Cloud Security Compliance

This post summarizes some aspects of cloud security that need to be taken into account regarding compliance.

To monitor cloud security compliance, we need to check all compliance sources and how they affect cloud security.

Compliance sources:

  • Laws and regulations
  • Standards
  • Contracts
  • Internal policies

Limits of Cloud Compliance

Ideas related to limits on cloud because of compliance:

  • You need to be careful about where data is because of GDPR. You need to pay attention to data transfers.
  • Some arriving laws may require specific certifications for cloud. FedRAMP is a certification that is mandatory for companies that want to work with public organizations in the USA.
  • GDPR requires that are controllers are responsible of data processors.

Notes on Cloud Compliance


  • Cloud compliance is not only about cloud, but mainly about outsourcing.
  • It is more difficult to address third-party risks that your own risks.
  • PCI DSS 4.0 mentions cloud explicitly, but just as a special case of third-party service provider (TPSP).
  • Compliance is usually assigned to laws and regulations

Laws and regulations affecting Cloud Security

USA Laws and Regulations affecting Cloud Security

USA laws featured on this post:

  • FISMA 2014

FISMA 2014

FISMA mandates compliance with at least the following programs:

FedRAMP is a certification that is mandatory for companies that want to work with public organizations in the USA.

Federal Information Processing Standard (FIPS) is a document with the title “Security Requirements for Cryptographic Modules”. FIPS 140-3 is the latest version, as of May 2024.

You can read more details in a post about cryptographic algorithms.

European Union Laws and Regulations affecting Cloud Security

European Union’s regulations affecting cloud security:

  • GDPR
  • NIS
  • DORA
  • CER
  • CRA


General Data Protection Regulation (GDPR, in Spanish, RGPD) is an European Union regulation on privacy. It affects every European Union citizen, whenever they is. It is adopted since 2016.

The full title of the document regulation GDPR is “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC“.

You can read the original document on this external link.

You can find read more about GDPR on this post.

The more challenging aspects of cloud are:

  1. Data processing agreements
  2. Data transfers outside EU
  3. Data access and control
  4. Audit (audit logs and compliance reports)
  5. Impact assessments

Data controllers must sign Data Processing Agreement (DPA) with data processors to ensure compliance.

In order to be able to transfer data from one country to another, you need to sign Binding Corporate Rules (BCR, in Spanish Normas Corporativas Vinculantes) or Standard Contractual Clause (SCC), or transfer to .

EU has made adequacy decisions to include country where data can flow in the same conditions as in the European Union.

In the United States, it is limited to those organizations within the EU-US Data Privacy Framework.

Data modification is simpler than the other two requirements because it already exist.

ENISA Regulation

ENISA is an European Union agency regulated by the EU law. The agency was created in 2004.

Its latest regulation is regulation EU 2019/881.

The full title of the document is “Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)“.

You can read in on this external link.

ENISA has done some work regarding cloud security that can be read on this external link.


Network Information Security (NIS) directive is a legislation on cybersecurity. NIS was originally formulated in 2016, and then updated as NIS 2 in 2022.

As every directive in the European Union, it needs to be adapted to each country through the corresponding national laws or measure on each member state.

The time limit for transposition (i.e., each member states applying measures based on this directive) of NIS2 is 17 October 2024.

You can read more about NIS2 on this post.

NIS 2 mentions “cloud computing service providers” explicitly in the scope.

NIS 2 requires to warn about cyber incidents in 72 hours.


Critical Entities Resilience (CER) (in Spanish, resiliencia de entidades críticas) is a European Union directive.

Its full title is “Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC”.

It should be implemented by member states before 18 October 2025.

You can read more about CER on this post.


Digital Operational Resilience Act (DORA) is an European Union regulatory framework on digital resilience for the financial sector.

It should be implemented by member states before 17 January 2025.

You can read more about DORA on this post.


Cyber Resilience Act (CRA) (in Spanish, Propuesta de Reglamento de Ciberresiliencia) is an incoming EU regulation that was presented by the European Commision as a proposal in 2022.

