Cloud or classic hosting? The choice is crucial - new laws place additional requirements on cloud services.
Cloud services have been an area of focus for legislators recently, including in relation to regulations for cloud security (NIS2) and switching between cloud services providers (Data Act, DMA). In light of this, the question of what constitutes a “cloud service” or "cloud computing service" is becoming increasingly important, particularly as different regulatory requirements can apply to cloud services, data centre services and hosting.
The question of what exactly is meant by the "cloud" is by no means trivial. Even from an economic and technical perspective, there is no universally applicable terminology for "cloud". The term "cloud" is colourful, has no fixed contours and is still undergoing an evolution that is not yet complete. The National Institute of Standards and Technology of the U.S. Department of Commerce (NIST) therefore describes cloud computing as an "evolving paradigm", and the German Federal Office for Information Security (BSI) clarifies that no definition has yet established itself as universally valid; the BSI now refers to the ISO/IEC definition.
Development: from on-premise to on-demand
Until the 1990s, the IT infrastructure landscape was strongly characterised by centralisation and self-hosting. Instead of purchasing computing resources, companies purchased physical computers and operated their applications on their own servers on their own premises ("on premise"). At the turn of the millennium, these self-managed computing resources were increasingly outsourced to external companies specialising in operating and providing computing services. Companies either housed their own servers at external companies ("housing"/"colocation") or rented the relevant IT services such as storage space, computing power, etc. directly ("hosting"). Customers had the choice of renting their own physical server with full access, a "dedicated server", or only renting access to a shared server. This shared usability of servers ("multitenancy") was achieved by using rights and role concepts to exclude access to the resources of other customers and by allocating certain resources ("quotas") such as storage space and CPU power to each user. Virtualisation also made it possible to run multiple operating system environments on a single physical server ("virtual server"). What all these models had in common, however, was that customers ordered contractually fixed services (e.g. a certain amount of storage space, CPU cores, internet data volume) and paid for them on a monthly, quarterly or annual basis. They still had to pay even if the resources they rented were not utilised. If, on the other hand, the resources were fully utilised, users had to manually move to a higher performance package and possibly to a more powerful server.
Cloud computing is a logical continuation of this development; on the one hand it continues with the concept of abstracting IT services, on the other hand it also meets the increased need for simple scalability of services with better cost control for users. The abstraction of IT services in particular is very important in cloud computing and is perhaps one of the biggest reasons for its success. Instead of renting a server with full access, cloud computing allows you to purchase the IT services you need directly. This is a huge plus for IT departments, as they no longer need to worry about the underlying levels (e.g. the operating system) and the associated maintenance requirements (e.g. security patches). The principal service models in cloud computing are generally categorised as:
- Infrastructure-as-a-Service (IaaS - the operator takes care of the physical infrastructure and virtualisation, the customer takes care of the operating system level, middleware and applications) - comparable to the classic virtual server and rather rare in the cloud sector.
- Platform-as-a-Service (PaaS - the operator also takes care of the operating system level and middleware and only provides certain services, e.g. database services, storage services, authentication services).
- Software-as-a-Service (SaaS - the operator provides a specific software and all the necessary platform components and infrastructure components; the customer hardly has to take care of any technical aspects).
In addition to this abstraction of services, cloud services are also characterised by seemingly unlimited scalability, because (a) new services can usually be used within a few minutes without having to increase quotas, physically upgrade the server used or switch to a different tariff first, (b) the computing power and storage capacities offered by the operator can be increased and reduced flexibly depending on the current volume of use ("load balancing"), (c) this load balancing is no longer limited to vertical scaling on a single physical server, it can also be performed horizontally across multiple physical servers and server locations, and (d) the customer generally only pays for the services actually used, i.e. there are no longer fixed monthly/annual flat rates, but rather a pay as you use model based on the amount of services used and the cost per unit of use.
Example: definition according to the National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Source: SP 800-145, The NIST Definition of Cloud Computing (CSRC)
Key Characteristics of Cloud Computing (NIST Definition)
- On-demand self-service: Users can automatically provision computing capabilities as needed without requiring human interaction with each service provider.
- Broad network access: Services are available over the network and accessed through standard mechanisms that promote use by heterogeneous client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
- Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
- Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).
Example: definition according to the Data Act
The definitions of the term "cloud" in the relevant laws are basically similar and comparable, but they differ in certain aspects. For example, Article 2(12) of the Data Act defines the cloud (referred to here as "data processing service") as follows:
a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature.
Key features according to the Data Act
The key features of the cloud can be summarised as follows:
- computing resources: computing resources include both hardware and software, e.g. networks, servers, other physical infrastructures, the server's operating system, virtualisation systems, software (e.g. applications and services). More general or specialised services are offered depending on the level of abstraction.
- pool: several/a large number of computing resources are available. In cloud computing, the services purchased by users often extend horizontally across multiple servers (which may also be located in data centres in different geographical locations), which offers advantages such as load balancing during periods of increased demand (see below for more on scalability). As a result, it is usually no longer possible to precisely identify a specific single server on which the services are provided for the customer.
- scalability: new resources are allocated automatically or with minimal administrative effort as needed, for example to balance fluctuations in demand – the resources available seem to be limitless (even if this is not actually the case). High scalability can be achieved, among other things, by not assigning users individual/specified servers that have to be changed or upgraded as required, but by allowing the purchased services to extend horizontally to several servers or even locations and adding further resources automatically or with minimal effort in times of increased demand.
- elasticity: elasticity in this sense means that computing resources are dynamically expanded and released again depending on the workload. While scalability is all about future-proofing for increased demand, elasticity is about being able to absorb short-term peaks and dynamically expand and reduce the resources provided.
Difficult to differentiate in individual cases; technical delivery model is decisive
At first glance the difference between cloud and hosting appears simple. However, to properly categorise the service it’s necessary to take a comprehensive look at the technologies and business models used. How a product or service is marketed (e.g. labelling as "Cloud" or "SaaS" on the sales website, flyers or the app store) is only an indication and can be deceptive. The way a service is described for advertising purposes is not decisive for its legal categorisation. It is necessary to carefully evaluate the technical solution and classify it according to specific cloud service features. Not every feature has to be present for a technical solution to qualify as a cloud service. At the same time, a cloud service can also exist even if it only has some of the specific features.
Further "soft features" that may also play a role in the assessment must still be taken into account: (a) the type of billing for the services used (e.g. monthly fee regardless of usage or pay as you use); and (b) information in brochures, on the provider's website, in the general marketing of the product, etc.
The delivery model, purpose of provision and other circumstantial factors may also be relevant. For example: Article 2(13) of the Data Act stipulates that scalable and elastic computing resources must be "provided to a customer" in order to be considered a data processing service/cloud; and Recital 35 of NIS 2 acknowledges that “Services offered by data centre service providers may not always be provided in the form of a cloud computing service. Accordingly, data centres may not always constitute a part of cloud computing infrastructure.” It is therefore important to consider whether the specific cloud service features are actually offered to customers or if the service provider only uses cloud services in its own backend (e.g. as a sub-processor).
To understand what their legal rights and obligations are under the wave of new digital regulation governing cloud, data centre and hosting services, whether as a customer or a service provider, businesses need to assess and correctly categorise the services received/provided. And they need to act promptly so appropriate compliance measures can be implemented in time because local member state implementation of NIS 2 has already occurred, or is overdue, and the Data Act will apply from September this year.