Growing from USD 700 billion in 2023 to USD 3.2 trillion by 2030, the XaaS (Anything as a Service) market signifies a monumental shift in global business operations.[1] XaaS, short for “Anything as a Service”, encompasses a vast array of subscription and pay-per-use offerings delivered via the cloud—providing consumers with unmatched flexibility, scalability, and accessibility. However, while a surge in XaaS investments promises new revenue streams, it also introduces significant legal challenges for consumers. Dissecting the dual-edged nature of XaaS, we first underscore its transformative impact on businesses in the service economy; we then delve into the legal and regulatory obstacles, such as data privacy compliance, intellectual property ownership, and contractual complexities that must be overcome by consumers. With XaaS evolving into a mega-trend, legal practitioners must move beyond mere compliance, positioning themselves as strategic partners to help businesses thrive in this dynamic and uncertain terrain.

Business Boon: How XaaS Transforms Performance  

Flexibility, Scalability, and Accessibility

XaaS is singularly advantageous for startups and SMEs, providing access to advanced, enterprise-grade tools without significant upfront investments, which enables better budget and cash flow management. XaaS spans a broad spectrum of models—from Software as a Service (SaaS) to emerging concepts like AI-as-a-Service (AIaaS) and Vertical SaaS tailored to specific industries. These models enable businesses to scale resources up or down based on demand, replacing large upfront capital expenditures (CapEx) with predictable and scalable operational expenditures (OpEx).

For example, AI-as-a-Service platforms allow businesses to leverage machine learning algorithms for fraud detection, customer analytics, and operational efficiency without the need to invest in costly specialized infrastructure. Similarly, Infrastructure-as-a-Service (IaaS) providers eliminate the need for on-premises infrastructure, offering scalable cloud computing solutions on a pay-per-use basis.

Industry-driven Innovation

Emerging models like Vertical SaaS are revolutionizing industries by delivering tailored solutions. Unlike generic SaaS platforms, Vertical SaaS caters to the specific needs of sectors such as automotive, manufacturing, and telecommunications. In the automotive sector, Vertical SaaS platforms support real-time fleet management while ensuring compliance with cybersecurity standards. In telecommunications, SaaS solutions enable scalable network infrastructure optimized for 5G deployment. These tailored solutions lower barriers to innovation, enhance workflow efficiency, and increase competitiveness. However, this very customization also introduces industry-specific legal complexities.

Legal Challenges of XaaS: Why They Matter

While XaaS offers immense commercial potential, unresolved legal risks could undermine its benefits.

  1. Data Privacy and Security

Storing and transferring sensitive data across multiple jurisdictions exposes XaaS services to significant compliance challenges, especially with varying global regulations like the General Data Protection Regulation[2] (“GDPR”). The cross-border nature of these services often involves opaque and intensifying scrutiny over data handling practices, leaving businesses vulnerable to penalties and reputational damage.

In the landmark Schrems II decision[3], the European Court of Justice invalidated the EU-US Privacy Shield, which had previously facilitated cross-border data transfers between the EU and the US, leaving businesses working urgently to comply with the GDPR. For XaaS consumers, this means stricter scrutiny over how and where their data is stored. Non-compliance with GDPR can result in fines of up to 4% of global turnover[4], alongside reputational damage and loss of customer trust. For businesses in highly regulated industries like finance, the risks are more pronounced. Failure to meet privacy standards may expose sensitive customer data, disrupt operations and lead to costly litigation—the stakes are high.

The Capital One Data Breach Litigation[5] further demonstrates these vulnerabilities. A misconfigured firewall in a cloud environment exposed millions of customer records, triggering questions about the shared responsibility model between XaaS providers and consumers. Data is the lifeblood of modern businesses. Without legal safeguards, businesses face disproportionate risks when providers fail to ensure adequate security controls that could jeopardize their reputation and bottom line.

