The use of cloud services by banks is not a new development; however, the ECB notes that banks are increasingly decommissioning internal infrastructure and resources in favour of a move to third-party cloud services, and that deficiencies in the way banks manage third-party supplier risk have been identified and need to be addressed. This is one of the ECB's supervisory priorities for 2024-26.
The Guide does not create new rules but clarifies the ECB's interpretation of existing rules in the context of cloud outsourcing and provides good practice examples. Banks will be paying close attention to these good practice examples, and vendors will in turn be affected by what is likely to shape industry practice in relation to the procurement of third-party cloud services in the financial sector.
It is worth noting that this guidance is directed to Significant Institutions, and so is not directly applicable to Less Significant Institutions. However, it is not unreasonable to expect these expectations and examples of best practice to inform national competent authorities’ expectations in this area going forward.
The Guide uses the term "cloud services" broadly to include services provided using cloud computing - a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
According to the Guide, examples of good practice in relation to cloud outsourcing include the following:
- Assessment of concentration and provider lock-in risks: DORA requires financial entities to assess "all relevant risks relating to the contractual arrangement" before entering into an agreement for the provision of ICT services. The Guide makes clear that typical risks relating to cloud services should be considered, such as:
- Increased vendor lock-in and challenges finding an alternative provider;
- Data storage and processing risks and the potential for unauthorised loss or disclosure of sensitive data;
- Physical and region-specific risks, including political stability of the country where the services are provided from;
- Quality and pricing fluctuations;
- Less visibility of sub-providers; and
- Risks associated with a multi-tenant environment.
The ECB notes that concentration risks should be assessed on a regular basis due to the potential for providers to grow in size and extend their service offerings.
- Availability and resilience of cloud services: The Guide suggests that supervised entities should employ a holistic approach to business continuity in relation to its cloud solutions, which includes (among other things) drawing up a policy that ensures they can withstand termination of the service provider's service and continue to have access to data in this scenario. Backup policies and procedures should be maintained and backup data should be stored in physically and logically segregated systems from the source systems. In the case of cloud services that support critical or important functions, the ECB expects additional measures to be taken, which may include use of hybrid cloud architecture and engaging multiple cloud service providers or backup providers, without overlap in the physical location of data centres.
- Disaster recovery planning and testing: DORA requires financial entities to test their business continuity and disaster recovery plans at least annually. The ECB considers it good practice for supervised entities to assess the cloud provider's disaster recovery plans and tests – including readiness for actual disaster events – and not to rely exclusively on disaster recovery certifications.
- Data location: Whilst the ECB does not rule out any locations or set a limit on how many locations may be used for data storage, the Guide states that it is good practice for supervised entities to restrict the locations where cloud providers can store their data and to apply appropriate tracing mechanisms to monitor compliance with those restrictions. Unsurprisingly, the Guide mentions geopolitical risks and expects supervised entities to draw up a list of countries where data can be stored, taking account of legal and political risks.
- Data security: The Guide sets out additional detail on expectations in relation to encryption measures, and notes that encryption keys used by the cloud provider for the encryption of supervised entity data should be unique; the same encryption keys should not be used for other data.
- Identity and access management policies: The Guide notes that a lack of clear roles and responsibilities for managing access rights and encryption keys is a "major source of operational risk and disruption for cloud services". The ECB therefore considers it good practice to include in cloud service provider agreements individual clauses requiring the provider to align with the supervised entity's IT and identity and access management (IAM) policies. Where this cannot be done, the supervised entity should consider how the IAM structure provided by the cloud provider aligns with the supervised entity's roles and responsibilities to ensure the effective segregation of duties.
- Exit: DORA requires financial entities to put in place exit strategies for ICT services that support critical or important functions. The ECB expects supervised entities to draw up exit strategies with clearly defined roles and responsibilities and estimated costs, and to put these plans in place before the systems go live. This goes further than the common practice of drawing up an exit plan during the first few months of the agreement term and agreeing the costs of exit assistance in a statement of work, which may be drawn up at some time closer to the termination date. Note that where an exit strategy focuses on moving ICT services to another provider, the ECB recommends that supervised entities draw up a list of qualified alternative service providers. Expectations on the contents of the exit plan itself are set out in greater granularity than under existing regulations.
- Termination rights: DORA requires additional termination rights to be included in agreements with ICT third-party service providers. In addition to the stated termination rights (e.g. significant breach of the Agreement or applicable laws), the ECB goes further and recommends the following termination rights: (i) termination for a merger or sale, (ii) termination for relocation of the CSP’s head office to another jurisdiction, (iii) termination for relocation of the data centre hosting to another country, (iv) termination for a change to national legislation affecting the outsourcing arrangement, (v) termination for a change in the regulations applicable to data location and data processing if the CSP cannot or chooses not to modify its delivered services to comply with changed legislation, (vi) termination for significant changes to the subcontractor’s cybersecurity risk, and (vii) termination for continuous failure to achieve agreed service levels or a substantial loss of service.
- Subcontracting: The extent of oversight that ICT third-party service providers are expected to have over their subcontractors has been a topic of controversy, resulting in delays to the Regulatory Technical Standards (RTS) on subcontracting being finalised; the final RTS becomes effective on 21 July 2025. The ECB's recommendations are likely to result in additional granularity for the contractual obligations which are required under DORA: cloud providers that support critical or important functions should ensure their subcontractors comply with the same contractual obligations that apply between the supervised entity and the cloud provider, including in relation to confidentiality, integrity, availability, the retention and destruction of data, configurations and backups.
- Audit: The Guide brings clarity in relation to the ECB's expectations on conducting audits of cloud service providers, stating that it is good practice for supervised entities to work together to audit a cloud service provider by forming a joint inspection team containing at least one technical expert from each supervised entity. It is also good practice for supervised entities to verify that selected auditors have a recognised professional certification. The cost of audits – often a point of negotiation in cloud provider contracts – is also addressed by the ECB, which notes that costs may be borne by the customer but that the agreement should include details of how the cost of performing on-site audits is calculated.
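Three of the good practices above (restricting and tracing data locations, keeping encryption keys for the supervised entity's data unique, and storing backups on physically segregated systems) lend themselves to automated checks over a cloud inventory. The following is an added illustration, not code from the Guide, the ECB or the article's authors. The inventory, country list, key identifiers and site names are all constructed, and the interpretation of "unique keys" as one key per independent data set (a backup legitimately sharing its source's key) is an assumption made for the example.

```python
"""Policy-as-code checks for three cloud-outsourcing good practices:
approved data locations, unique encryption keys and segregated backups.
Every value below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Countries in which the hypothetical supervised entity permits data storage
# (the Guide expects such a list, drawn up with legal and political risk in mind).
ALLOWED_COUNTRIES = {"DE", "NL", "IE"}


@dataclass(frozen=True)
class DataStore:
    name: str
    country: str                    # country of the data centre hosting the store
    region: str                     # provider region identifier (constructed)
    site: str                       # physical data-centre site identifier (constructed)
    kms_key: str                    # identifier of the key encrypting data at rest
    backup_of: Optional[str] = None # name of the source store this is a backup of


# Constructed inventory, standing in for what an entity would pull from its
# providers' APIs as the "tracing mechanism" for data location.
INVENTORY = [
    DataStore("core-banking-db", "DE", "eu-central-1", "fra-dc1", "key-bank-001"),
    DataStore("core-banking-db-backup", "DE", "eu-central-1", "fra-dc1",
              "key-bank-001", backup_of="core-banking-db"),
    DataStore("payments-ledger", "NL", "eu-west-4", "ams-dc2", "key-bank-002"),
    DataStore("payments-ledger-backup", "IE", "eu-west-1", "dub-dc1",
              "key-bank-002", backup_of="payments-ledger"),
    DataStore("analytics-lake", "US", "us-east-1", "iad-dc3", "key-shared-000"),
    DataStore("marketing-crm", "IE", "eu-west-1", "dub-dc1", "key-shared-000"),
]


def check_data_location(inventory, allowed=ALLOWED_COUNTRIES):
    """Return names of stores hosted outside the approved country list."""
    return sorted(s.name for s in inventory if s.country not in allowed)


def check_key_uniqueness(inventory):
    """Return key identifiers that encrypt more than one independent data set.
    A backup is treated as part of its source's data set, so a source/backup
    pair sharing a key is not a finding; two unrelated stores sharing one is."""
    key_to_datasets = defaultdict(set)
    for s in inventory:
        key_to_datasets[s.kms_key].add(s.backup_of or s.name)
    return sorted(k for k, ds in key_to_datasets.items() if len(ds) > 1)


def check_backup_segregation(inventory):
    """Return backups that sit in the same physical site as their source,
    i.e. backups that are not physically segregated from the source system."""
    by_name = {s.name: s for s in inventory}
    return sorted(s.name for s in inventory
                  if s.backup_of and by_name[s.backup_of].site == s.site)


def run_checks(inventory):
    """Run all three checks and return findings keyed by check name."""
    return {
        "location_violations": check_data_location(inventory),
        "shared_keys": check_key_uniqueness(inventory),
        "co_located_backups": check_backup_segregation(inventory),
    }


if __name__ == "__main__":
    for check, hits in run_checks(INVENTORY).items():
        print(f"{check}: {hits or 'OK'}")
```

Run against the constructed inventory, the checks flag the analytics store hosted outside the approved countries, the key shared between two unrelated stores, and the core-banking backup held in the same site as its source. In practice the inventory would be refreshed from each provider's resource and key-management APIs on a schedule, so that the location restrictions the Guide asks entities to impose are continuously monitored rather than checked once at onboarding.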
Key takeaways and next steps
Whilst the Guide purports not to create legally binding rules, it does introduce additional granularity to the already prescriptive rules on ICT risk management and third-party oversight that are set out in DORA. Whilst "best practices" are not strictly legally binding requirements, they are indicators of regulatory expectations; it is therefore likely that entities subject to ECB supervision will interpret them as requirements.
For supervised entities, a thorough review of the Guide would be advisable to identify what additional measures need to be put in place for cloud services used across the business. Importantly, the Guide does not apply only in relation to cloud services that support critical or important functions (but proportionality will continue to be applied in assessing measures to be taken in relation to cloud services supporting critical or important functions).
Contractual arrangements between supervised entities and cloud providers may need to be updated to address the requirements set out in the Guide; supervised entities will need to consider whether a further review is to be undertaken in relation to contractual arrangements that have already been remediated to address DORA.
Cloud providers should also review the Guide to prepare for discussions with customers that will be in-scope of the new recommendations. We anticipate some friction in discussions as parties debate whether the new requirements are to be treated as legal requirements, or not.
Authored by Louise Crawford and Bill Laffan.