Click here to subscribe to the Helix Nebula & PICSE Newsletter

Case study - Joint procurement for cloud brokerage services

The Procurer

We are an agency funded by the European Union that operates independently of the European legislative and executive institutions (Commission, Council, and Parliament) and EU Member States. Our agency was set up in 2002 to be a source of scientific advice and communication on risks associated with the food chain. The agency was legally established by the EU under the General Food Law - Regulation 178/2002. The General Food Law created a European food safety system in which responsibility for risk assessment (science) and for risk management (policy) are kept separate. Our duty is to communicate our scientific findings to the public.

Why the cloud?

In line with the European Cloud Computing Strategy adopted by the European Commission, many EU Agencies see ‘cloud services’ as the next primary way in providing information services. Cloud based services offer the possibility to add agility and flexibility in developing and rolling-out new ICT services, avoiding buying additional data centre equipment, while reducing Capex and Opex expenditures.

How we procured cloud services

In order to be able to procure the cloud based services swiftly as and when needed the contracting EU agency decided to establish a dedicated single framework contract. The cloud market is rapidly evolving and highly transformational in many aspects. To allow the necessary flexibility in such an evolving environment, in addition to opt for a framework contract, it was decided to base the contract on a “Cloud Service Broker” (CSB) model approach. As the EU agencies face the same needs and expectations in the cloud service market, in order to optimise the use of EU public funds, it was decided to pool resources and launch the call for tenders as a common initiative of several EU agencies.

Accordingly, this call is being launched as an interagency procurement, under the lead of the lead awarding authority. All the other EU agencies have joined the interagency call and will also use the resulting framework contract. The Call for tenders is based on the lead awarding authority Work Programme for grants and procurement. The purpose of the call for tenders is to establish a supply channel for multiple types of cloud services (multi- sourced) through an external cloud service broker. The call objective is to award the framework contract to an entity, the Cloud Service Broker (CSB), acting as intermediary and aggregator of services provided by different cloud service providers.

The CSB shall be able to:

» aggregate the demands across the different participating EU agencies,

» act for EU agencies as a single point of contact and management of multiple cloud service providers,

» ensure a vendor-neutral framework and create a level playing field for the cloud providers to offer and compare their cloud offerings,

» provide integrated brokerage negotiation (e.g. contracts, terms and conditions, SLA, security and data protection clauses) and service delivery with leading cloud service providers operating in Europe,

» provide a self-service Cloud Management Platform (CMP) to:

» present, purchase, provision, monitor and manage cloud resources,

» provide a centralized, transparent and uniform billing and invoicing of the consumed services,

» ensure flexibility and scalability, including the possibility to charge cloud resources according to the “pay-per-use” model,

» ensure compliance with security, data protection and audit requirements, » ensure portability and interoperability among the different cloud providers,

» provide complementary, cloud specialized value-added services, such as connectivity services, extended managed services, virtual desktop services, backup services, disaster recovery services, cloud consultancy services and channel catalogue services.

The tender was published in January 2016. The time limit to receive tenders is 1st April 2016.


What we learned

» Drafting the minimum requirements that must be complied by the bidders could be an efficient way to speed up the tender evaluation.

If the bidder cannot state that they comply with these points then their bid is eliminated. In particular, the requirements included in the tender for the procured broker service are:

» Controlling of personal data processing performed on behalf of the EU o Respect of data subjects’ rights & data quality principles

» Territoriality of datacentres

» Data transfers outside EEA

» Sub-processing & audits

» Personal data breaches

» Recognition of Protocol of Privileges & Immunities applicable to EU institutions and bodies for what concerns access of law enforcement bodies o Data portability and erasure

» Contractual remedy

» Information Security

Some other technical interesting points from the tender documentation are:

» The number of points that can be awarded for each criteria are listed together with conditions under which maximum or minimum points will be awarded

» Financial penalties are defined for non-respect of service quality, such as non-availability of the service, erroneous invoices, slow response from the service desk etc.

» The financial stability and minimum turn-over of bidders will be checked (this is in contradiction with the EC’s policy of promoting SMEs)

» Connection to GEANT is explicitly listed under network connectivity

» The roles of software architects, programmers, analysts, network engineers and their hourly rates are listed