Inherited compliance – Smart Move for Your IT Budget

Compliance – many managers immediately think of the high costs of compliance. However, in IT, these costs can also be optimized; in other words, reduced.

Compliance with legal requirements will mean more and more work for companies in the European Union. GDPR has arrived, now NIS2 and the AI Act are being added, and we can also talk about EU requirements for regulated industries or critical infrastructure.

This growing trend scares many companies because ensuring compliance with security obligations is not cheap. It is not just about writing mandatory documents; compliance in IT also means investing in infrastructure and qualified experts.

Despite all these negatives, it is possible to minimize investments and compliance costs. It is possible to inherit part of the compliance with regulations from a provider. In this article, we will focus on cloud providers or cloud services and find out how to choose such a provider so that you inherit maximum compliance from them. But first, a few words about the legislation itself.

What Do Companies in the EU Have to Comply With?

There is a lot to it. While some regulations are specific to a particular industry, many of them apply to all organizations regardless of their field. The following table provides an overview of the individual regulations and their scope:

Overview of regulations and standards for IT compliance in the EU

| Area | Regulation / standard | What it addresses | Who it applies to | Nature |
|---|---|---|---|---|
| Cybersecurity | NIS2 (Directive (EU) 2022/2555) | Network and information systems security, incident prevention, mandatory reporting | "Essential" and "important" entities, including cloud providers and ICT services | Binding EU legislation |
| Cybersecurity | CER (Directive (EU) 2022/2557) | Physical security and resilience of critical entities | Critical infrastructure operators | Binding EU legislation |
| Cybersecurity | Cyber Resilience Act (draft) | Security requirements for digital products and software throughout the life cycle | HW/SW manufacturers and suppliers in the EU | Forthcoming EU legislation |
| Data protection and privacy | GDPR (Regulation (EU) 2016/679) | Personal data protection, rights of data subjects, obligations of controllers and processors | All entities processing personal data of EU citizens | Binding EU legislation |
| Data protection and privacy | ePrivacy Directive (2002/58/EC) / ePrivacy Regulation (draft) | Privacy in electronic communications, cookies, marketing | Communication service providers, website and application operators | Binding EU legislation (currently a directive) |
| Sectoral regulation | DORA (Regulation (EU) 2022/2554) | Digital operational resilience in the financial sector | Banks, insurance companies, investment firms, ICT providers for finance | Binding EU legislation |
| Sectoral regulation | PSD2 (Directive (EU) 2015/2366) | Payment security and account access | Payment service providers | Binding EU legislation |
| Sectoral regulation | eIDAS 2.0 (Regulation (EU) 910/2014 + revision) | Electronic identification, trust services | Certified electronic service providers | Binding EU legislation |
| Standards and frameworks | ISO/IEC 27001 | Information security management system | Voluntary, but often required by customers or regulators | International standard |
| Standards and frameworks | ISO/IEC 27017 | Security in cloud services | Voluntary | International standard |
| Standards and frameworks | ISO/IEC 27018 | Protection of personal data in the cloud | Voluntary | International standard |
| Standards and frameworks | ENISA recommendations | Best practices for cyber resilience and cloud security | Voluntary | Recommendation framework of an EU agency |

As we have already said, legislation is not just about bureaucracy. As part of these regulations, companies must submit evidence of compliance, ensure regular audits and update security measures.

This is where the cost of compliance comes from. Compliance costs include consultations, certifications, independent audits, creating the necessary documentation and, for example, running an internal compliance team.

But how do you keep compliance within limits so that it does not become too much of a burden on regular operations? First of all, we will focus on the infrastructure part of the company's IT.

How Can the Right Provider Make Compliance Easier for Your Company?

Simply put, you are not alone. There are areas where it is enough if your supplier is compliant. Then these steps are not necessary for you. What does it look like in practice?

Take the situation where your IT infrastructure is on your own premises and under your own administration. Then, on top of regular operation, you also have to ensure the following:

Cybersecurity (NIS2, CER)

  • Access control policies, network segmentation, encryption
  • Incident detection and response, regular testing and audits
  • Backup and disaster recovery plan
  • Physical protection of the data center (access control, CCTV, power redundancy)
  • Mandatory incident reporting within specified deadlines

Privacy Protection (GDPR, ePrivacy)

  • Data processing records
  • Technical measures (encryption, pseudonymisation)
  • Organizational measures (employee training, supplier management)
  • Procedures for exercising data subjects’ rights
  • Cookie and marketing consent management

Sectoral Regulations (e.g. DORA, PSD2, eIDAS)

  • Operational resilience testing and vendor risk management
  • Strong user authentication and API protection
  • Certified electronic signature and seal systems

Norms and Frameworks (ISO 27001, ISO 27017, ISO 27018, ENISA)

  • Implementation of ISMS and risk management processes
  • Documentation and internal audits
  • Security best practices (e.g. Zero Trust)

There is a lot to do. But if you choose the right cloud provider, you can inherit these compliance points and not have to deal with them anymore:

Cybersecurity

  • The provider will cover: physical protection of the DC, network security, redundancy, infrastructure backups, part of the incident response
  • The customer handles: infrastructure and application configuration, access rights, encryption of specific data, response to application incidents

Privacy Protection

  • Provider covers: technical means for data protection (encryption, tenant isolation), GDPR-ready environment
  • Customer handles: procedural part of GDPR, marketing and cookie rules, training

Sectoral Regulations

  • Provider covers: technical and infrastructure requirements (e.g. DORA, NIS2), certification
  • Customer handles: application logic, processes, contractual arrangements

Norms and Frameworks

  • Provider covers: most certifications (ISO 27001, 27017, 27018, SOC 2) for infrastructure
  • Customer handles: own internal processes and audits within its scope

This principle is called the “Shared Responsibility Model.” The word “shared” is important because there is no situation where the supplier takes on all the responsibility for compliance.

The right choice can cover a lot of your responsibilities. Of course, you can’t leave everything to the supplier but you can cooperate with them on compliance in a way that will lead to full compliance for your company and minimized costs.

How Can You Save Money?

Shared responsibility can reduce compliance costs in two ways: in day-to-day operation and in the consequences of incidents.

Earlier in the article, we listed the subcategories of costs that increase with compliance obligations. However, if you choose the right cloud provider, you will not need as many internal experts, you will not have to spend money on certifications and audits, and you will not have to invest as much into infrastructure.

Your provider will also have a highly specialized team of experts who will solve incidents and problems. This reduces the burden that these negative situations would cause for your company.

You can easily calculate how much your company will save. Take the list of measures you need to ensure and assign a cost to each one. Then compare the total with the cost of operating in the cloud with a provider with whom you will share compliance responsibility. This calculation will tell you which path is right for you.

This Only Applies if You Choose Correctly

All of this only applies if you choose the right cloud infrastructure provider.

Such a choice cannot depend on the provider’s brand or price. You should primarily be interested in the facts that support the supplier’s ability to provide you with a shared responsibility model.

These facts should relate to the compliance that the provider itself adheres to. Which regulations does it fall under and how does it comply with them? They should be able to provide you with certifications and other documentation, as long as it doesn’t contain proprietary information.

You should also be interested in where your data will be located and what jurisdiction the supplier falls under. Non-European suppliers pose a major risk due to the US CLOUD Act (more about the potential unreliability with respect to GDPR can be found in this article).

You also need to know what SLA options the supplier offers and whether it will help you ensure operation even in the event of an outage (for example, using disaster recovery).

Does Shared Responsibility Only Apply to the Cloud?

It depends on what you mean by cloud. The following table explains more:

Infrastructure types and degree of shared responsibility

| Infrastructure type | Degree of shared responsibility between provider and client |
|---|---|
| Physical servers at your location | No shared responsibility; all responsibility lies with the client. |
| Physical servers in an external data center | Shared responsibility in the form of physical security (access control, power, cooling). Network security depends on the type of service (e.g. colocation vs. managed hosting). |
| Private cloud at your location | No shared responsibility; full responsibility lies with the client. |
| Private cloud in an external data center | Shared responsibility in the form of physical and possibly network security, depending on the agreed service. |
| Virtual private cloud (VPC; EU provider only) | High level of shared responsibility: the provider covers the physical and virtualization layer, network security and part of cybersecurity; the customer handles configurations, applications and data. |
| Public cloud (the so-called Big Three: AWS, GCP, Azure) | There is a conflict between EU and US law (e.g. GDPR vs. CLOUD Act). Otherwise, the level of shared responsibility is the same as for a VPC. |
| Hybrid cloud | The level of shared responsibility depends on the specific architecture and combination of environments. |
| Multicloud | The level of shared responsibility depends on the specific solution and the individual providers on which the environment runs. |

So it’s not entirely about the type of infrastructure you choose but about the way you provide this service and the products that will be tied to it. That’s why it’s very important to do a needs analysis. This will help you determine to what extent you need help with compliance.
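The cost comparison described earlier (list your measures, price each one, compare the total with the provider's offer) and the coverage differences in the infrastructure table above, as an added worked example in Python. This is not the blog's own tool: the control names, the yearly cost figures, the coverage map per infrastructure type and the provider fees are all constructed assumptions, and a real calculation takes them from your needs analysis and the provider's documentation. The example also encodes the point that "shared" never means "all": a coverage claim that hands off obligations the model keeps with the customer is rejected.

```python
"""Residual compliance obligations under a shared responsibility model.

Added illustration for this article, not a tool of the blog's author.
The control list, the yearly cost figures and the coverage maps are
constructed sample data that follow the article's four areas and its
infrastructure table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    area: str          # cybersecurity / privacy / sectoral / frameworks
    annual_cost: int   # constructed sample figure, EUR per year


# Constructed sample list of measures the company must ensure itself
# when it runs everything on its own premises.
CONTROLS = [
    Control("physical DC protection", "cybersecurity", 40_000),
    Control("network security", "cybersecurity", 25_000),
    Control("infrastructure backups", "cybersecurity", 15_000),
    Control("application incident response", "cybersecurity", 20_000),
    Control("access rights management", "cybersecurity", 10_000),
    Control("tenant isolation and encryption at rest", "privacy", 12_000),
    Control("GDPR records and data subject procedures", "privacy", 8_000),
    Control("employee training", "privacy", 5_000),
    Control("ISO 27001 certification of infrastructure", "frameworks", 30_000),
    Control("internal audits of own processes", "frameworks", 10_000),
]

# Controls the article leaves with the customer in every model: the
# procedural side of GDPR, training, access rights, application incidents
# and audits of your own processes stay with you whoever runs the hardware.
NEVER_INHERITABLE = {
    "application incident response",
    "access rights management",
    "GDPR records and data subject procedures",
    "employee training",
    "internal audits of own processes",
}

# Constructed coverage maps per infrastructure type (following the
# article's table): controls the provider covers and the customer inherits.
INHERITED = {
    "on-premises": set(),
    "colocation": {"physical DC protection"},
    "vpc": {
        "physical DC protection",
        "network security",
        "infrastructure backups",
        "tenant isolation and encryption at rest",
        "ISO 27001 certification of infrastructure",
    },
}


def is_valid_coverage(covered, controls=CONTROLS):
    """A coverage claim is valid only if every name is a known control and
    none of them is an obligation the model never lets you hand off."""
    known = {c.name for c in controls}
    return covered <= known and not (covered & NEVER_INHERITABLE)


def residual_controls(infra, controls=CONTROLS, inherited=INHERITED):
    """Controls the customer still has to deliver under the given model."""
    covered = inherited[infra]
    if not is_valid_coverage(covered, controls):
        raise ValueError(f"invalid coverage map for {infra}: {sorted(covered)}")
    return [c for c in controls if c.name not in covered]


def residual_cost(infra, controls=CONTROLS, inherited=INHERITED):
    """Yearly cost of the controls left with the customer."""
    return sum(c.annual_cost for c in residual_controls(infra, controls, inherited))


def total_cost(infra, provider_fee, controls=CONTROLS, inherited=INHERITED):
    """The comparison the article describes: what you still pay for yourself
    plus what the provider charges for the service you inherit from."""
    return residual_cost(infra, controls, inherited) + provider_fee


def cheapest(fees):
    """fees: {infrastructure type: constructed yearly provider fee}.
    Returns (model with the lowest total yearly cost, that cost)."""
    totals = {infra: total_cost(infra, fee) for infra, fee in fees.items()}
    best = min(totals, key=totals.get)
    return best, totals[best]


if __name__ == "__main__":
    fees = {"on-premises": 0, "colocation": 18_000, "vpc": 60_000}  # constructed
    for infra, fee in fees.items():
        left = residual_controls(infra)
        print(f"{infra:12} residual {residual_cost(infra):>7} + fee {fee:>6}"
              f" = {total_cost(infra, fee):>7}  ({len(left)} controls left)")
    print("cheapest:", cheapest(fees))
```

With the sample figures, on-premises costs 175,000 a year with nothing inherited, colocation drops the residual to 135,000 (only physical protection is inherited), and the VPC leaves 53,000 of residual obligations; the provider fee is then added before comparing. The five controls in NEVER_INHERITABLE are the procedural and application-level items the article assigns to the customer in every row of its split, so a provider's coverage claim that includes them is a sign to re-read the contract.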

Compliance Is Here to Stay

That is why IT infrastructure should not be seen merely as a cost item that does not really matter. The choice of IT infrastructure type is closely tied to the strategic direction of the company and can greatly affect efficiency and costs.

First, look at what you need IT for. This will then tell your IT partner what architecture to choose. This will also give you the requirements for compliance and the degree of shared responsibility. But it all depends on the specific situation of the company.

No company can get rid of the need to take steps to comply with the legal system. What you can do, however, is to find out to what extent choosing the right cloud supplier will relieve you in this regard.

So don’t be fooled by a shining brand or an attractive price tag. Take a deeper look at the supplier, so that what gets reduced is your compliance obligations, not your ability to pay for them.

Caught Your Interest?

Our technicians will gladly make time for you.