ECB Guide on outsourcing cloud services

The European Central Bank (ECB) is the central bank for the euro area, responsible for managing the euro currency and framing and implementing the monetary policy for those European Union countries that have adopted the euro.

Although the ECB recognises the benefits of cloud computing, such as access to innovative technologies, scalability and flexibility, the ECB recently published detailed guidance to financial institutions on managing risks associated with outsourcing critical functions to cloud service providers (CSPs).

The ECB Guide on outsourcing cloud services (the ECB Guide) aims to (a) foster supervisory consistency across the banking sector as regards the use of cloud outsourcing; (b) help ensure a level playing field by providing a comprehensive description of the ECB's understanding of the legal requirements stemming from regulations such as the Digital Operational Resilience Act (DORA) related to cloud outsourcing; and (c) draw on risks observed in ongoing supervision and on-site inspections, complementing the expectations with examples of effective practices to mitigate those risks when using cloud services.

Whilst not legally binding, the ECB Guide provides detailed supervisory expectations and examples of best practices observed by the ECB. It should be used when institutions outsource to CSPs, although it should also be read in conjunction with the DORA regulatory framework, including implementing legislation, and the EBA Guidelines on outsourcing arrangements, which take precedence over the ECB Guide.

The ECB Guide applies exclusively to procured cloud solutions rather than any non-cloud related products which might be offered by CSPs. Further, when a non-CSP third-party provider (to a supervised institution) is reliant on cloud services provided by a CSP, the ECB Guide says that the same supervisory expectations will apply.

Best practices

The ECB Guide emphasises thorough risk assessment, robust contractual arrangements, comprehensive exit strategy, data management controls, business continuity and independent auditing and monitoring when outsourcing critical functions to CSPs. Key best practices include:

  • Risk management
    • Institutions must conduct thorough risk analysis before outsourcing to CSPs, assessing control processes as well as the CSP’s ability to provide required information, and the institution's expertise to implement checks.
    • Regular risk assessments should be performed, scrutinising risks like provider lock-in, unpredictable costs, auditing difficulties, concentration and lack of transparency on sub-providers.
    • Concentration risks from relying heavily on a single CSP should be assessed regularly.
  • Contractual arrangements
    • Contractual clauses should allow institutions to follow up on the ineffective provision of services and to monitor any deterioration in services. In both cases, they should be able to ask for the implementation of remedial actions.
    • Contracts should include details of how the cost of performing onsite audits is calculated, ideally including a breakdown and indicating the maximum cost.
    • Appropriate incident reporting, monitoring and auditing clauses should be included to enable oversight.
    • If contractual provisions are stored online, the CSP should be required to sign a separate digital or physical copy to prevent any risk of unilateral changes.
  • Exit strategy
    • Institutions must have comprehensive exit strategies for critical functions, including milestones, tasks, skill requirements, time estimates and costs.
    • Exit plans should be regularly reviewed, tested and independently verified.
    • Contracts must allow termination rights if certain circumstances arise, such as inadequate performance, breaches or excessive cost increases attributable to the CSP.
    • Contracts should include transition periods for smooth exit and CSP support during transitions.
  • Data management
    • Institutions should maintain a list of acceptable countries for data storage and processing, considering legal and political risks.
    • Data processing controls should be consistent across locations, and additional risks from sub-contractors in different countries should also be assessed.
  • Business continuity
    • Business continuity measures should address worst case scenarios of complete service unavailability and unco-operative exits.
    • Back-ups of critical systems should not be stored in the same cloud hosting the services.
  • Auditing and monitoring
    • Independent monitoring tools should complement CSP-provided tools for critical functions.
    • Joint audits with other institutions, involving technical experts, are recommended to pool resources and expertise.

Contracts with CSPs

Institutions should note that DORA sets out a range of contractual requirements such that existing cloud agreements with CSPs are likely required to be “uplifted” before DORA comes into force on 17 January 2025. For instance, Article 28(7) of DORA sets out an extensive list of rights of termination favouring institutions, including “circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider”. The ECB Guide states that these material changes might result from:

    • the relocation of business units or data centres to another country;
    • a merger or sale;
    • a material change to the sub-contracting chain;
    • relocation of the CSP’s headquarters to another jurisdiction;
    • significant change to the host country’s social, political or economic climate;
    • a change to national legislation affecting the outsourcing arrangement;
    • a change in the regulations applicable to data location and data processing;
    • significant changes to the management of cybersecurity risk in the chain of sub-contractors;
    • continuous failure to achieve agreed service levels or a substantial loss of service; and
    • a failure to successfully execute cloud provider test migrations at the agreed times.

Going forward, when looking at entering into new cloud agreements with CSPs, institutions will need to follow the ECB Guide (and DORA), for example by assessing availability and resilience requirements for cloud outsourcing, especially for critical functions; evaluating concentration risk, provider lock-in and other risks such as data security and integrity; and carrying out pre-outsourcing analysis.

Article 30(4) of DORA requires that, when negotiating contractual arrangements, institutions and ICT third-party service providers must consider using standard contractual clauses developed by public authorities for specific services. Accordingly, the ECB Guide recommends that financial entities use standard contractual clauses when outsourcing cloud computing services. However, at this time, no such standard contractual clauses have been published.

Conclusion

While the ECB Guide provides additional guidance specific to cloud outsourcing, it does not replace or supersede DORA or the legally binding EBA Guidelines on outsourcing arrangements. Therefore, it should be interpreted in line with the DORA/EBA Guidelines when it comes to outsourcing arrangements. However, the ECB Guide does provide useful clarity on the ECB's supervisory expectations regarding financial institutions' outsourcing of cloud services to CSPs.

If you would like to learn more about the regulatory requirements applicable to cloud computing and outsourcing by financial institutions, please contact Tim Wright.