“Moving to the cloud” appears more and more in organizations’ strategies and roadmaps nowadays. Along with the migration, “Regulatory Compliance” also becomes a hot topic. In fact, regulatory compliance is always a hot topic, but its temperature rises further when organizations massively move their workloads and applications from their compliant on-prem environments to the cloud.
There are quite a number of laws and regulations surrounding organizations in different industries and regions. Finding information on the regulation in question can be a pain. Luckily AWS, Azure and GCP have all provided compliance resource sites to help organizations learn about compliance in the cloud. In this article, we’ll compare these CSPs’ compliance offerings.
About Regulatory Compliance
As usual, let’s understand the “food” first before we take a bite of it. If we take a literal look at the phrase “Regulatory Compliance”, Regulatory is an adjective and Compliance is the noun. When we drill into the meaning behind each word, they are defined as follows:
- Regulatory refers to the activity of checking whether a business is working according to official rules or laws;
- Compliance refers to the act of obeying a rule or law.
So from the organizations’ point of view, compliance is the actual goal they need to achieve. Then the next question is which rules or laws an organization needs to conform to. Usually we can group them in three ways:
- Compliance by Category, e.g. Certification/Attestation, Laws/Regulations/Privacy, Alignments/Framework
- Compliance by Region, e.g. Global, Regional, Local
- Compliance by Industry, e.g. Financial, Healthcare, Automotive, etc.
When organizations choose to host their workloads or applications in the cloud, compliance becomes a goal and responsibility shared between the CSPs and the organizations (ref Shared Responsibility Model in AWS, Azure and GCP). This makes a CSP’s compliance status a prerequisite for an organization’s own compliance: an organization cannot be compliant on a platform that is not. In the following sections, we’ll compare AWS, Azure and GCP’s compliance using the three ways of grouping.
Please note that all CSPs are constantly working to expand the coverage of their compliance offerings. We’ll also periodically review the lists in this article and update them to reflect the latest state. However, please always refer to these CSPs’ official websites for details of their compliance offerings (ref AWS Compliance Programs, Azure Compliance Documentation and Google Cloud Compliance Offerings).
Compliance by Category
AWS
Certifications/Attestations
- C5
- CMMC
- Cyber Essentials Plus
- DoD SRG
- ENS High
- FedRAMP
- FINMA
- FIPS
- GSMA
- HDS
- IRAP
- ISMAP
- ISO 9001
- ISO 27001
- ISO 27017
- ISO 27018
- K-ISMS
- MTCS Tier 3
- OSPAR
- PCI DSS Level 1
- SOC 1
- SOC 2
- SOC 3
- TISAX
Laws/Regulations
Alignments/Frameworks
- CJIS
- CSA
- EU-US Privacy Shield
- FinTech – Japan
- FISC
- FISMA
- G-Cloud
- GxP (FDA CFR 21 Part 11)
- HITRUST
- Medical Information Guidelines – Japan
- MPAA
- NISC – Japan
- NIST
- UK Cloud Security Principles
- Uptime Institute Tiers
Privacy
- Act respecting the sharing of certain health information – Quebec
- Argentina Data Privacy
- Brazil Data Privacy
- CCPA
- FERPA
- FOIPPA – British Columbia
- HIA – Alberta
- NL PHIA – Newfoundland and Labrador
- PHIA – Nova Scotia
- NB PHIPAA – New Brunswick
- PHIPA – Ontario
- PIPEDA – Canada
- Australia Data Privacy
- Hong Kong Data Privacy
- India Data Privacy
- Indonesia Data Privacy
- Japan Data Privacy
- Korea Data Privacy
- Malaysia Data Privacy
- New Zealand Data Privacy
- Philippines Data Privacy
- Singapore Data Privacy
- Taiwan Data Privacy
- Thailand Data Privacy
- C5
- CISPE
- EU Data Protection
- EU-US Privacy Shield
- GDPR
- South Africa Data Privacy
Azure
Azure hasn’t grouped its compliance offerings by category. Please refer to Compliance by Region and Compliance by Industry for more information.
