Updated: October 2020
The cloud certification would help reduce technical, operational and security risks, and would support compliance with the EBA Outsourcing Guidelines. It would also help the European banking industry be more competitive worldwide by quickly adopting new technologies. In any case, it is clear that a new oversight framework shall not increase the banking and financial sectors' obligations or supervisory burden. The EBA has advised the European Commission to look at the establishment of an appropriate oversight framework for third-party service providers (TPPs), in particular in the area of cloud services. ESBG shares the view that the current legislative framework for TPPs needs to be strengthened and harmonised at both micro and macro level, and encourages this effort.
ESBG is concerned about the unbalanced power relationship between CSPs (Google, Amazon, Microsoft, Alibaba, etc.) and cloud service users, such as banks. It is indeed almost impossible for banks to negotiate contractual terms with the powerful CSPs that are compliant with the EBA guidelines or applicable legal acts, and this situation generates compliance risk for banks, as they remain responsible for the outsourcing arrangement. Regarding the regulatory framework, the EBA, in its Outsourcing Guidelines, sets unrealistic obligations for banks (e.g. auditing rights, data localisation), as the negotiating position of European banks towards cloud service providers is fairly weak.
Industry sectors like banking urgently need the cloud services offered by big players to fall under a centralised, Europe-wide, validated and standardised EU framework that puts in place legal, technology and security requirements. ESBG has identified some of the major guarantees expected from cloud service providers in order to comply with the authorities' requirements and obtain trustworthy banking cloud services.
ESBG welcomes the European Commission's approach to standardising certain mandatory and sensitive Cloud contractual clauses. Nevertheless, additional efforts are required to strengthen the financial sector's capacity to negotiate. Beyond the standardisation of Cloud contractual clauses, a complementary approach could be considered to obtain a Trustworthy European Cloud certification for the financial sector.
There is an ongoing reflection on the level of oversight and supervision for providers supplying a public Cloud to the banking and financial sectors. The underlying idea is to ensure that CSPs deliver a trusted European Cloud which complies with the technical, security, legal and regulatory requirements imposed by the 2019 EBA Outsourcing Guidelines and the 2020 Guidelines on ICT and security risk management, or by legal acts such as the GDPR.