Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers

TL;DR

This paper analyzes the EU cybersecurity regulations affecting cloud providers, highlighting regulatory complexities, compliance challenges, and the implications of recent and proposed frameworks for cloud service security and oversight.

Contribution

It provides a comprehensive review of EU cybersecurity regulations for cloud providers, examining their impact, challenges, and the potential effects of regulatory divergence and new assurance mechanisms.

Findings

Cloud providers face complex, divergent regulations from GDPR and NISD.

Regulatory compliance costs are high due to multiple overlapping requirements.

Proposed revisions and voluntary schemes aim to improve security but may add complexity.

Abstract

In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EU's digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation ('GDPR') and the Network and Information Systems Directive ('NISD') apply to cloud providers. We also consider the proposed revision of the NISD and look at newly developed voluntary assurance mechanisms for cloud providers, including codes of conduct and certification schemes. We conclude that, since cloud providers are typically subject to both NISD and GDPR and to the jurisdiction of multiple regulators, they face divergent regulatory approaches, which can lead to unintended outcomes and high compliance costs.