ECB launches consultation on new cloud outsourcing guidelines

The ECB has initiated a public consultation on its new Guide concerning the outsourcing of cloud services to cloud service providers.

This Guide is designed to elucidate the ECB’s interpretation of relevant legal requirements and its expectations for the banks under its supervision. The intention is to ensure more consistent supervision and a level playing field for all banks.

As banks increasingly adopt cloud computing services from third-party providers, they gain access to potentially cheaper, more flexible, and more secure services. However, this reliance on third parties also introduces significant risks, including IT security issues and potential business disruptions. For instance, if a bank cannot seamlessly substitute outsourced services in case of failure, its operations may be severely affected. Additionally, the cloud services market is highly concentrated, with many banks depending on a limited number of service providers, most of which are based outside Europe. Consequently, the ECB urges banks to explicitly consider these risks.

During its 2023 Supervisory Review and Evaluation Process, the ECB identified several vulnerabilities in banks’ IT outsourcing arrangements. Therefore, third-party risk management, including cloud outsourcing, is a top supervisory priority for the ECB from 2024 to 2026.

To bolster ICT-related risk management, EU legislators have introduced the Digital Operational Resilience Act (DORA). This act emphasizes the need to proactively mitigate risks that could disrupt critical functions or services. Legal frameworks like DORA and the Capital Requirements Directive require banks to establish effective governance over outsourcing risks and to develop robust IT security and cyber resilience frameworks. The ECB’s Guide outlines its understanding of these rules and their application to supervised banks.

The public consultation on the Guide begins today and will run until 15 July 2024. Following this period, the ECB will publish the received comments along with a feedback statement and the finalised Guide.

ECB supervisory board chair Andrea Enria said, “This Guide is a significant step towards ensuring that banks properly manage the risks associated with outsourcing critical functions to cloud service providers.”

Copyright © 2024 RegTech Analyst
