Inherited compliance – Smart Move for Your IT Budget
Compliance with legal requirements will mean more and more work for companies in the European Union. GDPR has arrived, now NIS2 and the AI Act are being added, and we can also talk about EU requirements for regulated industries or critical infrastructure.
This growing trend scares many companies because ensuring compliance with security obligations is no cheap game. It is not just about writing mandatory documents, compliance in IT is also related to investments into infrastructure and qualified experts.
Despite all these negatives, it is possible to minimize investments and compliance costs. It is possible to inherit part of the compliance with regulations from a provider. In this article, we will focus on cloud providers or cloud services and find out how to choose such a provider so that you inherit maximum compliance from them. But first, a few words about the legislation itself.
What Do Companies in the EU Have to Comply With?
There is a lot to it. While some regulations are specific to a particular industry, many of them apply to all organizations regardless of their field. The following table provides an overview of the individual regulations and their scope:
| Area | Regulation / standard | What it addresses | Who it applies to | Nature |
|---|---|---|---|---|
| Cybersecurity | NIS2 (Directive (EU) 2022/2555) | Network and information systems security, incident prevention, mandatory reporting | “Essential” and “important” entities including cloud providers and ICT services | Mandatory legislation EU |
| CER (Directive (EU) 2022/2557) | Physical security and resilience of critical entities | Critical infrastructure operators | Binding EU legislation | |
| Cyber Resilience Act (draft) | Security requirements for digital products and software throughout the life cycle | HW/SW manufacturers and suppliers in the EU | Forthcoming EU legislation | |
| Data protection and privacy | GDPR (Regulation (EU) 2016/679) | Personal data protection, rights of data subjects, obligations of controllers and processors | All entities processing personal data of EU citizens | Binding EU legislation |
| ePrivacy Directive (2002/58/EC) / ePrivacy Regulation (draft) | Privacy in electronic communications, cookies, marketing | Communication service providers, website and application operators | Binding EU legislation (currently directive) | |
| Sectoral regulation | DORA (Regulation (EU) 2022/2554) | Digital operational resilience in the financial sector | Banks, insurance companies, investment firms, ICT providers for finance | Binding EU legislation |
| PSD2 (Directive (EU) 2015/2366) | Payment security and account access | Payment service providers | Binding EU legislation | |
| eIDAS 2.0 (Regulation (EU) 910/2014 + revision) | Electronic identification, trust services | Certified electronic service providers | Mandatory EU legislation | |
| Standards and frameworks | ISO/IEC 27001 | Information security management system | Voluntary, but often required by customers or regulators | International standard |
| ISO/IEC 27017 | Security in cloud services | Voluntary | International standard | |
| ISO/IEC 27018 | Protection of personal data in the cloud | Voluntary | International Standard | |
| ENISA Recommendation | Best Practices for Cyber Resilience and Cloud Security | Voluntary | EU Agency Recommendation Framework |
As we have already said, legislation is not just about bureaucracy. As part of these regulations, companies must submit evidence of compliance, ensure regular audits and update security measures.
This also results in the financial complexity of compliance. The category of compliance costs includes consultations, certifications, processing independent audits, creating the necessary documentation or, for example, operating an internal compliance team.
But how to keep compliance within such limits in a company so that it does not become too much of a burden for regular operations? First of all, we will focus on the infrastructure part of company’s IT.
How Can the Right Provider Make Compliance Easier for Your Company?
Simply put, you are not alone. There are areas where it is enough if your supplier is compliant. Then these steps are not necessary for you. What does it look like in practice?
If we take the situation that you have the IT infrastructure on your premises and specifically under your administration. Then you also have to ensure the following, outside of regular operation:
Cybersecurity (NIS2, CER)
- Access control policies, network segmentation, encryption
- Incident detection and response, regular testing and audits
- Backup and disaster recovery plan
- Physical protection of the data center (access control, CCTV, power redundancy)
- Mandatory incident reporting within specified deadlines
Privacy Protection (GDPR, ePrivacy)
- Data processing records
- Technical measures (encryption, pseudonymisation)
- Organizational measures (employee training, supplier management)
- Procedures for exercising data subjects’ rights
- Cookie and marketing consent management
Field Regulations (např. DORA, PSD2, eIDAS)
- Operational resilience testing and vendor risk management
- Strong user authentication and API protection
- Certified electronic signature and seal systems
Norms and Frameworks (ISO 27001, ISO 27017, ISO 27018, ENISA)
- Implementation of ISMS and risk management processes
- Documentation and internal audits
- Security best practices (e.g. Zero Trust)
There is a lot to do. But if you choose the right cloud provider, you can inherit these compliance points and not have to deal with them anymore:
Cybersecurity
- The provider will cover: physical protection of the DC, network security, redundancy, infrastructure backups, part of the incident response
- The customer solves: infrastructure and application configuration, access rights, specific data encryption, response to application incidents
Privacy Protection
- Provider covers: technical means for data protection (encryption, tenant isolation), GDPR-ready environment
- Customer solves: procedural part of GDPR, marketing and cookie rules, training
Field Regulations
- Provider covers: technical and infrastructure requirements (e.g. DORA, NIS2), certification
- Customer addresses: application logic, processes, contractual arrangements
Norms and Frameworks
- Provider covers: most certifications (ISO 27001, 27017, 27018, SOC 2) for infrastructure
- Customer handles: own internal processes and audits within its scope
This principle is called the “Shared Responsibility Model.” The word “shared” is important because there is no situation where the supplier takes on all the responsibility for compliance.
