ECB consults on a proposed guide on outsourcing cloud services

Covering application of the Guide; overview of the ECB’s supervisory expectations, including governance of cloud services and BCPs; and the DORA timetable.

On June 3, 2024, the European Central Bank (ECB) issued a consultation, seeking comments on its draft Guide on outsourcing cloud services to cloud service providers (the Guide) by July 15, 2024. The Guide sets out:

  1. The ECB’s interpretation of certain of the operational resilience requirements applicable to banks under the overlapping regimes of: the Capital Requirements IV Directive (CRD IV), under which the EBA Guidelines on outsourcing arrangements (the EBA Guidelines) apply; the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive); and the incoming Regulation on digital operational resilience for the financial sector (DORA), and
  2. The ECB’s supervisory expectations of banks that outsource cloud services to third-party providers. 

Whilst the proposed Guide is addressed to ECB-regulated banks, it will also affect, and should therefore be carefully considered by, banks’ cloud service providers (CSPs).

In this alert, we cover:

  • the application of the Guide;
  • an overview of key ECB expectations set out in the Guide; and
  • next steps in the legislative timetable for DORA.

Our Headlines

  • The supervisory expectations set out under the Guide are, as currently drafted, likely to require significant infrastructure and process change within banks (including in relation to the oversight and audit capabilities currently in place to monitor CSP services). This may, in turn, necessitate substantial resourcing in the lead-up to and following the Guide coming into force – presumably on January 17, 2025, when DORA becomes operational.
  • As explained below, the ECB’s expectations for banks are broad and onerous – while the potential practical and operational repercussions that would be felt by CSPs are not to be underestimated.
  • We expect significant representations from stakeholders (including both banks and CSPs) on the draft Guide – including a call for clarification of the extent to which the proportionality principle can be applied.

A. Application of the Guide

The supervisory expectations under the Guide will apply to ECB-regulated credit institutions as guidance only. The Guide pertains to banks’ CSP arrangements and is underpinned by the principle of proportionality.

Given the rapidly increasing importance of cloud technologies to the provision of bank services, the Guide is intended to offer a “comprehensive description of prudent risk mitigation practices” by assisting banks in interpreting the key regulatory obligations applicable to them under the existing and incoming operational resilience and cybersecurity regimes. Cloud services are a subset of information and communication technologies captured under other regimes, in particular DORA. Therefore, the Guide will not (in principle) introduce any new rules or requirements, and should (once finalised) be read alongside:

  • EU operational resilience / cybersecurity requirements under the CRD IV, DORA (and national measures implementing the DORA Directive) and the NIS 2 Directive; and
  • the EBA Guidelines.

Significantly, in addition to being applicable to “direct” CSPs of banks, the ECB confirms that its expectations apply on a “look-through” basis, for example to the CSPs relied upon by third-party providers to whom banks have outsourced certain functions. Banks will therefore need to carry out a thorough audit of their current outsourcing arrangements to determine exactly how each outsourced service is provided, and the extent to which those third-party providers themselves rely on CSPs for cloud services.

B. Overview of key ECB supervisory expectations

1. Governance of cloud services

ICT risk management and control frameworks:

  • Banks’ management bodies will remain responsible for the management of ICT risk. Banks must ensure that the respective roles and responsibilities of the CSP and the bank in terms of the control and monitoring of cloud services are clearly defined, understood, and recorded (including contractually).
  • In order to “remain fully responsible” for compliance with DORA and other applicable financial services legislation, the ECB requires banks to apply the equivalent level of diligence (regarding risk management, processes, and controls) as would be applied by banks keeping such services in-house. Crucially, the ECB asserts that banks must ensure that CSPs establish equivalent risk management practices, processes and controls as would be adopted by banks. This is a potentially very onerous expectation of CSPs, given that some may not have governance and internal control frameworks commensurate with those operated by a bank.

Pre-outsourcing analysis: Prior to procuring cloud services from a CSP, the bank must perform a “pre-outsourcing analysis” as specified by DORA – this process should include analyzing the control processes to be established and ensuring that the CSP itself has the requisite ability (including expertise and resource) to implement and perform the checks once the services are live. The Guide sets out a list of “good practice” considerations to be borne in mind as part of the pre-outsourcing analysis.

