Compliance
How CloudTaser maps to EU regulations. Specific article references, what each regulation requires, and how CloudTaser satisfies it.
GDPR (Articles 44-49)
The General Data Protection Regulation restricts transfers of personal data to third countries that do not provide an adequate level of protection. After the Schrems II ruling invalidated the EU-US Privacy Shield, the EDPB issued Recommendations 01/2020 requiring "effective supplementary technical measures" for data transfers.
What GDPR requires
- Article 44: Any transfer of personal data to a third country shall take place only if conditions in Chapter V are complied with
- Article 46: In the absence of an adequacy decision, transfers may take place with appropriate safeguards and enforceable rights
- Article 49: Derogations for specific situations -- but not applicable for systematic transfers to US cloud providers
- EDPB Recommendations 01/2020, Use Case 2: "Transfer to cloud service providers or other processors which require access to data in the clear" -- recommends encryption where the importer does not hold keys
How CloudTaser satisfies it
- Client-side encryption with EU-held keys is the EDPB-recommended supplementary measure -- the cloud provider physically cannot access plaintext
- Encryption keys stored in EU-jurisdiction OpenBao/Vault under customer control
- Secrets delivered into process memory via memfd -- never written to disk, etcd, or K8s Secrets
- Provider sees only ciphertext -- court orders yield nothing decryptable
- Vault audit logs provide tamper-proof evidence of data access for DPA inquiries
Schrems II (CJEU Case C-311/18)
The July 2020 ruling by the Court of Justice of the European Union invalidated the EU-US Privacy Shield and created the legal requirement for supplementary technical measures when transferring data to the US. The court found that US surveillance laws (FISA Section 702, EO 12333) are incompatible with EU fundamental rights.
What Schrems II requires
- Standard Contractual Clauses (SCCs) alone are insufficient -- technical measures must complement them
- The supplementary measures must ensure US authorities cannot access the data, even if the cloud provider is compelled
- The current EU-US Data Privacy Framework (DPF) is already facing legal challenges and relies on the PCLOB for oversight -- members of which were fired in January 2025
How CloudTaser satisfies it
- CloudTaser is the exact "effective supplementary technical measure" the EDPB recommends
- Encryption is client-side -- the data is encrypted before it reaches the cloud provider
- Keys never leave EU jurisdiction -- they are stored in customer-controlled OpenBao/Vault in Frankfurt, Amsterdam, Dublin, or London
- Even if the cloud provider is compelled under the CLOUD Act, they can only hand over ciphertext
- This protection survives regardless of which legal framework gets invalidated next -- the guarantee is cryptographic, not contractual
NIS2 Directive
The Network and Information Security Directive 2 (NIS2) came into effect in October 2024 with transposition deadlines for EU member states. Cloud providers are classified as essential entities, subject to cybersecurity risk management requirements, supply chain security obligations, and incident reporting mandates. Fines reach up to EUR 10M or 2% of global annual turnover.
What NIS2 requires
- Article 21: Cybersecurity risk-management measures including policies on cryptography and encryption
- Article 21(2)(e): Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- Article 21(2)(d): Supply chain security, including security-related aspects concerning relationships between entities and their direct suppliers
- Article 23: Incident reporting obligations with 24-hour initial notification and 72-hour detailed report
How CloudTaser satisfies it
- eBPF kernel-level monitoring with 20+ enforcement vectors provides real-time intrusion detection
- 7 Prometheus metrics at /metrics enable real-time alerting for incident reporting requirements
- Encrypted secrets not on disk -- reduces the attack surface for supply chain attacks
- Runtime enforcement mode blocks unauthorized access to protected processes, supporting the cybersecurity risk management mandate
- Cosign-signed images, SBOMs, and Trivy scanning satisfy supply chain security requirements
DORA (Digital Operational Resilience Act)
DORA applies to financial entities in the EU and establishes a framework for ICT risk management, third-party risk assessment, incident reporting, and resilience testing. In November 2025, AWS, Google, and Azure were designated as Critical ICT Third-Party Providers, subjecting financial entities using them to heightened scrutiny.
What DORA requires
- Chapter II (Articles 5-16): ICT risk management framework -- financial entities must identify, protect against, detect, respond to, and recover from ICT-related incidents
- Article 28: Third-party risk -- financial entities must assess the risk concentration from dependencies on critical ICT third-party service providers
- Article 30: Key contractual provisions -- agreements with ICT third-party providers must include data location, processing, and protection requirements
- Chapter IV: Digital operational resilience testing, including threat-led penetration testing
How CloudTaser satisfies it
- eBPF monitoring provides real-time incident detection -- satisfies the "detect" and "respond" requirements of the ICT risk management framework
- Vault audit logs provide tamper-proof access records for third-party risk assessment
- S3 proxy encryption provides data-at-rest protection -- cloud provider stores only ciphertext
- Exit strategy enabled by portable vault + standard K8s -- financial entities can migrate between cloud providers without re-architecting secret management
- CloudTaser reduces concentration risk by making the cloud provider unable to access sensitive data -- even if compelled
EU Data Act (Chapter VII)
The EU Data Act entered into application in September 2025. Chapter VII specifically addresses unlawful third-country government access to non-personal data held in the Union. Cloud service providers must take "all reasonable technical, legal, and organisational measures" to prevent such access.
What the EU Data Act requires
- Article 32: Cloud providers must take reasonable technical measures to prevent unlawful third-country government access to non-personal data
- Article 33: Providers must notify affected customers when they receive government access requests from third countries
- Covers non-personal data -- which GDPR does not protect -- closing a significant gap
How CloudTaser satisfies it
- Client-side encryption makes data inaccessible to the provider regardless of government demands
- Transient DEKs mean no persistent key material on provider infrastructure
- Covers both personal and non-personal data -- the encryption is applied to all objects, not just GDPR-covered personal data
- Codifies what CloudTaser enables technically -- the regulation now requires what was previously a best practice
Regulatory Timeline
Key events that created the need for CloudTaser. The legal ground under EU-US data transfers gets shakier every year.
| Date | Event | What happened | CloudTaser relevance |
|---|---|---|---|
| Mar 2018 | US CLOUD Act | US providers must hand over data regardless of where it is stored -- including EU data centers. | Provider cannot hand over what they cannot decrypt |
| Jul 2020 | Schrems II | CJEU invalidated EU-US Privacy Shield. Transfers require "effective supplementary measures." | The ruling that created the legal requirement for what CloudTaser does |
| Jul 2022 | Denmark bans Google Chromebooks | Datatilsynet banned Google Workspace in schools. Expanded nationwide Jan 2024. | "Encryption at rest" is insufficient when the provider holds the keys |
| May 2023 | Meta fined EUR 1.2B | Largest GDPR fine ever -- SCCs without adequate protections. | SCCs alone are not enough -- CloudTaser is the supplementary measure |
| Mar 2024 | EDPS: Commission's M365 use illegal | EU Commission itself found violating data protection using Microsoft 365. | If the Commission cannot comply without technical measures, nobody can |
| Apr 2024 | FISA 702 expanded | Broadened "electronic communication service provider" definition. | More providers can be compelled -- more workloads need protection |
| Oct 2024 | NIS2 transposition deadline | Cloud providers classified as essential entities. Fines up to EUR 10M or 2% revenue. | eBPF monitoring + encrypted secrets satisfies cybersecurity requirements |
| Jan 2025 | PCLOB gutted | All Democratic members fired, DPF compliance review suspended. | Key DPF safeguard gone -- technical measures are the only reliable fallback |
| Feb 2025 | Norway DPA: prepare exit strategies | First national DPA to formally advise US cloud exit planning. Denmark, Germany followed. | CloudTaser is the alternative to exit -- stay on US cloud, remove the risk |
| Mar 2025 | FTC commissioners fired | DPF enforcement body weakened. | Contracts alone are unreliable -- need cryptographic guarantees |
| Sep 2025 | EU Data Act enters application | Chapter VII blocks unlawful third-country government access. | Codifies what CloudTaser enables technically |
| Nov 2025 | DORA: hyperscalers designated critical | AWS, Google, Azure classified as Critical ICT Third-Party Providers. | Financial sector must demonstrate third-party risk management |
| Nov 2025 | France-Germany sovereignty summit | Joint task force to reduce US cloud dependence. Procurement restrictions expected. | CloudTaser lets you comply without migrating off US cloud |
Compliance Frameworks Summary
A comprehensive mapping of CloudTaser capabilities to regulatory requirements.
| Framework | Requirement | How CloudTaser satisfies it |
|---|---|---|
| GDPR (Articles 44-49) | Adequate protection for data transferred to third countries. Supplementary measures required post-Schrems II. | Client-side encryption with EU-held keys is the EDPB-recommended supplementary measure. Provider physically cannot access plaintext. |
| EDPB Recommendations 01/2020 | Use Case 2: "Transfer to cloud service providers or other processors which require access to data in the clear." Recommends encryption where the importer does not hold keys. | Exact implementation: encryption keys in EU vault, secrets in process memory, provider sees only ciphertext. |
| DORA | ICT risk management framework, third-party risk assessment, incident reporting, resilience testing for financial entities. | eBPF monitoring provides runtime incident detection. Vault audit logs provide tamper-proof access records. S3 proxy encryption provides data-at-rest protection. Exit strategy enabled by portable vault + standard K8s. |
| NIS2 | Cybersecurity risk management, supply chain security, incident reporting for essential/important entities. Cloud providers are essential entities. | eBPF kernel-level monitoring, encrypted secrets not on disk, runtime enforcement mode for blocking unauthorized access. |
| EU Data Act (Chapter VII) | Providers must take reasonable technical measures to prevent unlawful third-country government access to non-personal data. | Client-side encryption makes data inaccessible to the provider regardless of government demands. Transient DEKs mean no persistent key material on provider infrastructure. |
| PCI DSS 4.0 | Protect stored cardholder data. Encrypt transmission of cardholder data across open networks. Restrict access to cardholder data by business need-to-know. | Secrets in memory (not on disk), AES-256-GCM object encryption, eBPF access monitoring enforces need-to-know at kernel level. |
| ISO 27001:2022 (A.8.24, A.8.11) | Use of cryptography. Data masking. Protection of information in cloud services. | Envelope encryption with transient keys, EU-jurisdiction key management, per-object unique DEKs, vault audit trail. |
| SOC 2 Type II | Security, availability, processing integrity, confidentiality, privacy criteria for service organizations. | Demonstrates encryption controls, access monitoring (eBPF logs), key management practices, and data residency for EU-focused trust service criteria. |
| German C5 | Cloud Computing Compliance Criteria Catalogue by BSI. Required for German public sector cloud procurement. | EU-hosted key management, client-side encryption, runtime monitoring satisfy C5 data sovereignty and encryption requirements. |
| France SecNumCloud | ANSSI qualification for cloud service providers handling sensitive data. Requires immunity from non-EU laws. | CloudTaser provides the technical layer that makes US-hosted infrastructure functionally immune to CLOUD Act access -- data is ciphertext, keys are in EU. |
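The envelope-encryption model the EU Data Act section and the summary table rely on (a transient per-object DEK, AES-256-GCM, a KEK that stays in the EU-held vault), as an added stand-alone Go example; this is not CloudTaser's code. The vault is modelled simply as a KEK byte slice the client holds, and DEK wrapping uses AES-GCM rather than any specific OpenBao/Vault transit format (both are assumptions made for the example).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Object is all the provider ever stores: AES-256-GCM ciphertext plus the per-object DEK wrapped under the EU-held KEK.
type Object struct{ Ciphertext, WrappedDEK []byte }

// seal returns nonce||ciphertext; aad binds the blob to its object key so it cannot be replayed under another key name.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or tampered blob fails GCM authentication instead of yielding garbage.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < aead.NonceSize() { return nil, errors.New("blob too short") }
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt is the client-side envelope step: fresh 256-bit DEK per object, object sealed under the DEK, DEK sealed under the KEK; the plaintext DEK is dropped on return.
func Encrypt(kek []byte, objectKey string, plaintext []byte) (*Object, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, plaintext, []byte(objectKey))
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek, []byte(objectKey))
	if err != nil { return nil, err }
	return &Object{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt must unwrap the DEK with the KEK first; a party holding only the stored Object (the provider, or whoever compels it) gets nothing.
func Decrypt(kek []byte, objectKey string, o *Object) ([]byte, error) {
	dek, err := open(kek, o.WrappedDEK, []byte(objectKey))
	if err != nil { return nil, err }
	return open(dek, o.Ciphertext, []byte(objectKey))
}
```

Decrypting with no KEK, with the wrong KEK, or under a different object name all fail authentication, and two encryptions of the same object produce different wrapped DEKs, which is the per-object uniqueness the summary table claims.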
See CloudTaser in action
Interactive demos on real infrastructure. No signup required.