News

European Network and Information Security Agency (ENISA) Issues Cloud Computing Guidance

This is the subtitle

25 November 2009
Image
Image

The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a – in our view very helpful – set of questions that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.

The key conclusion of the paper is that the “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective.” 

The paper is particularly timely in light of the European Commission’s public consultation on the legal framework for the fundamental right to protection of personal data, which closes at the end of next month. ENISA’s paper includes specific recommendations for the European Commission’s future consideration. It rightfully points out that certain issues related to the EU Data Protection Directive and Article 29 Working Party recommendations warrant clarification. In the current legal framework, it is not clear, for example, under which circumstances a provider of cloud computing services may be classified as a “joint controller” of personal data. ENISA also recommends that the European Commission examine and clarify, inter alia:

–         whether providers of cloud computing services should be obliged to notify their customers of data security breaches (and what information should be provided to these customers);

–         the legal impact of data transfers to providers of cloud computing services in countries outside the European Economic Area (EEA), if those countries do not provide an “adequate” level of data protection;

–         how the intermediary liability exemptions arising from the eCommerce Directive apply to providers of cloud computing services.

As far as information security in concerned, ENISA’s paper provides useful and practical guidance for potential and existing users of cloud computing services as well as policy makers. It will be interesting to see to what extent its recommendations will result in concrete action by the European Commission and/or Article 29 Working Party.

 

Authored by the HL Chronicle of Data Protection Team

Contacts

bio-image

Eduardo Ustaran

Partner

location London

View more

Related topics

Related countries

Related keywords

Load more

Articles you may be interested in

image_1
News

EU Commission seeks stakeholder contributions to shape guidelines on GPAI models

25 April 2025
image_1
News

Dutch DPA intensifies cookie enforcement – key takeaways

25 April 2025
image_1
News

The Cyber Security and Resilience Bill

25 April 2025
image_1
Insights and Analysis

End-to-end encryption: obstacle or pillar of national security?

07 April 2025
image_1
News

Latombe Case: First hearing for annulment of the EU-U.S. Data Privacy Framework

02 April 2025
image_1
News

Connected vehicles: CNIL’s consultation promotes driver’s consent over fraud and car theft

01 April 2025
image_1
News

Streamlined BCR approval: Understanding the EDPB's updated procedure

31 March 2025
image_1
News

The Data Chronicles | Unlocking the EU Data Act | What it means for connected products and related services

27 March 2025
image_1
News

Overview of the CNIL’s enforcement actions in 2024: the simplified procedure generates an increase in sanctions

25 March 2025
left_arrow
right_arrow

Search

arrow
arrow

Register now to receive personalized content and more!

 

Register
close
See benefits
Register