Cloud strategy vs outsourcing strategy vs overall strategy: To account for ICT third-party risk with respect to CSPs, banks should either adopt a specific “cloud strategy” or integrate cloud service considerations within a general outsourcing strategy. Whichever method is adopted, the cloud strategy and/or general outsourcing strategy should be consistent with the firm’s general strategy framework and internal policies and processes. Realistically, this will require banks to undertake a review of their firm-wide risk control frameworks and the underlying policies and procedures governing ICT risk (including cloud services outsourcing risk), in order to ensure a consistent and coherent approach.

2. Availability and resilience of cloud services

Business continuity and disaster recovery:

  • To comply with CRD IV, the NIS 2 Directive, and DORA, together, banks must have comprehensive contingency (including back-up management) and ICT business continuity plans which consider a variety of worst-case scenarios – for example, comprehensively detailing partial or complete failure of a CSP which ultimately leads to an exit process by the bank, with or without the cooperation of the CSP.
  • Where storage of data is involved, banks must adopt back-up, restoration, and recovery procedures which rely on storage methods that will be unaffected by any disruption to cloud services (i.e. an alternative to the cloud hosting the services). This highlights the scrutiny with which banks’ business continuity and disaster recovery plans and underlying measures will be assessed by the regulator.

Proportionate requirements for critical functions: Cloud resilience measures should be adopted on a risk-based approach. In relation to critical functions, this will include ensuring that an abrupt discontinuation of a CSP’s services does not lead to business disruption that surpasses the maximum tolerable downtime/data loss set by the bank’s internal policies. The ECB goes on to state that, ultimately, it expects a bank to remain fully operational and retain the ability to bring data and applications back on-premises. 

Banks will need to re-evaluate their current operational capabilities in this regard and consider up-resourcing, as necessary.

Oversight over the planning, establishment, testing and implementation of a disaster: To comply with testing requirements under DORA and the NIS 2 Directive, banks must test their CSPs’ disaster recovery plans, including via regular and impromptu (for example with little to no prior warning) spot tests – reliance on disaster recovery certifications will not be sufficient.

Regular performance of risk assessments: In addition to the risk assessment carried out on a prospective CSP as part of the pre-outsourcing analysis, the ECB considers that banks should perform such risk assessments on a regular basis, to account for changes in the CSP’s practices and market shares. This is particularly relevant to the assessment of concentration risk – for example reviewing the bank’s dependence on a particular CSP over time to avoid “lock-in risks” such as difficulties or heightened costs of switching/exiting contracts.

3. ICT security, data confidentiality and integrity

By allowing internal back-end systems to communicate with outsourced cloud applications, the ECB considers that banks necessarily “extend” their trusted zones to the cloud environment, heightening ICT security and data confidentiality risks. Therefore, the ECB considers banks should in particular:

  • carry out ICT risk assessments of the services;
  • maintain high levels of data encryption, which are constantly adapted to external threats (including by encrypting data in transit, at rest, and – to the extent possible – in use) in accordance with a data sensitivity classification policy;
  • consider restricting the locations where CSPs can store their data and applying tracing mechanisms to monitor CSPs’ compliance with such restrictions; and
  • where CSPs (or the CSPs of third-party providers) operate under third-country jurisdiction/legislation – assess the risks this may create and establish a running list of “acceptable jurisdictions” where data can be stored and processed in alignment with the bank’s risk tolerances. In setting this expectation, the ECB references (in a footnote) the EU Commission’s list of non-EU countries where data protection is considered adequate in line with the GDPR, implying that banks’ lists of acceptable jurisdictions should largely align with the EU Commission’s.

4. Exit strategy and termination rights

Exit strategy: Prior to entering into a contractual arrangement with a CSP, a bank must establish a comprehensive and granular exit plan that is based on a “principle-based exit strategy” and must be independently verified for feasibility by an individual who was not involved in its development. This strategy should have clearly defined roles and responsibilities, and set out estimated costs for outsourced cloud services facilitating the performance of critical/important functions. Exit plans must be reviewed and tested regularly, and, if needed, adapted to any changes (whether to the services provided by the bank or the CSP).

