Boosting Competition in the Cloud Market: How the SREN Law Empowers Users

Boosting Competition in the Cloud Market: How the SREN Law Empowers Users

Key Takeaways

 

The French Security and Digital Space Regulation Law (“SREN Law”), enacted on May 21, 2024, aims to reduce user dependency on dominant cloud service providers (notably the GAFAM companies) by introducing a series of measures to create a more fluid market. The law also seeks to enhance the protection of strategic and sensitive data managed by public administrations when using cloud services.

 

The scope of the SREN Law is extensive, addressing various digital issues, from protecting minors and regulating content to fighting cybercrime, facilitating easier cloud service provider transitions, and aligning national regulations with the DSA and DMA standards. (1) Given the breadth of topics covered, each will be discussed in separate articles.

 

* * * * * * * * *

 

The cloud computing market is currently dominated by a handful of tech giants, including Google, Amazon (AWS), Microsoft (Azure), Apple (iCloud), IBM, and Alibaba. The contracts proposed by these providers often come with restrictive terms, making it difficult for users to switch providers seamlessly. This is exacerbated by technical obstacles, such as interoperability, and the high costs associated with data migration - even when exit procedures (reversibility) are built into the original contracts.

 

The SREN Law introduces provisions aimed at improving the competitiveness of the cloud services market. The goal is to reduce user dependency on cloud providers, thereby fostering the growth of the French and European cloud computing industry.

 

The law defines cloud computing services as “a digital service provided to a client that enables on-demand, network-based access from any location to a shared pool of configurable, modular, and scalable computing resources - whether centralized, distributed, or highly distributed - which can be quickly deployed and released with minimal management effort or interaction with the service provider.” (2) This definition encompasses the full range of cloud services, including SaaS, PaaS, and IaaS.

 

Several measures have been introduced to stimulate competition in the cloud market. Additionally, the law strengthens protections for strategic and sensitive data stored in the cloud.

 

 

1. Boosting Competition in the Cloud Computing Market

 

The SREN Law introduces a series of measures designed to reduce user dependency on cloud service providers, and promote a more competitive and transparent cloud computing market. These measures focus on several key areas, including the regulation of cloud credits (or “cloud vouchers”), control over data transfer and provider-switching fees, the requirement for interoperable cloud services, and enhanced transparency obligations for cloud service providers.

 

-        Regulation of “Cloud Credits” or “Cloud Vouchers” (3)

Cloud providers often offer credits or vouchers at the start of a contract, granting clients free access to certain services or discounts on future invoices. While seemingly beneficial, this practice has been identified as restrictive, as these offers are frequently tied to long-term commitments and substantial monetary amounts. At the same time, users are often required to purchase additional services to fully utilize the provider’s cloud platform.

 

The SREN Law continues to allow the issuance of cloud credits to businesses engaged in production, distribution, or service activities, but introduces the following conditions:

·       Time limitation: Cloud credits must be valid for a maximum period of one year;

·       No exclusivity requirement: Users must not be contractually obligated to rely solely on the issuing provider’s services.

 

The specific categories of cloud credits and their maximum validity periods will be further defined by a forthcoming decree. (4)

 

Failure to comply with these provisions can result in administrative fines of up to €1 million for legal entities, with the amount doubling for repeat violations.

 

-        Regulation of Data Transfer and Provider-Switching Fees (5)

Another barrier to competition lies in the fees charged for transferring data between cloud providers - or from a cloud platform to an on-premises infrastructure. Providers may also impose fees for switching to a different provider. These fees are typically calculated based on the volume of data being transferred, which can result in substantial costs that are often disproportionate to the actual expenses incurred by the provider.

 

The SREN Law establishes clear limits for data transfer fees, stipulating that such fees must not exceed the actual costs directly related to the transfer. Additionally, these fees cannot surpass the maximum rate specified by an order from the Minister in charge of digital affairs.

 

The French Regulatory Authority for Electronic Communications, Postal Services, and Press Distribution (ARCEP) is tasked with issuing guidelines to determine which costs can be legitimately included in provider-switching fees.

 

Cloud providers are required to disclose information about data transfer and provider-switching fees before a contract is signed and whenever these fees are updated.

