Significance of Cloud Outsourcing and DORA in the Banking and Payments Sector
In July 2025, the European Central Bank (ECB) published a guide on the outsourcing of cloud services following extensive consultations. Through these non-binding recommendations, the ECB outlines its expectations for compliance with the Digital Operational Resilience Act (DORA), which has since entered into force. Additionally, the ECB provides best practices for effectively managing outsourcing risks. This guide is a response to supervisory findings regarding shortcomings in operational resilience, particularly in light of the continued increase in cloud service adoption. Although the ECB’s guide is specifically directed at institutions under its direct supervision, the practical guidance it offers includes numerous valuable considerations relevant to all entities making use of cloud services.
The German Federal Financial Supervisory Authority (BaFin) has also outlined expectations for cloud service use in its supervisory communication on outsourcing to cloud providers (as of February 2024). These already cover many of the practical aspects addressed by the ECB. However, due to the ECB’s more detailed guidance and its close alignment with DORA’s requirements, it is expected that BaFin will also review the ECB’s guide closely and refine its own expectations accordingly.
This particularly concerns the areas covered by the ECB guidance, including governance, resilience, data security, exit strategy and monitoring.
1. Cloud Governance in Banking: ECB and DORA Requirements
The ECB emphasises that supervised entities remain fully responsible for outsourced activities. Accordingly, it recommends ensuring that cloud providers maintain equivalent procedures, processes and controls for risk management. Supervised entities are expected to exercise the same level of care in their risk management, processes and controls as would be necessary with in-house solutions. The ECB expects companies to not merely regard the cloud as outsourced infrastructure, but to actively understand its functionality, risks and security measures, and integrate them into their own ICT risk management.
The cloud strategy should form an integral part of the overall corporate strategy and explicitly align with digital operational resilience requirements. The ECB identifies unclear responsibilities due to uncoordinated strategies as a primary cause of operational risks when using cloud services and sees comprehensive organisational and contractual role distribution as a key step to closing such gaps.
What should be considered in the ex-ante risk assessment?
A particular focus of the recommendations concerns the mandatory ex-ante risk assessment pursuant to Article 28(4) DORA, which must be conducted before any new outsourcing to cloud providers and regularly updated thereafter.
To identify and assess all risks associated with cloud outsourcing, the ECB provides detailed instructions on appropriate steps. These include analysing:
- which control processes must be established for relevant risks,
- how control processes can be integrated,
- whether the cloud provider supplies the necessary information,
- whether the cloud provider has properly implemented controls, and
- whether the cloud provider has adequate human resources.
Which risks must be considered when using cloud services?
The ECB recommends specifically addressing certain risks during the ex-ante risk assessment, including:
- reliance on individual providers,
- issues with data storage and processing,
- physical and regional risks,
- significant quality reductions and price increases,
- risks from operating in multi-tenant environments.
In the constantly evolving technological environment, the ECB advises regular checks to avoid exacerbating dependencies due to inaction or ignorance. Concentration risks should therefore be included in the policy for using ICT services supporting critical or important functions.
2. Resilience and Contingency Management
To ensure continued operations during serious disruptions, the ECB recommends implementing appropriate ICT business continuity measures as part of general business continuity guidelines, adopting a holistic perspective.
How do firms ensure cloud data availability?
A specific risk with cloud services is the potential loss of access to data in the event of a failure, rendering firms unable to conduct business. Supervised entities should address data backup and recovery in their response and restoration plans. The scope and frequency of backups should be determined based on data criticality and confidentiality. The ECB advises choosing solutions based on risk assessment and storing backup data physically and logically separated from source systems.
For cloud outsourcing affecting critical or important functions, the ECB recommends a risk-based approach, including:
- using multiple providers,
- deploying data centres in different geographic locations (geo-redundant architecture), or
- implementing hybrid cloud architectures.
A sudden cloud service failure must not cause the tolerance thresholds set in the business continuity plan for (i) downtime or (ii) data loss to be exceeded.
How should the disaster recovery strategy be monitored?
DORA obliges firms to test their ICT business continuity and disaster recovery plans. When extending to cloud services, firms should not rely solely on relevant certifications but carry out independent testing by trained internal staff.
The ECB recommends planning for various testing scenarios, such as:
- component failure,
- total site failure,
- regional outage,
- partial failures.
All deficiencies identified during testing should be documented and analysed for corrective measures.
3. Data Security, Confidentiality and Integrity
By using cloud-based applications, companies extend their own security and responsibility boundaries to cloud provider systems. This means that external environments must also be included in internal protection and control mechanisms – e.g. through safeguarding against unauthorised access and inclusion in the ICT asset register.
What criteria are key for selecting cloud provider locations?
ICT response and recovery plans required under DORA and accompanying legislation must consider scenarios of political and social instability at the provider’s head office and data storage/processing locations.
The ECB advises critically reviewing the countries where cloud providers are permitted to store data and preferably limiting them to jurisdictions with adequate data protection levels. Legal and political risks should also be assessed. Data locations must be regularly reviewed and documented.
If a relevant subcontractor is based in a different country than the main provider, any additional risks must also be evaluated. Compliance with geographic requirements should be monitored using appropriate tracking mechanisms.
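As an added illustration (not from the ECB guide or this article), the tracking mechanism described above can be a simple inventory check: each cloud data asset is compared against a list of permitted jurisdictions, subcontractor countries are flagged when they fall outside that list or differ from the provider's head office, and stale or missing location reviews are reported. The permitted jurisdictions, the review period and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed firm policy (constructed for this example): jurisdictions in which data
# may be stored, and the maximum age of the last documented location review.
PERMITTED_JURISDICTIONS = {"DE", "FR", "IE", "NL"}
MAX_REVIEW_AGE_DAYS = 365
AS_OF = date(2025, 9, 1)  # constructed reporting date


@dataclass
class CloudDataAsset:
    name: str
    provider_hq: str                    # country of the provider's head office
    storage_locations: List[str]        # countries where data is stored or processed
    subcontractors: Dict[str, str] = field(default_factory=dict)  # name -> country
    last_reviewed: Optional[date] = None  # date of the last documented review


def check_asset(asset: CloudDataAsset, today: date = AS_OF,
                permitted=PERMITTED_JURISDICTIONS,
                max_age: int = MAX_REVIEW_AGE_DAYS) -> List[str]:
    """Return findings for one asset; an empty list means the asset passes."""
    findings = []
    for country in asset.storage_locations:
        if country not in permitted:
            findings.append(f"{asset.name}: data in non-permitted jurisdiction {country}")
    for sub, country in asset.subcontractors.items():
        if country not in permitted:
            findings.append(f"{asset.name}: subcontractor {sub} in non-permitted jurisdiction {country}")
        elif country != asset.provider_hq:
            # Permitted, but a different country than the main provider: extra risk review.
            findings.append(f"{asset.name}: subcontractor {sub} in {country} differs from provider HQ {asset.provider_hq}; assess additional risk")
    if asset.last_reviewed is None:
        findings.append(f"{asset.name}: no documented location review")
    elif (today - asset.last_reviewed).days > max_age:
        findings.append(f"{asset.name}: location review older than {max_age} days")
    return findings


SAMPLE_INVENTORY = [  # constructed sample data, not real assets or vendors
    CloudDataAsset("core-banking-db", "IE", ["IE", "DE"], {"backup-vendor": "DE"}, date(2025, 3, 1)),
    CloudDataAsset("payments-archive", "IE", ["IE", "US"], {"support-vendor": "IN"}, date(2023, 12, 31)),
]


def run_checks(assets=SAMPLE_INVENTORY, today: date = AS_OF) -> Dict[str, List[str]]:
    """Evaluate the whole inventory and return findings keyed by asset name."""
    return {a.name: check_asset(a, today) for a in assets}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "OK" if not findings else "")
        for item in findings:
            print("  -", item)
```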
How should access to the cloud be structured?
To avoid risks and disruptions, responsibilities for managing access and configuration rights should be clearly defined and agreed upon. The Identity and Access Management (IAM) policy should extend to cloud-stored assets.
The ECB also recommends contractually obliging cloud providers to align with the firm’s IT and IAM policies. Where negotiation is not feasible (e.g. with standardised providers such as AWS or Microsoft), it should be assessed whether the provider’s structure matches the firm’s own roles and responsibilities.
The ECB’s access management recommendations include:
- strong authentication of users, especially with privileged access (e.g. MFA),
- regular review of access rights,
- real-time tracking and documentation of all privileged access,
- appointment of business owners,
- secure access via two-factor authentication and VPN,
- use of monitoring tools to supervise provider access to systems and data, and regular checks.
How should data be encrypted?
DORA obliges companies to implement protection measures involving cryptographic keys. To ensure proper encryption, the ECB advises:
- defining detailed strategies and procedures for the entire encryption lifecycle and cryptographic controls,
- implementing current standards and having qualified professionals regularly verify that they remain appropriate,
- managing cryptographic keys according to best practices,
- using unique keys.
In addition to encryption, the ECB points to the benefits of:
- multi-cloud technologies,
- network segmentation,
- and comparable measures to prevent data loss.
4. Which Exit Strategies Does the ECB Recommend?
To avoid failures or disruptions when terminating outsourcing arrangements, Article 28(8) DORA mandates the creation of exit strategies for critical or important functions.
Overarching Exit Strategy
The ECB considers it good practice to define an overarching exit strategy that consolidates detailed technical exit plans for each outsourcing. These plans must align with contractual agreements (e.g. termination rights) and actual capacities, allowing sufficient time for all required steps.
A key element should be the firm’s ability to transfer data to internal systems or alternative providers, which makes technologies such as virtual machines or containers a central point of supervisory attention.
Exit plans should evaluate the data volume and complexity of applications to be migrated, as well as internal/external staff capacity and expertise. The ECB recommends regularly rehearsing key migration steps to test assigned personnel’s capabilities. Furthermore, an independent third party should assess the feasibility of the exit plans.
Examples of contractual termination rights
The ECB recommends considering inclusion of the following contractual termination rights:
- persistent underperformance,
- significant breaches of contract or applicable laws/regulations,
- relocation of business units or data centres,
- merger or sale,
- relocation of provider’s HQ to a new legal jurisdiction,
- change of data centre location to a different country,
- legal changes affecting the outsourcing agreement,
- inability or unwillingness to comply with amended legal provisions,
- material changes in subcontractor cybersecurity risk,
- repeated violations of agreed service levels or serious service failures.
Contracts should provide for an adequate transition period and ensure that the provider’s termination rights are compatible with the firm’s exit strategy.
List of Alternative Providers
If the exit strategy involves switching providers, firms should maintain a regularly updated list of qualified alternatives. For insourcing scenarios, technical analyses and time estimates should be conducted, with regular reviews of internal resources and capabilities.
5. How Should ICT Third-Party Risks Be Monitored?
Effective monitoring of the ICT risk management framework is essential. The ECB clarifies that firms retain full responsibility for verifying compliance with ICT risk requirements, even when outsourced as managed services.
Firms should not rely solely on provider statements. Independent monitoring tools and qualified personnel are crucial.
Incident Reporting
Comprehensive reporting from cloud providers should enable effective identification and tracking of impacted services to assess potential operational impact. Incident handling steps must be documented. Firms should contractually agree on appropriate incident and monitoring reports.
Internal Audit: What Should Be Considered?
According to Article 8(3) of Delegated Regulation (EU) 2024/1773, relying solely on provider reports or third-party certifications is insufficient. Internal audit must use its own resources to verify:
- proper application of internal policies,
- thorough risk assessments,
- adequate provider risk management.
In line with Article 30(3)(e)(i) DORA, the ECB recommends contractually agreeing access, inspection and audit rights for both the firm and relevant authorities.
Audits may be outsourced (cf. Art. 8(2)(a) of Delegated Regulation (EU) 2024/1773) and conducted jointly with other supervised entities (pooled audit). The ECB encourages forming joint inspection teams with each firm contributing at least one technical expert. Leadership of these teams should rotate to avoid audit blind spots.
Standard Contractual Clauses
The ECB recommends agreeing best practice provisions for:
- addressing service deficiencies and requiring remedies,
- monitoring service quality degradation,
- calculating on-site audit costs.
A version of the original contract and all amendments should be retained.
What Does This Mean for Your Firm?
While BaFin’s previous cloud outsourcing communication offered only a national outlook on DORA, the ECB now provides concrete and specific requirements. As such, the ECB’s guide raises the bar through references to DORA, accompanying technical standards, and its aspiration to set supervisory coherence benchmarks. It is expected that BaFin will adapt its own expectations accordingly.
Existing and planned cloud outsourcing arrangements should be reviewed critically. By following the ECB’s recommendations early on, firms not only enhance their digital resilience but also anticipate mandatory future adjustments.