Cloud contracts and cybersecurity: Key clauses for tech companies in Serbia in 2026
In 2026, the cloud is no longer just a question of where your server is located; it is a direct part of your cybersecurity posture and your legal liability. Every serious incident – a service outage, a ransomware attack, a data leak – quickly turns into a question of what is written in the cloud contracts, who is responsible for what, and how protected you actually are. For tech companies from Serbia, which often work for EU and other foreign clients, this is no longer a nuance but a condition for keeping trust and business.
Shared responsibility – write down what must not be “assumed”
A cloud provider almost never takes over complete security of the system. Responsibility is shared: the provider protects the infrastructure, and you protect accounts, configurations, data and integrations. If this division exists only in a marketing brochure, then after an incident each side will claim the other was at fault.
That is why the cloud contracts should at least:
- contain a table or annex with a clear allocation of obligations (provider vs. customer);
- refer to a shared responsibility model that forms an integral part of the agreement;
- oblige the provider to notify you when that model changes.
You do not need to reveal your architecture; the point is that there is no dispute over who was responsible for which part.
Security standards and measures
The wording “we will apply appropriate measures” sounds reassuring but is too vague to enforce. In practice, it is useful to require the cloud contracts to specify at least the framework:
- which standards the provider refers to (e.g. ISO 27001, encryption in transit and at rest, MFA);
- an obligation to maintain that level during the term of the contract;
- at least periodic confirmation that certificates/security reviews have been renewed.
This way you do not need to go into their technical diagrams, but you have a minimum level below which you are not prepared to go.
Incidents and notification deadlines
The legal 72‑hour deadline for reporting personal data breaches is largely meaningless if you learn about the incident on day four. Key elements that cloud contracts should cover:
- an obligation to inform you “without undue delay”, with a maximum period (e.g. 24 hours from becoming aware of an incident affecting you);
- minimum content of the notification (what happened, which systems/data are affected, interim measures, contact person);
- a duty to cooperate in communications with regulators and clients, to the extent the incident relates to the provider's infrastructure.
Your internal procedures remain internal, but the contract ensures you are not left without critical information.
SLA, availability and consequences
The SLA is part of the security story because it affects business continuity. The contract should answer three questions:
- what the guaranteed availability is (e.g. 99.9% per month) and what exactly counts as downtime;
- whether serious security incidents and major outages are covered by the SLA;
- what happens when the SLA is not met (service credits, right to terminate after repeated breaches).
It is also important that your contracts with clients do not promise more than you get from the cloud provider; otherwise you take on “empty” risk that nobody upstream is backing.
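The three SLA questions above only become concrete when you can check a month's incidents against the contract. The following is an added example (not from the article, and not any provider's SLA tool) that computes monthly availability from a constructed incident log and shows how the answers to "what counts as downtime" change the outcome: overlapping incidents are counted once, an incident that straddles the month boundary is clipped to the month, announced maintenance is excluded, and whether security incidents count as downtime is a switch. The 99.9% target comes from the page; the credit tiers are an assumption for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Window:
    start: datetime
    end: datetime
    kind: str  # "outage", "security_incident" or "maintenance"


# Constructed sample incident log for January 2026 (illustrative data, not real).
SAMPLE_WINDOWS = [
    Window(datetime(2025, 12, 31, 23, 55), datetime(2026, 1, 1, 0, 2), "outage"),   # straddles month start
    Window(datetime(2026, 1, 5, 2, 0), datetime(2026, 1, 5, 2, 10), "outage"),
    Window(datetime(2026, 1, 12, 10, 0), datetime(2026, 1, 12, 10, 40), "security_incident"),
    Window(datetime(2026, 1, 12, 10, 20), datetime(2026, 1, 12, 10, 50), "outage"),  # overlaps the incident
    Window(datetime(2026, 1, 20, 0, 0), datetime(2026, 1, 20, 3, 0), "maintenance"),
]
MONTH_START = datetime(2026, 1, 1)
MONTH_END = datetime(2026, 2, 1)

# Assumed credit tiers (availability threshold -> credit % of the monthly fee).
# These are illustrative values, not taken from the article or any real SLA.
ASSUMED_CREDIT_TIERS = ((99.9, 10), (99.0, 25), (95.0, 50))


def merge_intervals(intervals):
    """Merge overlapping intervals so concurrent incidents are counted only once."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def clip(s, e, lo, hi):
    """Restrict an interval to [lo, hi); return None if nothing remains."""
    s, e = max(s, lo), min(e, hi)
    return (s, e) if e > s else None


def allowed_downtime_minutes(target_pct, month_start, month_end):
    """Downtime budget for the month at the given availability target."""
    total_min = (month_end - month_start).total_seconds() / 60
    return total_min * (100 - target_pct) / 100


def monthly_availability(windows, month_start, month_end, security_counts_as_downtime=True):
    """Return (availability %, counted downtime minutes) for the month."""
    total = (month_end - month_start).total_seconds()
    intervals = []
    for w in windows:
        if w.kind == "maintenance":
            continue  # announced maintenance excluded here; the contract must say whether it is
        if w.kind == "security_incident" and not security_counts_as_downtime:
            continue
        c = clip(w.start, w.end, month_start, month_end)
        if c:
            intervals.append(c)
    downtime = sum((e - s).total_seconds() for s, e in merge_intervals(intervals))
    return 100.0 * (total - downtime) / total, downtime / 60


def service_credit_pct(availability_pct, tiers=ASSUMED_CREDIT_TIERS):
    """Pick the credit for the lowest tier the availability fell below (0 if none)."""
    credit = 0
    for threshold, pct in tiers:
        if availability_pct < threshold:
            credit = pct
    return credit


def assess(windows, month_start, month_end, target_pct=99.9, security_counts_as_downtime=True):
    avail, downtime_min = monthly_availability(windows, month_start, month_end, security_counts_as_downtime)
    return {
        "availability_pct": round(avail, 4),
        "downtime_minutes": round(downtime_min, 2),
        "allowed_minutes": round(allowed_downtime_minutes(target_pct, month_start, month_end), 2),
        "sla_met": avail >= target_pct,
        "credit_pct": service_credit_pct(avail),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("security incidents count as downtime:", flag,
              assess(SAMPLE_WINDOWS, MONTH_START, MONTH_END, 99.9, flag))
```

On the sample data the same month is an SLA breach (62 minutes against a 44.64-minute budget) when the security incident counts, and within the SLA (42 minutes) when it does not. That single contract definition decides whether any credit is owed, which is why the second of the three questions deserves an explicit answer rather than silence.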
Data location and subcontractors
For companies handling EU citizens’ data or foreign clients’ data, data location is both a legal and a commercial issue. It is enough for the contract to:
- state in which regions/countries data is stored and processed;
- restrict transfers of data to “third countries” without your consent;
- include a list of subprocessors and a mechanism for adding new ones, with your right to object.
This gives you a basis for your own risk assessments and communications with clients.
Logs, records and “exit” clauses
Without logs, it is hard to establish what happened; without an exit strategy, it is hard to leave when the provider no longer suits you. In practice, it is enough for the contract to provide for:
- a minimum retention period for logs related to your service and how you can access them;
- how long after termination you can retrieve your data and in what format;
- that the provider deletes your data after that period and, at your request, provides a deletion confirmation.
This way you do not reveal details of your migration strategy, but you ensure that “the door out” exists and that your data does not remain scattered across someone else’s infrastructure.
Cloud contracts do not have to be manuals for your security team, but they must clearly state who is responsible for what, when they must react and what happens when things go wrong. For tech companies in Serbia in 2026, that is the difference between controlled risk and an unpleasant surprise at the worst possible moment.