In the past, organizations would buy IT equipment (hardware and/or software) and manage it themselves. Today many organizations prefer to buy IT services from an IT service provider. This trend is generally, and liberally, referred to as ‘going cloud’.

Cloud security

Our 2009 cloud security risk assessment is widely referred to, across EU member states, and outside the EU. Following up on this risk assessment we published an assurance framework for governing the information security risks when going cloud. This assurance framework is being used as the basis for some industry initiatives on cloud assurance. In 2011 ENISA published a report on security and resilience in government clouds.

We are following up on our past cloud work with the following activities:

Managing security through SLAs:The work of an organization's IT officer has changed as a consequence: Instead of setting up hardware, installing and configuring software, IT officers have to manage service contracts with these IT service providers. ENISA looks at how these service contracts can be set up and monitored in such a way that the information security is optimized.  In December 2011 ENISA has published  a survey and analysis of security parameters in cloud SLAs across the European public sector. A workshop on security parameters in cloud SLAs, was also organised in 2011 together with OASIS and CSA, at the OASIS International cloud symposium.

Critical cloud services: We are also developing a vision on the criticality of cloud services. Cost savings are driving businesses into cloud services hosted in large datacenters which can deliver computing resources more efficiently than small ones: It is possible to deliver high quality, for a good price. Of course, if a cloud service with millions of customers ceases to operate, then the impact is big too. We intend to analyze and discuss, with stakeholders, what could be the impact of a cloud service failure, and in which circumstances cloud services should be considered "critical infrastructure".

Cloud Security and Resilience Expert Group: Over the years ENISA has written a number of papers on cloud computing - with a range of experts on cloud security. These experts work and meet in an informal expert group called the ENISA Cloud Security and Resilience Expert Group. The workspace for the ENISA Cloud Security and Resilience Expert Group is open for the audience.  For more information on the activities of the group please contact us at

Good practice guide for Governmental clouds: In 2013 ENISA published a report on governmental clouds, assessing which EU Member States have operational government Cloud infrastructures and providing   an overview of Cloud adoption in the public sector in the EU. With this work ENISA aims to assist Member States in elaborating a national Cloud strategy implementation, to understand current barriers and suggest solutions to overcome those barriers, and to share the best practices paving the way for a common set of requirements for all Member States (MS).

Incident reporting for Cloud Computing:  ENISA has often underlined the security opportunities of cloud computing. In 2013 ENISA published a paper analysing how cloud providers, customers in critical sectors, and government authorities can set up cloud security incident reporting schemes.

Certification in the EU Cloud strategy: In 2012 the EC issued a communication called “European strategy for Cloud computing – unleashing the power of cloud computing in Europe”. One of the actions outlined there is to assist the development of EU-wide voluntary certification schemes make a list of such schemes. In the strategy ENISA is asked to support this work. The EC, as one of the first steps, set up a group of experts from industry, called Cloud Select Industry Group (C-SIG), with a number of working groups, also on Certification, abbreviated as the CERT-SIG. In 2013 ENISA published a working paper collecting and summarizing the results of CERT-SIG and proposing further steps to the EC, CERT-SIG and the European Cloud Partnership.

EU Vice President Kroes (Commissioner for the EU's Digital Agenda) blogged about this work at:

Cloud Certification Schemes List (CCSL): ENISA as part of the activities under the EU cloud strategy developed a list of different certification schemes which could be relevant for potential cloud computing customers. The creation of this list is explicitly mentioned as a key action in the European Cloud Strategy. This list was developed by ENISA in tight collaboration with the European Commission and the private sector. The certification schemes list can be found at:  (We refer interested readers to a paper ENISA published last year which give an overview of a range of information security certification schemes, used in different sectors.)

We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Ok, I understand No, tell me more