GCP
Certifications/Attestations
- C5
- CSA
- ENS
- EU Cloud Code of Conduct
- FedRAMP
- FIPS 140-2 Validated
- HDS
- HITRUST CSF
- ISE Audit
- ISMAP
- IRAP
- FINMA
- ISO 9001
- ISO 22301
- ISO 50001
- ISO 27001
- ISO 27017
- ISO 27018
- ISO 27701
- K-ISMS (Korea)
- MARS-E
- MTCS Tier 3
- NCSC-Cyber Essentials
- OSPAR
- PCI 3DS
- PCI DSS
- SNI 27001
- SOC 1
- SOC 2
- SOC 3
- SWIPO Data Portability Code of Conduct
- ETDA
- TISAX
- TruSight
- U.S. Defense Information Systems Agency Provisional Authorization
- VPAT / Section 508
Laws / Regulations
- ACPR (France)
- Act on the Protection of Personal Information (Japan)
- APRA Prudential Standard CPS 234
- PDPL (Argentina)
- APPs (Australia)
- BaFin Cloud Outsourcing Guidance
- Banco de España
- Banco de Portugal
- Bank Negara (Malaysia)
- Bank of Italy
- Bank of Thailand (BOT)
- BCRA (Argentina)
- BRSA (Turkey)
- BSP (Philippines)
- BWG (Austria)
- California Consumer Privacy Act (CCPA)
- Central Bank of Brazil (Brazil)
- Central Bank of Ireland (Ireland)
- CNBV (Mexico)
- CNSF (Mexico)
- CMF (Chile)
- COPPA (U.S.)
- CSSF (Luxembourg)
- De Nederlandsche Bank (the Netherlands)
- DSA (Bangladesh)
- ESMA (EU)
- EU Standard Contractual Clauses
- Export Administration Regulations (EAR)
- FDIC (US)
- FERPA (U.S.)
- FG16/5 – FCA
- FINMA (Switzerland)
- Financial Superintendence of Colombia
- FSA (Denmark)
- FSC Insurance Outsourcing Directions
- FSC Banking Outsourcing Regulations
- GDPR
- GR 95/2018 guidelines
- GxP
- HIPAA
- IA (Hong Kong)
- HKMA (Hong Kong)
- MAMPU (Malaysia)
- PDPO (Hong Kong)
- Indonesia Government Regulation No. 71 (GR 71)
- IRDAI (India)
- IRS 1075
- International Traffic in Arms Regulations (ITAR)
- KNF (Poland)
- FSC (Korea)
- Lei Geral de Proteção de Dados (LGPD)
- MaRisk AT 9 Outsourcing
- MAS TRM Guidelines
- NERC CIP
- OJK Circular 21 of 2017 (SEOJK 21)
- OJK Regulation No. 38 of 2016 (POJK 38)
- OSFI (Canada)
- PDPA (Malaysia)
- PDPA (Philippines)
- PDPA (Taiwan)
- PIPA (Korea)
- PHIPA (Canada)
- PRA (UK)
- RBI (India)
- Reserve Bank of New Zealand (New Zealand)
- revFADP (Switzerland)
- SEC (US)
- Securities and Exchange Board of India (SEBI)
- SFSA (Sweden)
- PDPA (Singapore)
- South Africa POPI
- State Bank of Vietnam
- Superintendencia de Banca (Peru)
- SYSC 8 Outsourcing – FCA Handbook
- The Privacy Act (New Zealand)
- PIPEDA (Canada)
- VAG (Austria)
Alignments / Frameworks
- APRA Prudential Standard CPS 231
- ABS (Singapore)
- PMDA (Japan)
- Criminal Justice Information Services (CJIS)
- CyberGRX
- EBA (EU)
- EIOPA (EU)
- FFIEC (US)
- FED (US)
- FISC (Japan)
- ISO/IEC 27110
- Know Your Third Party (KY3P) Report
- NCSC – Cloud Security (UK)
- MeitY (India)
- Monetary Authority of Singapore (MAS) Guidelines
- MPA
- MVSP
- NEN (Netherlands)
- NISC (Japan)
- NIST 800-34 – Contingency Planning
- NIST 800-53
- NIST 800-171
- NHS (UK)
- OCC (US)
- PiTuKri
- Standardized Information Gathering (SIG) Questionnaire
- 2G3M (Japan)
Compliance by Region
AWS
Global
Americas
- CCCS
- CJIS
- DoD SRG
- FedRAMP
- FERPA
- FIPS
- FISMA
- GxP
- HIPAA
- HITRUST CSF
- ITAR
- MPAA
- NIST
- PIPEDA
- SEC Rule 17a-4(f)
- VPAT / Section 508
Asia Pacific
Europe, Middle East & Africa
Azure
Global
- CIS benchmark
- CSA STAR Attestation
- CSA STAR Certification
- CSA STAR self-assessment
- SOC 1
- SOC 2
- SOC 3
- ISO 20000-1
- ISO 22301
- ISO 27001
- ISO 27017
- ISO 27018
- ISO 27701
- ISO 9001
- WCAG
Americas – U.S.
