Cloud compliance 2023: what did last year bring and what will and (probably) will not pass this year?

ORBIT Cloud Encyclopedia

The year 2022 is behind us. Awards are being handed out for everything and everyone is taking stock, so let us attempt a short recap as well. What was 2022 like from a compliance perspective? What will the current year bring? Should we expect surprises, or do we already know what to prepare for?

Dana Yussupova

What 2022 brought in cloud compliance

At the beginning of the year the after-effects of covid were still visible and everyone was looking forward to things returning to normal. That did not last long. Just as we were about to catch our breath, the war in Ukraine began. Europe was plunged into an energy crisis, there were endless discussions about its causes and solutions, and the spectre of recession began to loom over the economy.

Amid all the changes of 2022, at least one thing stayed the same: the EU's digital direction. The EU is holding its line and implementing its digital strategy as planned. Along the way, a few events that matter from a compliance perspective took place last year.

Data handling

Crucial, long-awaited regulations for Europe's digital journey have been approved and published, and prudent handling of data remains a priority:

Cybersecurity

In this area the EU has approved the following:

  • DORA
    Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554). As a regulation it is directly applicable, so no national transposition is needed; it applies from 17 January 2025. What is still awaited are the Regulatory Technical Standards (RTS) that the European Supervisory Authorities are drafting to fill in the detail.
  • NIS2
    Directive on measures for a high common level of cybersecurity across the Union (Directive (EU) 2022/2555). As it is a directive, we will have to wait for national transposition.
  • CER
    Directive on the resilience of critical entities (Directive (EU) 2022/2557) in sectors such as energy, transport, health, drinking water and space; some of its provisions also apply to public administration. Critical entities will have to identify the risks that could significantly disrupt the provision of essential services, take measures to ensure their resilience, and report disruptive incidents to the competent authorities.

Important cooperation

Interesting and important collaborations have begun, for example:

  • ENISA & European Data Protection Supervisor (EDPS)
    The two institutions will join forces on cybersecurity and data protection, with the support of the other EU institutions. The plan aims, among other things, to promote a common approach to data protection, to introduce privacy-enhancing technologies, and to strengthen capacities and skills within the EU institutions.
  • CNB (Czech National Bank) & NÚKIB (National Cyber and Information Security Agency)
    The two institutions will cooperate in the supervision of financial institutions, in the identification of critical infrastructure elements, in methodology and in cyber resilience testing, and will provide consultation and training to each other.
  • CBA (Czech Banking Association) & NÚKIB
    Closer cooperation will focus primarily on the prevention of cyber threats, the exchange of information on detected threats, and on cyber attacks directly.

What's ahead in cloud compliance in 2023

We expect the following regulations:

  • Adequacy decision for the EU-US Data Privacy Framework
    The Commission published its draft decision in December 2022. Once the European Data Protection Board (EDPB) has delivered its opinion and the committee of Member State representatives has given its green light, the Commission can adopt the decision.
  • Completion of the Artificial Intelligence Act
    The AI Act will set requirements for providers of AI systems; the accompanying proposal for an AI Liability Directive (September 2022) underpins the liability of manufacturers of AI products. It introduces a presumption of causation where damage could be related to high-risk AI systems, and it gives victims a right to obtain disclosure of evidence about the technology to help prove the manufacturer's liability. The directive may have implications for class actions, compensation, protection of trade secrets, and so on.
  • Legal framework for the protection of health data
    The proposed European Health Data Space regulation subjects providers of digital health systems to a number of new legal requirements for systems that process health data. It covers the exchange of health data between patients and healthcare professionals and across EU countries, and it also governs the secondary use of this data for research, innovation and development.
  • eIDAS
    The revision of Regulation (EU) No 910/2014 (the eIDAS Regulation), proposed by the Commission in June 2021, is expected to be agreed in 2023, with the aim of extending its benefits to the private sector and promoting digital identity. The reform should include, among others:
    • A European Digital Identity Wallet
    • Electronic identification schemes
    • Qualified preservation service for qualified electronic signatures
    • Qualified electronic archiving service for electronic documents
    • Electronic attestation of attributes
    • Qualified trust services

What makes sense to prepare for now

  • DORA
    The Regulatory Technical Standards (RTS) are still to be issued. Until they are published, the best approach is a gap analysis of the current state against the regulation's own pillars (ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk and information sharing), and then to implement actions in the areas the RTS address once they are out. Bear in mind that the regulation itself applies from 17 January 2025.
  • NIS2
    One key point worth implementing now, before national transposition (due by 17 October 2024 at the latest), is a review of contractual relations with suppliers. If a company is negotiating new contracts with suppliers, it is advisable to keep NIS2 in mind and incorporate its requirements now. Otherwise it is better to wait for national transposition. In the Czech Republic this can be expected to be quick, as NÚKIB has already prepared everything; all that is needed is for Parliament to do its job.

Digital transformation remains a priority for our government, and the CNB and NÚKIB have confirmed their cooperation. Given the need to implement the regulations above, we can therefore expect digitalisation to advance at all levels. Seen from 30 years ago, what digitalisation has already given us is science fiction, and this is just the beginning. We have opened the door; what comes next is up to us.

About the author
Dana Yussupova

Compliance consultant

Dana has long worked in compliance and control functions (audit, risk management) in the financial sector. She focuses in particular on regulation related to IT risk, cloud and outsourcing, within the EU at national and non-national level, and in India.