It is focused on improving cybersecurity on products with digital elements, establishing a cybersecurity framework. From the user point of view, it makes an effort to make these products safer and improve transparency on this topic.

You can read more about CRA on this post.

CRA mentions cloud providers, but only to note that they are affected by EU’s NIS2 directive.

EIOPA Regulation

European Insurance and Occupational Pension Assurance (EIOPA) (in Spanish, AESPJ, Autoridad Europea de Seguros y Pensiones de Jubilación) is a European Union organism that supervises retirement pension and insurance.

There is a regulation that establishes EIOPA operations.

The full title of the document is called “Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC“.

There is an specific guideline about how to outsource to “Guidelines on outsourcing cloud providers“.

France Laws and Regulations affecting Cloud Security

France laws and regulations affecting Cloud Security:

  • SecNumCloud


SecNumCloud is a certification issued by ANSSI.

Spain Laws and Regulations affecting Cloud Security

Spain Regulations affecting Cloud Security:

  • PIC
  • ENS


LOPD-GDD (Ley Orgánica de Protección de Datos-Garantía de Derechos Digitales) is a law by the Government of Spain.

It complements EU’s GDPR regarding data privacy.

It is legislated by the document “Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales“.

You can read it on this external link.


The Spain’s Critical Infrastructure Protection (PIC or LPIC, from the Spanish, ley de protección de infraestructuras críticas) is a regulation of the Government of Spain.

It transposes the EU directive 2008/114. Take into account that this directive has been repealed by CER (EU 2022/2557), so PIC should be updated.

PIC was published on April 2011, though the directive established the deadline on 12 January 2011.

PIC consists of three parts:

  1. EU directive 2008/114 “Identification and designation of European critical infrastructures and the assessment of the need to improve their protection”
  2. PIC law, that transposes this Directive (Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas).
  3. PIC act (Real Decreto 704/2011, de 20 de mayo, por el que se aprueba el Reglamento de protección de las infraestructuras críticas)

You can read PIC on this external link (Spanish).

Seguridad de las Redes y Sistemas de la Información

The Spain’s Real Decreto-Ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de la información is a decree-law of Spain.

It transposes EU directive 2016/1148 NIS1. As NIS2 directive has been promulgated in 2022, it should be updated.

You can read the Real Decreto-Ley 12/2018 on this external link.


Spain’s National Security Framework (ENS) (from the Spanish, Esquema Nacional de Seguridad) is a certification that is compulsory for organizations in Spain that are considered public or that provide services to public organizations in Spain.

Spain’s National Cryptological Centre (CCN) (from the Spanish Centro Criptológico Nacional) has issued the guide CCN-TIC 823 “Cloud service usage” (in Spanish “Utilización del servicio en la nube”), only available in Spanish.

Standards affecting Cloud Security



Payment Card Industry Data Security Standard (PCI DSS) is an standard on card payment industry.

You can find the official PCI DSS Document Library on this external link.

PCI DSS 4.0 addresses cloud.

Data Retention

Some regulations may compel organizations to retain certain data for a given amount of time.

Even in cloud models, the data owner is still the provider. They should set this policy and ensure it is executed.

Supply Chain

Cloud services are part of supply chain, and they need to be treated as such.

NIS2 and ENS stipulates that the regulation must be met by the providers within the supply chain.

Cloud Security Certifications for Organizations

Cloud security certifications for organizations featured on this post:

  • STAR
  • FedRAMP


Security, Trust, Assurance and Risk (STAR) is a certification issued by the Cloud Security Alliance (CSA).

STAR Level 1 is a self-questionnaire.

STAR Level 2 is obtained by passing a third-party audit.

STAR official website


FedRAMP is a certification that is mandatory for companies that want to work with public organizations in the USA.

You can read a post with more details about FedRAMP.

Achieving Cloud Digital Sovereignty

You can read more on this external link (in Spanish).

External reference

  • GDPR
    • Chapple et al.; “ISC2 CCSP: Official Study Guide – Third Edition”, pages 263-267; Wiley, 2022

Leave a Reply

Your email address will not be published. Required fields are marked *