Cloud technologies and data centres: new regulation in Ukraine
On 15 March 2022, the President of Ukraine signed the Law of Ukraine “On Cloud Services” No. 2075-IX, dated 17 February 2022 (the “Cloud Services Law”). The Law is scheduled to take effect on 16 September 2022.
For the first time in Ukraine, the Cloud Services Law introduces a complex regulatory framework for the provision of cloud and data centre services to users in Ukraine. The adopted Cloud Services Law has a strong focus on regulating the provision of such services to public authorities and operators of critical information infrastructure facilities (the “CIIF operators”), but its scope extends further to B2B and B2C relations.
In this overview, we look at what cloud services mean, what types of services are covered, whether there are any requirements for cloud and/or data centre services contracts, and what data security and localisation requirements are stipulated by the Cloud Services Law.
What do “cloud services” mean?
The Cloud Services Law does not re-invent the wheel, so the key definitions generally correspond to their conventional meanings.
Cloud service is defined as a service of providing cloud resources by means of the cloud computing technology.
Cloud resources mean any hardware and software or other elements of the information (automated) system the access to which is provided through and by cloud computing technologies, in particular, processor time (computing power), storage space, computing networks, databases and computer programmes.
Cloud computing technology should be understood as a technology of providing remote access to the cloud infrastructure through e-communication networks at the user’s request.
Cloud (cloud infrastructure) means a set of dynamically distributed and customised cloud resources which can promptly be provided to the user of cloud services and freed up through global and local networks of data transfer.
Which cloud and supplemental services are covered?
The Cloud Services Law specifically lists the following services which are subject to its regulation:
- infrastructure as a service (IaaS) that involves providing computing resources, storage resources and e-communication systems by means of the cloud computing technology;
- platform as a service (PaaS) that involves providing access to infrastructure and sets of computer programmes, such as operating systems, system computer programmes, computer programming software, database management software, by means of the cloud computing technology;
- software as a service (SaaS) that involves providing access to software by means of the cloud computing technology through an online service or computer agent programmes; and
- security as a service (SECaaS) that involves providing cybersecurity services with the use of the cloud resources.
Under the Cloud Services Law, the list of cloud services is non-exhaustive. Any service that falls within the meaning of the ‘cloud service’ definition will be subject to regulation under the Cloud Services Law. The scope of specific cloud services should be defined in a contract between the provider and the user of cloud services.
Furthermore, the Cloud Services Law regulates the services of data centres. Under the Cloud Services Law, a data centre is defined as a specialised technical complex that consists of engineering (uninterruptible power supply, ventilation, cooling and humidity control, fire safety, physical protection), information, e-communication and software and hardware infrastructure.
Data centre services can either be supplemental to the cloud services or provided separately from the cloud services. The data centre services include: (1) technical management of information (automated) and e-communication networks, as well as information and communication systems; (2) technical support for users of cloud services; (3) installing equipment in the data centre, including providing a separate premises for installing the equipment; (4) rent of technical means located in the data centre; and (5) cybersecurity.