- CJIS
- CMMC
- CNSSI 1253
- DFARS
- DoD IL2
- DoD IL4
- DoD IL5
- DoD IL6
- DoE 10 CFR Part 810
- EAR
- FedRAMP
- FIPS 140
- ICD 503
- IRS 1075
- ITAR
- JSIG
- NDAA
- NIST 800-161
- NIST 800-171
- NIST 800-53
- NIST 800-63
- NIST CSF
- Section 508 VPATs
- StateRAMP
Americas – Other
Asia Pacific
- Australia IRAP
- China GB 18030
- China DJCP (MLPS)
- China TCS
- India MeitY
- Japan CS Gold Mark
- Japan ISMAP
- Japan My Number Act
- Korea K-ISMS
- New Zealand ISPC
- Singapore MTCS
Europe, Middle East & Africa
GCP
Global
- ISO 9001
- ISO 27001
- ISO 27017
- ISO 27018
- ISO 22301
- ISO 27110
- ISO 27701
- SOC 1
- SOC 2
- SOC 3
- CSA
- CyberGRX
- GxP
- HITRUST CSF
- Know Your Third Party (KY3P) Report
- MVSP
- PCI 3DS Core Security Standard
- PCI DSS
- Standardized Information Gathering (SIG) Questionnaire
- VPAT / Section 508
Americas – U.S.
- U.S. Defense Information Systems Agency Provisional Authorization
- TruSight
- SEC (US)
- OCC (US)
- NIST 800-53
- NIST 800-34 – Contingency Planning
- NIST 800-171
- NERC CIP
- MPA
- MARS-E
- ITAR
- IRS 1075
- ISE Audit
- HIPAA
- HECVAT
- FIPS 140-2 Validated
- FFIEC (US)
- FERPA (US)
- FedRAMP
- FED (US)
- FDIC (US)
- EAR
- CJIS
- COPPA (US)
- CCPA
Americas – Other
- BCRA (Argentina)
- Central Bank of Brazil (Brazil)
- CNBV (Mexico)
- CNSF (Mexico)
- CMF (Chile)
- Financial Superintendence of Colombia
- Lei Geral de Proteção de Dados (LGPD)
- NERC CIP
- OSFI (Canada)
- PDPL (Argentina)
- PHIPA (Canada)
- PIPEDA (Canada)
- Superintendencia de Banca (Peru)
Asia Pacific
- 2G3M (Japan)
- ABS (Singapore)
- Act on the Protection of Personal Information (Japan)
- APPs (Australia)
- APRA Prudential Standard CPS 231
- APRA Prudential Standard CPS 234
- Bank Negara (Malaysia)
- Bank of Thailand (BOT)
- BSP (Philippines)
- DSA (Bangladesh)
- ETDA (Thailand)
- FISC (Japan)
- FSC (Korea)
- FSC Banking Outsourcing Regulations
- FSC Insurance Outsourcing Directions
- GR 95/2018 guidelines
- HKMA (Hong Kong)
- IA (Hong Kong)
- Indonesia Government Regulation No. 71 (GR 71)
- ISMAP
- IRAP
- IRDAI (India)
- K-ISMS (Korea)
- MAMPU (Malaysia)
- MAS TRM Guidelines
- MeitY (India)
- Monetary Authority of Singapore (MAS) Guidelines
- MTCS (Singapore) Tier 3
- NISC (Japan)
- OJK Circular 21 of 2017 (SEOJK 21)
- OJK Regulation No. 38 of 2016 (POJK 38)
- OSPAR
- PDPA (Malaysia)
- PDPA (Philippines)
- PDPA (Singapore)
- PDPA (Taiwan)
- PDPO (Hong Kong)
- PIPA (Korea)
- PMDA (Japan)
- RBI (India)
- Reserve Bank of New Zealand (New Zealand)
- Securities and Exchange Board of India (SEBI)