The right choice can cover a lot of your responsibilities. Of course, you can’t leave everything to the supplier but you can cooperate with them on compliance in a way that will lead to full compliance for your company and minimized costs.
How Can You Save Money?
As with any area, shared responsibility can reduce compliance costs in two ways – in operation and in consequences.
Earlier in the article, we listed the subcategories of costs that increase with compliance obligations. However, if you choose the right cloud provider, you will not need as many internal experts, you will not have to spend money on certifications and audits, and you will not have to invest as much into infrastructure.
Your provider will also have a highly specialized team of experts who will solve incidents and problems. This reduces the burden that these negative situations would cause for your company.
You can easily calculate how much your company will save. You can take a list of measures that you need to ensure and add to each a cost. Then compare the total with the costs of operating the cloud with the provider with whom you will share compliance responsibility. This calculation will tell you what is the right path for you.
This Only Applies if You Choose Correctly.
All of this only applies if you choose the right cloud infrastructure provider.
Such a choice cannot depend on the provider’s brand or price. You should primarily be interested in the facts that support the supplier’s ability to provide you with a shared responsibility model.
These facts should relate to the compliance that the provider itself adheres to. Which regulations does it fall under and how does it comply with them? They should be able to provide you with certifications and other documentation, as long as it doesn’t contain proprietary information.
You should also be interested in where your data will be located and what jurisdiction the supplier falls under. Non-European suppliers pose a major risk due to the US Cloud Act (more about potential unreliability due to GDPR can be found in this article).
You also need to know what SLA options the supplier offers and whether it will help you ensure operation even in the event of an outage (for example, using disaster recovery).
Does Shared Responsibility Only Apply to the Cloud?
It depends on what you mean by cloud. The following table explains more:
| Infrastructure type | Degree of shared responsibility between provider and client |
|---|---|
| Physical servers at your location | No shared responsibility - all responsibility lies with the client. |
| Physical servers in an external data center | Shared responsibility in the form of physical security (access control, power, cooling). Network security depends on the type of service (e.g. colocation vs. managed hosting). |
| Private cloud at your location | No shared responsibility – full responsibility lies with the client. |
| Private cloud in an external data center | Shared responsibility in the form of physical and possibly network security, depending on the agreed service. |
| Virtual private cloud (VPC; EU provider only) | High level of shared responsibility – the provider covers the physical and virtualization layer, network security and part of cybersecurity, the customer handles configurations, applications and data. |
| Public cloud (so-called Big Three – AWS, GCP, Azure) | There is a problem of conflict between EU and US laws (e.g. GDPR vs. CLOUD Act). Otherwise, the level of shared responsibility is the same as VPC. |
| Hybrid cloud | The level of shared responsibility depends on the specific architecture and combination of environments. |
| Multicloud | The level of shared responsibility depends on the specific solution and the individual providers on which the environment runs. |
So it’s not entirely about the type of infrastructure you choose but about the way you provide this service and the products that will be tied to it. That’s why it’s very important to do a needs analysis. This will help you determine to what extent you need help with compliance.
Compliance Is Here to Stay
For this reason, it is necessary to perceive IT infrastructure not only as a cost item that does not really matter. The choice of the type of IT infrastructure is closely related to the strategic direction of the company and can greatly affect efficiency and costs.
First, look at what you need IT for. This will then tell your IT partner what architecture to choose. This will also give you the requirements for compliance and the degree of shared responsibility. But it all depends on the specific situation of the company.
No company can get rid of the need to take steps to comply with the legal system. What you can do, however, is to find out to what extent choosing the right cloud supplier will relieve you in this regard.
So don’t be fooled by the shining brand or an attractive price tag. Take a deeper look at the supplier so that what is reduced is your obligations within the framework of compliance and not the ability to finance it.
