Security and Compliance Frameworks¶
CloudTaser provides technical controls that map to requirements across EU, national and industry compliance frameworks. This page is a directory of every framework CloudTaser helps satisfy; select any framework for the detailed control mapping. The mappings cover the technical requirements only: every framework listed here also demands organisational measures (policies, risk assessments, contracts, training) that no product supplies, so treat each mapping as evidence for an auditor, not as a compliance claim.
At a Glance¶
| Framework | Scope | Who Must Comply | CloudTaser Relevance |
|---|---|---|---|
| GDPR / Schrems II | Data protection, international transfers | All EU data controllers and processors | Supplementary measures for US cloud usage |
| DORA | Digital operational resilience | EU financial entities (banks, insurers, payment firms) | ICT risk management, third-party provider controls |
| NIS2 | Cybersecurity for essential/important entities | Energy, transport, health, digital infrastructure, ICT services | Risk management, incident detection, supply chain security |
| EU Data Act | Data portability, cloud switching, safeguards | Cloud service providers and customers | Technical measures against non-EU government access |
| PCI DSS 4.0 | Payment card data security | Any entity storing/processing/transmitting cardholder data | Key management, encryption, access control |
| ISO 27001:2022 | Information security management | Any organization (voluntary, often contractually required) | 13+ Annex A controls |
| SOC 2 Type II | Trust services criteria | SaaS providers, service organizations | Logical access (CC6), system operations and monitoring (CC7), confidentiality |
| German C5 | Cloud computing compliance criteria | Cloud providers serving German public sector and enterprises | EU key control, encryption, access monitoring |
| French SecNumCloud | Cloud security qualification | Cloud providers serving French government and sensitive sectors | Data residency, immunity from non-EU laws |
| BIO | Dutch government information security baseline | Dutch government agencies and their suppliers | Encryption, access control, monitoring |
| DNB Guidelines | Outsourcing and cloud usage for financial institutions | Dutch banks, insurers, pension funds | Third-party risk, data access controls |
| EDPB 01/2020 | Supplementary measures for international transfers | Data exporters to third countries | Technical measures ensuring data protection |
EU-Wide Frameworks¶
GDPR / Schrems II¶
- Full name: General Data Protection Regulation (Regulation (EU) 2016/679)
- Schrems II: CJEU judgment in Case C-311/18 (16 July 2020)

The foundational EU data protection regulation. Schrems II invalidated the EU-US Privacy Shield and held that exporters relying on Standard Contractual Clauses must assess, case by case, whether the law of the importing country undermines those clauses and, where it does, adopt supplementary measures; for US cloud providers the concern is compelled government access to data the provider can read. The EU-US Data Privacy Framework adequacy decision (July 2023) has since restored a transfer basis for certified US companies, but supplementary technical measures remain relevant for transfers that rely on SCCs and as a hedge against future litigation over adequacy.
CloudTaser provides:
- Secrets never enter storage the US provider controls (etcd, node disk, the Kubernetes Secrets API)
- `memfd_secret` keeps secret pages out of the kernel direct map and out of swap, so they cannot be read through /proc/PID/mem or ptrace memory reads, which closes the usual root and debugger path; with SEV-SNP the same pages are also opaque to the hypervisor. A root user who can load kernel modules or single-step the process is outside the threat model this addresses
- EU-hosted vault ensures encryption keys remain under EU jurisdiction
- `cloudtaser audit` generates Article 30 Records of Processing evidence
:octicons-arrow-right-24: Full GDPR / Schrems II mapping
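The `memfd_secret` property above is the one most worth verifying on your own node kernel, because it depends on a boot-time setting rather than on the application. The program below is an added illustration of the primitive, not CloudTaser's wrapper code: it allocates a page with memfd_secret(2), writes a constructed sample token into it, and then tries to read the bytes back through /proc/self/mem, the same interface a root shell or debugger would use. On a kernel with secretmem available (Linux 5.14+, CONFIG_SECRETMEM, and on most distributions `secretmem.enable=1` on the kernel command line) the read is refused with EIO; where the syscall is unavailable it falls back to the mlock + MADV_DONTDUMP pattern the BIO table later on this page refers to, and reports that the bytes stay readable. The names `secret_buf`, `secret_alloc`, `probe_proc_mem` and `run_demo` are this example's own.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447   /* same number on every Linux architecture (added in 5.14) */
#endif

/* One page-rounded region for material that must not be readable from outside the process. */
struct secret_buf {
    unsigned char *ptr;   /* start of the mapping */
    size_t len;           /* mapped length, rounded up to whole pages */
    int fd;               /* memfd_secret descriptor, or -1 in fallback mode */
    int secretmem;        /* 1 when backed by memfd_secret, 0 when using the mlock fallback */
    int locked;           /* fallback only: 1 if mlock succeeded */
    int memfd_errno;      /* fallback only: why memfd_secret failed (ENOSYS, EPERM, ...) */
};

/* Prefer memfd_secret(2): its pages leave the kernel direct map and are refused by
 * get_user_pages, so /proc/PID/mem, ptrace peeks and swap cannot reach them. If the
 * syscall fails (old kernel, CONFIG_SECRETMEM off, secretmem.enable=1 missing, or a
 * seccomp profile returning EPERM) fall back to locked, non-dumpable anonymous memory
 * and let the caller decide via .secretmem whether that weaker guarantee is acceptable. */
static int secret_alloc(struct secret_buf *b, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    memset(b, 0, sizeof *b);
    b->fd = -1;
    b->len = (want + page - 1) / page * page;

    int fd = (int)syscall(SYS_memfd_secret, (unsigned int)FD_CLOEXEC);
    if (fd >= 0) {
        void *p = MAP_FAILED;   /* secretmem is sized with ftruncate and must be MAP_SHARED */
        if (ftruncate(fd, (off_t)b->len) == 0)
            p = mmap(NULL, b->len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (p == MAP_FAILED) {  /* e.g. RLIMIT_MEMLOCK too low: fail loudly, never degrade silently */
            close(fd);
            return -1;
        }
        b->ptr = p;
        b->fd = fd;
        b->secretmem = 1;
        return 0;
    }
    b->memfd_errno = errno;

    void *p = mmap(NULL, b->len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    b->locked = (mlock(p, b->len) == 0);        /* keep the pages out of swap */
    (void)madvise(p, b->len, MADV_DONTDUMP);    /* and out of core files */
    b->ptr = p;
    return 0;
}

/* Wipe, then unmap. explicit_bzero is not optimised away like a memset right before munmap. */
static void secret_free(struct secret_buf *b)
{
    if (!b->ptr)
        return;
    explicit_bzero(b->ptr, b->len);
    munmap(b->ptr, b->len);
    if (b->fd >= 0)
        close(b->fd);
    memset(b, 0, sizeof *b);
    b->fd = -1;
}

/* Read the buffer back through /proc/self/mem, the path a root shell or debugger uses.
 * Returns 0 if n bytes came back, -1 if the kernel refused (EIO for secretmem pages). */
static int probe_proc_mem(const struct secret_buf *b, unsigned char *out, size_t n)
{
    int fd = open("/proc/self/mem", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t r = pread(fd, out, n, (off_t)(uintptr_t)b->ptr);
    close(fd);
    return r == (ssize_t)n ? 0 : -1;
}

/* 0: memfd_secret used and the /proc/self/mem read was refused (the advertised property holds).
 * 1: secretmem unavailable, mlock fallback used; a privileged reader can still see the bytes.
 * -1: allocation failed, or secretmem was used yet the bytes were readable (guarantee broken). */
int run_demo(void)
{
    static const unsigned char token[] = "constructed-sample-token-0123456789"; /* constructed, not a real credential */
    unsigned char leaked[sizeof token];
    struct secret_buf b;

    if (secret_alloc(&b, sizeof token) != 0)
        return -1;
    memcpy(b.ptr, token, sizeof token);
    if (memcmp(b.ptr, token, sizeof token) != 0) {  /* the owning process still reads it normally */
        secret_free(&b);
        return -1;
    }
    int readable = (probe_proc_mem(&b, leaked, sizeof token) == 0);
    int rc = b.secretmem ? (readable ? -1 : 0) : 1;
    secret_free(&b);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        puts("memfd_secret: /proc/self/mem read refused, as expected");
    else if (rc == 1)
        puts("secretmem unavailable: mlock fallback in use, bytes remain readable via /proc/self/mem");
    else
        puts("error or broken guarantee");
    return rc < 0;
}
```

Run it once on each node image before relying on the property: a fallback result means the gap is in the kernel configuration, and the fix is a boot parameter rather than application code. Note that secretmem pages count against RLIMIT_MEMLOCK, so a container with a tight memlock limit fails at mmap time, which this code reports rather than papering over.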
DORA¶
- Full name: Digital Operational Resilience Act (Regulation (EU) 2022/2554)
- Applies from: 17 January 2025
- Who: Banks, insurance companies, investment firms, payment institutions, crypto-asset service providers
DORA requires financial entities to implement ICT risk management frameworks, incident reporting, resilience testing, and third-party provider risk management.
CloudTaser provides:
- ICT risk quantification via protection scores
- eBPF-based incident detection and response (19+ attack vectors)
- Technical controls that keep plaintext secrets out of the cloud provider's reach, shrinking the ICT third-party risk that DORA Chapter V requires you to assess and contract for
- `cloudtaser audit` produces DORA Article 6 risk assessment evidence
:octicons-arrow-right-24: Full DORA mapping
NIS2¶
- Full name: Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2)
- Transposition deadline: 17 October 2024
- Who: Essential entities (energy, transport, banking, health, digital infrastructure) and important entities (postal, waste, chemicals, food, manufacturing, digital providers)
CloudTaser provides:
- Risk management measures (Article 21) via protection scores and audit reports
- Incident detection through eBPF event generation
- Supply chain security by eliminating cloud provider secret access
- Cryptography and encryption policy enforcement
:octicons-arrow-right-24: Full NIS2 mapping
EU Data Act¶
- Full name: Regulation on harmonised rules on fair access to and use of data (Regulation (EU) 2023/2854)
- Applies from: 12 September 2025

The EU Data Act includes provisions requiring providers of data processing services (cloud and edge) to guard against non-EU government access. Article 32 obliges providers to take all adequate technical, organisational and legal measures to prevent third-country governmental access to, or transfer of, non-personal data held in the Union where that access would conflict with EU or Member State law. Personal data stays under the GDPR regime above; the Data Act obligation sits on the provider, so customer-side controls count as the provider's contractual and technical supplement rather than as direct compliance.
CloudTaser provides:
- Technical measures preventing data access regardless of legal demands on the cloud provider
- EU-hosted key management under EU jurisdiction
- Client-side encryption for data at rest (S3 proxy)
- Process-level memory isolation for data in use
EDPB Recommendations 01/2020¶
- Full name: European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (final version adopted 18 June 2021)
The EDPB provides guidance on which supplementary measures are effective when transferring data to countries without adequate data protection (including the US).
CloudTaser provides:
- Use Case 1 (storage with the importer unable to access data in the clear): secrets and encryption keys stay in the EU-hosted vault with the keys held solely by the exporter, so nothing resting in US storage is decryptable by the provider
- Use Case 2 (transfer of pseudonymised data): pseudonymisation keys are fetched from the EU vault and confined to protected process memory
- Use Cases 6 and 7 (cloud processing or remote access that requires data in the clear): the EDPB identified no technical measure it considered effective. The model on this page, vault in the EU and processing on US infrastructure with memory isolation, falls into this category, so a transfer impact assessment has to argue the memfd_secret and SEV-SNP controls on their merits rather than cite an EDPB-endorsed measure
Industry Standards¶
PCI DSS 4.0¶
- Full name: Payment Card Industry Data Security Standard v4.0 (now published as the v4.0.1 editorial revision; v4.0 was retired on 31 December 2024)
- Effective: 31 March 2025 for the future-dated requirements; all other v4 requirements since 31 March 2024
- Who: Any entity storing, processing, or transmitting cardholder data
CloudTaser provides:
| PCI DSS Requirement | CloudTaser Measure |
|---|---|
| Req 3: Protect stored account data | Cardholder data keys stored in EU vault, injected into memory only. S3 proxy encrypts stored data with AES-256-GCM |
| Req 4: Protect data in transit | TLS/mTLS for all vault communication |
| Req 6: Develop secure systems | `cloudtaser validate` and `cloudtaser discover` identify insecure secret handling in CI/CD |
| Req 7: Restrict access to system components | eBPF enforces process-level access control; only authorized pods access secrets |
| Req 8: Identify users and authenticate | Vault Kubernetes auth binds secrets to pod identity (ServiceAccount + namespace) |
| Req 10: Log and monitor all access | eBPF generates security events for all secret access attempts |
| Req 12: Support information security with policies | Protection scores and audit reports provide policy enforcement evidence |
ISO 27001:2022¶
- Full name: ISO/IEC 27001:2022 Information security management systems — Requirements
- Who: Any organization (often contractually required by enterprise customers)
CloudTaser supports 13+ Annex A controls covering cryptography, access control, data leakage prevention, network security, and configuration management.
:octicons-arrow-right-24: Full ISO 27001 mapping
SOC 2 Type II¶
- Full name: System and Organization Controls (SOC) 2, Type II report (AICPA; formerly "Service Organization Control")
- Who: SaaS providers, cloud service organizations, managed service providers

CloudTaser supports Trust Services Criteria in CC6 (logical and physical access controls) and CC7 (system operations, including monitoring and incident response), which in turn underpin the Confidentiality category (C1). A Type II report attests to operating effectiveness over a review period, so eBPF events and audit reports must be retained for the whole window, not just produced at audit time.
:octicons-arrow-right-24: Full SOC 2 mapping
National Frameworks¶
German C5¶
- Full name: Cloud Computing Compliance Criteria Catalogue (C5:2020)
- Issued by: BSI (Federal Office for Information Security, Germany)
- Who: Cloud providers serving German public sector and regulated enterprises
The C5 catalogue defines baseline security requirements for cloud providers. CloudTaser addresses key C5 domains:
| C5 Domain | Control Area | CloudTaser Measure |
|---|---|---|
| CRY | Cryptography and key management | EU-hosted vault with sole key control. AES-256-GCM for storage. TLS for transit |
| IDM | Identity and access management | Vault Kubernetes auth ties secrets to pod identity. eBPF blocks unauthorized access |
| OPS | Operational processes | Protection scores, audit reports, automated validation via CLI |
| LOG | Logging and monitoring | eBPF event generation for all secret access attempts with SIEM integration |
| PHY | Physical security | Confidential computing (AMD SEV-SNP) encrypts guest memory, so a physical or hypervisor-level read of host RAM yields ciphertext; this complements, and does not replace, the provider's own data-centre controls |
| SPN | Supply chain management | Cloud provider never holds plaintext secrets or keys, removing it from the trust boundary for secret data |
French SecNumCloud¶
- Full name: Référentiel SecNumCloud v3.2
- Issued by: ANSSI (Agence nationale de la sécurité des systèmes d'information, France's national cybersecurity agency)
- Who: Cloud providers serving French government, defense, and critical infrastructure
SecNumCloud requires cloud providers to demonstrate immunity from non-EU extraterritorial laws. CloudTaser provides the technical layer:
| SecNumCloud Requirement | CloudTaser Measure |
|---|---|
| Immunity from non-EU laws | Technical enforcement: cloud provider cannot access secrets regardless of legal compulsion |
| EU data residency | Vault and encryption keys hosted in EU. Secrets never persist outside process memory |
| Encryption key control | EU entity operates vault. Cloud provider has no key access |
| Access logging | eBPF generates tamper-evident logs of all secret access attempts |
SecNumCloud is primarily a provider qualification: ANSSI qualifies cloud providers, not their customers. CloudTaser helps customers achieve comparable protection properties on providers that do not hold the qualification (AWS, GCP, Azure) through technical controls rather than provider qualification; it does not make a workload SecNumCloud-qualified, and procurement rules that require the qualification itself are not met by it.
BIO (Netherlands)¶
- Full name: Baseline Informatiebeveiliging Overheid
- Issued by: Dutch government (CIP/BIO framework)
- Who: Dutch national and local government agencies and their suppliers

BIO is based on ISO 27001/27002 with additional controls specific to Dutch government; the control numbers below follow the ISO/IEC 27002:2013 scheme that BIO uses. CloudTaser addresses:
| BIO Control Area | CloudTaser Measure |
|---|---|
| Encryption (10.1) | memfd_secret + mlock for secrets in use; S3 proxy AES-256-GCM for secrets at rest |
| Access control (9.x) | eBPF enforcement blocks all unauthorized access to protected process memory |
| Logging and monitoring (12.4) | eBPF events, protection score monitoring, cloudtaser audit |
| Supplier relationships (15.x) | Technical controls eliminating cloud provider access to government secrets |
| Communications security (13.x) | TLS/mTLS for vault communication; NetworkPolicies for network isolation |
DNB Guidelines (Netherlands)¶
- Full name: De Nederlandsche Bank Good Practices for Information Security / Cloud Outsourcing
- Who: Dutch banks, insurers, pension funds under DNB supervision
DNB's guidance on cloud outsourcing requires financial institutions to maintain control over data and ensure the cloud provider cannot access sensitive information.
| DNB Requirement | CloudTaser Measure |
|---|---|
| Data access control | Cloud provider never holds plaintext secrets or encryption keys |
| Risk management for third-party providers | Protection scores quantify residual risk; eBPF provides runtime enforcement |
| Exit strategy feasibility | CloudTaser is cloud-agnostic; secrets are in a portable EU vault, not locked to any provider |
| Regulatory access to data | EU vault under EU legal entity ensures regulatory access is governed by EU law |
Framework Coverage Matrix¶
Which CloudTaser components contribute to which frameworks:
| Component | GDPR | DORA | NIS2 | PCI DSS | ISO 27001 | SOC 2 | C5 | SecNumCloud | BIO | DNB |
|---|---|---|---|---|---|---|---|---|---|---|
| Operator | Art.32 | Art.7 | Art.21(e) | Req 6 | A.8.9 | CC6.3 | OPS | | 12.4 | |
| Wrapper | Art.32 | Art.9 | Art.21(h) | Req 3,7 | A.8.24 | CC6.1 | CRY | Key control | 10.1 | Data access |
| eBPF | Art.32 | Art.10,11 | Art.21(b) | Req 10 | A.8.12 | CC6.6 | LOG | Access logging | 12.4 | Risk mgmt |
| S3 Proxy | Art.32 | Art.9 | Art.21(h) | Req 3,4 | A.8.24 | CC6.7 | CRY | Data residency | 10.1 | Data access |
| CLI | Art.30 | Art.6,8 | Art.21(a) | Req 12 | A.8.9 | CC7.3 | OPS | | 12.4 | Risk mgmt |
:octicons-arrow-right-24: Ultimate Protection | :octicons-arrow-right-24: Detailed Control Mapping