Practical Legal Solutions:

    1. Incorporate Robust Data Protection Clauses: Contracts should specify safeguards like encryption, regular security audits, data localization, breach notification protocols, and clearly state who owns the data. Employing Standard Contractual Clauses (SCCs) can facilitate compliance with GDPR for cross-border data transfers.
    2. Strengthen Vendor Accountability: Contracts should impose strict obligations on third-party vendors and suppliers to implement robust cybersecurity practices, restrict third parties’ access to sensitive data and adhere to applicable regulations. This ensures that businesses are protected from vulnerabilities introduced through third-party relationships.
    3. Allocate Liability for Data Breaches: Indemnification clauses should hold XaaS providers accountable for security failures. High-profile cases like the Capital One breach demonstrate the critical importance of clearly allocating liability in contracts, ensuring providers are responsible for damages caused by negligence or non-compliance.
  2. Intellectual Property Ownership

Intellectual property ownership is a critically important issue in XaaS agreements. Unlike traditional software licenses, XaaS agreements often allow service providers to retain rights to derivative works or customizations developed for clients, potentially blurring the boundaries of IP ownership between creators and users. Intellectual property is often a business’s most valuable asset. Yet ambiguities in XaaS agreements could greatly erode a company’s ability to monetize its business innovations, weaken its competitive edge, and trigger costly lawsuits.

In SAS Institute Inc. v. World Programming Ltd.[6], the European Court of Justice held that replicating software functionality, such as syntax formats and output design styles, without copying source code, did not infringe copyright. This highlights that copyright law alone cannot provide adequate protection for functionality in XaaS. The limitations of copyright law in protecting software were further demonstrated in another copyright infringement case, Google LLC v. Oracle Am., Inc.[7] Although the U.S. Supreme Court ruled that Google’s use of Oracle’s APIs constituted “fair use” due to its transformative nature and its role in fostering innovation, the case highlights potential IP ownership issues when third-party software or APIs are integrated, particularly when XaaS agreements are vague or silent on these usage rights. Further, in Oysterware Ltd v Intentor Ltd and others[8], the High Court highlighted that a copyright infringement claim must clearly identify the aspects of the software application in which copyright protection is claimed, and the way its copyright was infringed upon. If the software is purely an adaptation of off-the-shelf software toolkits, it is challenging to establish subsistence and infringement of copyright. Therefore, the Plaintiff’s copyright infringement claim was dismissed.

Practical Legal Solutions:

    1. Negotiate Clear Ownership of Customization and Derivative Works: When businesses rely on XaaS platforms to develop proprietary materials, contracts must clearly define ownership of IP created on XaaS platforms. For instance, a telecommunications company using a Platform-as-a-Service (PaaS) solution to create network optimization software should secure exclusive rights to the resulting IP.
    2. Incorporate Industry-Specific IP Protections: Different industries face unique IP challenges, and agreements should address these concerns. In technology, media, and telecommunications (TMT), contracts should focus on safeguarding monetizable innovations and licensing rights. In manufacturing, agreements must secure ownership of operational data generated by XaaS platforms to protect strategic assets. Tailoring IP clauses to industry-specific priorities mitigates risks and aligns contracts with business objectives.
  3. Contractual Complexity in Service-Level Agreements (SLAs)

SLAs, the backbone of XaaS contracts, define performance metrics, uptime guarantees, and remedies for non-compliance between XaaS users and service providers. However, vague or overly technical SLAs expose businesses to substantial risks. The notorious 2020 Amazon Web Services (AWS) outage, which was caused by a failure in its Kinesis service, basically brought down the internet and disrupted the operations of major platforms like Netflix and Spotify. It illustrates how a single failure on the part of a cloud provider can massively cripple business operations, resulting in a major loss in revenue for consumers. Fundamentally, contractual remedies limited to service credits often fail to compensate for the full extent of financial or reputational losses, or to ensure operational continuity. If SLAs are weakly negotiated and service-level obligations are unclear, businesses may struggle to enforce uptime guarantees or secure meaningful remedies for prolonged outages.

