Compliance in multi-cloud, multi-jurisdiction environments: Navigating the regulatory maze in 2025

CybersecurityHQ Report - Pro Members

Welcome reader to a 🔒 pro subscriber-only deep dive 🔒.

Brought to you by:

👉 Cypago - Cyber governance, risk management, and continuous control monitoring in a single platform

🧠 Ridge Security - The AI-powered offensive security validation platform


Executive Summary

89% of enterprises now use multiple cloud providers, with 73% employing hybrid public-private strategies according to Orca's 2024 Cloud Security Strategies Report.

This whitepaper examines regulatory compliance challenges for organizations using multiple cloud platforms across international jurisdictions in 2025. We cover:

  • The current regulatory landscape

  • Key compliance challenges

  • Strategies for governance frameworks

  • Implementing consistent controls

  • Automation opportunities

  • Building resilient compliance architectures

With proper implementation of these frameworks and practices, enterprises can leverage cloud innovations while maintaining regulatory compliance, protecting sensitive data, and reducing risks across global operations.

1. Introduction: The Multi-Cloud Reality

1.1 The Acceleration of Multi-Cloud Adoption

Organizations across industries have embraced multi-cloud environments at an unprecedented pace. This shift is driven by several compelling business imperatives:

  • Business Resilience: Distributing workloads across multiple providers enhances operational continuity and reduces single points of failure.

  • Best-of-Breed Capabilities: Each cloud provider offers unique strengths and specialized services that organizations can strategically leverage.

  • Cost Optimization: Strategic workload placement allows organizations to optimize spending and take advantage of competitive pricing.

  • Global Presence: Multiple cloud providers offer expanded geographic coverage to serve customers effectively worldwide.

  • Vendor Risk Mitigation: Reducing dependency on a single provider protects against vendor lock-in and service disruptions.

Every major industry has joined this transition. Financial institutions leverage multi-cloud architectures to enhance operational resilience and comply with regulations that increasingly mandate business continuity provisions. Healthcare providers distribute patient data across clouds to maintain proximity to users while meeting stringent privacy requirements. Technology companies deploy services on multiple platforms to ensure global reach and satisfy diverse client compliance needs.

1.2 The Compliance Complexity Challenge

The flexibility and innovation enabled by multi-cloud architectures come with significant complexity in regulatory compliance. Unlike the relative simplicity of managing a single on-premises data center where one set of laws primarily applies, data in multi-cloud environments can be stored and processed in multiple jurisdictions simultaneously, triggering a cascade of overlapping and sometimes conflicting regulatory requirements.

This complexity manifests in several fundamental challenges:

  • Regulatory Fragmentation: Organizations must track and comply with dozens of regulatory regimes simultaneously, each with unique requirements and enforcement mechanisms.

  • Jurisdictional Conflicts: Laws from different regions may impose contradictory obligations, creating compliance dilemmas with no perfect solution.

  • Visibility Challenges: Maintaining comprehensive visibility across heterogeneous cloud environments requires sophisticated tools and processes.

  • Control Inconsistencies: Implementing uniform controls across diverse platforms with different security models demands significant expertise.

  • Supply Chain Complexity: Each cloud provider brings its own ecosystem of subprocessors and third-party services that must be managed.

Regulators have also intensified their focus on cloud usage, recognizing its systemic importance. Financial regulators increasingly treat cloud concentration as a potential stability risk, encouraging multi-cloud adoption while demanding rigorous risk management. The Digital Operational Resilience Act (DORA), coming into full effect in January 2025, exemplifies this trend by bringing critical ICT third-party providers (including major cloud services) under direct regulatory oversight in the EU financial sector.

1.3 The Stakes for Organizations

The consequences of non-compliance have never been higher:

  • Financial Penalties: Regulations like GDPR impose fines reaching €20 million or 4% of global revenue for serious violations.

  • Operational Disruptions: Regulators can suspend services or issue cease-and-desist orders that interrupt business operations.

  • Litigation Exposure: Non-compliance increases vulnerability to customer lawsuits and class-action litigation.

  • Reputational Damage: Compliance failures erode customer trust and brand reputation, often with lasting effects.

  • Executive Accountability: Increasingly, regulations impose personal liability on executives for compliance failures.

These risks have elevated multi-cloud compliance from a technical concern to a board-level strategic priority requiring executive attention and governance oversight.

2. The Evolving Regulatory Landscape

2.1 Data Protection and Privacy Regulations

The global regulatory environment continues to grow more complex, with data protection laws proliferating worldwide. By 2025, over 150 countries have implemented some form of data protection legislation, creating a patchwork of requirements that multi-cloud operations must navigate.

2.1.1 Global Data Protection Framework Evolution

The EU's General Data Protection Regulation (GDPR) remains the global standard for data protection, influencing legislation worldwide. Enforcement continues aggressively, with EU authorities imposing €1.2 billion in fines during 2024. Key provisions that directly impact multi-cloud architectures include requirements for data protection by design and default, 72-hour breach notification timelines, data subject rights, strict cross-border transfer restrictions, and data protection impact assessments.

