals

The members of the Cigref reiterate to the European Commission and the SWIPO Working Group their willingness to join forces following the work of the self-regulation of the cloud market in Europe, subject to reservations, already presented to the SWIPO Working Group in the form of a motion of consensus, that:

  • the IaaS and SaaS codes of conduct and the documents defining the legal entity are published, as public contributions, under a Creative Commons BY-SA 4.0 license in order to avoid any attempt at locking;
  • the European Commission launches a mission – independent of suppliers – to audit the codes of conduct and study the impact on the cloud market in terms of benefits for users, before January 31st 2020;
  • the steering committee of the legal entity is composed of 1/3 suppliers and 2/3 users, in order to establish a balance that overcomes the asymmetry described above;
  • the European Commission commits itself to the development, by the stakeholders in the governance of the legal entity, of a version 2 of the IaaS and SaaS codes of conduct before May 29th 2020, taking into account in particular the main comments of users;
  • the European Commission undertakes to draw up a proposal for a Regulation by May 29th 2020 if version 2 of the codes of conduct has not reached a consensus.

In the absence of these provisions, Cigref and its members cannot therefore recognise the legitimacy of the documents that should be submitted on November 26th 2019 in Helsinki to the ministers of the Finnish Presidency of the Council of the European Union.

Finally, and even if the objective is not explicitly included in Regulation 2018/1807, Cigref reminds the European Commission and the players in the cloud market in Europe of its concern about the emergence of a European trusted cloud industry, offering both technical and legal security guarantees, enabling its European customers to protect themselves from the extraterritoriality of the legislation to which the main cloud service providers are currently subject. Cigref hopes that this ambition can be addressed, according to modalities to be defined, in the framework of the subsequent work of the SWIPO Working Group.
