What is cloud compliance?
Cloud compliance refers to the procedures, controls, and organizational measures that ensure your cloud-based assets meet applicable data protection regulations, industry standards, and internal security frameworks. This means aligning how you store, process, and transmit data in AWS, Azure, GCP, or other cloud environments with requirements like GDPR, HIPAA, PCI DSS, and SOC 2.
Unlike traditional on-premises compliance, cloud compliance introduces shared responsibility between your organization and your cloud service provider. You control configurations, access policies, and data handling, while the CSP secures the underlying infrastructure. Misunderstanding this boundary is one of the most common sources of compliance failures, with experts predicting that 95% of cloud security failures will be the customer's fault.
What's the difference between cloud compliance and cloud governance?
Cloud governance and cloud compliance serve different but connected purposes. Governance defines the internal policies, decision-making frameworks, and resource guidelines your organization uses to manage cloud services. Compliance demonstrates that you are actually following external regulations and internal policies through evidence, audits, and controls.
Think of governance as the rulebook you write, and compliance as the proof you can show auditors that you followed it. Both contribute to risk management, but governance sets direction while compliance validates execution.
Why cloud compliance matters
Cloud compliance matters because it is how you show regulators, auditors, and customers that you protect data the way you claim. Without that proof, deals get delayed, audits take longer, and security teams get pulled into repeat evidence drills.
It also reduces real risk. The same failures that break compliance usually break security too: publicly exposed storage, weak identity controls, missing encryption, and logging gaps.
In practice, the hard part is not knowing the rule. The hard part is keeping the rule true as teams ship changes daily across multiple accounts, regions, and services. This is where continuous checks and clear ownership make the difference.
5 cloud compliance regulations to be aware of
The regulations that apply to your organization depend on your industry, the data you handle, and the regions where you operate. Some are legally mandatory, others are contractual requirements from customers or partners, and some are voluntary frameworks that signal security maturity. Here are five of the most common regulations affecting cloud environments:
GDPR
The General Data Protection Regulation (GDPR) protects the personal data of anyone within the European Economic Area (EEA) at the time of collection. This area falls within the territorial boundaries of the European Union, and it also includes Norway, Iceland, and Liechtenstein.
Although the GDPR is European legislation, it's still global in territorial scope. It applies to any organization that serves users in the EEA, both citizens and visitors, or processes their data as a routine part of its business operation. Its requirements state that personal data should have appropriate levels of protection in line with the risk to that data and the cost of implementation.
But don't forget that the GDPR covers far more than just cybersecurity. For example, you'll also need to consider the following:
Data minimization: You should only collect personal data that's necessary to fulfill your purpose.
Storage limitation: You should store the data for no longer than necessary.
Data residency: You should only process and store data within the EEA or an approved country, unless the data subject has consented or data transfer to another country meets specific GDPR requirements.
Right of access: You must comply with requests from data subjects for a copy of their personal data.
Right of erasure: Under certain circumstances, you must also delete the personal data of any individual that requests you to do so.
Since leaving the EU, the United Kingdom has adopted its own version of the GDPR, which is nearly the same as its EU counterpart.
DORA
The Digital Operational Resilience Act (DORA) aims to protect Europe's financial sector from cyber disruptions and attacks by creating a uniform management framework. According to Wiz's estimates, the act has affected over 22,000 EU financial entities and information and communications technology (ICT) providers, including banks, insurers, and cloud services.
These are DORA's main goals:
Create a comprehensive ICT risk management framework.
Conduct regular risk assessments.
Ensure that teams report all significant ICT incidents to authorities.
FISMA
The Federal Information Security Management Act (FISMA) is a United States legislative framework that federal agencies and private companies serving the public sector must adopt to protect any government information in their care.
The framework builds on the foundation of FIPS 199, FIPS 200, and NIST SP 800-53:
FIPS 199 categorizes your information and information systems based on the potential impact (low, moderate, or high) of losing confidentiality, integrity, or availability.
FIPS 200 determines your organization's security objectives based on your FIPS 199 assessment.
Together, FIPS 199 and FIPS 200 determine the appropriate NIST SP 800-53 baseline of security controls for your organization.
Although it's only applicable to federal agencies and their contractors, FISMA compliance benefits any other organization since it can open up new doors to business with governmental bodies.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a set of national compliance standards, protects sensitive patient healthcare information across the US.
HIPAA covers any organization that directly handles personal health information, mandating that they maintain documentation of compliance policies for six years. These organizations include covered entities like healthcare providers, health insurance companies, and associated billing services.
SOX
The Sarbanes-Oxley Act (SOX) is a federal law that protects shareholders, employees, and members of the public from negligent or fraudulent accounting and financial practices. The act primarily regulates financial reporting, internal auditing procedures, and other business practices at public companies. However, it also includes compliance requirements related to information technology. For example, you must monitor logs and maintain a complete audit trail of user activity that involves sensitive data.
In addition to this, it provides a limited range of data security, availability, and other access controls.
Key data protection regulations and standards
Below is a snapshot of essential data regulations for you to compare:
| Regulation or framework | Applies to | Scope | Territorial scope | Compliance responsibility |
|---|---|---|---|---|
| GDPR | Any organization that processes the data of anyone within the EEA at the time of collection | Data security and availability, personal data, and the rights of data subjects | Global | Mandatory |
| FISMA | Federal agencies and their contractors, along with any cloud service providers (CSPs) they use | Data security and privacy on federal systems | US | Mandatory |
| HIPAA Privacy Rule | Covered entities like healthcare providers, health insurance companies, and associated billing services | Healthcare information security and privacy | US | Mandatory except where state law takes precedence |
| SOX | Publicly traded companies | Primarily financial and business practices but also IT controls | US | Mandatory for public companies (although some requirements also broadly apply to private companies and non-profit organizations) |
| PCI DSS | Any organization that accepts or processes card payments | Data security | Global | Contractual |
| NIST SP 800-53 | Federal agencies and their contractors, along with any CSPs they use | Federal data security and privacy | US | Mandatory |
| FedRAMP | Federal agencies and their contractors, along with any CSPs they use | Federal government data security and privacy in the cloud | US | Mandatory |
| SOC 2 | Mainly SaaS vendors, companies that provide analytics and business intelligence services, financial institutions, and other organizations that store sensitive customer information | Data security, availability, processing integrity, confidentiality, and privacy | Global (but primarily US) | Voluntary |
| CIS Controls | Organizations of any size and in any industry sector | Data security | Global | Voluntary |
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a contractual standard that applies to any organization that accepts or processes card payments to ensure the security of sensitive cardholder data. The PCI Standards Council, a body of leading payment industry stakeholders, administers it.
The framework comprises a series of technical and operational requirements, including firewalls, encryption, and access control provisions.
The PCI Standards Council has also published an online guide about the impact of cloud computing on PCI DSS compliance to help merchants and service providers understand these requirements in the context of the cloud. This includes an example of a shared responsibility matrix, which serves as a starting point for understanding how the customer and CSP share compliance obligations.
NIST SP 800-53
The National Institute of Standards and Technology (NIST) SP 800-53, a library of technical and operational controls, aims to protect information systems' integrity, confidentiality, and security. In simple terms, it comprises different categories of baseline controls, which you select based on data risk.
It's mandatory for US governmental bodies and contractors with access to federal systems and serves as a core component of FISMA. Moreover, it underpins the cascade of frameworks that support FISMA compliance.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) framework uses the cloud's shared responsibility model as its guide to separate requirements into these areas:
CSP responsibilities
Customer responsibilities
Shared responsibilities
Inherited controls
This simplifies the FISMA compliance process and helps agencies avoid unnecessarily duplicating security objectives. To ensure full compliance, however, the federal agency or contractor must use FedRAMP authorized CSPs for all risk assessments and security authorizations.
SOC 2
System and Organization Controls (SOC) 2, a voluntary compliance framework, helps service organizations assure customers that they have appropriate measures to protect the sensitive data under their control. SOC 2 attestation is necessary for many outsourced services in the US, and customers often require it as part of contractual agreements.
To maintain SOC 2 compliance, you must pass an independent audit of your security posture. The evaluation includes five broad control categories: security, availability, processing integrity, confidentiality, and privacy.
CIS Controls
Center for Internet Security (CIS) Controls are a voluntary set of essential security controls that organizations should prioritize implementing.
These controls are a starting point for hardening systems because they focus on measures that make the most effective and immediate impact. They're also handy for IT departments with limited security resources and expertise.
Cloud compliance considerations for CSPs
Below are some considerations to note for ensuring cloud compliance with a CSP.
Compliance programs
At the outset of your cloud compliance initiative, you must ensure that your CSP can meet its side of the shared responsibility bargain.
Admittedly, this vetting process may seem formidable, given the sheer number of regulations and standards that affect your organization. However, each of the three main vendors, AWS, Microsoft Azure, and Google Cloud Platform (GCP), provides an online compliance portal to help customers check that their platforms have the appropriate certification, attestation, or alignment. They also make reviewing compliance offerings easy by grouping them into categories, such as industry sectors and territorial regions.
Compliance tools
Each of these three vendors also offers other in-house services to support compliance. These include the following:
AWS Artifact, a self-service portal, gives on-demand access to the vendor's compliance documentation and agreements. It also provides a quick, efficient way for customers to assess their AWS services' compliance and to obtain evidence of appropriate vendor controls to provide to auditors or regulators.
AWS Audit Manager is a solution that continuously audits the controls you've implemented in your guest AWS environments for compliance with various regulations and standards.
Azure Blueprints is a resource template service for creating and managing environments that comply with predefined standards and requirements. The blueprints are packaged artifacts that help you deploy fully governed environments within Azure's platform.
Azure Policy is a centralized policy management service through which you can create and maintain rulesets that allow or deny specific resource properties by default. It can also alert you whenever resources deviate from policy rules and automatically remediate compliance violations.
Google Assured Workloads is a tool that supports compliance by automatically applying controls to workloads so they meet specific regulatory frameworks' requirements. For example, it will only allow you to host data in cloud regions within the territory boundaries that the compliance program permits. It also configures the appropriate encryption services that the law requires and enforces access controls in line with data sovereignty requirements.
Cloud regions
Beyond the GDPR, there are many other data protection regulations worldwide, including data residency requirements that govern where you can store and process personal information about data subjects.
Because of this, you'll need to ensure that your CSP has a data center presence in countries where governance laws permit it. If you choose to host your workloads on one of the three main cloud vendor platforms, then this should be relatively straightforward, as they now have a combined total of more than 130 data center regions around the globe.
Challenges of maintaining cloud compliance
Maintaining cloud compliance at scale is operationally difficult, especially when you manage multiple frameworks across multi-cloud environments. These are the most common obstacles organizations face:
Fragmented visibility across cloud environments: Disconnected security tools across AWS, Azure, and GCP create blind spots that prevent you from seeing your full compliance posture. A unified platform that normalizes data across clouds eliminates these gaps.
Time-consuming manual audits: Manual evidence collection drains your team's capacity and introduces human error. Agentless scanning and automated evidence collection free your GRC team to focus on remediation rather than documentation.
Overlapping framework requirements: Most organizations juggle five or more compliance frameworks with overlapping controls. Without a way to map controls across frameworks, you duplicate effort and risk accidental noncompliance.
Reactive instead of proactive compliance: When teams are overwhelmed by audit prep, they fall into reactive mode and miss emerging risks. Continuous monitoring with prioritized, contextualized alerts shifts compliance from a point-in-time exercise to an ongoing posture.
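The "keep the rule true continuously" and "overlapping framework requirements" points above can be made concrete with a small check engine. This is an added example, not code from the article or from Wiz's product: rules are tagged with every framework they satisfy, run over a constructed resource inventory, and reported per framework, so one remediation is credited against all of them. The rule-to-framework mappings, the EEA region allow-list, and the inventory are assumptions constructed for illustration.

```python
# Added illustration, not code from the article or from Wiz. Rule-to-framework
# mappings, the EEA region allow-list and the inventory are constructed assumptions.
from dataclasses import dataclass
from typing import Callable

# Constructed allow-list of regions treated as inside the EEA for the residency rule.
EEA_REGIONS = {"eu-west-1", "eu-central-1", "eu-north-1"}

@dataclass
class Rule:
    rule_id: str
    description: str
    frameworks: tuple              # every framework this single control satisfies
    applies_to: str                # resource type the rule is evaluated against
    check: Callable[[dict], bool]  # returns True when the resource is compliant

@dataclass
class Finding:
    resource: str
    rule_id: str
    frameworks: tuple
    owner: str                     # routes the fix to the team that owns the resource

def in_approved_region(res: dict) -> bool:
    """Personal data must stay in EEA regions; other data may live anywhere."""
    return res["region"] in EEA_REGIONS or not res.get("personal_data", False)

RULES = [
    Rule("no-public-storage", "Storage must not allow public access",
         ("PCI DSS", "SOC 2", "GDPR"), "storage", lambda r: not r["public"]),
    Rule("encryption-at-rest", "Data at rest must use AES-256",
         ("PCI DSS", "HIPAA", "GDPR"), "storage", lambda r: r["encryption"] == "AES-256"),
    Rule("access-logging", "Access logging must be on for the audit trail",
         ("SOX", "PCI DSS"), "storage", lambda r: r["logging"]),
    Rule("data-residency", "Personal data must stay within the EEA",
         ("GDPR",), "storage", in_approved_region),
    Rule("mfa-enforced", "Console users must have MFA enabled",
         ("SOC 2", "PCI DSS"), "user", lambda r: r["mfa"]),
]

def evaluate(inventory: list, rules=RULES) -> list:
    """Run every applicable rule over every resource and return the failures."""
    findings = []
    for res in inventory:
        for rule in rules:
            if rule.applies_to == res["type"] and not rule.check(res):
                findings.append(Finding(res["name"], rule.rule_id, rule.frameworks, res["owner"]))
    return findings

def coverage_report(findings: list) -> dict:
    """Group failures by framework: one remediation clears every framework listed."""
    report = {}
    for f in findings:
        for fw in f.frameworks:
            report.setdefault(fw, set()).add(f"{f.resource}:{f.rule_id}")
    return {fw: sorted(items) for fw, items in sorted(report.items())}

# Constructed inventory, shaped like what a posture tool collects from cloud APIs.
INVENTORY = [
    {"type": "storage", "name": "customer-exports", "owner": "data-eng", "region": "us-east-1",
     "public": True, "encryption": "AES-256", "logging": False, "personal_data": True},
    {"type": "storage", "name": "build-cache", "owner": "platform", "region": "us-east-1",
     "public": False, "encryption": "none", "logging": True, "personal_data": False},
    {"type": "user", "name": "ops-admin", "owner": "it", "mfa": False},
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.resource}: {f.rule_id} -> {', '.join(f.frameworks)} (owner: {f.owner})")
    for fw, items in coverage_report(evaluate(INVENTORY)).items():
        print(f"{fw}: {len(items)} open finding(s)")
```

Run on a schedule against a live inventory, the same rule set turns audit preparation into a standing report with an owner attached to every failure.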
You can solve these compliance challenges head-on by adopting Wiz. This CNAPP gives you a holistic, bird's-eye view of your cloud environments, automatic audits and reporting, and compliance capabilities with over 100 built-in frameworks.
With these tools, along with proactive, agentless scanning and continuous monitoring technologies, you can secure your data while meeting multiple standards simultaneously.
Essential cloud compliance best practices
Effective cloud compliance requires more than tooling. It requires embedding security and compliance into how you configure resources, manage access, and monitor your environment. These best practices address the operational disciplines that underpin a strong compliance posture:
1. Data security
This practice ensures data's confidentiality, integrity, and availability in the cloud:
Data classification and governance: Implement data classification schemes to categorize data based on sensitivity and regulatory requirements. Develop and enforce data governance policies that dictate how your organization handles, stores, and accesses data.
Encryption and key management: Encrypt data at rest and in transit using strong encryption standards (like AES-256) to protect sensitive information. Use robust key management practices and manage encryption keys securely so only authorized personnel have access.
Access control and identity management: Enforce least privilege access policies to ensure that users have only the minimum access necessary to perform their roles. Use multi-factor authentication to add a layer of security for accessing cloud services.
2. Configuration management
Configuration management helps organizations maintain systems, servers, and software in a desired, consistent state:
Secure API use: Securely design APIs that interface with cloud services and use strong authentication and encryption for data in transit. Regularly review and update API access policies to reflect user role or service changes.
Patch management: Implement an effective patch management process to ensure that all software and infrastructure components are up-to-date with the latest security patches.
Network configuration and segmentation: Configure cloud network settings to enforce security policies, including firewalls, intrusion detection systems, and other perimeter defenses. Use network segmentation to isolate sensitive data and systems and reduce the potential impact of a breach.
3. Strategy and monitoring
These overarching practices and procedures help teams manage and oversee cloud security and compliance:
Compliance and regulatory awareness: Stay informed about the regulations and compliance requirements that are relevant to your industry and regions of operation (such as GDPR, HIPAA, or PCI DSS). Understand the shared responsibility model in cloud computing and clearly delineate security responsibilities between your organization and the CSP.
Security assessments and audits: Conduct regular security assessments, including vulnerability scans and penetration tests, to identify and mitigate potential security gaps. Perform compliance audits to ensure ongoing adherence to internal policies and external regulations and maintain audit trails and logs for accountability and forensic analysis.
Employee training and awareness: Provide regular training on security best practices, compliance requirements, and emerging threats to all employees. Foster a culture of security awareness by emphasizing everyone's role in maintaining compliance and data protection.
Incident response: Develop and maintain an incident response plan that outlines procedures for detecting, containing, eradicating, and recovering from security incidents. Regularly test the incident response plan to ensure its effectiveness.
Cloud provider specifics: Familiarize yourself with your CSP's security documentation and best practices. Some may have slight variations in implementation or may use unique security features, but there are often similarities across cloud providers (AWS, Azure, and GCP).
Who is responsible for cloud compliance?
Cloud compliance is a shared responsibility between your organization and your cloud service provider. The CSP secures the physical infrastructure, hypervisors, and host operating systems. You are responsible for configuring cloud services correctly, managing access controls, and ensuring the security of your data and applications.
The exact split varies by service model. In IaaS, you own more of the stack. In SaaS, the provider handles most controls. Misunderstanding this boundary is one of the most common compliance failures.
To help customers understand the demarcation between responsibilities, each leading CSP provides a set of guidelines, or a shared responsibility model. This involves the following responsibilities:
The CSP is responsible for securing its data centers, IT infrastructure, hypervisors, and host operating systems and ensuring the availability and reliability of the services it provides to customers.
The customer is responsible for configuring the cloud services it uses and ensuring the security and compliance of guest operating systems and the applications it hosts on the vendor's platform.
Cloud compliance in the AI landscape
AI workloads introduce new compliance considerations that traditional frameworks do not fully address. Training data governance, model access controls, and inference endpoint security all create compliance obligations that span data protection, identity management, and application security.
Wiz Research discovered an exposed DeepSeek database leaking sensitive data, including usage history and log streams, with vulnerabilities that allowed complete control over database operations. This type of exposure illustrates how AI systems can create compliance gaps if they are not inventoried and secured like any other cloud workload.
As AI adoption accelerates, the line between cloud compliance and AI compliance continues to blur. Organizations that treat AI security as part of their broader cloud compliance posture, rather than a separate initiative, will be better positioned to meet emerging regulatory requirements. With over 85% of organizations now using either managed or self-hosted AI services, according to Wiz's State of AI in the Cloud report, establishing AI governance frameworks has become essential.
Continuous Cloud Compliance with Wiz
Wiz helps you shift from point-in-time compliance checks to continuous posture management. Instead of scrambling before audits, you get real-time visibility into what is passing, what is failing, and who needs to fix it across your entire cloud footprint.
Here is what makes Wiz different:
Broad framework coverage: Support for over 100 built-in frameworks, including NIST, HIPAA, CIS, HITRUST, PCI DSS, and SOC 2, with the ability to create custom frameworks tailored to your specific requirements.
Continuous, agentless assessment: Real-time posture monitoring without the operational overhead of deploying and maintaining agents across your environment.
Cross-framework control mapping: Automatic correlation of controls across overlapping frameworks so you can address multiple requirements with a single remediation.
Contextual remediation guidance: Prioritized findings with specific fix instructions and ownership routing, not just a list of violations.
Executive-ready reporting: Compliance heatmaps and trend reports that translate technical posture into business risk for board and audit conversations.
Wiz connects compliance monitoring to vulnerability management, identity risk, and data security in a single platform, eliminating the need to correlate findings across disconnected tools. You get one graph that shows how your cloud, workloads, identities, and data align with the frameworks that matter to your business.
Ready to simplify cloud compliance? Get a personalized demo to see how Wiz maps your environment to the frameworks you need to meet.