legal cloudsourcing strategy

Our 10 key lessons learned

contracting model – customers may contract with a cloud service provider directly or indirectly via a cloud reseller / integrator, although in practice it is not always very clear which parties are contracting with each other for which type of services (cloud-, maintenance / support – or professional services) and irrespective of any service integration issues where the customer operates a multi cloudsourcing environment.

transformation phase – to the extent it is technically possible to transfer existing on-premises applications to the cloud, it will also have to be verified whether this is permitted from a legal or compliance perspective, whether there are no hidden or unexpected costs and whether maintenance / support arrangements are adequate; as more and more traditional software suppliers have their own cloud strategy, this can be a challenge.

commercial elasticity – one of the key advantages of cloud solutions is that they allow dynamic use, switching part of the services on or off very quickly. This also supports burst capacity as/when needed. Although many professional cloud service providers facilitate this elasticity in their marketing, we have identified that this right is often not documented in the contracts.

user expectations – as a result of consumerisation, business users expect the customer’s application suite to be updated increasingly faster and expect more flexibility than ever before. At the same time, it has become much easier for the business to procure applications themselves (shadow IT). This should be acknowledged and facilitated as much as possible, but within the boundaries of the customer’s cloud strategy / policies.

continuous improvement – the larger cloud service providers in particular, but also the smaller innovative ones, are always ahead in making new functionality available to their customers, especially functionality that benefits from the unique characteristics of the cloud. It is important, however, to be aware of how these new services fit within the existing (commercial) agreements, to avoid licensed functionality eroding over time.

legal & compliance – many cloud service providers originate in the US while their European customers have to comply with often stricter European legislation (e.g. GDPR and ESG). This should be a key concern for compliance and legal within any customer organisation and for organisations in regulated markets in particular. The customer should know where the personal data it controls is stored and who has access to it.

business continuity – on-premise brings with it entirely different business continuity risks than the cloud, because in the cloud the dependence on the cloud service provider is much stronger. Added to this are the enormously increasing political and legal pressure on cloud service providers to take responsibility for the content, strong law enforcement instruments and, of course, the traditional risk of discontinuity, such as bankruptcy.

demand organisation – transition to the cloud does not mean that the customer no longer needs an IT department, but it will introduce new demands on the skills of the customer’s IT department. In addition, it is crucial to delineate clearly, in the contract, the operational responsibility of suppliers in relation to that of the customer’s own IT organisation.

security requirements – public cloud generally provides a higher level of security and assurance, but a solid understanding of the agreed security conditions and clear reporting and audit arrangements to monitor security throughout the entire lifecycle are indispensable, also because the customer’s IT department often has less insight into and control over what is being used within the cloud organisation.

exit strategy – control over data and access thereto is nowadays broadly considered crucial to mitigate the risks of vendor lock-in, but it should also be realised that many cloud-native information systems are developed for a specific cloud platform. From a legal perspective, the obligation to provide exit support in case of termination in particular should be carefully reviewed and drafted.