An organization needs to take legislation and regulations into account when configuring the IT landscape. The use of services is complicated by the legislation aimed at different industries, such as legislation with regard to financial accountability (the Sarbanes–Oxley Act is an example), pharmaceuticals, medical care, and telecoms. The application of most legislation and regulations does not change substantially when services are in the cloud, but demonstrating conformity is not getting easier. This section mainly targets the legislation and regulations that are codependent with the location and protection of data that is brought to the cloud. It is about which requirements apply and not how they are being complied with by putting security measures in place. With cross-border data traffic in the cloud, another factor is added: multiple laws and regulations for each of the countries involved.
For the tester, legislation and regulations are a form of test basis. It is critical to list all applicable legislation and regulations. This inventory potentially brings a number of problems to light, such as contradictory legislation from dif- ferent countries. Then the intended service is tested to determine whether the rules can be met. In this specialized field, the tester and the legal representative need to complement each other.