Just one in 100 cloud providers meet the impending EU data protection regulations, it is claimed.
New EU requirements that redefine personal data and privacy are set to be passed into law before the end of the year before taking effect in 2015, yet cloud security firm Skyhigh Networks claimed most companies are currently falling foul of the new measures.
It analysed its 7,000-strong list of cloud service partners, saying that just 1% would currently pass the tougher requirements.
"It's staggering how few cloud providers are prepared for the new EU regulations," said Charlie Howe, EMEA director.
"[Meeting requirements] will inevitably require additional resources and expenditures, but it's a snip given the proposed penalties for violating the new laws, which can be up to 5% of a company's annual revenue or up to €100 million."
Currently the Information Commissioner's Office can levy a maximum £500,000 fine, but along with harsher fines, the new laws will see stricter rules around reporting a breach.
Companies will have to report data leaks "without undue delay", sparking confusion over how long that might be.
Max Perkins, insurance data expert at Beazley, said: "When does that clock start ticking? Is it when they suspect something might have happened? If so, the regulators are going to receive loads of calls."
Meanwhile, any organisation with more than 5,000 customers will have to appoint a data protection officer.
Skyhigh also points out that just 11 countries satisfy the EU's new privacy requirements for where European firms' data can reside.
Howe said: "Notably absent from the list is the United States, where 67 percent of all cloud services are headquartered. Data residency is already a significant issue under the current EU Data Protection Directive and it will continue to be so as the new regulations come into effect - especially as only 8.9% of US-based providers have the Safe Harbor Certification, which provides exemption to these regulations."