In a year when one trend – generative AI adoption – appeared to rule and bind all the others, it’s a challenge to look beyond 2023’s AI excitement and froth to build a fuller picture of the trends that will shape 2024 for tech lawyers.

Cloud capex and revenues: continuing 20% year on year growth

The first point is the sheer scale of the capital investment that the three Cloud Service Provider (CSP) market leaders will be making in 2024. The Financial Times estimates this at $116bn, up 22% on 2023 ($95bn) and double the level just four years ago in 2020 ($58bn).[1]

Coming on top of decades of heavy cloud investment, capex at this scale is what’s behind the growth of AWS (with roughly a third of the global CSP market), Microsoft (roughly a quarter) and Google (roughly a tenth) as they pull further ahead of the rest: AWS, Microsoft and Google together account for two thirds of the market when the chasing pack (Alibaba, IBM, Oracle, Salesforce and Tencent) at 14% musters little more than Google on its own.[2]

Equally remarkably, the growth of the CSP leaders continues to defy the Law of Large Numbers (as scale increases, growth rates decline): combined cloud revenues for AWS, Google and Microsoft in Q3 2023 were 17% ahead of Q3 2022.[3] Gartner estimates that cloud computing now accounts for around one fifth of total global IT spend and forecasts global cloud spend to more than double from $478bn in 2022 to over $1tn in 2027.[4]

Reducing time to value: cloud contract simplification

The burgeoning cloud market is reflected in the growing book of services that CSPs offer and the increasing complexity of their contract terms. At a time when customers are optimising spend, we’re seeing CSPs and reseller intermediaries starting to simplify contract structures to shorten the negotiation process and reduce time to value. This trend will continue in 2024.

Competition in the cloud

In 2024 we’ll also hear a continuous drumbeat about competition in the cloud, with a focus on claims of lock in, high switching charges for data, interoperability and licensing practices.

Concentration in the UK CSP market led Ofcom in its October 2023 Cloud Services Market Study[5] to make a referral to the UK Competition and Markets Authority (CMA) to investigate the market further. The CMA is due to publish its provisional decision in autumn 2024 and its final decision ahead of the 4 April 2025 statutory deadline.[6]

In the EU, the Commission on 30 October 2023 under the Digital Markets Act (DMA) designated six platforms (Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft) as ‘gatekeepers’ meeting the threshold for the imposition of pro-competitive behavioural requirements. The DMA’s duties for these core platform services apply from 30 April 2024.[7]

Cybersecurity and a good night’s sleep

The risk of cloud security breaches continues to top the list in surveys of what keeps CIOs awake at night. In 2023, the EU progressed a number of legislative initiatives to strengthen cybersecurity which will come into force in 2024. These include the Critical Entities Resilience (CER) Directive[8]  (transposition date: 17 October 2024) to improve resilience and incident response and the NIS 2 Directive[9] (transposition date: 17 October 2024) to overhaul and broaden the NIS 1 Directive.

The spine of the UK’s cybersecurity regime continues to be its implementation of the NIS 1 Directive.[10] The government consulted on this at the end of 2022 and plans to bring the UK rules more into line with NIS 2 in 2024. Part 1 of the UK Product Security and Telecommunications (PSTI) Act 2022 comes into force on 29 April 2024 setting out minimum security standards that consumer networkable products must comply with (for example, no shipping with default passwords).

2024 is also likely to see a stronger push towards cybersecurity standardisation around the ISO 27000 family of information security standards and (perhaps) a growing role for the European Network and Standardisation Agency’s (ENISA) European Cybersecurity Certification Scheme for Cloud Services (EUCS).[11]

Data protection

The UK government anticipates that Data Protection and Digital Information (DPDI) bill currently going through parliament will become law by mid-2024. However, with the deadline for the next UK general election at 28 January 2025, any legislation going through the parliamentary process at the moment is at risk from an earlier election being called (say in May or October 2024), so anticipating UK legislative developments next year in the tech as in other areas is more speculative than normal.

Summer 2023 saw in the EU-US Data Privacy Framework (DPF), which was extended to the UK in October. This has simplified the process of transferring personal data to the US, although concerns over its ability to withstand future legal challenge remain. In 2024 we will wait and see if this solution to the international transfers question will hold.

