When is a cloud also legally a cloud?
For years, cloud computing has been understood, not only in Germany, as a form of providing shared and flexibly scalable IT services using IT resources that are not permanently allocated.
Cloud services were purchased as part of outsourcing projects, for example to operate an application in an external data center at a service provider and not have to worry about CPU, memory or storage capacity. If required, nothing had to be purchased, only reordered from the service provider. This view may need to be adapted, as there is a definition of the term “cloud computing service” in European law.
Definition of the cloud: European regulation
The NIS 2 Directive was published in the Official Journal of the EU on December 27, 2022, and must be transposed into national law by October 14, 2024. In May, the Federal Ministry of the Interior and Home Affairs presented the government draft for a law implementing the NIS 2 Directive. The NIS 2 Directive contains a definition of cloud computing, meaning that a European definition has existed since October 2022. This definition was adopted almost word-for-word in the German government draft and was also introduced into the German Social Code Book V in the Digital Act of the Federal Ministry of Health:
- Art. 6 No. 30 / NIS 2 Directive:
‘Cloud computing service’ means a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations.
- Section 2 no. 4 / NIS-2 Implementation Act-E:
‘Cloud computing service’ is a digital service that enables the on-demand management of a scalable and elastic pool of shared computing resources and comprehensive remote access to this pool, even if the computing resources are distributed across multiple locations.
- Section 384 no. 5 / SGB V:
‘Cloud computing service’ means a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations.
As the European Court of Justice (ECJ) has ruled on several occasions, European law takes precedence. Although national legislators have a certain amount of leeway when it comes to directives, they must ensure that the legal effects of national laws correspond to those of the directive. The effects intended by the European legislator must therefore be reflected in the national law – otherwise national courts must refer to the European requirements of the respective directive instead of the national regulations when making their judgment.
What does the European legislator mean by cloud computing?
Due to the primacy of European law, the national implementations in Section 2 para. 1 no. 34 of the Government Draft NIS-2 Implementation Act and Section 384 no. 5 SGB V must comply with the European requirements. In order to understand how cloud computing is defined, it is therefore necessary to look at the European requirements, i.e. to interpret the definition in Art. 31 No. 30 NIS-2 Directive.
The ECJ states: “In examining those provisions, account must be taken not only of their wording but also of their context and the objectives pursued by the legislation of which they form part”. As the ECJ states, the objectives of the respective legal act must therefore be taken into account in particular. However, the possibility of interpretation is limited by the wording of the legal text; no interpretation can change the meaning of the wording of a regulation if the wording is unambiguous. The recitals of a European legal act must be given priority with regard to the interpretation of a wording that cannot be clearly interpreted, as they are part of the respective European legal act.
The ECJ points out that “recitals in the preamble to a Community act are not legally binding and cannot be relied upon either to derogate from the provisions of the act in question or to interpret those provisions in a manner manifestly contrary to their wording”.
The definition of cloud computing contains six “must” and one “can” criterion.
A cloud computing service is
- a digital service (“must”)
- that enables on-demand management (“must”)
- and comprehensive remote access (“must”)
- to a scalable (“must”)
- and elastic (“must”) pool
- of shared computing resources (“must”),
- even if these resources are distributed across several locations (“can”).
The mandatory criteria are all linked with “and”, i.e. each of these conditions must be met for it to be a cloud computing service. If even one condition is not met, it is not a cloud computing service.
The following section takes a closer look at the conditions so that an assessment can be made as to whether a service is cloud computing or not.
Must criterion: Digital service
Article 6(23) of the NIS 2 Directive defines a “digital service” as a service within the meaning of Article 1(1)(b) of Directive (EU) 2015/1535. Article 1(1)(b) of Directive (EU) 2015/1535 defines a “service” as an information society service, i.e. as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”. For the purposes of this definition, the term
- “service provided at a distance” means a service provided without the simultaneous physical presence of the contracting parties;
- ‘electronically supplied service’ means a service which is sent by means of equipment for the electronic processing (including digital compression) and storage of data at the origin and received at the destination and which is transmitted, conveyed and received wholly by wire, by radio, by optical means or by other electromagnetic means;
- “service provided at the individual request of a recipient” means a service provided by the transfer of data on individual request.
A digital service is therefore any service provided electronically at a distance and at the individual request of a recipient.
The provision of hardware does not constitute an electronic service (see Annex I No. 2 of Directive (EU) 2015/1535). Examples of electronic services are the provision of virtual machines for the installation of software (whether with or without an operating system) or the provision of software.
Must criterion: Management on demand
Recital 33 of the NIS 2 Directive contains the following explanation of the “on-demand management” requirement:
“The fact that cloud computing users can allocate computing capacity such as server time or network storage space to themselves without interacting with the cloud computing service provider could be described as on-demand management.”
