On 3 June 2024, the European Central Bank (ECB) published a consultation paper on a draft guide for banks on outsourcing cloud services to cloud service providers (CSPs).
Scope and interaction with DORA
The ECB's Guide applies to banks that are supervised directly by the ECB, but will also be relevant to CSPs and other financial entities subject to DORA.
The ECB states that its Guide:
- should be read in conjunction with the incoming DORA regulatory framework and the EBA Guidelines on outsourcing arrangements; and
- does not lay down legally binding requirements and should not be construed as introducing new rules or requirements.
Importantly, the ECB helpfully confirms that DORA takes precedence and that the principle of proportionality applies to the ECB's expectations under the Guide.
Practical considerations
The Guide outlines a number of 'good practice' considerations across the entire cloud outsourcing lifecycle, including the pre-outsourcing phase, oversight and monitoring during the life of the arrangement, business continuity arrangements, and exit strategies and termination.
In introducing DORA, EU legislators promised to reduce fragmentation and harmonise rules on operational resilience. However, by issuing this paper while many firms are midway through their DORA implementation processes, the ECB has invited confusion and has, in certain instances, introduced contradictory expectations. Further, the ECB's Guide adds to an already crowded regulatory landscape, including the EBA Outsourcing Guidelines and ESMA's 2020 Cloud Outsourcing Guidelines. Consequently, rather than harmonisation and "supervisory consistency", firms are left to navigate and comply with an overlapping and in some cases inconsistent set of regulatory expectations.
Further, the ECB's Guide, like the EBA Outsourcing Guidelines and DORA, fails to recognise that regulated firms (even large financial institutions) often have limited negotiating power with the dominant CSPs and reflects a misunderstanding of CSPs' structure. This limits a firm's ability to comply with parts of the guidance, which require them to have more involvement in relation to the policies and procedures of CSPs. For example, the ECB's suggestion that institutions should ensure their CSPs have established "equivalent" risk management practices, processes and controls is not practical and does not account for the "one-to-many" nature of CSPs. CSPs cannot have equivalent risk measures to every single financial institution to whom they provide services. Additionally, the ECB states that the same supervisory expectations apply when a non-CSP service provider relies on a CSP. The ECB seems to overlook the practical challenges firms face when requiring other ICT service providers to pass down obligations to third-party CSPs.
Overall, in our view,
- there are specific considerations and recommendations within the Guide which may be helpful as part of firms' DORA implementation projects,
- in order to deal with the potential overlap and inconsistencies with DORA and other guidelines, in-scope institutions should take an outcomes- and risk-based approach to the expectations within the Guide and use the principle of proportionality where appropriate;
- firms should consider including specific references to CSPs within their relevant DORA-related policies and procedures in order to account for the regulators' classification of CSPs as a special and distinct category of ICT service providers; and
- various functions within financial institutions need to collaborate to ensure a unified, comprehensive and effective implementation of operational resilience strategies throughout the lifecycle of a CSP relationship (i.e. this is not simply a legal or compliance problem, but must necessarily involve IT teams, the business as well as third-party risk management teams).
Key elements of the ECB Guide
Governance of cloud services
- Responsibility remains with the institution: ECB interprets 28(2) of DORA as meaning that institutions outsourcing ICT services, should be required to apply the same level of diligence for risk management, processes and controls as those relevant who retain such services in-house. Accordingly, the ECB expects institutions to ensure their CSPs have equivalent risk management practices, processes and controls. We consider this means that institutions should ensure that CSP's processes should be no less rigorous than its own.
- Pre-sourcing analysis: DORA requires institutions to carry out risk analysis prior to entering into a new cloud outsourcing arrangement. The ECB considers that it is good practice for pre-outsourcing analysis to consider the risks such as (i) vendor lock-in and the challenges this might impose to switching providers, (ii) data storage and processing risks, including the risk of losing sensitive data, (iii) physical risks and region specific risk (e.g. risks relating to the political stability of the country where the services are provided and/or data is stored), (iv) the risk of a significant fall in quality or a significant increase in price; and (v) the risks of a multi-tenant environment. Firms should consider the above as part of their CSP/vendor due diligence and ongoing monitoring of CSPs.
- Consistency in strategy: The ECB considers that an institution's cloud strategy should be consistent with its overall strategy towards ICT third-party risk under DORA. This could take the form of a specific cloud strategy, or cloud-related aspects can be included in the broader strategies.
Availability and resilience of cloud services
- Holistic perspective on business continuity: The ECB interprets Article 12 of DORA (on back-up policies and procedures) to mean that institutions’ response and recovery planning for cloud services involving the storage of data should include back-up procedures and restoration and recovery procedures in order to mitigate a failure of the CSP to provide services, as well as the failure of the CSP as a whole.
