ECB finalizes guide on outsourcing cloud services

  • Guide sets out supervisory expectations for implementing DORA-related requirements and provides good practices on effective cloud outsourcing risk management
  • Guide to make supervision more consistent and ensure level playing field for supervised banks
  • Revisions provide clarity on recommended risk management measures for cloud outsourcing and on guide’s scope and legal nature, aligning terminology with relevant regulation

The European Central Bank (ECB) published its final guide on outsourcing cloud services to cloud service providers. Similar to other ECB Guides, it does not lay down legally binding requirements, practices, or rules. It also does not introduce new rules or requirements over and above those currently imposed by the Digital Operational Resilience Act (DORA). Instead, it clarifies the expectations the ECB has for banks to comply with DORA requirements. It also provides good practices on effective outsourcing risk management for banks under ECB supervision that use third-party cloud services, based on observed industry practices.

“Banks are relying on outsourcing cloud services to a handful of third-party service providers. This exposes them to several risks, including IT security and cyber risks, which remain an ECB priority in times of heightened geopolitical tensions,” said Anneli Tuominen, member of the ECB’s Supervisory Board, in a statement. “Our Guide outlines good practices on how we expect banks to manage such risks, drawing on the experience we have gathered through our ongoing supervision.”

The guidance clearly differentiates the requirements set out in DORA from the good practices recommended by the ECB. It also clarifies the way in which the principle of proportionality is applied. An overview of the comments received and the ECB’s assessment of them is available in a feedback statement.

The guide emphasizes the importance of maintaining a risk-based approach and applying proportionality to outsourcing cloud services, while accounting for the various organizational set-ups, areas of activity and risk profiles of the banks that the ECB supervises.

Read the full guide
