The cloud certification would help reduce technical, operational and security risks, and would support compliance with the EBA Outsourcing Guidelines.

It would also help the European banking industry be more competitive worldwide by quickly adopting new technologies. In any case, it is clear that a new oversight framework shall not increase the banking and financial sectors obligations and supervisions. The EBA has advised the European Commission to look at the establishment of an appropriate oversight framework for third-party service providers (TPPs), in particular in the area of cloud services. ESBG encourages and shares the need to strengthen and harmonise the current legislative framework for TPPs at both micro and macro level. ​

  • At micro level, Supervisors should have access rights, audit rights and sanctioning rights directly from the regulatory framework rather than relying only on contractual provisions in outsourcing contracts. ESBG believes that the Cloud Certification is an additional toolkit and will contribute to achieving this policy objective. ESBG encourages policymakers to increase efforts to create a CSP certification framework.
  • At macro level, ESBG also agrees with the EBA that for critical TPPs there is an urgent need for a new oversight framework that sets higher standards related to security and data protection (e.g. obligatory cybersecurity certification). The scope of oversight should aim at monitoring concentration risk, financial stability risks and ensuring cooperation with relevant authorities.

Identified Concerns

ESBG is concerned about the unbalanced power relationship between CSP (Google, Amazon, Microsoft, Alibaba, etc) and cloud service users, such as banks. It is indeed almost impossible for banks to negotiate contractual terms with the powerful CSP that are compliant with the EBA guidelines or applicable legal acts, and this situation generates compliance risk for banks as they are still responsible for the outsourcing arrangement.​

Regarding the regulatory framework, the EBA in its Outsourcing Guidelines, sets unrealistic obligations for banks (e.g. auditing rights, data localisation), as the negotiating position of European banks towards cloud service providers is fairly weak.

Why Policymakers Should Act

Industry sectors like banking urgently need for cloud services offered by big players to fall under a centralised, Europe-wide, validated and standardised EU framework that puts in place legal, technology and security requirements. ESBG has identified some of the major cloud guarantees expected from cloud service providers to comply with the authorities’ requirements and obtain trustworthy banking cloud services.

ESBG welcomes the European Commission’s approach to standardising certain mandatory and sensitive Cloud contractual clauses. Nevertheless, additional efforts are required to strengthen the financial sector’s capacity to negotiate. Beyond the standardisation of Cloud contractual clauses, a complementary approach could be considered to obtain a Trustworthy European Cloud certification for the financial sector.


There is an ongoing reflection on the level of oversight and supervision for providers supplying a public Cloud to the banking and financial sectors. The underlying idea is to ensure that CSPs deliver on a trusted European Cloud which should comply with the technical, security, legal and regulatory requirements imposed by the 2019 EBA Outsourcing Guidelines and the 2020 Guidelines on ICT and security risk management or legal acts like GDPR.