Cloud is a reality in all medium-sized and large organizations. Whether in public, private, or hybrid environments, organizations have adopted cloud infrastructures and services over the years to achieve greater agility, scalability, and innovation capabilities.
However, with the cloud comes an issue that goes beyond performance, known as cloud compliance. Moving data, applications, and processes to third-party infrastructures (not only public, but also privately hosted ones) does not automatically transfer regulatory, governance, and control obligations to the provider.
In most cases, the organization remains responsible for what happens to its data and must therefore comply with a range of policies, legal acts, and regulations.
How can this be achieved in practice?
Key Points
- Cloud compliance is a set of practices and controls that ensure cloud infrastructures, data, and services meet regulatory and security requirements.
- With cloud environments, responsibility is not simply transferred to the provider: companies remain subject to key aspects such as data protection, access, and configurations.
- For a sustainable compliance model, mature organizations increase visibility over their environments and integrate security and automation directly into operational processes.
Cloud compliance: what rules must a company comply with?
The cloud is far from being a regulatory-free zone. In fact, the very concept of sovereign cloud stems from the awareness that data cannot be freely transferred and managed globally without considering the regulatory and jurisdictional frameworks of the countries where it is stored, processed, or accessed.
The fact that applications and data are hosted on a provider’s infrastructure, possibly distributed worldwide, does not remove the obligations of the organization using them. The operational model changes and some responsibilities are redistributed, but compliance largely remains the responsibility of the company.
Although the framework varies depending on the chosen model (public, private, or hybrid), the sector, the type of data processed, and the countries of operation, there are three levels of cloud compliance.
European and national regulations: the starting point
The first level is legal obligations. For organizations operating in Europe, the starting point is a combination of Italian and EU regulations, among which the ever-present GDPR for data privacy protection stands out.
Within the European framework, GDPR is accompanied by regulations such as the NIS 2 Directive, the Digital Operational Resilience Act (DORA), the Data Act, and the AI Act; the latter, in particular, is expected to have an increasing impact as cloud environments host AI systems and models.
Industry requirements: obligations depending on the business
There are also standards and regulations that become mandatory only for certain business activities, regardless of where their data is stored. Here are some relevant examples:
-
PCI DSS for those managing electronic payments and card data;
-
Good Manufacturing Practice (GMP), which in the pharmaceutical sector imposes requirements on process quality and, increasingly, on data integrity in digital systems;
-
Hazard Analysis and Critical Control Points (HACCP), which today often also involves digital platforms and cloud systems for supply chain monitoring.
Voluntary frameworks that are becoming increasingly important
There is also a third dimension of cloud compliance that does not derive directly from law, but from the market. These are frameworks and certifications used to demonstrate to customers, partners, and stakeholders that the organization follows international best practices, benefiting reputation and business development.
Examples are numerous: ISO 27001 for information security, ISO 27017 for cloud services, and SOC 2 for controls related to security and reliability of digital services.
Who is responsible for cloud compliance?
If a company is subject to GDPR, must comply with industry requirements, and perhaps has obtained certifications such as ISO 27001, what happens when it decides to move data and critical processes to the cloud? Does responsibility shift to the provider?
In short, the answer is no. Cloud has always followed a shared responsibility model, where provider and customer are complementary in terms of compliance. The fact that a service is delivered by a provider does not mean the organization can delegate responsibility for security and proper data management. It means instead that some activities are transferred to the provider and others remain with the customer.
Simply put, the provider is responsible for the security of the cloud infrastructure, meaning the physical security of data centers, hardware protection, network resilience, operational continuity, and, in virtualized models, the security layer that separates different environments and customers.
The client organization, on the other hand, remains responsible for security in the cloud, meaning how it uses the resources provided by the provider or third parties. Typically, the following remain the organization’s responsibility:
-
data classification and protection;
-
identity and access management (IAM);
-
configuration of cloud environments and networks;
-
application and workload security;
-
backup, retention, and data storage policies.
As can be easily understood, these factors determine a large part of the organization’s compliance with applicable regulations.