- Proportionate requirements for critical functions: For the purposes of Article 28(8) of DORA, the ECB expects institutions to ensure that, in the case of critical functions, abrupt discontinuation of a CSP's outsourced cloud services does not result in business disruption beyond the maximum tolerable downtime or data loss (as defined in the firm's internal policies).
- Oversight over the planning, establishment, testing and implementation of a disaster recovery strategy: On the basis of relevant legal requirements, the ECB considers that a firm should test its CSP's disaster recovery plans and that there should not be exclusive reliance on relevant disaster recovery certifications. Spot checks/and or tests at short notice need to be carried out, so as to gauge readiness for an actual disaster. The personnel at the firm and the CSP involved in the disaster recovery procedures should have designated roles and training. Any deficiencies spotted during the testing need to be documented and analysed to identify corrective measures, with a remediation plan.
- Assessment of concentration and lock-in risks: These assessments need to be carried out on a regular basis, as providers' practices may change over time. It is advisable for institutions to regularly review their dependence on individual service providers.
ICT security, data confidentiality and integrity.
- Data confidentiality and integrity: Institutions outsourcing to CSPs are expected to ensure data is encrypted in transit, at rest and where feasible, when in use. Institutions should restrict locations where CSPs can store their data and have appropriate tracing mechanisms to monitor compliance with these restrictions while also ensuring data can be accessed when needed.
- Establishment of adequate data security measures, such as encryption and cryptographic key management processes: Best practice processes include (i) ensuring there are detailed policies and procedures governing the entire lifecycle of encrypted data; (ii) regular review of details of encryption algorithms and processing logic to spot weaknesses and points of exposures, and (iii) controls around the creation, sharing and use of cryptographic and encryption keys.
- Risks stemming from the location and processing of data: Requirements, processes and controls for the processing and storage of data should be consistent across all agreed locations or zones. Institutions should assess additional risks associated with a sub-contractor relevant for the cloud services is located in a different country from the CSP and the risks of complex sub-outsourcing chains.
- ICT assets inventory: Institutions should adopt a clear policy on the classification of all ICT assets, including those that are outsourced to CSPs and maintain an up-to-date inventory of all the ICT assets it is responsible for under the policy. This is with a view to ensuring that all operational processes (monitoring, patching, incident management, change management, etc.) are extended to cover cloud assets.
- Identity and access management (IAM) policies: Roles and responsibilities related to the management of access and configuration rights and encryption keys should be clearly defined. An institution's IAM policy should include cloud assets and cover both technical and business users.
Exit strategy and termination rights
- Granularity of exit plans: Exit plans to include (as a minimum) the critical milestones, a description of tasks and skill sets necessary to perform the exit and rough estimate of the time needed and relevant costs. Supervised entities are expected to at least carry out an in-depth desktop review.
- Exiting under stress: Exit strategies required under Article 28(8) of DORA should include a business continuity policy that caters for the eventuality of a CSP exiting under stress (i.e. where service cannot be resumed by another party).
Oversight, monitoring and internal audits
- Internal Audits: An institution’s internal audit function should ensure that risk assessments are not based solely on narratives and certifications provided by the CSP without independent assessments/review. The ECB considers it to be good practice for institutions to work together to audit a CSP, putting together a joint inspection team containing at least one technical expert from each institution, provided that institutions should have the ability to follow up individually with the CSP on a bilateral basis regarding issues relevant to them.
- Independent expert monitoring of CSPs: Institutions should retain expertise in-house, with a centralised function or department being recommended for the purpose of monitoring of CSPs. For "critical or important" functions, any monitoring tools provided by the CSP for the purposes to assess performance should be complemented by independent tools.
- Contractual clauses: The ECB recommends that financial entities use standard contractual clauses when outsourcing to cloud service providers. The ECB considers best practice includes:
- Contractual clauses which allow institutions to follow up on ineffective provision of services and ask for the implementation of remedial actions.
- Contractual clauses which allow institutions to monitor any deterioration in services and ask for the implementation of remedial actions.
- Contracts should include details of how the cost of performing on-site audits is calculated, ideally including a breakdown and indicating the maximum cost.
- If contractual provisions are stored online, the provider should be required to sign a separate digital or physical copy to prevent any risk of unilateral changes.
Many firms will have a version of the above terms incorporated into their current standard outsourcing / DORA terms.
Next Steps
The consultation closes on 15 July 2024. The ECB is expected to publish the comments received together with a feedback statement and the final Guide before DORA comes into force on 17 January 2015.