Do you use or provide services in the field of cloud technologies? You should be aware that 2024 brings a number of legislative changes. European certification is around the corner, public authorities are facing the end of cooperation with cloud service providers that are not registered in the cloud computing catalogue, and private providers will also face updates, not only in their contractual documentation. Let's take a closer look at the new obligations.
The use of cloud services is continuously growing. More and more SaaS[1] startups are emerging, and the public sector is also starting to use cloud computing services. The growth in popularity of cloud technologies was accelerated by the recent pandemic and is still expected to continue at tens of percent per year in the coming years. Cloud technologies are cheap and efficient, but they carry a security risk, as any cloud service is a form of outsourcing: the customer's data and processes are placed under the operational control of a third party. For this reason, there are regulatory efforts at both the Czech and the European level. Since the new year, two legislative changes have taken effect in the Czech cloud legislation.
European certification
Within the European Union, under the legal framework of the Cybersecurity Act (Reg. 2019/881), a uniform European cybersecurity certification for products, services and processes is being prepared, which will apply to the entire single market. The legislation is already in force and schemes which will set out specific rules for the certification of individual sectors are currently being developed. The EUCC (certification scheme for ICT products) and EUCS (certification scheme for cloud services) schemes are the furthest along in the process.
Although certification will not yet be compulsory, strong interest in it is expected across the single market. It can be assumed that technology companies will use these schemes to demonstrate their security, that contracting authorities will refer to them in tender procedures, and that customers will also favour certified and secure products and services. It is therefore a good idea not to “fall asleep” and to be active in this area today.
Czech cloud legislation
In the Czech Republic, the cloud legislation comprises two interlinked laws. The first is Act No. 365/2000 Sb., on Public Administration Information Systems (APAIS), and the second is Act No. 181/2016 Sb., on Cybersecurity (ACS), which is also expected to be substantially amended in response to the NIS 2 Directive.
In contrast to the EU legislation, the Czech legislation has been in force for several years, and since 1 September 2021, following Act No. 261/2021 Sb., on Amendments to Certain Laws Concerning the Computerisation of Public Administration, it has been freed of its original legislative defects[2]. This legislation affects public administrations, which are obliged to use only cloud services that are registered in the cloud computing catalogue. The cloud computing catalogue is a public list that includes offers of and demands for cloud computing services as well as the cloud services that public administrations are currently using. If a public administration uses a cloud service that is not listed in the catalogue, it is required by law to stop using it within 12 months of becoming aware of that fact.
This indirectly forces private providers to register in the cloud computing catalogue. To do so, they first need to register as providers and then register each of their services in one of four defined security levels. Registration is conditional on meeting requirements that are verified by the Digital Information Agency (DIA) and the National Cyber and Information Security Agency (NÚKIB).
Why, you ask, is awareness of this obligation not higher? We assume that this is due to the transitional period, which allowed a public administration to keep using a service not registered in the catalogue if it had started using that service before 1 September 2021. However, this exemption expired at the end of 2023. In 2024 it is therefore no longer possible either to start using unregistered services or to continue using previously procured cloud services that are not registered in the catalogue.
Mandatory clauses in cloud computing service contracts
The second part of the legislation affects public authorities that are at the same time public administrations under the APAIS[3]. The Decree on Security Rules sets out specific requirements that they must include in their cloud computing service contracts. Depending on the relevant security level, these include, for example, requirements for data localisation, ISO certification, an information security management system, data backup, the retention period for operational data, and encryption. This again indirectly forces the private cloud computing providers who conclude these contracts to comply with these rules.
Any new contract between a public authority and a cloud computing provider should therefore include contractual provisions ensuring that the cloud service provided by the private provider meets the security standard set out in this new Decree of July 2023. However, this obligation applies not only to new cloud computing contracts but also to previously implemented cloud services, and contracts relating to such services will thus have to be “supplemented”. Although the obligation itself has been in the ACS for longer, the specific security requirements were only introduced in July 2023, so it is advisable to update your cloud contract documentation in 2024. Failure to do so could result in a fine of up to one million Czech crowns.
Conclusion
Cloud technologies are often referred to as the future of information technology delivery[4]. It is therefore not surprising that new regulatory obligations are approaching. Public administrations should take note of their statutory obligation to terminate cooperation in 2024 with existing cloud service providers that are not registered in the cloud computing catalogue, and to update their contractual documentation with the registered ones. The change also affects private cloud providers, who are advised to update their contract templates and, if they are interested in providing services to the public sector, to register in the cloud computing catalogue.
At HAVEL & PARTNERS, we have experience in drafting the necessary contractual documentation, in registering major technology companies in the cloud computing catalogue and in litigating before the regulator, and we will be glad to help you effectively with all aspects of cloud computing.
- [1] – SaaS, or “software as a service”, means the provision of software as a service rather than as an installed product.
- [2] – KLODWIG, Jakub. Příručka právní regulace cloudu. Brno: Nugis Finem Publishing, [2022]. ISBN 978-80-7614-008-0.
- [3] – See NÚKIB’s interpretative notice on Section 4(5) of the ACS, available at: https://nukib.gov.cz/download/publikace/podpurne_materialy/2023-07-14_vyklad-ust-par-4-odst-5_v1.1.pdf.
- [4] – KLODWIG, Jakub. Data jsou nové zlato. Podcasts 21. [12 Dec 2023]. Available at: https://pravo21.cz/podcasty/jakub-klodwig-data-jsou-nove-zlato.