This means that choosing a certified or highly secure cloud provider is essential, but it does not automatically guarantee compliance. A cloud environment hosted in the most resilient data center in the world may still be non-compliant if, for example, excessive permissions are granted, data is not properly governed, or adequate process controls are missing.
Cloud compliance is therefore a governance issue: the provider enables the journey, but ownership of compliance remains, in most cases, with the organization.
Cloud compliance: how to proceed? Steps for a sustainable model over time
Once cloud compliance is understood, obligations are identified, and it is clear that final responsibility also lies with the organization, what must be done to ensure compliance of cloud environments?
There is certainly no universal checklist. Each organization must define a tailored path based not only on applicable regulations but also on its risk tolerance and the technologies it adopts to mitigate sanction risk.
However, some principles emerge in almost all mature projects:
- Start from governance;
- Gain visibility;
- Automate controls as much as possible;
- Integrate compliance into operational processes, rather than treating it as a periodic check.
Define governance, responsibilities, and regulatory scope
Compliance starts first and foremost with organizational decisions. Assuming the company has already identified the frameworks, regulations, and standards it is subject to, the next step is to define clear responsibilities.
Every critical data set, application, or process should have one or more owners responsible for governing aspects such as access, retention, information classification, and security requirements. The goal is not to increase bureaucracy, but to make ownership explicit and ensure every decision has a clear accountable party.
Before introducing controls, it is also essential to conduct a risk assessment to understand where vulnerabilities, operational criticalities, and potential exposures that could lead to sanctions are actually concentrated. Only from this analysis is it possible to define coherent priorities and investments.
Build visibility through tagging
One of the most common problems in cloud environments is the progressive loss of control due to resource growth. Databases, containers, and workloads can multiply to the point where it becomes difficult to understand what exists and which rules should be applied.
An increasingly important technique is resource tagging, meaning the association of attributes with different infrastructure components. For example, each resource should be identified through information such as:
-
service owner;
-
reference environment (development, testing, production);
-
criticality level;
-
applicable regulatory requirements.
In this way, compliance no longer lives in separate documents, often difficult to retrieve and keep updated, but becomes a built-in characteristic of technological resources.
Implement risk-based controls
Once governance is defined and visibility is established, it is necessary to introduce controls consistent with the regulatory context and the level of risk associated with each process and resource. The guiding principle is simple: reduce exposure as much as possible without compromising operations.
Among the most common mechanisms is Role-Based Access Control (RBAC), which assigns users only the privileges necessary to perform their activities, as well as data protection throughout its entire lifecycle. In practical terms, this means implementing encryption and backup policies, as well as retention and storage rules aligned with regulatory obligations and business requirements.
Integrate compliance, security, and automation into processes
This is probably the step that distinguishes mature organizations from those that treat compliance as a reactive activity.
Until a few years ago, the dominant model involved developing applications, implementing infrastructure, or launching new digital projects and only verifying compliance in the final stages, just before release or production deployment. As expected, this approach exposes the company to clear risks: deploying non-compliant components or having to halt initiatives after months of work to fix issues discovered too late.
Today, advanced organizations integrate security and compliance directly into software development and infrastructure management processes, adopting DevSecOps approaches and shift-left practices. In other words, controls are introduced as early as possible and embedded directly into the software development lifecycle, taking the form of activities such as automated code scanning and policy enforcement.
In parallel, observability plays an increasingly important role, enabling the creation of compliance dashboards to monitor cloud environments in real time and trigger automatic alerts when anomalous behavior is detected.
Kirey and compliance “by design"
In this article, we have seen how cloud compliance is not an activity to be addressed at the end of a project, but rather an element that should accompany every decision throughout the entire cloud transformation journey.
It is with this mindset that we support companies in their cloud journey, helping them identify the most suitable model for different workloads and supporting them through all phases of modernizing their software and infrastructure.
The goal is not to push a specific technology or cloud model, but to build a path aligned with operational needs, performance requirements, and regulatory constraints.
We support clients in analyzing the regulatory context, assessing risk levels, identifying potential data sovereignty constraints, and defining the most appropriate governance model. Only then do we make technological and architectural decisions together with the client.
Contact us to discover how we can support you in designing, evolving, and managing a cloud environment capable of balancing business objectives, compliance requirements, and risk management.