Online safety

One important new UK tech law that did make it on to the statute books in 2023 (on 26 October) is the Online Safety Act (OSA). Estimated to affect 100,000 organisations, the Act will “protect free speech, empower adults and ensure that platforms remove illegal content and [has] at its heart the protection of children” according to UK Technology Secretary Michelle Donelan.[12] The OSA does not come into effect straightaway however and Ofcom, the appointed OSA regulator, first has to publish a range of codes of practice and guidance and the government will bring the substance of the OSA into effect through statutory instruments (secondary legislation) in 2024.

AI: the star on the cloud’s stage

We didn’t want this year’s piece to give the spotlight to AI alone, but of course the arrival of genAI on the scene in 2023 is inextricably bound up with growth in cloud investment and revenues. Pulling out the key points from the setting, here are our top tips for 2024:

• make sure your AI investment in 2024 is not made redundant by developments in 2025. Clients are increasingly dipping their toes into the genAI pool but the pace of change is rapid.
• make sure you manage the risk of third party infringement claims in contracts with Large Language Model (LLM) and other AI service providers. Microsoft’s Customer Copilot Copyright Commitment, offering a copyright indemnity, is likely to point the way towards more general CSP market practice;[13]
• if your data is ingested into a large AI system, make sure you understand what happens to it after ingestion;
• in 2024 the focus will be on improving accuracy and reducing errors in gen AI use cases. See what emerging techniques like RAG (retrieval-augmented generation) can do for your use case by grounding the LLM on to external sources and ensuring those sources can be checked for accuracy;[14]
• manage data protection, bias and discrimination risks through reproduceability of results and governed use of AI – the ICO’s data protection risk toolkit may well help here.[15]

Fragmentation or alignment between legal codes?

A key feature of 2024’s tech law landscape will be how regulators, market participants and individuals respond to the increasing volume of laws that regulate the cloud, AI, data, services and cybersecurity. The increasing density of tech-related legal requirements, both within and between countries (US, UK) and country groupings (EU) will raise complex questions of compliance for many if not most organisations. These questions will be complicated if implementation – even within one geography – is characterised by fragmentation rather than alignment between the different legal codes. With many of the new EU rules already or coming into force across the EEA in 2024, will you apply your EU-compliant rules in the UK or have different terms for the UK?

The data estate: a holistic view

A final thought. Organisations increasingly see their data through the twin lenses of assets/labilities and opportunities/risks. This is prompting a more clearly articulated, structured and holistic approach to data management and governance, building out from data protection policies and processes already in place and taking in cybersecurity, AI adoption and tech ESG best practice across the organisation. 2024 is likely to see this more holistic approach to the organisation’s data estate develop at pace.

[1] Tech giants pour billions into cloud capacity in AI push, Financial Times, 5 November 2023

[2] Worldwide market share of leading cloud infrastructure service providers in Q2 2023, Statista

[3] Microsoft vs Google vs AWS: Q3 2023 Cloud Earnings Face-Off, CRN, 1 November 2023

[4] Gartner Says Cloud Will Become a Business Necessity by 2028, Gartner, 29 November 2023

[5] Cloud services market study, Final report, Ofcom, 5 October 2023

[6] Cloud services market investigation, CMA, 5 October 2023

[7] Digital Markets Act – Gatekeepers, European Commission, 16 November 2023

[8] Directive EU (2022/2557 of 14 December 2022 on the resilience of critical entities)

[9] Directive EU 2022/2555 of 14 December 2022 on Measures for a high common level of cybersecurity across the Union

[10] The Network and Information Systems Regulations, SI 20018/506, in force from 10 May 2018

[11] EU Cybersecurity Certification;  EU mulls wider scope for cybersecurity certification scheme, Reuters, 23 November 2023

[12] UK children and adults to be safer online as world-leading bill becomes law, UK Government, 26 October 2023

[13] Introducing the Microsoft Copilot Copyright Commitment, Microsoft, 7 September 2023

[14] See, for example, What is retrieval-augmented generation?, IBM, 22 August 2023

[15] AI and data protection risk toolkit, ICO, 24 May 2023