Termination rights: Contractual arrangements with CSPs should clearly set out the grounds for the bank using its right of termination – including:

  • ongoing inadequate performance (including continuous failure to achieve agreed service levels), or substantial loss of service;
  • serious breaches of contractual terms, or applicable laws or regulation (including DORA or the NIS 2 Directive);
  • an excessive increase in expenses under the arrangement which is attributable to the CSP;
  • relocation of the CSP’s business units / data centres / the CSP’s headquarters, for example to a jurisdiction outside the bank’s (or the European Commission’s) list of “acceptable jurisdictions” for the purpose of data protection/ICT risk;
  • a material change in the sub-contracting chain, including to the management of cybersecurity risk; or
  • a failure to successfully execute cloud provider test migrations.

The provisions for consequences of termination should allow for a smooth and effective transition period in accordance with an agreed exit plan, to minimise disruption (particularly for critical / important functions). Such provisions should equally apply to sub-contractors of CSPs, in the same way as they would directly apply to the CSPs.

5. Oversight, monitoring and internal audits

The ECB considers that banks are presently overly reliant on CSP statements and certifications, and therefore that banks are not receiving sufficient detail regarding, or obtaining sufficient visibility over, CSP infrastructure processes and internal controls. This view appears to be based on the ECB’s observations from its supervisory activities, including on-site inspections of banks and CSPs. To comply with oversight, monitoring and audit requirements, the ECB considers that banks should:

  • ensure that their internal audit functions regularly review the risks of the use of CSP services – including the appropriateness of any risk assessments conducted by the CSP (and ensuring the requisite input by independent third parties, such as security analysts) and the quality of the CSP’s management. There is an open question as to how this latter obligation will be enforced by the ECB, for instance if a bank deems a CSP’s management lacking for any reason;
  • consider working with other banks to put together a “joint inspection team” for the audit of commonly used CSPs;
  • monitor cloud services through a combination of the CSPs’ own monitoring tools and processes, and independent expert monitoring tools to prevent the risk of manipulation of data by the CSP. Any such monitoring by banks should be conducted by a centralised function or department with the requisite expertise. Banks will need to review their monitoring and oversight metrics, and the resulting data packaged for review by the management body, and consider whether such information is of sufficient quality and detail to accurately assess the CSP’s services; and
  • ensure that all contractual arrangements with CSPs provide for broad inspection and audit rights over the CSP for the bank’s internal audit function, as well as for competent and resolution authorities. This includes for the purposes of the bank’s oversight function following up in detail on any incidents (whether notified to the bank by the CSP, or flagged as part of the bank’s monitoring processes).

C. Next Steps of DORA legislative timetable

DORA and the national measures implementing the DORA Directive in Member States will apply from January 17, 2025. Up until then, the key dates for banks and CSPs as they implement the new requirements and (in relation to CSPs) prepare for designation as critical ICT third-party service providers are as follows:

June 19, 2024

The following two delegated acts will enter into force:

  – Commission Delegated Regulation (C(2024)896), specifying the criteria for the designation of ICT third-party service providers as critical for financial entities; and
  – Commission Delegated Regulation (C(2024)902), determining the amount of the oversight fees to be charged by the lead overseer to critical ICT third-party service providers and how those fees are to be paid.

July 1 – August 30, 2024

The European Supervisory Authorities (ESAs) are holding a “dry run exercise” for financial entities, in order to assist them in:

  – setting up and reporting to NCAs their register of information on their contractual arrangements with ICT third-party service providers (Article 28 DORA); and
  – gathering information for compliance with the draft ITS on contractual arrangements with ICT third-party service providers (i.e. information to be included in firms’ registers).

As part of the dry-run, the ESAs intend to provide feedback on data quality to participants by October 31, and a lessons-learned workshop in November. Non-participants should pay particular attention to the aggregated data quality report, to be published in December.

17 July 2024

  – ESAs will publish guidelines under Article 11 DORA (the estimation of aggregated annual costs and losses caused by major ICT-related incidents so that financial entities can report this to the competent authorities) and Article 32 DORA (the detailed procedures and conditions for the allocation and execution of tasks between them and the competent authorities under the oversight framework).
  – Draft Level 2 materials (Regulatory Technical Standards and Implementing Technical Standards relating to Articles 20(a), 26(11), 30(5), 41(1) and 41(2) DORA) to be submitted to the EU Commission for adoption (and, in relation to RTS, scrutiny by the EU Parliament and Council).

David Berman leads Covington’s financial services practice in EMEA. Emily Lemaire is an associate in Covington’s financial services practice in London. Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group.