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) have been fully implemented, with active enforcement focusing increasingly on third-party processors, including cloud providers. Other U.S. states have implemented similar but not identical laws, creating a de facto U.S. privacy patchwork.

Many countries have adopted GDPR-influenced laws with unique variations:

  • Brazil's LGPD (Lei Geral de Proteção de Dados)

  • China's PIPL (Personal Information Protection Law)

  • India's DPDP Act (Digital Personal Data Protection Act)

  • Saudi Arabia's PDPL (Personal Data Protection Law)

  • Japan's amended APPI (Act on Protection of Personal Information)

Each law has unique requirements affecting multi-cloud operations, from varying consent mechanisms to specific data localization mandates.

2.2 Industry-Specific Regulations

Beyond general data protection frameworks, sector-specific regulations add additional layers of complexity for organizations in regulated industries.

2.2.1 Financial Services

Financial institutions face particularly stringent requirements for cloud operations:

  • DORA (EU Digital Operational Resilience Act): Fully effective January 2025, DORA mandates comprehensive ICT risk management for financial organizations and brings critical ICT third-party providers under direct regulatory oversight. Financial institutions must ensure robust operational resilience for all ICT systems, including multi-cloud environments.

  • Banking Cloud Guidelines: Banking authorities globally have issued specific guidelines addressing cloud outsourcing, requiring exit strategies, concentration risk management, and continuous compliance monitoring.

  • Operational Resilience Frameworks: Financial regulators increasingly require operational resilience assessments that specifically include cloud dependencies and require demonstrable recovery capabilities.

2.2.2 Healthcare

Health data in the cloud faces strict regulatory requirements:

  • HIPAA: Recent updates have strengthened security requirements, making encryption mandatory for protected health information in transit and at rest, with requirements for regular vulnerability scans including cloud assets.

  • International Health Data Regulations: Various countries have implemented specialized healthcare data protection laws with specific provisions for cloud-hosted health information.

  • Telehealth Regulations: As healthcare increasingly moves to virtual settings, regulators have focused on cloud security for telehealth and remote care platforms.

2.2.3 Critical Infrastructure

Organizations operating critical infrastructure face emerging cloud-specific requirements:

  • NIS2 Directive: Effective October 2024, the EU's Network and Information Security Directive 2 broadens cybersecurity requirements to more sectors and explicitly includes cloud service providers as "essential" entities subject to regulatory supervision.

  • U.S. Critical Infrastructure Directives: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued directives with specific provisions for cloud security in critical infrastructure sectors.

  • Energy Sector Regulations: Regulators in the energy sector have increasingly addressed cloud security requirements for operational technology interfaces and grid management systems.

2.3 Data Sovereignty and Localization

Data sovereignty concerns have intensified significantly in recent years, adding another layer of complexity to multi-cloud compliance.

2.3.1 Localization Mandates

Approximately 75% of countries now enforce some form of data localization requirement, mandating that certain types of data be stored within national borders:

  • China's Cybersecurity Framework: China's CSL, DSL, and PIPL require certain data (personal information, "important data") to be stored within China with security assessments required for cross-border transfers.

  • Russia's Data Law: This legislation mandates that personal data of Russian citizens be stored on servers physically located in Russia.

  • Middle East Regulations: Saudi Arabia's PDPL and UAE's Data Protection Law have implemented data residency clauses for sensitive information.

  • Southeast Asian Requirements: Vietnam and Indonesia have enacted localization requirements for certain services and data types.

These requirements directly impact multi-cloud architectures, often requiring region-specific deployments and careful data flow management.

2.3.2 Cross-Border Transfer Mechanisms

Organizations operating multi-cloud environments must navigate evolving mechanisms for legal cross-border data transfers:

  • EU-US Data Privacy Framework: Implemented in 2023 to facilitate transatlantic data flows following the invalidation of previous mechanisms, though still subject to legal challenges.

  • Standard Contractual Clauses (SCCs): Updated clauses requiring transfer impact assessments and additional safeguards based on destination country risks.

  • Binding Corporate Rules (BCRs): Increasingly important for global organizations transferring data between corporate entities.

  • Regional Frameworks: Emerging mechanisms such as the APEC Cross-Border Privacy Rules (CBPR) are gaining adoption in Asia-Pacific regions.

2.3.3 Sovereign Cloud Development

In response to data sovereignty concerns, major cloud providers have developed "sovereign cloud" solutions:

  • Localized Partnerships: Cloud providers partnering with local operators to meet residency requirements while maintaining service capabilities.

  • Technical Guarantees: Implementing technical and contractual guarantees about data location, access controls, and encryption.

  • Operational Segregation: Providing local support staff and segregated operations in sensitive regions to satisfy sovereignty requirements.

These solutions offer potential compliance pathways but often involve trade-offs in functionality, cost, or performance.

Subscribe to CybersecurityHQ Newsletter to unlock the rest.