On the other hand, Delta Air Lines, Inc. v CrowdStrike, Inc.[9] shows how SLAs with clearly defined service-level obligations help protect service providers from financial losses. The case involves an incident which caused the cancellation of 7,000 flights within the five days following an IT outage. However, it was difficult to prove the service provider liable for the outage due to protections such as clearly defined liability caps in the SLAs. Therefore, even if Delta Air Lines succeeded in the action, it may only be compensated with nominal damages, which would possibly be outweighed by the legal and judicial costs of pursuing the service provider.

Practical Legal Solutions:

    1. Enforce Clear Performance Metrics with Balanced Terms: SLAs may include well-defined, measurable terms for service levels, such as “99.99% uptime guarantees”, response times, availability, data recovery timelines, and capacity thresholds. At the same time, SLAs should reflect commercial priorities by inserting liability caps, termination rights, and remedies that go beyond service credits to adequately compensate for financial or reputational losses, particularly for mission-critical services.
    2. Employ Seamless Exit Strategies: Contracts must include provisions for data migration and operational continuity upon termination, ensuring businesses can transition to alternative providers without disruption.
    3. Address Subcontractor Risks: To avoid liability gaps, subcontractors must adhere to consistent obligations, including performance standards and data protection measures, as outlined in the SLA.

Emerging Trends in XaaS

As XaaS continues to redefine the business landscape, legal practitioners representing consumers are playing an increasing role in tackling challenges from emerging trends, shaping the future of the industry:

    1. AI-as-a-Service (AIaaS): AI-driven XaaS platforms present risks including algorithmic biases and errors in automated decision-making, which may lead to legal challenges, such as biased hiring algorithms under employment law. Legal practitioners should shift from relying on indemnity clauses to adopting proactive measures, ensuring that AIaaS providers not only offer comprehensive documentation for transparency in AI processes, covering algorithm functions and data ethics, but also provide educational training and support for end-users. This holds AIaaS providers accountable for any unfair outcomes, ultimately protecting consumers’ interests.
    2. Sustainability and ESG: With growing emphasis on environmental, social, and governance (ESG) goals for corporates, businesses may demand sustainable practices from their XaaS providers. To meet consumer and investor expectations, legal practitioners may incorporate provisions that promote ESG compliance, requiring providers to report on environmental impact metrics (e.g. energy consumption, carbon emissions, resource optimization, and waste reduction).
    3. Multi-Cloud and Dynamic Pricing Models: As businesses embrace multi-cloud and hybrid environments to avoid vendor lock-in, XaaS providers must ensure seamless integration across platforms. These setups also bring unpredictable costs due to dynamic pricing models based on usage. To prevent cost overruns, legal practitioners should negotiate clear pricing structures, caps on variable fees, and transparency in cost escalations, while also addressing interoperability and service continuity to manage multi-cloud complexities.

The Road Ahead: A Strategic Imperative

XaaS is more than a technological innovation—it is a paradigm shift in how businesses operate amid the digitalisation and servitisation of the economy. However, the promise of flexibility, scalability, and accessibility comes with significant risks that must be resolved through commercially-oriented legal solutions. Ultimately, XaaS is a double-edged sword. By mitigating issues in data privacy and intellectual property and crafting airtight SLAs, legal practitioners play a pivotal role in shaping a more balanced XaaS ecosystem — one that not only captures key commercial opportunities, but manages risks, maintains integrity, and maximizes resilience.


Footnotes

[1] https://www.fortunebusinessinsights.com/everything-as-a-service-xaas-market-102096

[2] Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 laying down the General Data Protection Regulation [2016] OJ L119.

[3] Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020).

[4] https://gdpr-info.eu/issues/fines-penalties/

[5] In re Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA) (E.D. Va. Jun. 25, 2020).

[6] Case C-406/10, ECLI:EU:C:2012:259 (2 May 2012).

[7] 141 S. Ct. 1183 [2021].

[8] [2020] EWHC 2125 (Ch).

[9] Fulton Co., GA (state court), Case 24CV013621.
