Author:

Dr. Lukas Fleischer
Associate

Data processing services under the Data Act and cloud computing services under NIS2 – "creative leeway" for companies

Summary

Looking at Chapter VI of the Data Act or the NIS2 Directive, many companies are asking under what conditions their digital offerings count as regulated "data processing services" or "cloud computing services". The legal definitions are vague. Digital service providers can therefore, within limits, influence whether these laws apply to them at all through the design of their services, and in particular through the degree of automation. Below, we discuss the options available to companies.

1. Introduction

Providers of digital services must navigate a complex web of legal regulations. In our practice, we are increasingly asked whether a particular digital service constitutes a data processing service under the Data Act or a cloud computing service within the meaning of the NIS2 Directive.

The practical implications of the answer to this question are far-reaching. For example, Chapter VI of the Data Act imposes comprehensive cloud switching obligations on providers of data processing services. The NIS2 Directive (and the German Federal Office for Information Security Act, "BSIG", which transposes it) requires providers of cloud computing services to implement specific IT security measures. In addition, a number of sector-specific laws (e.g., Sec. 384 sentence 1 No. 5 SGB V, Book V of the German Social Code, which governs statutory health insurance) impose additional and rather strict requirements on data processing and cloud computing services. In practice, it is therefore of considerable importance to classify digital services correctly in this respect and to make use of the flexibility the above-mentioned laws leave open.

2. Definition of "data processing service" and "cloud computing service"

The legal basis for the definition of a cloud computing service is Art. 6 No. 30 NIS2 Directive and the identical definition in Sec. 2 No. 4 BSIG. Both laws describe a cloud computing service as a "digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations." The clarification in Recital 33 NIS2 Directive is of particular importance for the definition: according to the recital, "on-demand administration" describes a situation in which the user unilaterally provisions computing capabilities such as server time or storage space "without any human interaction by the cloud computing service provider".

The Data Act takes a similar approach but provides a slightly broader definition of a data processing service in its Art. 2 No. 8. According to Recital 78 of the Data Act, data processing services include cloud and edge services, but are not limited to them. Furthermore, whereas the term cloud computing service in the NIS2 Directive and the BSIG seems to presuppose complete automation ("on demand", "without any human interaction"), the Data Act settles for less: the definition in Art. 2 No. 8 itself speaks of resources that can be "rapidly provisioned and released with minimal management effort or service interaction", and Recital 80 describes this as "minimal management effort and as entailing minimal interaction between provider and customer". Some residual interaction with the provider therefore does not, by itself, take a service outside the Data Act.

These definitions in European law also have an (indirect) effect on German law: the German legislator, for instance, has adopted the term cloud computing service from the NIS2 Directive verbatim in Sec. 384 sentence 1 No. 5 SGB V. For providers of cloud computing services in the healthcare sector, this means that they must comply with particularly strict legal requirements (e.g., submission of a C5 attestation under the BSI Cloud Computing Compliance Criteria Catalogue).

3. Ambiguities in the legal definition

Although the legal definitions appear precise at first glance, their application in practice causes headaches for companies. There is a fair degree of legal uncertainty around the requirement of "on-demand administration" (NIS2 Directive and BSIG) or "on-demand network access" (Data Act). The legislators largely refrain from providing explanatory comments and thus leave open the question of when exactly an "on-demand" situation exists. This means that the distinction between a regulated cloud solution and a "classic" IT outsourcing model must be drawn on a case-by-case basis. Recital 33 of the NIS2 Directive suggests that on-demand administration "could" exist if the user allocates resources "without any human interaction" with the provider. However, the use of the conditional ("could") and the lack of case law to date leave room for interpretation. The distinction becomes even more blurred in the Data Act, where "minimal interaction" between the user and the provider is not considered detrimental to the classification as a data processing service.

To resolve this legal ambiguity, at least in part, it is worth looking at the technical standards of international standardization bodies such as ISO (International Organization for Standardization) and NIST (National Institute of Standards and Technology), on which the BSI, among others, also relies. The ISO/IEC 22123-1 standard lists "on-demand self-service" as a core characteristic of cloud computing, i.e., the provisioning of resources by the customer automatically, without manual intervention by the cloud provider. NIST SP 800-145 describes the same characteristic as the consumer's ability to "unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider"; the European Union Agency for Cybersecurity (ENISA) likewise treats provisioning without significant human intervention as a defining feature. Read together, these technical standards paint a clearer picture than the legal texts: a cloud service is characterized by automated self-service provisioning.

4. “Creative leeway” for companies

The vagueness of the legal definitions gives companies considerable leeway in designing their services. To actively control whether a digital service qualifies as a data processing or cloud computing service, companies should start in the design phase and make targeted technical decisions early on. One effective lever may be to deliberately forgo full automation, for example by implementing static resource limits that rule out elastic scaling in the technical sense. If the feature of "on-demand self-service" is absent, a central element of the concept of a data processing or cloud computing service is missing, which brings the service closer to classic hosting models. As a result, it will often be possible to argue that such a service falls outside the scope of, for example, the NIS2 Directive, the BSIG and the Data Act.

In addition to technical measures, companies can implement organizational mechanisms that directly affect the characteristics of a "self-service model". This may include, in particular, genuine manual approval processes in which any expansion of resources requires an individual review and active involvement of the provider (such as the acceptance of an order form). It is also conceivable to contractually restrict administrative rights to a small number of named individuals, so that the service is not "immediately available" on demand.

As a matter of course, companies will have to weigh the economic impact of such measures, since elasticity and self-service are often precisely what customers pay for. They should also verify that a service redesigned in this way does not fall within another regulated category, for example data centre services or managed services, which the NIS2 Directive lists separately from cloud computing services.

5. Result

As the law stands today, digital service providers have considerable flexibility when designing their services to avoid classification as data processing services under the Data Act or as cloud computing services under the NIS2 Directive, provided that the absence of on-demand self-service is reflected in how the service is actually built and operated, and not merely in its contractual description.
