Amine Gharbaoui, Chief Operating Officer at InterCloud, examines the current regulatory environment and data sovereignty challenges of cloud computing and outlines what organisations need to do to stay on top of these demands.
The benefits of connecting to the cloud have been communicated well to businesses for many years. Less immediately obvious, however, are the ever-evolving challenges relating to regulation and data sovereignty. The landscape is very different from what it was just a few years ago, and it can be hard to keep up.
This is why organisations, regardless of where they are on their cloud journeys, need access to holistic expertise that covers the most intricate requirements of cloud connectivity. Here, we examine the current regulatory environment and data sovereignty challenges, and what organisations need to do to stay on top of everything.
Existing regulation covering cloud is already plentiful, with businesses needing to be aware of a seemingly endless list of requirements set by international governing bodies, nation states and supranational organisations such as the European Union. GDPR is perhaps the most famous of these, but others are also important, such as FedRAMP (the US federal government's authorisation programme for cloud services) and the ISO/IEC 27000 series of information security standards, even though these two are an authorisation programme and voluntary standards rather than laws, and are often written into contracts and procurement requirements instead.
As the global cloud ecosystem becomes increasingly complex, the list of regulations continues to grow. Organisations looking to expand their existing engagement with the cloud must be prepared for new rules, a couple of which we discuss below.
Whether to tackle regulatory adherence solely in-house is a question enterprises must weigh carefully. Are they best placed to address this complexity with internal expertise, or should they rely on managed cloud connectivity providers that specialise in solving these challenges for enterprises?
The second iteration of the Network and Information Systems Directive (NIS2 for short, formally Directive (EU) 2022/2555) entered into force on 16 January 2023, and had to be transposed into national legislation by EU member states by 17 October 2024.
NIS2 has been created to improve cybersecurity and resilience in businesses operating in the EU, and cloud computing service providers with a European footprint are explicitly within its scope as part of the digital infrastructure sector. It builds on NIS1 by bringing more sectors into its scope and placing greater scrutiny on organisations in areas such as incident reporting (with an early warning due within 24 hours of becoming aware of a significant incident) and supply chain security. Fines for non-compliance can reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities; members of management bodies can also be held personally liable for breaches.
NIS2 brings a raft of new requirements across the board for businesses. As far as cloud is concerned, something that was already complex is now even more so. Organisations, therefore, need the right guidance to make sure every move they make in the cloud space is in line with NIS2 requirements.
In a similar vein, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation designed to create a binding, comprehensive information and communication technology (ICT) risk management framework, with a specific focus on the financial sector. It entered into force on 16 January 2023 and applies from 17 January 2025. Financial entities must comply directly from that date; ICT third-party providers designated as critical fall under direct oversight by the European Supervisory Authorities, while every other provider will feel DORA's requirements through the contractual terms that financial entities are obliged to impose on them.
DORA's aim is to apply consistent and rigorous standards to risk management, and to harmonise existing ICT risk management rules across individual EU member states. Competent authorities in each member state will be able to impose penalties on non-compliant financial entities. Critical ICT third-party providers that fall foul of the rules can be subjected by their Lead Overseer to periodic penalty payments of up to 1% of their average daily worldwide turnover in the preceding business year, applied every day for up to six months until compliance is achieved.
As with NIS2, DORA-regulated businesses have a huge amount to think about in getting their houses in order. How they engage with cloud is a vital element, but just one of many. Under DORA the obligation sits with the financial entity: it must maintain a register of information covering all of its contractual arrangements with ICT third-party providers, assess the concentration risk of relying on them, and have tested exit strategies for critical or important functions. To ensure their cloud connectivity is carried out in a fully compliant manner, and that the providers they work with can meet the contractual requirements flowed down to them, they need comprehensive expertise to navigate this complexity.
Data sovereignty challenges
Alongside new and existing directives and regulations, organisations are having to grapple with increasingly tricky data sovereignty considerations. Multicloud environments are becoming more commonplace as businesses look to achieve maximum scalability, agility and cost efficiencies, but making all of this work while meeting the individual data residency requirements of several different nation states can be easier said than done.
The convergence of regulatory compliance and data protection laws has ushered in stricter requirements for cross-border data transfers, creating an intricate web of regulations that companies need to work through. Customers whose data is being held by these companies are also much more discerning about how their information is handled than in previous years: they demand increased transparency, control and protection of their personal information, adding further complexity to data sovereignty responsibilities.
Aside from the regulations themselves, being able to replicate and synchronise data across disparate multicloud environments, while maintaining high levels of data availability and resilience, can present a major headache for businesses. It is worth remembering that replication is itself a data flow: copying a dataset containing personal data from a region inside the EU to a region outside it is a cross-border transfer under GDPR, so the replication topology has to be designed around the residency rules rather than bolted on afterwards. Establishing reliable and secure connections between different cloud environments while addressing latency, bandwidth and performance requirements can also be hugely complicated.
The need for specialist knowledge
Add all of the above together, and it is abundantly clear that there are innumerable moving parts for businesses to keep an eye on when it comes to connecting to the cloud. No organisation is an island: compliance with such a vast labyrinth of regulation and data sovereignty requirements cannot be achieved alone.
Companies should, therefore, ensure they take steps to engage with the right partners who can deliver a holistic blend of cloud and international regulatory expertise. This is a rare combination of skills, but companies well-versed in disciplines such as software-defined cloud interconnect (SDCI) should be an important port of call.
Working out how to achieve effective cloud connectivity in the long term can be a bewildering experience, but with the right approach to partner engagement, organisations have little need to worry.