As organizations accelerate their digital transformation and embrace artificial intelligence (AI) across industries, the regulatory landscape is evolving just as rapidly. From financial resilience to responsible AI governance, enterprises are under increasing pressure to demonstrate compliance with a growing number of global standards across multiple cloud platforms.
At Microsoft, we are committed to helping customers meet these challenges with integrated, scalable, and intelligent security solutions. Today, we’re excited to announce the public preview of four new regulatory frameworks in Microsoft Defender for Cloud. These frameworks are now available across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), further expanding our multicloud compliance capabilities.
What’s New in Public Preview
The following regulatory frameworks are now supported in Microsoft Defender for Cloud:
- Digital Operational Resilience Act (DORA)
- European Union Artificial Intelligence Act (EU AI Act)
- Korean Information Security Management System for Public Cloud (k-ISMS-P)
- Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark v3.0
Each of these frameworks addresses a critical area of modern cloud security and compliance. Let’s explore what they are, why they matter, and how Defender for Cloud helps you stay ahead.
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act is a groundbreaking regulation from the European Union aimed at strengthening the digital resilience of financial institutions. DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, and third-party ICT providers, and requires these organizations to be able to withstand, respond to, and recover from all types of ICT-related disruptions and threats.
Why DORA Matters
In today’s interconnected financial ecosystem, operational disruptions can have cascading effects across markets and geographies. DORA introduces a unified regulatory framework that emphasizes:
- Rigorous ICT risk management
- Incident reporting and response
- Digital operational resilience testing
- Oversight of third-party ICT service providers
With Defender for Cloud, organizations can now assess their compliance posture against DORA requirements, identify gaps, and implement recommended controls across Azure, AWS, and GCP. This helps financial institutions not only meet regulatory obligations but also build a more resilient digital infrastructure.
European Union Artificial Intelligence Act (EU AI Act)
The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence. It introduces a risk-based classification system for AI systems, ranging from minimal to unacceptable risk, and imposes strict obligations on providers and users of high-risk AI applications.
Why the EU AI Act Matters
As AI becomes embedded in critical decision-making processes, from healthcare diagnostics to financial services, governments and regulators are stepping in to ensure these systems are safe, transparent, and accountable. The EU AI Act focuses on:
- Risk classification and governance
- Data quality and transparency
- Human oversight and accountability
- Robust documentation and monitoring
Defender for Cloud now enables organizations to monitor AI workloads and evaluate their compliance posture under the EU AI Act. This includes mapping security controls to regulatory requirements and surfacing actionable recommendations to reduce risk. By integrating AI governance into your cloud security strategy, you can innovate responsibly and build trust with customers and regulators alike.
Korean Information Security Management System for Public Cloud (k-ISMS-P)
The k-ISMS-P is a South Korean regulatory standard that integrates personal information protection and information security management for public cloud services. It is a mandatory certification for cloud service providers and enterprises handling sensitive data in South Korea.
Why k-ISMS-P Matters
As cloud adoption grows in South Korea, so does the need for robust compliance frameworks that protect personal and organizational data. The k-ISMS-P standard covers:
- Organizational and technical security controls
- Personal data lifecycle management
- Incident response and audit readiness
Defender for Cloud now supports k-ISMS-P, enabling organizations to assess their compliance posture and prepare for audits with confidence. This is especially valuable for multinational companies operating in or partnering with South Korean entities.
CIS Microsoft Azure Foundations Benchmark v3.0
The Center for Internet Security (CIS) Azure Foundations Benchmark is a widely adopted set of best practices for securing Microsoft Azure environments. Version 3.0 introduces updated recommendations that reflect the latest cloud security trends and technologies.
Why CIS v3.0 Matters
Security benchmarks like CIS provide a foundational layer of protection that helps organizations reduce risk and improve their security posture. Key updates in version 3.0 include:
- Enhanced identity and access management controls
- Improved logging and monitoring configurations
- Updated recommendations for storage, networking, and compute
Defender for Cloud now supports CIS Azure Foundations Benchmark v3.0, offering automated assessments and remediation guidance. This helps security teams stay aligned with industry standards and continuously improve their cloud security hygiene.
Unified Compliance Across Multicloud Environments
With the addition of these five frameworks, Microsoft Defender for Cloud now supports an extensive library of regulatory standards and benchmarks across Azure, AWS, and GCP. This multicloud support is critical for organizations operating in hybrid environments or managing complex supply chains.
The Regulatory Compliance dashboard in Defender for Cloud provides a centralized view of your compliance posture, complete with:
- Framework-specific control mapping
- Assessments and scoring
- Actionable recommendations and remediation steps
- Integration with Microsoft Purview and Microsoft Entra for unified governance
Get Started Today
These new frameworks are available in public preview and can be enabled directly from the Microsoft Defender for Cloud portal. To get started:
- Navigate to the Regulatory Compliance blade.
- Select Manage compliance standards.
- Select an account or management account (Azure subscription or management group, AWS account or management account, GCP project or organization) to assign the security standard.
- Select Security policies.
- Locate the standard you want to enable and toggle the status to On.
- Review your compliance posture and implement recommended actions.
For more information, visit our documentation.
By expanding our regulatory coverage, we’re helping customers stay ahead of compliance requirements, reduce risk, and build trust in a rapidly evolving digital world. Whether you’re navigating AI governance, financial resilience, or regional data protection laws, Microsoft Defender for Cloud is here to support your journey.