One of the tasks associated with operating a public cloud is keeping on top of the various regulatory and legal frameworks that affect us and our customers. We already took a dive into the EU Digital Operational Resilience Act (DORA) and, to follow on the heels of that thrilling read, I present to you an overview of the current set of EU regulations that may-or-may-not affect Fly.io or you as a user of the service.
As always, this is just, like, our opinion, man.
Network and Information Security (NIS 2) Directive (“NIS 2”)
NIS 2 is an update of NIS 1. It requires EU member states to standardize their supervisory regimes for cybersecurity and it expands the list of entities covered under those regimes. Because it is a directive, member states have to transpose NIS 2 into their national laws (they have until October 2024 to figure this out). Cloud computing providers like Fly.io are covered entities, though, as we’re US-based, there isn’t a clear member state that supervises Fly.io directly. However, as a potential supplier to customers who are themselves essential or important entities, we would likely have to demonstrate to a customer covered under the directive that we have implemented appropriate security measures and can assist with the early warning and reporting of incidents. We’re happy to do that, so get in touch if that’s a concern.
Cyber Resilience Act (“CRA”)
The CRA says that manufacturers are on the hook for shipping insecure products (hardware OR software) to EU customers. The CRA hasn’t yet been formally adopted and, when it is, the obligations won’t start until 2027. We’re not shipping a product covered under the act, but our customers likely will be, and so it’s likely their requirements and security obligations under the act will flow down to us, even if the CRA doesn’t explicitly provide for that. If this describes your situation, reach out: odds are we already meet the obligations and we would just need to help you document compliance under the act.
Digital Services Act (“DSA”)
Basically, the DSA regulates online content. Think: copyright violations, hate speech, disinformation, terrorist materials, that sort of thing. For better or worse, one could draw comparisons to the US’s DMCA. The DSA, which went into effect in early 2024, covers “hosting services” (including cloud providers like Fly.io) as well as online platforms like marketplaces and forums. Fly.io would be a “small enterprise” under the DSA so, thankfully, we’re spared some of the more onerous terms. More importantly, however, customers don’t need to consider Fly.io when evaluating their own DSA compliance obligations.
Data Act (“Data Act”)
You own your data, you are free to move your data when you choose, and we must protect your data. That’s the relevant summary of the act (which will go live in 2025). Fly.io is designed to allow you to move data from our systems to other systems as fast as possible, and we work dang hard to protect your data, so we’re pretty comfortable with where we stand vis-à-vis the act. If you want to know more you can read about it here or, and we’re serious about this, ask us.
European Health Data Space (“EHDS”)
The EHDS will cover the interoperability of and access to medical data, including research access to private healthcare information, once it has been formally adopted and goes into effect in 2026. While Fly.io won’t be directly covered by the EHDS, our EU healthcare customers likely will be, and thus some of their obligations will flow down to us. Those obligations are pretty much the same as under NIS 2 and the Data Act: have strong security and privacy protections. For the privacy component, we are currently working through Data Privacy Framework certification and we’ll have more updates on that soon.
Artificial Intelligence Act (“AI Act”)
Most of the obligations under the act concern restricting the use of AI systems and the content they generate (the act will be live in 2026). As Fly.io is a lower-level provider of GPU compute, we’re not developing models or deploying AI solutions: that’s on our customers, not us. That said, we’d appreciate you not building a Disinformation at Scale platform or an Algorithmic Bias as a Service solution on us.
There are two main takeaways from the above:
- Most of the regulations are either not yet in effect (CRA, Data Act, EHDS, AI Act) or are relatively new (NIS 2, DSA). What compliance looks like (or will look like) is still evolving.
- You don’t have to go it alone: you can (and should) talk to us about your product and your EU compliance challenges.