The cloud in the context of EU regulations

Legal compliance of cloud usage with regard to data protection and the legal acts of the EU Digital Strategy

The demands posed by ongoing digitalization can be complex and challenging, particularly with regard to cloud computing. Companies face not only technological but also regulatory challenges, such as complying with the GDPR and the EU Data Act. However, transitioning to the cloud can offer significant advantages in terms of efficiency, flexibility, and scalability. We can support you in implementing your cloud initiatives strategically and in full legal compliance.

Why moving to the cloud can be worthwhile

Cloud computing has been the market standard for over five years. The use of cloud services offers companies numerous benefits:

  • Flexibility & Scalability: Cloud services enable on-demand use of IT resources – ideal for companies with fluctuating requirements or rapid growth. In particular, various “as-a-service” models allow organizations to source external IT resources as needed and scale flexibly
  • Cost Savings: Reducing in-house IT infrastructure lowers capital and operational expenditures
  • Increased Efficiency: Cloud platforms provide integrated tools to optimize business processes and develop data-driven business models
  • Innovation Speed: Faster development and rollout of new products and services through access to modern cloud technologies
  • Operational Security & Availability: Cloud services provide high resilience and global accessibility – ideal for remote work and international teams

Which legal aspects must be considered when using the cloud?

With the ongoing digitalization and increasing use of modern cloud services, companies face not only technological but also new regulatory challenges.

At the center is GDPR compliance, as any processing of personal data in the cloud requires comprehensive data protection measures. A clear allocation of roles between provider and customer is essential – particularly the distinction between controller and processor under Art. 4(7) and 4(8) GDPR. Anyone using a provider’s cloud services must conclude a data processing agreement under Art. 28 GDPR. This agreement must clearly and bindingly regulate, in particular, technical and organizational measures, the use of subprocessors, deletion concepts, audit rights, and all security-related provisions. Furthermore, data transfers outside the EU require careful examination, for example through a Transfer Impact Assessment. This includes, in particular, evaluating the lawfulness of international data transfers and defining appropriate technical and organizational measures.

With the EU’s digital strategy, the compliance landscape becomes even more demanding. The EU Data Act introduces new requirements such as data portability, interoperability, and the right to switch clouds – enabling simple migration between providers. Companies must ensure that switching providers is technically and contractually possible without undue obstacles. Read more in this article: EU Data Act

In addition, cloud contracts must be legally compliant. Following a draft by an expert group and an extensive consultation process, the European Commission published, on 19 November 2025, its recommendation on Model Contractual Terms (MCTs) for data access and use, as well as Standard Contractual Clauses (SCCs) for cloud computing contracts under the EU Data Act. Read more here: Cloud switching under the EU Data Act

We support you in implementing your cloud initiatives in a legally compliant and strategically sound manner. Our consulting areas include:

  • Data protection concepts: Development and implementation of customized legal (data protection) concepts for your cloud projects, including considerations of Privacy by Design
  • Data Protection Analysis: Conducting data protection risk assessments (including TIAs for third-country transfers) as well as reviewing, drafting, and operationalizing data-relevant contracts, policies, and processes
  • Incident Response in the Cloud: Developing processes for responding to IT and data protection incidents in cloud environments
  • Contract Drafting & Review: Legally compliant structuring of cloud contracts, including verification of compliance with EU requirements
  • Outsourcing & Migration: Legal support in migrating data and applications to the cloud
  • Data Localization & Data Sovereignty: Advising on data storage and processing requirements, including international regulatory obligations

Together with our Deloitte colleagues, we offer technical, professional, and legal advice on cloud computing from a single source. We develop a strategy for transforming your company to the cloud, optimize existing processes relating to the use of cloud technologies while taking legal requirements into account, and support you in developing and implementing your innovative visions.
