The European Central Bank (ECB) today published its final Guide on outsourcing cloud services to cloud service providers. This follows a public consultation, which ended in July 2024.
Similar to other ECB Guides, this Guide does not lay down legally binding requirements, practices, or rules. It also does not introduce new rules or requirements over and above those currently imposed by the Digital Operational Resilience Act (DORA). Instead, it clarifies the expectations the ECB has for banks to comply with DORA requirements. It also provides good practices on effective outsourcing risk management for banks under ECB supervision that use third-party cloud services, based on observed industry practices.
“Banks are relying on outsourcing cloud services to a handful of third-party service providers. This exposes them to several risks, including IT security and cyber risks, which remain an ECB priority in times of heightened geopolitical tensions” said Anneli Tuominen, member of the ECB’s Supervisory Board. “Our Guide outlines good practices on how we expect banks to manage such risks, drawing on the experience we have gathered through our ongoing supervision.”
The ECB considered all 696 comments received from 26 respondents during the public consultation, helping it to further refine the Guide. The final Guide more clearly differentiates the requirements set out in DORA from the good practices recommended by the ECB. It also clarifies the way in which the principle of proportionality is applied. An overview of the comments received and the ECB’s assessment of them is available in a
feedback statement.
In publishing the Guide, the ECB will make supervision more consistent and help ensure a level playing field for the banks it supervises by outlining its expectations transparently and recommending good practices. The Guide emphasises the importance of maintaining a risk-based approach and applying proportionality to outsourcing cloud services, while accounting for the various organisational set-ups, areas of activity and risk profiles of the banks that the ECB supervises.
For media queries, please contact Clara Martín Marques, tel.: +49 69 1344 17919.