ECB publishes consultation paper on cloud outsourcing
On June 3, 2024, the European Central Bank (ECB) published a new guide for consultation that sets out the requirements for banks when outsourcing IT services to cloud service providers (CSPs). The new guide is intended to clarify the ECB’s understanding of the corresponding legal requirements from DORA and to clarify the increased regulatory expectations for cloud outsourcing.
Background and objectives
The ECB has recognized that cloud services are becoming increasingly important for financial institutions as they offer flexibility, scalability and cost efficiency. At the same time, however, they also pose particular risks, especially in terms of IT security, compliance with data protection regulations and operational resilience. The new guidelines aim to address these risks and establish uniform standards for outsourcing to CSPs.
The ECB’s new guidance applies to banks directly supervised by the ECB, but is also relevant for CSPs and other financial entities subject to DORA.
The ECB states that its guidance should be read in conjunction with the new DORA framework and the existing guidance on outsourcing arrangements, with DORA taking precedence in case of doubt. Furthermore, the guidelines are not intended to set out legally binding requirements and “should not be interpreted as introducing new rules or requirements”. The guidelines should therefore be seen more as an aid to interpretation with regard to supervisory expectations of the (soon to be) existing legal requirements.
Key contents of the consultation paper
The new guide contains a number of references to best practices for the entire lifecycle of cloud outsourcing, including the pre-outsourcing analysis phase, oversight and monitoring during the term of the agreement, business continuity arrangements, exit strategies and contract termination. When it comes to ICT outsourcing, the ECB expects supervised institutions to apply the same level of diligence to risk management, processes and controls as those which decide to keep the relevant services in-house.
The guide does contain specific considerations and recommendations that may be helpful in the context of the current DORA implementation projects (e.g. a very useful reference to the EU Commission’s list of third countries with an adequate level of data protection, which can be used as a basis for the risk assessment for the outsourcing of cloud services to third countries). It is also clear from the ECB guide that IT outsourcing to the cloud should be a separate category among companies’ IT assets and requires a special risk assessment. A special strategy for cloud outsourcing must be integrated into the IT outsourcing strategy, which must of course be consistent with the strategy for ICT third party management in accordance with DORA. In general, cloud services should be treated separately at all points of IT governance, as outsourcing and processes in the cloud are associated with higher and additional risks.
In its guidelines, the ECB attaches great importance to the topics of ICT security, data confidentiality and data integrity. For example, the highest encryption standards are required not only when storing data in the cloud, but also during transportation and when using data in the cloud. The ECB also focuses on ensuring business continuity – for example, in case of critical or important functions, an abrupt discontinuation of a CSP’s outsourced cloud service must not lead to business disruption beyond the maximum tolerable downtime or the maximum tolerable data loss as defined in the institution’s internal policies.
With regard to the drafting of contracts with CSPs, there is little new in the new ECB guidelines, but the ECB does make it clear that CSPs should be obliged to sign a separate digital or physical copy if a contract has only been concluded online. This is intended to avoid the risk of unilateral changes.
According to the ECB, an institution’s internal audit function should ensure that risk assessments are not based solely on certificates and attestations from the CSP but also on independent assessments being carried out. The ECB considers it good practice for institutions to work together when auditing a CSP and to put together a joint inspection team that includes at least one technical expert from each institution, provided that the institutions have the opportunity to make individual enquiries with the CSP on a bilateral basis in relation to issues relevant to them.
The consultation on the new ECB Guide ends on July 15, 2024, and it can be assumed that the ECB will publish the comments received together with a feedback statement and the final Guide before the DORA enters into force on January 17, 2015.
Conclusion
As with the EBA guidelines on outsourcing and with DORA, the supervisor fails to recognize in its new guidelines that even large financial institutions often have only limited negotiating options vis-à-vis the dominant CSPs. This reflects only a theoretical understanding of the structure of CSPs and limits the ability of firms to comply with parts of the guidelines that require them to be more involved in the policies and procedures of CSPs. For example, the ECB’s proposal that institutions should ensure that their CSPs have implemented “equivalent” risk management practices, processes and controls is impractical and does not take into account the “one-to-many” nature of CSPs. CSPs cannot have equivalent risk measures in place for each individual financial institution for which they provide services.
The introduction of DORA was intended to reduce the fragmentation of previous supervisory practice and harmonize the rules for operational resilience. However, by issuing the new guidelines, the ECB has created additional uncertainty. This is because, while many companies are in the middle of their DORA implementation processes, further considerations and evaluations still need to be made regarding companies’ cloud outsourcing. Furthermore, the ECB guidance fits into an already crowded regulatory landscape, which also includes the 2019 EBA Guidelines on Outsourcing and the 2020 ESMA Guidelines on Cloud Outsourcing. Instead of harmonization and regulatory consistency, companies must now deal with overlapping and, in some cases, conflicting regulatory expectations.
Particularly in light of the fact that outsourcing to the cloud is likely to become the “new normal”, it is to be hoped that the ECB will pay a little more attention to the feasibility of its requirements in the final version of the guidelines and not go beyond the requirements that DORA itself places on the institutions. After all, according to the ECB’s own statements, the guidelines should only serve as an interpretation aid for DORA and not impose any new or stricter regulatory requirements.