The advantages of cloud adoption have been obvious to organisations for a number of years. However, the constantly evolving parameters of cloud regulation and data sovereignty are far less easy to follow, with the state of play changing significantly from where it was just a few years ago.
Therefore, companies at any stage of their cloud journey must have specialist expertise in place that ensures they can fully understand the intricacies of the cloud regulatory environment. Tailored support can help organisations gain this knowledge and keep up with such a broad range of demands.
Adhering to ever-changing regulations
There is a vast amount of red tape already covering the cloud. Businesses must contend with a seemingly endless list of standards set by international governing bodies, nation states and supranational organisations such as the European Union. GDPR is perhaps the most famous of these, but others such as FedRAMP and the ISO 27000 series are also important.
The growing complexity of the global cloud ecosystem also means that the list of regulations continues to grow. Companies seeking to increase their cloud operations must be prepared for new rules, a couple of which we discuss below.
A purely in-house approach to tackling regulatory adherence can be difficult to manage. Instead, businesses can rely on managed cloud connectivity providers that specialise in solving these challenges.
NIS2
The second iteration of the Network and Information Systems Directive (NIS2 for short) was introduced in January 2023, and must be transposed into national legislation by EU member states by 17th October 2024.
NIS2 has been created to improve cybersecurity and resilience in businesses operating in the EU, including cloud providers with a European footprint. In areas such as incident reporting and supply chain monitoring, it builds on NIS1 by bringing more sectors into its scope and placing greater scrutiny on organisations. Fines for non-compliance can reach up to 10% of a company’s annual turnover.
NIS2 brings a whole host of new requirements across the board for businesses. In terms of the cloud, something that was already complex is now even more so. As a result, companies need the right guidance to make sure every move they make in the cloud space meets NIS2 requirements.
DORA
Focused on the financial sector, the Digital Operational Resilience Act (DORA) is an EU regulation designed to create a binding, comprehensive information and communication technology (ICT) risk management framework. Its implementation began in January 2023, with all financial entities and third-party technology providers required to be compliant by 17th January 2025.
The overall objective of DORA is to apply consistent and rigorous standards to risk management and harmonise existing ICT risk management regulations across individual EU member states. Penalties on non-compliant organisations will be imposed by designated regulators in each member state. ICT providers that fall foul of the rules can be fined up to 1% of average daily worldwide turnover, and fines can be applied every day for up to six months until compliance is achieved.
In a similar vein to NIS2, DORA-regulated businesses have many elements to consider when weighing up requirements. How they engage with the cloud is a vital element alongside many other factors. To ensure their cloud connectivity is carried out in a fully compliant manner and that the providers they work with are themselves compliant, they need to rely on comprehensive expertise.
Navigating data sovereignty roadblocks
Organisations are having to grapple with increasingly tricky data sovereignty considerations, alongside new and existing directives. For businesses looking to achieve maximum scalability, agility and cost efficiencies, multicloud environments are becoming more commonplace, but making all of this work while meeting the individual data residency requirements of several different nation states can be easier said than done.
The convergence of regulatory compliance and data protection laws has led to stricter requirements for cross-border data transfers, resulting in an intricate web of regulations that companies need to work through. Customers whose data is being held by these companies are also much more discerning about how their information is handled than in previous years: they demand increased transparency, control and protection of their personal information, adding further complexity to data sovereignty responsibilities.
Another major headache for businesses, aside from the regulations themselves, is being able to replicate and synchronise data across disparate multicloud environments, while maintaining high levels of data availability and resilience. Addressing latency, bandwidth and performance requirements while establishing reliable and secure connections between different cloud environments can also be an extremely challenging undertaking.
Don’t be afraid to call for support
The complex factors discussed above show exactly how much organisations have to contend with to deliver compliant cloud connectivity. It is extremely rare that a business has the skills and expertise needed to navigate this regulatory minefield without help.
To ensure they stay up to date with all regulatory developments, organisations should look to identify collaborators who have a strong grasp of cloud’s demands. This knowledge is uncommon but truly valuable, and vendors with vast experience in disciplines such as software-defined cloud interconnect (SDCI) are potentially vital partners. Ultimately, the right support can unlock an organisation’s cloud connectivity potential.