Requirements for cloud and/or data centre services contracts
The Cloud Services Law has a strong focus on regulating cloud and/or data centre services contracts where a public authority and/or CIIF operator is a party to the contract, while the regulation is minimal where a privately owned business is a party to such a contract:

| Factor to consider | Cloud and/or data centre services to public authorities and CIIF operators | Cloud and/or data centre services to privately owned businesses |
| --- | --- | --- |
| Contract form | Written (electronic) | Written (electronic) |
| Model (standard) contract | Yes. A model cloud and/or data centre services contract will be approved by the Ukrainian Government. The model contract is binding, but the parties are permitted to specify the basic terms and conditions | No |
| Inclusion of other documents in the principal contract by reference | Permitted by the Cloud Services Law | Permitted by the Cloud Services Law |
| Joint liability of service providers | Yes. If several service providers are involved in the provision of services under the contract for one user, such providers bear joint liability before the user unless agreed otherwise in the contract with the user | Yes. If several service providers are involved in the provision of services under the contract for one user, such providers bear joint liability before the user unless agreed otherwise in the contract with the user |
| Essential provisions of the contract | Yes. The Cloud Services Law stipulates an extensive and non-exhaustive list of essential provisions for cloud services contract: The parties are allowed to agree that some other provisions are essential. | No |
| Governing law | Must be governed by the laws of Ukraine | Can be governed by laws other than Ukrainian if the service provider is a foreign entity |
| Jurisdiction of the forum | Must be resolved in the Ukrainian courts | Foreign courts or arbitration can be chosen if the service provider is a foreign entity |
| Local authorisation for service providers | Yes. The service provider must be recorded with the Ukrainian Registry of Providers of Cloud and/or Data Centre Services. The Registry is maintained by the Commission (as defined below) | No |
| Public procurements law | Applies | Does not apply |
| Data processing localisation requirement | Yes (for more information, see our overview below) | No specific requirement |
| Obligation to inform on security risks | Yes. The user must be informed about potential security risks which can arise due to data processing in the cloud (likely prior to provision of services) | No specific obligation |
| Obligation to inform on security measures | The service provider should provide information on how data is secured from external and internal threats, including cyberattacks, upon the user’s request and/or in accordance with the procedure agreed in the contract | |
Security requirements
Under the Cloud Services Law, service providers must not:
- use technical facilities located in the territory where public authorities of Ukraine temporarily do not exercise their powers (which would be territories temporarily affected by the war) and in the territory of any aggressor state (currently, only the Russian Federation);
- use technical facilities owned by states or entities to which the sanctions have been applied under the Law of Ukraine “On Sanctions” 1644-VII, dated 14 August 2014 (the “Sanctions Law”).
The Cloud Services Law does not provide any detailed instructions on how a service provider should trace the ownership of the facilities.
The Cloud Services Law also sets general requirements regarding compliance with technical and organisational measures for managing risks related to the security of networks and systems used for cloud and/or data centre services. Such measures must appropriately correspond to the perceived level of the security threat and should encompass:
- security of systems and equipment;
- incident management;
- business continuity management;
- monitoring, audit and testing;
- compliance with the international standards.
The Cloud Services Law also establishes a notification requirement for service providers: they must, without undue delay, notify of any incident that has a significant adverse effect on the provision of cloud and/or data centre services. The notification must be sent to the National Commission for State Regulation of Electronic Communications, Radiofrequency Spectrum and Postal Services (the “Commission”), and CERT-UA, the Computer Emergency Response Team of Ukraine at the State Service of Special Communication and Information Protection of Ukraine. The Cloud Services Law does not interpret the scope of “significant adverse effect” that triggers the notification obligation, so it should be defined in the internal documents of service providers and decided on a case-by-case basis. The Commission should also approve the notification procedure.
Data localisation requirement and related regulation
The Cloud Services Law introduces a data localisation requirement. In particular, it is prohibited to process the following information with the use of cloud resources and/or data centres located abroad or in the temporarily occupied territories of Ukraine, or which are owned broadly by the Russian Federation or sanctioned individuals and entities under the Sanctions Law: (1) state secrets; (2) information pertaining to the office; and (3) information from the state and unified registers which are created, maintained and operated under the laws of Ukraine.
Since the Cloud Services Law is not yet in force, the data localisation requirement is also not yet in force. Therefore, public authorities and service providers should have enough time to restructure their cooperation if and where needed.
The introduced data localisation requirement should be applied in conjunction with other parts of the Ukrainian legislation establishing a specific regulation during the martial law:
- according to Resolution No. 263 of the Cabinet of Ministers of Ukraine, dated 12 March 2022, public authorities were allowed, among other things, to locate public information resources and public e-registers as well as their encrypted reserve copies on the cloud resources or data centres outside Ukraine;
- Draft Law 7152 “On Amending Some Laws of Ukraine Concerning Maintenance of Functioning of Information and Communication Systems, Electronic Communication Systems, Public Electronic Registers” dated 13 March 2022 is expected to allow locating public e-registers abroad during the martial law and up to six (6) months after cancellation of the martial law. Currently, the Draft Law awaits signature by the President of Ukraine.
Under the Cloud Services Law, the Ukrainian Government is tasked with adopting a procedure for providing cloud and/or data centre services in connection with public information resources or information with limited access.
Information contained in this overview is for general information purposes only, does not constitute legal or other professional advice, and should not be relied upon as a substitute for specific professional advice tailored to particular circumstances.