Most companies in Israel treat cloud compliance as a documentation exercise. The regulations say otherwise — and the enforcement gap is closing.
The regulatory landscape has changed
Cloud adoption in Israel accelerated over the past several years. The regulations have been catching up.
Israeli companies operating in the cloud now face concrete, enforceable security requirements from multiple directions: the Privacy Protection Regulations, the Israel National Cyber Directorate (INCD) cloud security framework, and sector-specific rules from the Bank of Israel and the Capital Market Authority. These are not vague recommendations. They carry real requirements around monitoring, access control, incident response, and reporting.
The challenge for most companies is not understanding that these requirements exist. It is figuring out what technical controls actually satisfy them — and making sure those controls are operational, not just documented.
The short version
| Regulation | Who it applies to | Key security implication |
|---|---|---|
| Privacy Protection Regulations (Data Security) — תקנות הגנת הפרטיות (אבטחת מידע), תשע"ז-2017 | Any organization processing personal data of Israeli residents | Logging, access monitoring, and security assessments are mandatory at Medium and High tier |
| INCD cloud security framework — מסגרת אבטחת ענן של מערך הסייבר הלאומי | Organizations using cloud for business operations, mandatory for critical infrastructure | Continuous posture monitoring, privileged access controls, incident response plan |
| Bank of Israel Directive 362 — הוראת ניהול בנקאי תקין 362 | Banks and financial institutions using cloud services | Cloud risk management, audit trail retention, independent security review |
| Capital Market Authority cloud guidelines — הנחיות רשות שוק ההון לשימוש בענן | Insurance companies, pension funds, investment managers | Vendor oversight, data residency controls, access logging |
Privacy Protection Regulations: the baseline everyone must meet
The Privacy Protection Regulations (Data Security), תקנות הגנת הפרטיות (אבטחת מידע), תשע"ז-2017, establish the foundational data security framework that applies to any organization holding a database containing personal information about Israeli residents. The framework is tiered.
Tier 1 (Basic) applies to organizations with small-scale, non-sensitive personal data. Minimum controls apply.
Tier 2 (Medium) kicks in when your database includes sensitive personal data categories — financial information, health data, political opinions, employment records — or when you process large volumes of personal data. At this tier the regulations require:
- Documented access authorizations
- Logging of all access to the database, including the identity of the accessing user
- Procedures for managing security incidents
- Physical and logical access controls
Tier 3 (High) applies to organizations holding very sensitive data at significant scale — healthcare providers, financial institutions, large consumer platforms. This tier adds requirements for penetration testing, network segregation, encryption of data in transit and at rest, and formal incident response procedures.
For companies running databases or application data stores in cloud environments, this means your cloud configuration — who has access, how access is logged, how you detect unauthorized access — needs to satisfy the relevant tier. A spreadsheet saying you comply is not enough. The controls need to exist and be operating.
The 2023 amendment to the Privacy Protection Law (חוק הגנת הפרטיות) added breach notification obligations and expanded the enforcement authority of the Privacy Protection Authority. Fines have increased. The expectation that organizations can self-certify without demonstrable technical controls has shifted.
INCD cloud security framework: what it actually requires
The Israel National Cyber Directorate (מערך הסייבר הלאומי) has published cloud security guidance that addresses both organizations using cloud services and critical infrastructure operators. The framework is voluntary for most commercial companies, but it is mandatory for organizations in critical infrastructure sectors — energy, water, transportation, finance, healthcare, and government contractors.
For companies in those sectors, the INCD framework requires:
- A documented cloud adoption risk assessment
- Shared responsibility model clarity — knowing exactly what the cloud provider secures and what you are responsible for
- Continuous monitoring of the security posture of cloud environments
- Privileged access management for cloud administration accounts
- Log collection and security event monitoring
- A formal incident response plan that covers cloud-specific scenarios
Even for companies not in critical infrastructure, this framework is worth following because it maps well to what regulators in other areas are looking for. The INCD regularly publishes threat intelligence and security advisories that are directly relevant to commercial cloud operations in Israel.
One area the INCD guidance is explicit about: configuration drift. Cloud environments change constantly, and a secure configuration at deployment time does not stay secure. Continuous posture monitoring is not optional in regulated environments.
Sector-specific rules add another layer
Bank of Israel
Bank of Israel Directive 362 (הוראת ניהול בנקאי תקין 362) governs how Israeli banks use cloud services. It requires banks to:
- Conduct a formal risk assessment before moving services to the cloud
- Maintain contractual rights for audit access to cloud providers
- Retain audit trail data that satisfies the bank’s other recordkeeping obligations
- Demonstrate that security controls in the cloud environment meet the same standards as on-premises systems
The practical effect is that any bank or fintech that handles banking operations must show that its cloud environment is monitored, access-controlled, and auditable. The Bank of Israel has increased scrutiny of how banks manage third-party cloud risk.
Capital Market Authority
The Capital Market Authority (רשות שוק ההון) has issued cloud usage guidelines for the entities it supervises: insurance companies, pension funds, provident fund managers, and investment advisors. The guidelines require:
- A cloud governance policy approved by senior management
- Vendor risk management for cloud service providers
- Data residency and sovereignty considerations for personal and financial data
- Ongoing monitoring and audit of cloud security controls
The common compliance gap: the controls exist but are not operating
Here is what happens in most organizations that are nominally compliant: they have a cloud environment, they have logging enabled, and they have policies written down. What they do not have is anyone actually reviewing the logs, or a system that alerts when their cloud posture changes.
This is the gap regulators are increasingly focused on. The Privacy Protection Regulations require logging. The INCD framework requires monitoring. Bank of Israel and CMA guidelines require ongoing oversight. These requirements are not satisfied by storing logs in an S3 bucket that nobody reads.
Two controls close this gap more than anything else: CSPM and a working SOC.
What CSPM provides
Cloud Security Posture Management (CSPM) is continuous, automated monitoring of your cloud environment against a security baseline. It tracks configuration changes — who changed what, when, and what the result was — and alerts you when that configuration moves into a risky state.
In the context of Israeli regulations, CSPM directly supports compliance in several ways:
- For the Privacy Protection Regulations: CSPM monitors whether access controls are in place and enforced, detects when data stores are inadvertently exposed, and logs control plane changes that affect data access, which is exactly what Tier 2 and Tier 3 require.
- For the INCD cloud framework: CSPM provides the continuous posture monitoring the framework requires. It catches configuration drift, overprivileged identities, and control changes before they become incidents.
- For Bank of Israel and CMA: CSPM gives you the audit trail and control oversight documentation that auditors look for during reviews.
The specific cloud events that matter most in regulated environments include:
| Event type | Regulatory relevance |
|---|---|
| IAM policy changes granting broad access | Unauthorized access risk, relevant to all frameworks |
| Public access protections removed from storage | Data exposure risk, directly relevant to Privacy Protection Regulations |
| CloudTrail logging disabled or modified | Logging integrity, required by Bank of Israel and CMA |
| Root or privileged account activity | Access control monitoring required at all regulatory tiers |
| Cross-account or external data sharing | Data residency and sovereignty concerns |
| New API keys or credentials created | Persistence and unauthorized access risk |
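As an added example (not code from the original article or from any vendor), the following Python checks CloudTrail records against four of the event types in the table above: broad IAM grants, removed public access protection, trail changes, and root activity or new credentials. The event-name mapping, the category labels, and the sample records are assumptions constructed for illustration, and `policyDocument` is assumed to arrive as a JSON string.

```python
import json
# Illustrative, non-exhaustive mapping (assumed here) from CloudTrail events to the table's rows.
RULES = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "logging_disabled_or_modified",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "logging_disabled_or_modified",
    ("s3.amazonaws.com", "DeleteBucketPublicAccessBlock"): "public_access_protection_removed",
    ("iam.amazonaws.com", "CreateAccessKey"): "new_credentials_created",
}
IAM_POLICY_WRITES = {"PutUserPolicy", "PutRolePolicy", "CreatePolicy", "CreatePolicyVersion"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants_broad_access(policy_json):
    """True if an Allow statement pairs a wildcard action with Resource "*"."""
    try:
        statements = _as_list(json.loads(policy_json)["Statement"])
    except (TypeError, ValueError, KeyError):
        return True  # missing or unparseable policy: fail closed, send to review
    for st in statements:
        if isinstance(st, dict) and st.get("Effect") == "Allow":
            actions = [a for a in _as_list(st.get("Action", [])) if isinstance(a, str)]
            wide = "NotAction" in st or any(a == "*" or a.endswith(":*") for a in actions)
            if wide and "*" in _as_list(st.get("Resource", [])):
                return True
    return False

def classify(event):
    """Return the table's event types that one CloudTrail record matches."""
    hits = []
    if (event.get("userIdentity") or {}).get("type") == "Root":
        hits.append("root_account_activity")
    key = (event.get("eventSource"), event.get("eventName"))
    if key in RULES:
        hits.append(RULES[key])
    if key[0] == "iam.amazonaws.com" and key[1] in IAM_POLICY_WRITES:
        params = event.get("requestParameters") or {}
        if grants_broad_access(params.get("policyDocument")):
            hits.append("iam_broad_access_granted")
    return hits

# Constructed sample records (not real logs), trimmed to the fields used above.
WIDE = '{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}'
SAMPLE = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "Root"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "requestParameters": {"userName": "svc-example", "policyDocument": WIDE}},
]
```

A record can match more than one row: the first sample is both root activity and a logging change, which is the kind of combination a SOC analyst would want surfaced together.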
Why CSPM alone is not enough
CSPM tells you what is wrong. A Security Operations Center (SOC) is what makes you do something about it.
This matters because:
- Misconfigurations in regulated cloud environments often need to be investigated, not just closed. Was the change made by an authorized administrator or by an attacker? Was data accessed before the misconfiguration was corrected?
- Incident response requirements under Israeli law now include breach notification timelines. You cannot meet a 72-hour notification window if your alerts are sitting unreviewed.
- Audit and regulatory review processes ask about your incident response history, not just your tool configuration. If you cannot show that you investigated and responded to events, your CSPM deployment does not demonstrate compliance.
A working SOC means that alerts from your posture monitoring are triaged by a human, investigated where necessary, and documented. For most startups and mid-sized companies in Israel, this does not mean hiring five analysts. It means having a managed service that provides that capability without requiring it in-house.
What a practical compliance-oriented program looks like
For a company that needs to satisfy Privacy Protection Regulations at Tier 2 or Tier 3, or that operates under INCD or sector-specific requirements, the minimum viable program looks like this:
Cloud environment (AWS / Azure / GCP)
-> Audit trail enabled and retained (CloudTrail, Activity Log)
-> Configuration changes monitored continuously (CSPM)
-> Alerts generated on high-risk changes
-> SOC reviews and investigates alerts
-> Incidents documented and reported per regulatory timeline
-> Posture evidence retained for audit
This is not a complex architecture. It is a discipline problem more than a technology problem. The tools exist. The process needs to be operational.
Final thought
Israeli cloud regulations are no longer background noise for compliance officers. The Privacy Protection Authority is more active, the INCD’s expectations for critical infrastructure are concrete, and sector regulators are asking harder questions about how cloud environments are actually controlled.
CSPM gives you visibility into whether your cloud posture satisfies those requirements. A SOC gives you the operational capability to act on that visibility and respond within the timelines the regulations expect.
Together, they are not a nice-to-have. For any Israeli company processing personal data at scale, operating in a regulated sector, or working with government, they are what compliance actually looks like in practice.
If you want to see how Xpernix can help you build this for your environment, contact us.