Keeping track of changing requirements in compliance standards and laws is a time-consuming job that quickly becomes overwhelming given the volume of updates and new benchmarks affecting broad and niche business sectors.
This article is a compilation of changes businesses should be aware of in 2024, so they can ensure continued compliance with the most well-known regulatory frameworks, such as PCI-DSS, GDPR, SOC 2, and prepare for incoming regulations such as DORA.
DORA (Digital Operational Resilience Act) comes into force on the 17th of January 2025, and it’s a big one because it will affect everybody in the financial sector, not just banks. So affected companies should be spending a good amount of time in 2024 planning and preparing.
DORA is an EU regulatory standard for financial institutions with activity in the European Union, but it also applies to entities outside of the EU which provide ICT services to financial entities within the EU.
Essentially, the regulation seeks to ensure that financial services firms and institutions can recover and get back up and running quickly after a security incident. The aim is to minimize the impact on customers and consumers.
The focus is on harmonizing internal processes while strengthening transparency and the monitoring of third-party service providers such as cloud services platforms. It’s really all about context and being able to see technological connections across the entire business and understanding how and where there are vulnerabilities. Ultimately this helps to ensure not just the continuity of service delivery, but also the business’s ability to keep making money.
This has led observers to note that DORA could become a template to be adopted by other regulatory models. In fact, a recent report from PwC proposes that instead of seeing DORA “as a mere compliance matter, financial entities should view it as an opportunity to enhance their digital operational resilience and proactively ready themselves for upcoming regulations pertaining to other facets of the digital realm, namely Artificial Intelligence.”
We have a detailed article on DORA that you can check out for more information and for a list of requirements related to cloud security and operational risk management.
CIS Benchmarks: Updated
CIS Benchmarks are configuration recommendations for more than 25 vendor product families, and they receive regular updates every year. Here are the latest versions for the most important CIS Benchmarks related to the cloud:
- CIS Microsoft Azure Foundations Benchmark v2.0.0 appeared in February 2023. The previous version, v1.5.0, was released in August 2022.
- CIS Amazon Web Services Foundations Benchmark v2.0.0 appeared in June 2023; the previous version was released in August 2022.
- CIS Google Cloud Platform Foundation Benchmark v1.3.0 was last updated in 2022.
- CIS Kubernetes Benchmark v1.8.0. The newest version was released at the end of September 2023.
CIS updates usually contain anything from additional requirements to text revisions and removing deprecated recommendations. These standards are highly regarded and very useful, and we recommend using them when planning your cloud security strategy for 2024 and beyond.
PCI-DSS: March 2024 deadline
2024 is a big year for compliance across many industries, especially those that deal with financial information. PCI-DSS, which relates to the processing and storing of credit card data, saw its latest version, 4.0, emerge in March of 2022.
The regulation allowed companies a transition period of two years due to its extensive changes, meaning the clock is ticking down to end-March this year. While companies still have a little time to become accredited for version 4.0, compliance with version 3.2.0 is still required in the meantime.
PCI-DSS v4.0 adds many new requirements across all categories, covering logging and monitoring, authentication, vulnerability scanning, and more. That is why it makes sense that the PCI SSC (the PCI Security Standards Council) granted companies two years to become compliant.
For instructions on implementing the requirements using Cyscale controls, this guide has all the steps you need.
NIST: Version 2.0 arrives
The long-awaited NIST Cybersecurity Framework 2.0 will be out this year, and we're excited about it! NIST released the first version of the framework in 2014 and updated it in 2018 to what it is now – version 1.1. It's been five years – a long time coming.
During 2023 multiple drafts were released, and the final CSF 2.0 is expected to be ready in early 2024.
Source: https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20, Credit: Kristina Rigopoulos
According to NIST, the new version will set out to:
- expand the current scope,
- add a sixth function, Govern, which covers decision-making around cybersecurity in terms of people, processes, and technology, and relates to the five other functions: Identify, Protect, Detect, Respond, and Recover (to read about the other functions, read our detailed article on NIST),
- improve the guidance on implementing the CSF.
HITRUST: Setting the standard in healthcare
The most recent version of HITRUST (11.2.0) was released in November of 2023. It contains 14 control categories, divided into 49 objectives with 156 control references. Control references are requirements and best practices.
HITRUST is a framework for securing and managing information in the healthcare industry. This comprehensive framework regulates how healthcare providers and other health businesses handle sensitive data, store it and protect it. Let’s just say it’s HIPAA’s big sister, with a whopping 516 pages that seem very intimidating in terms of implementation, but with benefits in terms of credibility and assurance that are not to be underestimated.
2024: A busy year for cloud compliance professionals
As is now typical, 2024 is going to be another busy year for compliance. As adoption of the cloud grows, so do the rules and regulations governing its usage. Along with the updates to standards listed above, we cannot ignore the steps taken by the Securities and Exchange Commission last year, pushing for US companies to disclose cybersecurity incidents they experience along with material information regarding their cybersecurity risk management, strategy, and governance.
Other regions should take note because the SEC also adopted rules requiring foreign private issuers to make comparable disclosures. We are likely to see more regulatory developments that put CISOs and other security and compliance leaders in the spotlight of responsibility.
Manage your cloud compliance posture
Find out how Cyscale can help you keep up with the continuous changes in the cybersecurity landscape and achieve (and maintain) compliance with less stress. Cyscale provides support for all of the frameworks mentioned in this article, as well as ISO 27001, SOC 2, GDPR, HIPAA, MAS TRM, and more.
Cloud Security Analyst at Cyscale
Sabrina Lupsan merges her academic knowledge in Information Security with practical research to analyze and strengthen cloud security. At Cyscale, she leverages her Azure Security Engineer certification and her Master's in Information Security to keep the company's services at the leading edge of cybersecurity developments.