 

It is important to note that these obligations do not apply to custom cloud services tailored to meet a specific client’s needs (e.g., private clouds) or services offered on a limited basis for testing and evaluation purposes.

 

-        The Obligation to Provide Interoperable Cloud Services (6)

The absence of interoperability in cloud services has long been recognized as a significant barrier to competition and market fluidity.

 

To address this issue, the SREN Law requires that cloud service providers comply with the following essential obligations:

·       Interoperability and portability of digital assets (software, applications) and exportable data (input and output data, metadata generated directly or indirectly by the client) under secure conditions. These must be compatible with the client’s services or those provided by other vendors offering similar services;

·       Provision of detailed APIs: Providers must make sufficiently detailed APIs freely available to clients and third-party vendors to enable seamless communication with their services.

 

The ARCEP will be responsible for specifying the rules and implementation methods for these requirements and for publishing the technical specifications related to interoperability and portability. Additionally, the ARCEP will have the authority to impose sanctions on cloud providers who fail to meet these obligations.

 

As with the data transfer regulations, these requirements do not apply to custom cloud services or those offered for a limited time for trial and evaluation purposes.

 

-        Transparency Obligation (7)

The SREN Law imposes stricter transparency requirements on cloud service providers. Providers must disclose the following information on their websites:

·       Jurisdictional information regarding the infrastructure used for data processing across their various services;

·       A general description of the technical, organizational, and contractual measures implemented to prevent unauthorized access to non-personal data stored in the European Union, or the transfer of such data by third countries, in cases where such access or transfer would violate European or national law;

·       The environmental footprint of their services.

 

It should be noted that the implementation of certain provisions is contingent on the publication of additional regulations, including decrees, ministerial orders, and guidelines. The ARCEP’s scope of responsibility has been expanded to oversee compliance with these new obligations.

 

Furthermore, the provisions governing data transfer fees, provider-switching costs, service interoperability, and transparency (excluding environmental footprint information) will only be in effect for a limited period of 30 months, until January 12, 2027. (8)

 

 

2. Strengthening the Protection of Strategic and Sensitive Data in the Cloud

 

To combat foreign interference, the SREN Law introduces measures aimed at safeguarding the strategic and sensitive data of state administrations stored or processed in the cloud. (9)

 

These datasets, classified as "data of particular sensitivity" are defined as “data protected by law under secrecy provisions (…) and data essential for the State’s core missions, including safeguarding national security, maintaining public order, and protecting public health and life.”

 

This category includes various types of documents, such as opinions issued by the Council of State Administrative High Court – Conseil d’Etat) and administrative courts, documents created or held by the Competition Authority during investigations or decisions, records maintained by the High Authority for Transparency in Public Life, and audit reports from medical institutions. It also includes documents whose disclosure could compromise the confidentiality of government deliberations, national defense, France's foreign policy, state security, etc. (10)


Cloud service providers handling or storing particularly sensitive data for state administrations must offer services with enhanced security and data protection. These services must ensure that such data is safeguarded against unauthorized access by public authorities from third countries, not permitted under European or national law.

 

To facilitate compliance with these new technical requirements, the SREN Law provides transitional periods:

·       Criteria Definition: A decree from the Council of State will establish the required security and protection standards within six months of the law’s enactment;

·       Ongoing Projects: Projects already in progress at the time of the law’s enactment may receive an exemption for up to 18 months from the date a compliant service offering becomes available in France.

 

* * * * * * * * * *

 

(1) Law No. 2024-449 of May 21, 2024, “Security and Digital Space Regulation” (Loi Sécurité et Régulation de l’Espace Numérique). See specifically Articles 26 to 39

 

(2) SREN Law, Article 26, introducing a new Article L.442-12 in the French Commercial Code

 

(3) SREN Law, Articles 26 and 27

 

(4) New Article L.442-12 II of the French Commercial Code

 

(5) SREN Law, Article 27

 

(6) SREN Law, Articles 28 to 30

 

(7) SREN Law, Articles 33 to 35

 

(8) SREN Law, Article 64

 

(9) SREN Law, Articles 31 and 32

 

(10) Articles L.311-5 and L.311-6 of the French Code of Relations between the Public and the Administration


Bénédicte DELEPORTE

Avocat

 

Deleporte Wentz Avocat

www.dwavocat.com

 

Nobvember 2024