What is cloud compliance?
Cloud compliance is the series of procedures, controls, and organizational measures you take to ensure that your cloud-based assets meet your organization’s data protection regulations, security standards, and frameworks. It’s become more significant than ever due to the wide range of different data protection laws and standards that apply to today’s data-driven organizations. Plus, if you’re shifting to the cloud, you’ll also face new data protection challenges during your move.
Below, you’ll learn more about meeting cloud compliance standards and how you can improve your cloud security as new threats and technologies evolve.
What’s the difference between cloud compliance and cloud governance?
Governance is the policy, while compliance is the proof.
Cloud governance encompasses establishing policies, procedures, and controls to align cloud services with an organization’s objectives, ensure regulatory compliance, and adhere to best practices. It also involves developing and implementing guidelines for cloud resource utilization and emphasizes monitoring and auditing to guarantee ongoing adherence to established standards.
Cloud compliance, on the other hand, focuses on meeting legal, regulatory, and industry-specific requirements within the cloud environment. It addresses data security, privacy, regulatory obligations, and compliance through service-level agreements with cloud service providers.
The relationship between cloud governance and compliance lies in their alignment. Both governance and compliance efforts contribute to effective risk management in the cloud environment and the identification and mitigation of potential issues.
5 cloud compliance regulations to be aware of
Below are the most common regulations organizations must meet in the cloud—some are mandatory, and others are contractual or industry-driven:
GDPR
The General Data Protection Regulation (GDPR) protects the personal data of anyone within the European Economic Area (EEA) at the time of collection. This area falls within the territorial boundaries of the European Union, and it also includes Norway, Iceland, and Liechtenstein.
Although the GDPR is European legislation, it’s still global in territorial scope. It applies to any organization that serves users in the EEA, both citizens and visitors, or processes their data as a routine part of its business operation. Its requirements state that personal data should have appropriate levels of protection in line with the risk to that data and the cost of implementation.
But don’t forget that the GDPR covers far more than just cybersecurity. For example, you’ll also need to consider the following:
Data minimization: You should only collect personal data that’s necessary to fulfill your purpose.
Storage limitation: You should store the data for no longer than necessary.
Data residency: You should only process and store data within the EEA or an approved country—unless the data subject has consented or data transfer to another country meets specific GDPR requirements.
Right of access: You must comply with requests from data subjects for a copy of their personal data.
Right of erasure: Under certain circumstances, you must also delete the personal data of any individual that requests you to do so.
Since leaving the EU, the United Kingdom has adopted its own version of the GDPR, which is nearly the same as its EU counterpart.
DORA
The Digital Operational Resilience Act (DORA) aims to protect Europe’s financial sector from cyber disruptions and attacks by creating a uniform management framework. According to Wiz’s estimates, the act has affected over 22,000 EU financial entities and information and communications technology (ICT) providers, including banks, insurers, and cloud services.
These are DORA’s main goals:
Create a comprehensive ICT risk management framework.
Conduct regular risk assessments.
Ensure that teams report all significant ICT incidents to authorities.
FISMA
The Federal Information Security Management Act (FISMA) is a United States legislative framework that federal agencies and private companies serving the public sector must adopt to protect any government information in their care.
The framework builds on the foundation of FIPS 199, FIPS 200, and NIST SP 800-53:
FIPS 199 categorizes your information and information systems based on the potential impact (low, moderate, or high) of losing confidentiality, integrity, or availability.
FIPS 200 determines your organization’s security objectives based on your FIPS 199 assessment.
FIPS 199 and FIPS 200 define your organization’s appropriate NIST SP 800-53 baseline security controls.
Although it’s only applicable to federal agencies and their contractors, FISMA compliance benefits any other organization since it can open up new doors to business with governmental bodies.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a set of national compliance standards, protects sensitive patient healthcare information across the US.
HIPAA covers any organization that directly handles personal health information. These organizations include covered entities like healthcare providers, health insurance companies, and associated billing services.
SOX
The Sarbanes-Oxley Act (SOX) is a federal law that protects shareholders, employees, and members of the public from negligent or fraudulent accounting and financial practices. The act primarily regulates financial reporting, internal auditing procedures, and other business practices at public companies. However, it also includes compliance requirements related to information technology. For example, you must monitor logs and maintain a complete audit trail of user activity that involves sensitive data.
In addition to this, it imposes a limited set of requirements around data security, availability, and access control.
Key data protection regulations and standards
Below is a snapshot of essential data regulations for you to compare:
Regulation or framework | Applies to | Scope | Territorial scope | Compliance responsibility |
---|---|---|---|---|
GDPR | Any organization that processes the data of anyone within the EEA at the time of collection | Data security and availability, personal data, and the rights of data subjects | Global | Mandatory |
FISMA | Federal agencies and their contractors, along with any cloud service providers (CSPs) they use | Data security and privacy on federal systems | US | Mandatory |
HIPAA Privacy Rule | Covered entities like healthcare providers, health insurance companies, and associated billing services | Healthcare information security and privacy | US | Mandatory except where state law takes precedence |
SOX | Publicly traded companies | Primarily financial and business practices but also IT controls | US | Mandatory for public companies (although some requirements also broadly apply to private companies and non-profit organizations) |
PCI DSS | Any organization that accepts or processes card payments | Data security | Global | Contractual |
NIST SP 800-53 | Federal agencies and their contractors, along with any CSPs they use | Federal data security and privacy | US | Mandatory |
FedRAMP | Federal agencies and their contractors, along with any CSPs they use | Federal government data security and privacy in the cloud | US | Mandatory |
SOC 2 | Mainly SaaS vendors, companies that provide analytics and business intelligence services, financial institutions, and other organizations that store sensitive customer information | Data security, availability, processing integrity, confidentiality, and privacy | Global (but primarily US) | Voluntary |
CIS Controls | Organizations of any size and in any industry sector | Data security | Global | Voluntary |
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a contractual standard that applies to any organization that accepts or processes card payments to ensure the security of sensitive cardholder data. The PCI Standards Council, a body of leading payment industry stakeholders, administers it.
The framework comprises a series of technical and operational requirements, including firewalls, encryption, and access control provisions.
The PCI Standards Council has also published an online guide about the impact of cloud computing on PCI DSS compliance to help merchants and service providers understand these requirements in the context of the cloud. This includes an example of a shared responsibility matrix, which serves as a starting point for understanding how the customer and CSP share compliance obligations.
NIST SP 800-53
The National Institute of Standards and Technology (NIST) SP 800-53, a library of technical and operational controls, aims to protect information systems’ integrity, confidentiality, and security. In simple terms, it comprises different categories of baseline controls, which you select based on data risk.
It’s mandatory for US governmental bodies and contractors with access to federal systems and serves as a core component of FISMA. Moreover, it underpins the cascade of frameworks that support FISMA compliance.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) framework uses the cloud’s shared responsibility model as its guide to separate requirements into these areas:
CSP responsibilities
Customer responsibilities
Shared responsibilities
Inherited controls
This simplifies the FISMA compliance process and helps agencies avoid unnecessarily duplicating security objectives. To ensure full compliance, however, the federal agency or contractor must use a CSP with FedRAMP authorization and meet its FedRAMP obligations.
SOC 2
System and Organization Controls (SOC) 2, a voluntary compliance framework, helps service organizations assure customers that they have appropriate measures to protect the sensitive data under their control. SOC 2 attestation is necessary for many outsourced services in the US, and customers often require it as part of contractual agreements.
To maintain SOC 2 compliance, you must pass an independent audit of your security posture. The evaluation includes five broad control categories: security, availability, processing integrity, confidentiality, and privacy.
CIS Controls
Center for Internet Security (CIS) Controls are a voluntary set of essential security controls that organizations should prioritize implementing.
These controls are a starting point for hardening systems because they focus on measures that make the most effective and immediate impact. They’re also handy for IT departments with limited security resources and expertise.
Cloud compliance considerations for CSPs
Below are some considerations to note for ensuring cloud compliance with a CSP:
Compliance programs
At the outset of your cloud compliance initiative, you must ensure that your CSP can meet its side of the shared responsibility bargain.
Admittedly, this vetting process may seem formidable, given the sheer number of regulations and standards that affect your organization. However, each of the main three vendors—AWS, Microsoft Azure, and Google Cloud Platform (GCP)—provides an online compliance portal to help customers check that their platforms have the appropriate certification, attestation, or alignment. They also make reviewing compliance offerings easy by grouping them into different categories, such as industry sectors and territorial regions.
Compliance tools
Each of these three vendors also offers other in-house services to support compliance. These include the following:
AWS Artifact, a self-service portal, gives on-demand access to AWS’s compliance documentation and agreements. It also provides a quick, efficient way for customers to assess their AWS services’ compliance and obtain evidence of appropriate vendor controls to provide to auditors or regulators.
AWS Audit Manager is a solution that continuously audits the controls you’ve implemented in your guest AWS environments for compliance with various regulations and standards.
Azure Blueprints is a resource template service for creating and managing environments that comply with predefined standards and requirements. The blueprints are packaged artifacts that help you deploy fully governed environments within Azure’s platform.
Azure Policy is a centralized policy management service through which you can create and maintain rulesets that allow or deny resource properties by default. It can also alert you whenever resources deviate from policy rules and automatically remediate compliance violations.
Google Assured Workloads is a tool that supports compliance by automatically applying controls to workloads so they meet specific regulatory frameworks’ requirements. For example, it will only allow you to host data in cloud regions within the territory boundaries that the compliance program permits. It also configures the appropriate encryption services that the law requires and enforces access controls in line with data sovereignty requirements.
Cloud regions
Beyond the GDPR, there are many other data protection regulations worldwide, including data residency requirements that govern where you can store and process personal information about data subjects.
Because of this, you’ll need to ensure that your CSP has a data center presence in the countries where the applicable data protection laws permit you to store and process that data. If you choose to host your workloads on one of the three main cloud vendor platforms, then this should be relatively straightforward, as they now have a combined total of more than 130 data center regions around the globe.
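As an added example (not code from this page, from Wiz, or from any CSP’s product), the script below models in Python what the Azure Policy and Assured Workloads descriptions and the data residency point above describe: a ruleset that allows or denies resource properties, evaluated against a resource inventory, reporting deviations per framework. The region names, the region-to-territory map, the inventory and the three rules are all constructed for the demonstration and are not a CSP’s real region list or a complete framework mapping.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed region-to-territory map; region names are hypothetical, not a CSP's real list.
REGION_TERRITORY = {
    "eu-west-1": "EEA", "eu-central-1": "EEA", "europe-north1": "EEA",
    "us-east-1": "US", "us-west-2": "US", "ap-southeast-1": "SG",
}

Resource = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """One policy rule: which resources it applies to and what 'compliant' means for them."""
    id: str
    framework: str
    applies: Callable[[Resource], bool]
    compliant: Callable[[Resource], bool]


def in_territory(resource: Resource, territory: str) -> bool:
    """True when the resource's region sits inside the given territory."""
    return REGION_TERRITORY.get(str(resource["region"])) == territory


RULES: List[Rule] = [
    # GDPR data residency: personal data is stored and processed inside the EEA.
    Rule("residency-eea", "GDPR",
         applies=lambda r: r.get("data_class") == "personal",
         compliant=lambda r: in_territory(r, "EEA")),
    # PCI DSS-style encryption at rest for data stores (AES-256 as the accepted standard).
    Rule("encrypt-at-rest", "PCI DSS",
         applies=lambda r: r["type"] in {"storage", "database"},
         compliant=lambda r: r.get("encryption") == "AES-256"),
    # SOX: an audit trail must exist wherever financial data lives.
    Rule("audit-logging", "SOX",
         applies=lambda r: r.get("data_class") == "financial",
         compliant=lambda r: r.get("audit_log") is True),
]


def evaluate(inventory: List[Resource], rules: List[Rule] = RULES) -> List[Dict[str, str]]:
    """Return one deviation record per (resource, rule) pair that fails policy."""
    violations = []
    for r in inventory:
        for rule in rules:
            if rule.applies(r) and not rule.compliant(r):
                violations.append({"resource": str(r["id"]), "rule": rule.id,
                                   "framework": rule.framework})
    return violations


def heatmap(inventory: List[Resource], rules: List[Rule] = RULES) -> Dict[str, Dict[str, int]]:
    """Per-framework counts of applicable and failing resources (a cross-framework view)."""
    out: Dict[str, Dict[str, int]] = {}
    for rule in rules:
        cell = out.setdefault(rule.framework, {"applicable": 0, "failing": 0})
        for r in inventory:
            if rule.applies(r):
                cell["applicable"] += 1
                if not rule.compliant(r):
                    cell["failing"] += 1
    return out


# Constructed inventory for the demonstration (not real resources).
INVENTORY: List[Resource] = [
    {"id": "bucket-eu-pii", "type": "storage", "region": "eu-west-1",
     "data_class": "personal", "encryption": "AES-256", "audit_log": True},
    {"id": "bucket-us-pii", "type": "storage", "region": "us-east-1",
     "data_class": "personal", "encryption": "AES-256", "audit_log": True},
    {"id": "db-finance", "type": "database", "region": "us-east-1",
     "data_class": "financial", "encryption": "none", "audit_log": False},
    {"id": "vm-web", "type": "compute", "region": "ap-southeast-1", "data_class": "public"},
]

if __name__ == "__main__":
    for v in evaluate(INVENTORY):
        print(f"DEVIATION {v['framework']:8} {v['rule']:16} {v['resource']}")
    print(heatmap(INVENTORY))
```

Each deviation record is the equivalent of the policy alert the text describes; a remediation step would consume the same records.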
The challenges of maintaining cloud compliance
In theory, all responsible companies want to achieve the highest standards of compliance. But when it comes to putting these processes in action, implementing compliance can be a lot harder than you’d expect.
Below are some common challenges you may face along the way:
Fragmented visibility across cloud environments: If you’re juggling different security tools in your multi-cloud environment, you’ll never get a full picture of your security health, which results in risks and blind spots. However, using a unified cloud security platform can give you a more holistic view of your multi-cloud infrastructure.
Time-consuming audits: If your team has to spend their time manually auditing your environment, you’ll miss vulnerabilities—and make room for human error as a result. This also reduces the time and energy your DevSecOps and governance teams have for more hands-on needs. To save you and your team time, invest in AI security features and agentless scanning.
Messy frameworks: If your organization is like most others, you’re dealing with several frameworks and regulations simultaneously. This can be difficult to manage and may lead to accidental noncompliance. However, cloud compliance solutions like Wiz provide you with automatic assessments using over 100 frameworks so you can be confident that you’re complying with governing bodies.
Reactive vs. proactive security: When compliance challenges create barriers and overwhelm your teams, you’ll end up running in reactive mode and will fall behind where you should be. Instead, you can proactively tackle these challenges and reach higher levels of compliance and security with a cloud native application protection platform (CNAPP) that offers prioritized and contextualized risk reports—all backed by innovation and research for emerging threats.
You can solve these compliance challenges head-on by adopting Wiz. This CNAPP gives you a holistic, bird’s-eye view of your cloud environments, automatic audits and reporting, and compliance capabilities with over 100 built-in frameworks.
With these tools—along with proactive, agentless scanning and continuous monitoring technologies—you can secure your data while meeting multiple standards simultaneously.
Essential cloud compliance best practices
After you choose a CNAPP for compliance, you can implement the following best practices to enhance your compliance posture and strengthen your cloud environment’s security, compliance, and management:
1. Data security
This practice ensures data’s confidentiality, integrity, and availability in the cloud:
Data classification and governance
Implement data classification schemes to categorize data based on sensitivity and regulatory requirements.
Develop and enforce data governance policies that dictate how your organization handles, stores, and accesses data.
Encryption and key management
Encrypt data at rest and in transit using strong encryption standards (like AES-256) to protect sensitive information.
Use robust key management practices and manage encryption keys securely so only authorized personnel have access.
Access control and identity management
Enforce least privilege access policies to ensure that users have only the minimum access necessary to perform their roles.
Use multi-factor authentication to add a layer of security for accessing cloud services.
2. Configuration management
Configuration management helps organizations maintain systems, servers, and software in a desired, consistent state:
Secure API use
Securely design APIs that interface with cloud services and use strong authentication and encryption for data in transit.
Regularly review and update API access policies to reflect user role or service changes.
Patch management
Implement an effective patch management process to ensure that all software and infrastructure components are up-to-date with the latest security patches.
Network configuration and segmentation
Configure cloud network settings to enforce security policies, including firewalls, intrusion detection systems, and other perimeter defenses.
Use network segmentation to isolate sensitive data and systems and reduce the potential impact of a breach.
3. Strategy and monitoring
These overarching practices and procedures help teams manage and oversee cloud security and compliance:
Compliance and regulatory awareness
Stay informed about the regulations and compliance requirements that are relevant to your industry and regions of operation (such as GDPR, HIPAA, or PCI DSS).
Understand the shared responsibility model in cloud computing and clearly delineate security responsibilities between your organization and the CSP.
Security assessments and audits
Conduct regular security assessments, including vulnerability scans and penetration tests, to identify and mitigate potential security gaps.
Perform compliance audits to ensure ongoing adherence to internal policies and external regulations and maintain audit trails and logs for accountability and forensic analysis.
Employee training and awareness
Provide regular training on security best practices, compliance requirements, and emerging threats to all employees.
Foster a culture of security awareness by emphasizing everyone’s role in maintaining compliance and data protection.
Incident response
Develop and maintain an incident response plan that outlines procedures for detecting, containing, eradicating, and recovering from security incidents.
Regularly test the incident response plan to ensure its effectiveness.
Cloud provider specifics
Familiarize yourself with your CSP’s security documentation and best practices—some may have slight variations in implementation or may use unique security features, but there are often similarities across cloud providers (AWS, Azure, and GCP).
Who is responsible for cloud compliance?
When you host your workloads in your on-premises data center, you’re accountable for virtually all security and compliance aspects. But the cloud is an altogether different story—you have to relinquish some of this responsibility to your CSP.
In other words, cloud compliance is a shared responsibility. But who exactly is accountable for what?
To help customers understand the demarcation between responsibilities, each leading CSP provides a set of guidelines, or a shared responsibility model. This involves the following responsibilities:
The CSP is responsible for securing its data centers, IT infrastructure, hypervisors, and host operating systems and ensuring the availability and reliability of the services it provides to customers.
The customer is responsible for configuring the cloud services it uses and ensuring the security and compliance of guest operating systems and the applications it hosts on the vendor’s platform.
Cloud compliance in the AI landscape
While you’re thinking about responsibilities, remember that it’s also critical to anticipate evolving threats. To accomplish this, find a powerful cloud native security platform that helps you prevent new threats that can compromise your compliance.
Consider AI, for instance. In the not-too-distant future, AI will be more crucial than ever in the world of cloud compliance. In fact, according to Wiz’s article, AI Compliance in 2025, “soon, the terms ‘cloud compliance’ and ‘AI compliance’ will mean the same thing. That’s how connected they are.”
Attacks and leaks are becoming much more common within the AI landscape. For instance, Wiz recently discovered an exposed DeepSeek database that was leaking sensitive data, including usage history, log streams, and vulnerabilities that allowed complete control over database operations.
However, CNAPP platforms like Wiz continue to innovate, research, and create cloud native solutions for threats like these.
Want to learn more about AI and cloud compliance? Check out Wiz’s 2025 State of AI in the Cloud report.
What to look for in a cloud compliance solution
Cloud compliance is no easy challenge, given the complexity of cloud-based environments and the sheer number of different regulations and standards that can determine your set of controls. Keeping track of both overlapping responsibilities within multiple frameworks and those that are unique to specific frameworks is a formidable, time-consuming, and highly manual undertaking.
So how do you overcome this challenge?
Third-party compliance tools like Wiz’s CNAPP continuously monitor and benchmark your cloud deployments against various compliance frameworks. For instance, Wiz offers the tools you need to maintain compliance in your cloud environment, along with these key features:
Over 100 frameworks, including NIST, HIPAA, CIS, HITRUST, and SOC 2
Custom framework capabilities so you can align your cloud infrastructure with your needs
Granular and flexible reporting to help you assess your compliance posture
Continuous assessment with automatic reporting so you always know where you stand
Cross-framework and cross-application heatmaps to survey your cloud environment from the top
Automated and contextual remediation so you can quickly fix issues and misconfigurations
By using a compliance solution and implementing best practices, you can improve your cloud security posture and meet compliance benchmarks, no matter the framework.
Learn more about compliance and data governance today with Wiz’s free Guide to Data Governance and Compliance in the Cloud.