On-demand management therefore means that cloud users (= customers) can allocate computing capacities to themselves without interacting with the cloud provider. It does not matter whether or not the cloud provider charges for the computing capacities that customers allocate to themselves.
It is crucial that the cloud users can allocate the computing capacities themselves. If cloud customers have to request computing capacity from the cloud provider and the decision on this lies with the cloud provider, this criterion is not met.
Must criterion: Comprehensive remote access
Recital 33 of the NIS 2 Directive contains the following explanation of the “comprehensive remote access” requirement:
‘The term ‘comprehensive remote access’ is used to describe that the cloud capacities are provided over the network and made accessible via mechanisms that promote the use of heterogeneous thin or thick client platforms (including mobile phones, tablets, laptops and workstations).’
Any service provided via a network, in particular also using the Internet, fulfills this requirement.
Must criterion: Scalable pool
Recital 33 of the NIS 2 Directive contains the following explanation of the “scalability” requirement:
‘The term ‘scalable’ refers to computing resources that are flexibly allocated by the cloud service provider, regardless of their geographical location, so that fluctuations in demand can be managed.’
Whenever a cloud provider can react flexibly to the utilization of a service, this condition is fulfilled. It does not matter whether computing resources from different data center locations are accessed. “Independent of geographical location” makes it possible to organize everything in one data center or to use different data centers for load balancing.
In terms of capacity utilization, it does not matter whether time effects play a role (e.g. increased use of cloud resources between 8 a.m. and 7 p.m.) or not. The service promised to the customer must be provided.
Must criterion: Elastic pool
Recital 33 of the NIS 2 Directive contains the following explanation of the “elastic pool” requirement:
‘The term ‘elastic pool’ is used to describe computing resources that are provisioned and released according to demand so that the amount of available resources can be quickly increased or decreased depending on the workload.’
The requirement for an “elastic pool” complements the requirement for a “scalable pool”. While the “elastic pool” requirement demands that cloud providers can balance out fluctuations in demand, the requirement for a scalable pool demands that cloud providers can make computing resources available to cloud customers in response to demand.
Must criterion: Shareable
Recital 33 of the NIS 2 Directive contains the following explanation of the “shareable” requirement:
‘The term ‘shareable’ is used to describe computing resources provided to a plurality of users who access the service through a common access point, but where the processing is performed separately for each user, even though the service is provided through the same electronic equipment.’
A provider makes computing resources available to a large number of customers. The requirement “separate processing for each user” is usually implemented by means of client (tenant) separation, which separates the data of the different users and thus also the access options.
Optional criterion: Distributed across several locations
The wording “[…] even if these resources are distributed over several locations […]” in the definition in Art. 31 para. 30 NIS 2 Directive indicates the optionality: “even” means that the condition does not have to be met for a cloud computing service, but may be met.
Recital 33 of the NIS 2 Directive contains the following explanation of the “distributed” requirement:
‘The term ‘distributed’ is used to describe computing resources that are located on different networked computers or devices and that communicate and coordinate with each other by exchanging messages.’
“Distributed” is therefore fulfilled if computing resources are used by networked devices. These can be networked data centers, but also networked computers (e.g. computers connected in a cluster) in a single data center.
Conclusion
Since December 2022, there has been a definition in European law that ultimately also has an impact on contracts: Anyone who contractually offers or purchases a cloud must ultimately also fulfill requirements for a cloud or cloud usage. The directive should be transposed into German law by October 2024, so it is time to check how your own cloud offerings or corresponding contracts comply with the definition.
The following is an overview of the conditions that must be met for a service to constitute a cloud computing service:
- Digital service:
Will usually be given if more than hardware is provided by one provider.
- On-demand management:
The cloud user can allocate computing capacity to themselves without interacting with the cloud computing service provider.
- Comprehensive remote access:
Cloud capacities are provided via the network and made accessible via mechanisms.
- Scalable pool:
Computing resources are allocated flexibly by the cloud service provider, regardless of their geographical location, so that fluctuations in demand can be managed.
- Elastic pool:
Computing resources are provided and released according to demand so that the amount of available resources can be quickly increased or reduced depending on the workload.
- Shared:
Computing resources are made available to a large number of users, with the users accessing the service via a common access point, but processing is carried out separately for each user, even though the service is provided via the same electronic equipment.
The following criterion may also be met:
- Distributed:
Computing resources are located on different networked computers or devices.
Customers whose purchased service does not comply with the conditions should approach the provider and agree a corresponding clarification with them by way of a contractual amendment. Providers should check whether the products they offer meet the requirements. When a provider offers a cloud computing service, the customer is simultaneously guaranteed certain aspects of IT security under various laws, which not every provider is able or willing to provide.