Cloud outsourcing guidance update for DORA considered by EU regulators

Both the European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) told Out-Law that they are actively reviewing how their existing cloud outsourcing guidance sits alongside the DORA requirements.

EIOPA published finalised guidance on outsourcing to cloud service providers, relevant to insurance and reinsurance providers, in February 2020. The guidance has applied since 1 January 2021. A spokesperson for EIOPA said the authority is “currently performing a gap analysis between the content of these guidelines and the requirements of DORA” and currently “foresees the completion of the gap analysis and the identification of a possible way forward by the end of the year”.

ESMA published cloud outsourcing guidelines, relevant to regulated investment firms, in December 2020. Those guidelines took effect on 31 July 2021. An ESMA spokesperson told Out-Law that its guidelines “might need updating in light of DORA” and that it is “currently … assessing this issue internally”.

Clarification on EIOPA’s and ESMA’s position comes after the European Central Bank (ECB) began consulting on proposed new guidelines for banks on outsourcing cloud services to cloud service providers (17-page / 214KB PDF). The ECB said its draft guidelines, which are open to feedback until 15 July 2024, reflect its “understanding of … [DORA and other] specific rules [arising under the EU’s Capital Requirements Directive] and how they apply to the banks it supervises”.

The EIOPA and ESMA cloud outsourcing guidelines sit alongside a suite of guidance that has been produced by the three ‘European supervisory authorities’ (ESAs) – EIOPA, ESMA, and the European Banking Authority (EBA) – that relate to the management of operational risk, including risks associated with using third party service providers, in EU financial services.

DORA effectively codifies aspects of the existing guidelines and provides a single, harmonised EU rulebook for all financial entities pertaining to operational resilience and ICT-related risk.

As well as having direct impact on financial entities, the DORA rules will impact third parties that provide services to those entities – this is because the financial entities will have to ensure their contracts with service providers enable them to meet their regulatory obligations. In addition, DORA provides for direct regulation of so-called ‘critical ICT third-party service providers’ in EU financial services markets.

While the ECB is not an ESA, it does have a specific role in directly regulating certain ‘significant’ banks under EU law – a subset of those supervised by the EBA. DORA provides the ECB with broad scope to play a role in facilitating how the legislation is applied. The ECB said producing its own cloud outsourcing guidance has become “necessary” after it “found vulnerabilities in banks’ IT outsourcing strategies”.

The ECB said: “Banks are increasingly using cloud computing services offered by third-party service providers. These services are potentially cheaper, more flexible and more secure, but dependency on third parties can also expose banks to risks, for example with regard to IT security and possible business disruptions. For example, if a bank cannot easily substitute outsourced services during a failure, its functions may be interrupted. In addition, the market for cloud services is highly concentrated, with many banks relying on just a few service providers located in non-European countries. Therefore, the ECB considers it good practice for banks to explicitly take these risks into consideration.”

Yvonne Dunn of Pinsent Masons, who specialises in technology contracts in financial services, said: “One of the purposes of DORA was to set a single rulebook across EU financial services in respect of operational resilience and risk management and avoid financial entities and their service providers having to navigate a patchwork of different rules and guidance. The prospect of the ESAs updating their existing guidelines in light of DORA is not wholly unexpected, but the ECB’s intervention in this space creates a risk that further overlapping, and potentially contradictory, guidelines will need to be navigated by banks and their service providers.”

Luke Scanlon, also of Pinsent Masons, added: “Much of the ECB’s guidance, addresses topics covered in the EBA’s outsourcing guidance, such as how banks provide for business continuity and disaster recovery, and plan their exit from cloud arrangement and exercise termination rights. Overlapping guidance of this kind risks confusing businesses and adding complexity to compliance in an area where they will already have to grapple with the DORA legislation itself, the underlying raft of new regulatory technical standards, other implementing standards, and the existing ESA guidelines. It is hard to see how this helps promote the greater harmonisation DORA was designed to achieve.”

The ESAs have extensive responsibilities under DORA. Those responsibilities include developing draft regulatory technical standards – for adoption by the European Commission – to flesh out the detail around a raft of requirements arising under DORA – including around which incidents need to be reported by financial entities and in relation to the content and requirements of business continuity policies and disaster recovery plans that those entities also need to develop under the legislation.

The ESAs also have an important role in preparing separate implementing technical standards – including standardised templates, forms and procedures to help financial entities in reporting major ICT-related incidents and major operational or security payment-related incidents under DORA; in designating select ICT third-party service providers that will be regulated as ‘critical’ providers under the new regime – and in conducting inspections of such providers; and in sharing information and enabling regulatory cooperation, both within and outside of the EU.

The ESAs have further duties to prepare guidelines to help financial entities meet certain requirements arising under DORA – including in respect of estimating costs and losses arising from major ICT-related incidents, to meet reporting obligations. However, DORA does not expressly require the ESAs to update their existing suite of guidelines on outsourcing and ICT-related risk.