TECHNOMATON | Docs

SaaS and Cloud Services

Compliance requirements for SaaS platforms and cloud services.


Sector Profile

| Attribute | Value |
|---|---|
| AI Act impact | HIGH |
| NIS2 category | Essential (Annex I — Digital Infrastructure) |
| GDPR impact | HIGH |
| Typical size | 10-500 employees |
| Typical revenue | EUR 1M - EUR 100M |

AI Act for SaaS

Typical AI Systems

| System | Classification | Obligations |
|---|---|---|
| Recommendation engine | Low/Medium | Transparency |
| Fraud detection | Medium | DPIA, monitoring |
| Customer support chatbot | Medium | Label as AI |
| Content moderation | Medium | Transparency |
| Predictive analytics | Low | Minimal |

GPAI Usage (Claude, GPT-4)


NIS2 for SaaS

Scope Determination

| Service type | NIS2 Annex | Category | Obligations |
|---|---|---|---|
| Cloud computing | Annex I | Essential | HIGHER obligations |
| DNS provider | Annex I | Essential | HIGHER obligations |
| Online marketplace | Annex II | Important | LOWER obligations |
| Search engine | Annex II | Important | LOWER obligations |
| SaaS (other) | Depends on criticality | Depends on service criticality | |

ISMS Requirements

| Control | Requirement | Priority |
|---|---|---|
| Encryption at rest | AES-256 for all data | Critical |
| Encryption in transit | TLS 1.3 for all APIs | Critical |
| MFA | For all admin accounts | Critical |
| Access logging | SIEM, 1-year retention | Critical |
| Backup | Daily, tested monthly | Critical |
| Patch management | <30 days for critical | High |
| Penetration testing | 1-2x annually | High |
| ISO 27001 | Recommended | High |

Incident Response SLA

| Severity | Response Time | Notification |
|---|---|---|
| Critical | 1h | National CSIRT 24h |
| High | 4h | National CSIRT 72h |
| Medium | 24h | Internal |
| Low | 72h | Internal |

GDPR for SaaS

Roles

Key Obligations

| Area | Obligation | Status |
|---|---|---|
| ROPA | Documentation of all processing activities | Required |
| DPA | Agreements with cloud providers | Required |
| DSAR | Workflow for data subject rights | Required |
| Breach | 72h notification | Required |
| Privacy Policy | Clear, complete | Required |
| Cookie consent | GDPR-compliant banner | Required |

Multi-tenancy Specifics


Checklist for SaaS

Weeks 1-2 (Audit & Scope)

  • Determine NIS2 category (Essential/Important/Out)
  • AI inventory (internal + third-party)
  • GDPR data mapping

Months 1-3 (Planning)

  • Risk assessment (NIS2 + AI Act)
  • ISMS roadmap
  • DPA update with all vendors

Months 3-6 (Implementation)

  • Technical controls (encryption, MFA, logging)
  • DSAR workflow
  • Incident Response Plan

Months 6-12 (Certification)

  • ISO 27001 audit
  • Penetration testing
  • AI documentation complete

Typical Costs

| Item | Estimate |
|---|---|
| ISMS setup (CISO consultant) | EUR 20-40k |
| ISO 27001 certification | EUR 30-50k |
| Legal review (DPA, policies) | EUR 10-20k |
| Penetration testing | EUR 5-15k/year |
| Compliance tooling | EUR 5-15k/year |
| Total Y1 | EUR 70-140k |

Resources