- SNI 27001
- State Bank of Vietnam
- The Privacy Act (New Zealand)
Europe, Middle East & Africa
- VAG (Austria)
- TISAX
- SYSC 8 Outsourcing – FCA Handbook
- SWIPO Data Portability Code of Conduct
- Spain Esquema Nacional de Seguridad (ENS)
- South Africa POPI
- SFSA (Sweden)
- revFADP (Switzerland)
- PRA (UK)
- PiTuKri
- NHS (UK)
- NEN (Netherlands)
- NCSC – Cloud Security (UK)
- NCSC – Cyber Essentials (UK)
- MaRisk AT 9 Outsourcing
- KNF (Poland)
- ISAE 3000 Type 2 Report (FINMA)
- HDS
- GDPR
- FSA (Denmark)
- FINMA (Switzerland)
- FG16/5 – FCA
- EU Standard Contractual Clauses
- EU Cloud Code of Conduct
- ESMA (EU)
- EIOPA (EU)
- EBA (EU)
- De Nederlandsche Bank (the Netherlands)
- CSSF (Luxembourg)
- Cloud Computing Compliance Criteria Catalog (C5:2020)
- Central Bank of Ireland (Ireland)
- BWG (Austria)
- BRSA (Turkey)
- Bank of Italy
- Banco de Portugal
- Banco de España
- BaFin Cloud Outsourcing Guidance
- ACPR (France)
- ISO 50001
Compliance by Industry
AWS
AWS hasn’t grouped its compliance offerings by industry. Please refer to Compliance by Category and Compliance by Region for more information.
Azure
Financial Services
- 23 NYCRR Part 500 (US)
- AFM and DNB (Netherlands)
- AMF and ACPR (France)
- APRA (Australia)
- CFTC 1.31 (US)
- EBA (EU)
- FCA and PRA (UK)
- FFIEC (US)
- FINMA (Switzerland)
- FINRA 4511 (US)
- FISC (Japan)
- FSA (Denmark)
- GLBA (US)
- KNF (Poland)
- MAS and ABS (Singapore)
- NBB and FSMA (Belgium)
- OSFI (Canada)
- OSPAR (Singapore)
- PCI 3DS
- PCI DSS
- RBI and IRDAI (India)
- SEC 17a-4 (US)
- SEC Regulation SCI (US)
- SOX (US)
- TruSight
Healthcare & Life Sciences
- ASIP HDS (France)
- EPCS (US)
- GxP (FDA 21 CFR Part 11)
- HIPAA (US)
- HITRUST
- MARS-E (US)
- NEN 7510 (Netherlands)
Other
GCP
GCP hasn’t grouped its compliance offerings by industry. Please refer to Compliance by Category and Compliance by Region for more information.
Summary
After listing the compliance offerings from AWS, Azure and GCP, we felt much sympathy for the CSPs. One organization may only need to comply with one or a few laws or regulations, but a CSP needs to pursue as many compliance programs as it can in order to offer compliant cloud services to customers across regions and industries.
The compliance offerings listed above may change or grow the very next day. For comprehensive information about AWS, Azure and GCP’s compliance offerings, please refer to their official websites: AWS Compliance Programs, Azure Compliance Documentation and Google Cloud Compliance Offerings.