Edward Roozenburg: ECB guide is a useful compass, but not a complete map

This column was originally written in Dutch. This is an English translation.
By Edward Roozenburg, Service Line Lead IT Risk and Information Security, Probability & Partners
This month, the European Central Bank (ECB) published the final version of its guide on outsourcing cloud services to third parties: the ‘ECB Guide on outsourcing cloud services to cloud service providers’. The timing is excellent: with the implementation of DORA and geopolitical tensions exposing the vulnerability of digital infrastructure, guidance on cloud risks is more than welcome.
The guide provides an overview of best practices for effective risk management in cloud outsourcing for banks. Although these are explicitly applicable to banks, they also provide food for thought for other financial institutions covered by DORA, such as pension funds and asset managers. Many of these good practices are already familiar from DORA, such as conducting a risk assessment prior to outsourcing, drawing up an exit strategy, arranging audit rights, controlling sub-outsourcing, and continuously monitoring the performance and risks of ICT service providers. These elements are explicitly included in DORA and are therefore legally required.
However, the ECB provides more specific practical guidance on some points. The guide recommends, for example, strengthening internal governance by appointing a specific officer responsible for cloud relationships. This would of course be a good initiative not only for banks but also for other financial institutions. In line with DORA, it is also recommended that monitoring be supported by performance indicators, risk reports, and periodic evaluations. The final version of the guide makes an explicit distinction between what DORA requires and what the ECB considers best practice, which increases its practical applicability.
Proportionality
A strong point of the guide is its clarification of the principle of proportionality. DORA mentioned this principle but did not elaborate on it. This guide goes a step further. Not every bank needs to apply the same level of risk management. The ECB recommends tailoring the approach to the nature, scale, and complexity of the organization and to the risk profile of the outsourced service. This means, for example, that a small asset manager using a standard accounting application in the cloud can suffice with a concise risk analysis and limited contractual safeguards. A large systemically important bank that outsources customer data or payment transactions to a hyperscaler, on the other hand, must carry out in-depth due diligence, stipulate extensive audit rights, and develop exit and migration scenarios. The guide thus provides a more workable framework for proportionate supervision without compromising the core principles of risk management.
DORA plus
What else does the guide add to DORA? In addition to the governance recommendations mentioned above, the guide also provides guidance on documentation requirements, internal accountability structures, and the importance of practical implementation of existing obligations. For example, it recommends managing cloud relationships using performance indicators, risk reports, and regular evaluations. These elements are also mentioned in DORA, but are presented in this guide as best practices based on the ECB's supervisory experience.
Geopolitics
The guide comes at a time when geopolitical tensions – from cyber threats to sanctions – are making dependence on a handful of cloud providers problematic. Pim Poppe's column on geopolitical risks provides a good description of the current geopolitical situation and its consequences for the financial sector.
The European financial sector is heavily dependent on US providers such as AWS, Microsoft Azure, and Google Cloud. This US dominance limits digital independence in Europe, leading to geopolitical vulnerability. What would happen, for example, if Azure were no longer accessible? Or if Office were suddenly no longer supported in Europe as a result of US legislation in a trade war? Could we still fall back on the contractual agreements with Microsoft?
The ECB therefore recommends explicitly including concentration risks in risk assessments and having exit strategies in place. In a world where digital infrastructure can be a geopolitical playing field, the ability to switch smoothly to other cloud providers, for example in Europe, is a good control measure. This leads to a desire among banks, but also among other financial institutions, to be able to switch easily to a European cloud provider. Some institutions may already be using a multi-cloud strategy to limit their dependence on a single cloud.
However, the guide leaves room for improvement in this area. An important issue when switching to another cloud provider is interoperability between cloud providers: the ability to move data, applications, and services smoothly between different cloud environments without major technical or contractual obstacles. To be able to switch cloud providers, data must be available for transfer in a standard format. In practice, however, institutions often encounter incompatible standards. This is a shortcoming, particularly at a time when flexibility is important. Banks and other financial institutions need guidance in this area, as it is a prerequisite for addressing concentration risk in a concrete manner.
Guidance on how to deal with this, for example through standardization or tooling for data portability, is lacking. Currently, financial institutions have to decide for themselves which standards they want to use, and each institution can choose its own standard. This leads to a variety of requirements that customers impose on cloud providers. It would be good to introduce some uniformity here, just as European legislators achieved uniformity by making USB-C the standard port for mobile phones. Guidance from the ECB could be a first step towards greater uniformity.
Valuable
The ECB guide is a valuable addition to DORA. It offers practical guidance, clarifies proportionality, and helps banks better manage cloud risks under geopolitical pressure. However, institutions now need to think for themselves about issues such as interoperability. Additional guidance and perhaps even legislation could help in this regard. Nevertheless, this guide obviously contributes to further protection against IT risks. And that is a good thing!