Skip to main content
All scenarios

SaaS / Cloud Platform

You process other people's data? That changes everything.

SaaS platforms are data processors under GDPR and potential essential/important entities under NIS2. You need DPAs, incident response, and potentially sector-specific compliance.

Reality check

If your largest customer asked for your SOC 2 report and Data Processing Agreement today, could you deliver?

GDPR (General Data Protection Regulation)

mandatory Art. 28, Art. 30(2), Art. 32, Art. 33(2)

Your obligations

  • Data Processing Agreement (Art. 28) for every customer
  • Sub-processor management and notification
  • Data breach notification to controllers without undue delay
  • Technical and organisational measures documented (Art. 32)
  • Data Protection Impact Assessment if high-risk processing
  • Records of processing as processor (Art. 30(2))

SiteGuardian monitors this

  • TLS/HTTPS encryption monitoring
  • Automated cookie consent detection
  • Security headers analysis
  • Email transport encryption checks
  • Breach notification SLA tracking (72h)
  • Digital DPA/AVV signing

Risk if ignored

Loss of enterprise customers who require DPAs. Joint liability with controllers. Fines up to 4% turnover.

NIS2 Directive (Cybersecurity)

mandatory Art. 21, Art. 23

Your obligations

  • Cloud computing providers are essential entities
  • Risk management measures (Art. 21) mandatory
  • Incident reporting: 24h early warning, 72h notification
  • Supply chain security for dependencies
  • Management body accountability

SiteGuardian monitors this

  • 24h/72h/1m incident reporting SLA
  • DNSSEC and DNS security monitoring
  • Security headers and TLS enforcement
  • Uptime and availability monitoring
  • Supply chain risk scoring
  • Incident auto-classification (NIS2 Art. 23)

Risk if ignored

Cloud/SaaS providers explicitly in NIS2 scope. Fines up to €10M. Management personal liability.

Cyber Resilience Act (CRA)

conditional Art. 10, Art. 11, Art. 13

Your obligations

  • Security by design for products with digital elements
  • Vulnerability handling and disclosure obligations
  • Security updates for the product's expected lifetime
  • Software Bill of Materials (SBOM) provision

SiteGuardian monitors this

  • TLS version and cipher suite monitoring
  • Security headers enforcement checks
  • Certificate chain and expiry validation

Risk if ignored

Products banned from EU market. Fines up to €15M or 2.5% of global turnover.

European Accessibility Act (EAA)

mandatory Art. 4, Art. 13, Art. 31

Your obligations

  • WCAG 2.2 AA for all user-facing interfaces
  • Accessible documentation and onboarding
  • Alternative access methods for disabled users

SiteGuardian monitors this

  • WCAG 2.2 Level AA conformance auditing
  • Automated accessibility scoring
  • Violation severity breakdown and remediation hints
  • Daily accessibility scans

Risk if ignored

B2B SaaS used by employees covered under EAA. Public sector procurement requires accessibility.

Does this apply to you?

If you answer yes to 2 or more, these regulations very likely apply to your business.

See where you stand

Our free scanner checks your website's security posture, SSL, headers, email authentication, and more. No account needed.

Scan your platform's security
View all scenarios · EU Regulatory Directory · Compliance Plan

This page provides general information about EU regulatory frameworks. It does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation. SiteGuardian documents your monitoring continuously — compliance is your organisation's responsibility.